Let's encrypt
Get acme.sh
curl https://get.acme.sh | shThen you can find ~/.acme.sh/acme.h
If you can't access raw.githubusercontent.com: curl: (7) Failed connect to raw.githubusercontent.com:443; Connection
You need figure out the ip address your self by:
The Best IP Address, Email and Networking Tools - IPAddress.com
You get the best results with IPAddress.com’s IP Address Lookup, WHOIS, Email Tracing, Networking Tools and much more!
And add ip to your hosts:
vi /etc/hosts
199.232.96.133 raw.githubusercontent.comGet your secret becore your installation
Find it from you dns provider
export Ali_Key="**********"
export Ali_Secret="**********"
acme.sh --issue --dns dns_ali -d ourdark.org -d *.ourdark.orgacmesh-official/acme.sh
A pure Unix shell script implementing ACME client protocol - acmesh-official/acme.sh
Install cert to nginx
mkdir /etc/nginx/ssl
acme.sh --installcert -d ourdark.org \
--keypath /etc/nginx/ssl/ourdark.org.key \
--fullchainpath /etc/nginx/ssl/ourdark.org.key.pem \
--reloadcmd "systemctl restart nginx"Generate dhparam.pem
It will take some time
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048Update your nginx config
ssl_certificate /etc/nginx/ssl/ourdark.org.key.pem;
ssl_certificate_key /etc/nginx/ssl/ourdark.org.key;then reload your nginx
systemctl restart nginxNow, you can verify your site: https://blog.ourdark.org
Finally, you should update certs in every 3 months, it's simple
acme.sh --upgrade --auto-upgradeRenew the cert after 60 days
./acme.sh --renew -d ourdark.com -d *.ourdark.com