letsencrypt.sh


letsencrypt.sh is a Bash client for Let's Encrypt - Free SSL/TLS Certificates (launched at the end of 2015), and it is very easy to use.

The following example assumes the letsencrypt.sh directory is placed in /usr/local
and the Document Root is /var/www/html.

cd /usr/local
git clone https://github.com/lukas2511/letsencrypt.sh
cd letsencrypt.sh
echo yourdomain.com www.yourdomain.com > domains.txt # create domains.txt containing your domain name and sub domain names
mkdir -p /var/www/html/.well-known/acme-challenge # challenge-response directory
cp config.sh.example config.sh
Edit config.sh and set WELLKNOWN=/var/www/html/.well-known/acme-challenge
Run ./letsencrypt.sh -c

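Let's Encrypt certificates are valid for only three months, so run letsencrypt.sh -c again before they expire.
You can schedule it to run monthly. It renews only when less than 30 days of validity remain; otherwise it just reports Longer than 30 days. Skipping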
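
A wrapper for that monthly schedule, as an added example that is not part of the original post or of letsencrypt.sh itself. The paths are the ones used in this article; the Apache reload, the private-key permission check and the script location in the crontab comment are assumptions.

```shell
#!/bin/sh
# Added example: wrapper for a monthly cron job around "letsencrypt.sh -c".
# Paths are the article's; the Apache reload, the key-permission check and the
# script location in the crontab line below are assumptions.
#   0 3 1 * * /usr/local/sbin/le-renew.sh --run
LE_DIR=${LE_DIR:-/usr/local/letsencrypt.sh}
DOMAIN=${DOMAIN:-yourdomain.com}
RENEW_DAYS=30   # letsencrypt.sh skips certificates with more than 30 days left

# Succeeds when the certificate $1 expires within $2 days or cannot be read.
cert_due() {
    [ -r "$1" ] || return 0
    # -checkend N exits 0 only if the certificate is still valid N seconds from now
    if openssl x509 -in "$1" -noout -checkend "$(($2 * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Succeeds when file $1 (symlinks followed) grants nothing to group or others.
key_is_private() {
    [ "$(ls -ldL "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

renew_and_reload() {
    crt="$LE_DIR/certs/$DOMAIN/cert.pem"
    key="$LE_DIR/certs/$DOMAIN/privkey.pem"
    if ! cert_due "$crt" "$RENEW_DAYS"; then
        echo "$DOMAIN: more than $RENEW_DAYS days left, nothing to do"
        return 0
    fi
    before=$(cksum "$crt" 2>/dev/null || true)
    (cd "$LE_DIR" && ./letsencrypt.sh -c) || { echo "$DOMAIN: renewal failed" >&2; return 1; }
    key_is_private "$key" || echo "$DOMAIN: $key is readable by group/others" >&2
    # Apache keeps serving the old certificate until it re-reads the files
    [ "$before" = "$(cksum "$crt" 2>/dev/null || true)" ] || apachectl graceful
}

if [ "${1:-}" = "--run" ]; then
    renew_and_reload
fi
```

A failed run exits non-zero and writes to stderr, so cron's mail output shows the problem while the old certificate is still valid.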

If you run into this problem:
+ ERROR: An error occurred while sending get-request to https://acme-v01.api.letsencrypt.org/directory (Status 000)
you need to update OpenSSL's CA certificates.

If the machine is behind a firewall, the following IPs must be allowed (for the ACME challenge):
outbound1.letsencrypt.org 66.133.109.36
outbound2.letsencrypt.org 64.78.149.164

Apache configuration
Uncomment Include conf/extra/httpd-ssl.conf in httpd.conf
Contents of conf/extra/httpd-ssl.conf:
SSLCertificateFile /usr/local/letsencrypt.sh/certs/yourdomain.com/cert.pem
SSLCertificateKeyFile /usr/local/letsencrypt.sh/certs/yourdomain.com/privkey.pem
SSLCertificateChainFile /usr/local/letsencrypt.sh/certs/yourdomain.com/chain.pem
SSLCACertificateFile /usr/local/letsencrypt.sh/certs/yourdomain.com/fullchain.pem

ref. A Let's Encrypt Client Written in Shell Script

About this Entry

This page contains a single entry by Pank published on January 25, 2016 11:29 PM.
