離央

離央

温良恭谦
github
telegram
steam
email
HomeArchives

Apply for ECC, RSA wildcard dual certificates using .acme.

#笔记106
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
When applying for a certificate using .acme, there are multiple ways to verify domain support. This document provides instructions on how to issue a certificate using acme.sh and Alibaba Cloud DNS for domain validation. It includes steps for configuring Alibaba Cloud credentials, creating directories for RSA and ECC certificates, applying for RSA and ECC certificates, installing the certificates to the specified directories, setting up automatic renewal, and providing an Nginx configuration example.

When applying for a certificate using .acme, there are multiple ways to verify domain name support.
Reference: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert
Here, Alibaba Cloud DNS automatic resolution is used to verify the domain name.

Configure Alibaba Cloud Key#
# Alibaba Cloud user key (It is recommended to use a sub-user with only DNS resolution permissions)
export Ali_Key="<key>"
export Ali_Secret="<secret>"
Create RSA certificate storage directory#
# RSA directory
mkdir -p /etc/letsencrypt/inbluemoon.com/rsa/

# ECC directory
mkdir -p /etc/letsencrypt/inbluemoon.com/ecc/
Apply for RSA certificate#
./acme.sh --issue --dns dns_ali --keylength 2048 -d inbluemoon.com -d '*.inbluemoon.com'
Install the RSA certificate to the specified directory#
./acme.sh --installcert -d inbluemoon.com \
--key-file       /etc/letsencrypt/inbluemoon.com/rsa/privkey.pem  \
--fullchain-file /etc/letsencrypt/inbluemoon.com/rsa/fullchain.pem \
--cert-file      /etc/letsencrypt/inbluemoon.com/rsa/cert.pem \
--ca-file        /etc/letsencrypt/inbluemoon.com/rsa/chain.pem \
--reloadcmd     "nginx -s reload"
Apply for ECC certificate#
./acme.sh --issue --keylength ec-256 --dns dns_ali -d inbluemoon.com -d '*.inbluemoon.com'
Install the ECC certificate to the specified directory#
./acme.sh --installcert --ecc -d inbluemoon.com \
--key-file       /etc/letsencrypt/inbluemoon.com/ecc/privkey.pem  \
--fullchain-file /etc/letsencrypt/inbluemoon.com/ecc/fullchain.pem \
--cert-file      /etc/letsencrypt/inbluemoon.com/ecc/cert.pem \
--ca-file        /etc/letsencrypt/inbluemoon.com/ecc/chain.pem \
--reloadcmd     "nginx -s reload"
Automatic renewal#
./acme.sh --install-cronjob
Nginx configuration example#
server {

    listen      443 ssl http2;
    server_name www.inbluemoon.com;

    # ECC Cert
    ssl_certificate             /etc/letsencrypt/inbluemoon.com/ecc/fullchain.pem;
    ssl_certificate_key         /etc/letsencrypt/inbluemoon.com/ecc/privkey.pem;
    
    # RSA Cert
    ssl_certificate             /etc/letsencrypt/inbluemoon.com/rsa/fullchain.pem;
    ssl_certificate_key         /etc/letsencrypt/inbluemoon.com/rsa/rsa/privkey.pem;
    
    ssl_session_cache           shared:SSL:10m;
    ssl_session_timeout         30m;
    ssl_protocols               TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers   on;
    ssl_ciphers                 ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;

}
Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.