離央

離央

温良恭谦
github
telegram
steam
email

Apply for ECC, RSA wildcard dual certificates using .acme.

When applying for a certificate using .acme, there are multiple ways to verify domain name support.
Reference: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert
Here, Alibaba Cloud DNS automatic resolution is used to verify the domain name.

Configure Alibaba Cloud Key#
# Alibaba Cloud user key (It is recommended to use a sub-user with only DNS resolution permissions)
export Ali_Key="<key>"
export Ali_Secret="<secret>"
Create RSA certificate storage directory#
# RSA directory
mkdir -p /etc/letsencrypt/inbluemoon.com/rsa/

# ECC directory
mkdir -p /etc/letsencrypt/inbluemoon.com/ecc/
Apply for RSA certificate#
./acme.sh --issue --dns dns_ali --keylength 2048 -d inbluemoon.com -d '*.inbluemoon.com'
Install the RSA certificate to the specified directory#
./acme.sh --installcert -d inbluemoon.com \
--key-file       /etc/letsencrypt/inbluemoon.com/rsa/privkey.pem  \
--fullchain-file /etc/letsencrypt/inbluemoon.com/rsa/fullchain.pem \
--cert-file      /etc/letsencrypt/inbluemoon.com/rsa/cert.pem \
--ca-file        /etc/letsencrypt/inbluemoon.com/rsa/chain.pem \
--reloadcmd     "nginx -s reload"
Apply for ECC certificate#
./acme.sh --issue --keylength ec-256 --dns dns_ali -d inbluemoon.com -d '*.inbluemoon.com'
Install the ECC certificate to the specified directory#
./acme.sh --installcert --ecc -d inbluemoon.com \
--key-file       /etc/letsencrypt/inbluemoon.com/ecc/privkey.pem  \
--fullchain-file /etc/letsencrypt/inbluemoon.com/ecc/fullchain.pem \
--cert-file      /etc/letsencrypt/inbluemoon.com/ecc/cert.pem \
--ca-file        /etc/letsencrypt/inbluemoon.com/ecc/chain.pem \
--reloadcmd     "nginx -s reload"
Automatic renewal#
./acme.sh --install-cronjob
Nginx configuration example#
server {

    listen      443 ssl http2;
    server_name www.inbluemoon.com;

    # ECC Cert
    ssl_certificate             /etc/letsencrypt/inbluemoon.com/ecc/fullchain.pem;
    ssl_certificate_key         /etc/letsencrypt/inbluemoon.com/ecc/privkey.pem;
    
    # RSA Cert
    ssl_certificate             /etc/letsencrypt/inbluemoon.com/rsa/fullchain.pem;
    ssl_certificate_key         /etc/letsencrypt/inbluemoon.com/rsa/rsa/privkey.pem;
    
    ssl_session_cache           shared:SSL:10m;
    ssl_session_timeout         30m;
    ssl_protocols               TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers   on;
    ssl_ciphers                 ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;

}
Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.