root@www:/usr/ports # cd /usr/ports/security/letsencrypt.sh root@www:/usr/ports/security/letsencrypt.sh # make install ====> Compressing man pages (compress-man) ===> Installing for letsencrypt.sh-0.2.0 ===> Checking if letsencrypt.sh already installed ===> Registering installation for letsencrypt.sh-0.2.0 Installing letsencrypt.sh-0.2.0... To use this script you should copy the examples in /usr/local/etc/letsencrypt.sh/ and at least add a domain and a contact mail address. You should also copy the openssl.cnf.sample file in /usr/local/openssl so you won't get warnings about it missing. In order to run the script regularly to update the certificates add this line to /etc/periodic.conf weekly_letsencrypt_enable="YES" Additionally the following parameters can be added to /etc/periodic.conf To run the certification renenewal as a different user weekly_letsencrypt_user="_letsencrypt" To run a script after the renewal (as root) weekly_letsencrypt_deployscript="/usr/local/etc/letsencrypt.sh/deploy.sh"
Я добавил только одну строчку weekly_letsencrypt_enable="YES" — пусть скрипт работает от root.
в domains.txt добавим имена доменов и поддоменов
root@www:/usr/local/etc/letsencrypt.sh # cat domains.txt mneti.ru www.mneti.ru
В config.sh подправим WELLKNOWN — это обязательно: через эту папку веб-сервер отдаёт challenge-токены при проверке домена.
# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: $BASEDIR/.acme-challenges) #WELLKNOWN="${BASEDIR}/.acme-challenges" WELLKNOWN="/usr/local/www/nginx-mneti/.well-known/acme-challenge"
Иначе получим ошибку:
root@www:/usr/local/etc/letsencrypt.sh # /usr/local/bin/letsencrypt.sh -c # INFO: Using main config file /usr/local/etc/letsencrypt.sh/config.sh Processing mneti.ru with alternative names: www.mneti.ru + Signing domains... + Generating private key... + Generating signing request... + Requesting challenge for mneti.ru... + Requesting challenge for www.mneti.ru... + Responding to challenge for mneti.ru... ERROR: Challenge is invalid! (returned: invalid) (result: { "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:unauthorized",
root@www:/usr/local/etc/letsencrypt.sh # /usr/local/bin/letsencrypt.sh -c # INFO: Using main config file /usr/local/etc/letsencrypt.sh/config.sh Processing mneti.ru with alternative names: www.mneti.ru + Signing domains... + Generating private key... + Generating signing request... + Requesting challenge for mneti.ru... + Requesting challenge for www.mneti.ru... + Responding to challenge for mneti.ru... + Challenge is valid! + Responding to challenge for www.mneti.ru... + Challenge is valid! + Requesting certificate... + Checking certificate... + Done! + Creating fullchain.pem... + Done!
В конфиге виртуального хоста включим SSL, пропишем пути к сертификату и ключу и добавим редирект на https, если пришли по http.
# another virtual host using mix of IP-, name-, and port-based configuration # server { <------>listen 80; listen 443 ssl; <------>ssl_certificate /usr/local/etc/letsencrypt.sh/certs/mneti.ru/cert.pem; <------>ssl_certificate_key /usr/local/etc/letsencrypt.sh/certs/mneti.ru/privkey.pem; server_name mneti.ru *.mneti.ru; <------>access_log /var/log/nginx/mneti.access_log; error_log /var/log/nginx/mneti.error_log info; .... <------>if ($ssl_protocol = "") { <------> return 301 https://$server_name$request_uri; <------>} root /usr/local/www/nginx-mneti; index index.html index.htm index.php; location / { <--> try_files $uri $uri/ /index.php; <------>} location ~ \.php$ { <------> fastcgi_pass 127.0.0.1:9000; <------> fastcgi_index index.php; <------> fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; <------> fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root:/tmp:/var/tmp"; <------> include fastcgi_params; <------>} }
Обнаружилась проблема: часть мобильных браузеров сертификат не признавала, потому что им нужна полная цепочка — промежуточные сертификаты вплоть до корневого. Клиент letsencrypt.sh об этом позаботился (см. «Creating fullchain.pem» выше), так что просто заменим путь в конфиге nginx:
# ssl_certificate /usr/local/etc/letsencrypt.sh/certs/mneti.ru/cert.pem;
# cert.pem holds only the leaf certificate. fullchain.pem (written by letsencrypt.sh,
# see "Creating fullchain.pem" in the run above) also carries the intermediate CA
# certificates, so clients that cannot obtain the intermediates on their own -- the
# mobile browsers mentioned above -- can still build the chain up to a trusted root.
# The ssl_certificate_key line (privkey.pem) is unchanged; only the certificate path moves.
ssl_certificate /usr/local/etc/letsencrypt.sh/certs/mneti.ru/fullchain.pem;
С 01.08.2016 изменилась редакция лицензионного соглашения.
Для успешной работы скрипта нужно в config.sh указать: