Let’s Encrypt is a free, open, and automated certificate authority, and many websites already use its certificates for HTTPS. I use it all the time too, but until now only with single-domain certificates, so every new site meant applying afresh, which was a hassle. Now Let’s Encrypt also issues wildcard certificates.

There is more than one client for obtaining Let’s Encrypt certificates; I have used certbot and acme.sh. When I used certbot to apply, I had to stop the service on port 80, which was not friendly. This article shows how to use acme.sh to obtain a wildcard certificate for a domain on its own.

The acme.sh project lives at github.com/acmesh-offi… ; this article follows the official documentation.

1. Install

  • 1. Install socat and curl. Debian/Ubuntu and Alpine are used as examples:

    ```sh
    apt install socat curl   # Debian/Ubuntu
    apk add socat curl       # Alpine
    ```

  • 2. Install acme.sh:

    ```sh
    curl https://get.acme.sh | sh
    ```

    After the installation completes, acme.sh lives in ~/.acme.sh in your home directory; the installer also adds an alias to your shell profile and a cron job that renews certificates automatically. Piping a remote script into sh means trusting get.acme.sh; if that is not acceptable, clone the repository and run ./acme.sh --install instead.

2. Generate a certificate

  • 1. Configure the DNS provider’s AccessKey

You can add the DNS validation record by hand when applying for a certificate, but letting acme.sh call your DNS provider’s API to create the TXT record automatically is far more convenient, and it is what makes unattended renewal possible (Let’s Encrypt certificates are valid for 90 days). Note that wildcard certificates can only be validated with the DNS-01 challenge, so HTTP validation on port 80 is not an option here.

Pick the DNS API module that matches your DNS provider from the list at github.com/acmesh-offi…

First obtain an AccessKey from the DNS provider; acme.sh uses it as the credential for the API calls. My domain is registered with Alibaba Cloud (Aliyun), so that is the example here; an AccessKey can be created at usercenter.console.aliyun.com/#/manage/ak.

You can use the AccessKey of the main account or of a RAM sub-account. The main account’s AccessKey carries every permission on the Alibaba Cloud account, so use a sub-account instead: grant it only DNS permissions (for example the AliyunDNSFullAccess policy), so that whoever recovers the key from the server gets no more than the ability to edit DNS records. Generate the AccessKey ID and AccessKey Secret for that sub-account.

Export the AccessKey ID and AccessKey Secret as environment variables (the values below are the author’s example values; substitute your own):

```sh
export Ali_Key="LTAI4GCqsh91TURz3hzNkapp"
export Ali_Secret="hyddKq5Dm9OBfpCftGRP9Uo3vcFRaa"
```

acme.sh reads Ali_Key and Ali_Secret on the first --issue and saves them to ~/.acme.sh/account.conf so that later renewals work without exporting them again. That file therefore holds a live credential: keep it readable only by the user that runs acme.sh, and rotate the key in the Alibaba Cloud console if the server is ever compromised.
  • 2. Issue the certificate

Once the variables are set, issue the certificate with:

```sh
~/.acme.sh/acme.sh --issue --dns dns_ali -d jkdev.cn -d '*.jkdev.cn' --server letsencrypt
```

Quote the wildcard so the shell does not try to expand *.jkdev.cn as a file glob. The --server letsencrypt flag matters on current acme.sh releases, whose default CA is ZeroSSL rather than Let’s Encrypt.

The result is a single certificate with two names in its Subject Alternative Name list: jkdev.cn itself and the wildcard *.jkdev.cn for its direct subdomains. Both are needed, because a wildcard stands for exactly one label: it matches www.jkdev.cn but neither the bare jkdev.cn nor a.b.jkdev.cn. During issuance acme.sh calls the provider API to add a TXT record at _acme-challenge.jkdev.cn for the DNS-01 challenge and deletes the record again once validation passes; the whole process is transparent to us. The certificate files end up under ~/.acme.sh/ in a directory named after the first -d domain.

Note: if your domain is not hosted on Alibaba Cloud DNS, the command above will not work as-is; pick the matching dns_* module from the DNS API list referenced in 2 (1).
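To see why the --issue command needs both names, here is an added shell example (not from the original post and not part of acme.sh) that decides whether a certificate’s DNS SAN entries cover a hostname under the wildcard rules browsers apply: a `*` stands for exactly one label and never matches the bare apex. The SAN list in the demo is constructed to match the command above; the `cert_sans` helper, which assumes an openssl 1.1.1 or newer binary, extracts the real list from the fullchain.cer that acme.sh wrote.

```sh
#!/bin/sh
# Added example: hostname-vs-SAN matching with single-label wildcard semantics.
# Not from the original post or from acme.sh; openssl is assumed only for cert_sans.

# san_covers SAN HOST -> exit 0 if the single SAN entry covers HOST
san_covers() {
  san=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case $san in
    \*.*)
      base=${san#\*.}           # "*.jkdev.cn" -> "jkdev.cn"
      rest=${host%".$base"}     # "www.jkdev.cn" -> "www"; unchanged if HOST does not end in ".$base"
      # HOST must end in ".$base", and what precedes it must be exactly one non-empty label
      [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]
      ;;
    *)
      [ "$san" = "$host" ]
      ;;
  esac
}

# cert_covers "SAN1 SAN2 ..." HOST -> exit 0 if any SAN in the list covers HOST
cert_covers() (
  set -f                      # no pathname expansion while splitting the list ("*.jkdev.cn" stays literal)
  for san in $1; do
    san_covers "$san" "$2" && return 0
  done
  return 1
)

# cert_sans FILE -> DNS SANs of a PEM certificate, space separated (openssl 1.1.1+)
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' | tr '\n' ' '
}

# Demo on a constructed SAN list that mirrors "-d jkdev.cn -d '*.jkdev.cn'".
SANS="jkdev.cn *.jkdev.cn"
for h in jkdev.cn www.jkdev.cn a.b.jkdev.cn xjkdev.cn; do
  if cert_covers "$SANS" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
```

Against a real certificate, run `cert_covers "$(cert_sans ~/.acme.sh/jkdev.cn*/fullchain.cer)" www.jkdev.cn`; if you had issued with only the wildcard, the bare jkdev.cn would report NOT covered, which is exactly the browser error you would see.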

3. Deploy the HTTPS site

The certificate can be used with Apache, Nginx and other servers. I use Apache and share my configuration here. Do not point the web server directly at the files under ~/.acme.sh, which acme.sh treats as internal; use acme.sh --install-cert with --key-file, --fullchain-file and --reloadcmd to copy the files into place and reload Apache, so that every automatic renewal actually reaches the running server.

```apache
<VirtualHost _default_:443>
    DocumentRoot "/var/www/html/www"
    ServerName www.jkdev.cn
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/ssl/test.phy/*.phy.xyz.cer
    SSLCertificateKeyFile   /etc/letsencrypt/live/ssl/test.phy/*.phy.xyz.key
    SSLCertificateChainFile /etc/letsencrypt/live/ssl/test.phy/fullchain.cer
    <Directory "/var/www/html/www">
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
        ErrorDocument 404 https://www.jkdev.cn/404.html
    </Directory>
</VirtualHost>
```

The three file paths are from the author’s own setup for a different domain (*.phy.xyz); replace them with wherever --install-cert copied the jkdev.cn files. SSLCertificateChainFile is deprecated since Apache 2.4.8: point SSLCertificateFile at fullchain.cer instead and drop the chain line. Options Indexes enables directory listings for any directory without an index file, so remove it unless you want that. Keep the private key file readable by root only; Apache reads it before dropping privileges.

If you have any questions, leave a comment for the blogger!