• debian+apache+acme_tiny+lets-encrypt configuration notes


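    Point the domains that need an SSL certificate at this server beforehand. This method works entirely through the API; the benefit is that it is clean and self-contained, requires no account registration, and does not leak personal information.
    Environment: debian7+apache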

    apt-get install apache2
    a2enmod rewrite
    a2enmod ssl
    apt-get install php5 php-pear
    vi /etc/apache2/sites-enabled/000-default
    ---------------------------000-default------------------------
    Alias /.well-known/acme-challenge/ /var/www/challenges/
    --------------------------------------------------------------
    mkdir /var/www/challenges
    
    mkdir /etc/apache2/ssl
    cd /etc/apache2/ssl
    openssl genrsa 4096 > account.key
    openssl genrsa 4096 > domain.key
    openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:domain.com,DNS:www.domain.com")) > domain.csr
    wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
    python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt
    wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
    
    --------------------------------------------------------------
    a2ensite default-ssl
    ------------------default-ssl---------------------------------
    SSLCertificateFile /etc/apache2/ssl/signed.crt
    SSLCertificateKeyFile /etc/apache2/ssl/domain.key
    SSLCertificateChainFile /etc/apache2/ssl/intermediate.pem
    --------------------------------------------------------------
    
    
    
    vi /etc/apache2/ssl/renew.sh
    ------------------------------renew.sh-------------------------
    #!/bin/bash
    
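    cd /etc/apache2/ssl || exit 1
    # Write to a temporary file first so a failed run does not truncate the live certificate
    python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt.tmp || exit 1
    mv ./signed.crt.tmp ./signed.crt
    wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
    /etc/init.d/apache2 reload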
    
    --------------------------------------------------------------
    
    crontab -e
    
    ------------------crontab--------------------------------
    0 0 1 * * /etc/apache2/ssl/renew.sh >/dev/null 2>&1
    --------------------------------------------------------------
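
A pre-install check that renew.sh could run on the newly issued file before it replaces signed.crt, added here as an example and not part of the original notes. The function names, the `.tmp` file name and the 30-day threshold are assumptions; `make_sample` builds a throwaway self-signed certificate as constructed test data.

```bash
#!/bin/bash
# Added example (not from the original notes): sanity-check a freshly issued
# certificate before it replaces the live file and Apache is reloaded.

# Succeeds only if the certificate's public key is the one derived from KEY.
cert_matches_key() {   # usage: cert_matches_key CERT KEY
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if CERT parses and stays valid for at least SECONDS more.
cert_valid_for() {     # usage: cert_valid_for CERT SECONDS
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Move NEW over LIVE only when both checks pass; otherwise leave LIVE untouched.
install_if_sane() {    # usage: install_if_sane NEW LIVE KEY [MIN_SECONDS]
    local new="$1" live="$2" key="$3" min="${4:-2592000}"   # default: 30 days
    if cert_matches_key "$new" "$key" && cert_valid_for "$new" "$min"; then
        mv "$new" "$live"
    else
        echo "refusing to install $new: key mismatch, parse error or short validity" >&2
        return 1
    fi
}

# Constructed sample data: a throwaway key and a 90-day self-signed certificate
# standing in for domain.key and the output of acme_tiny.py.
make_sample() {        # usage: make_sample DIR
    openssl genrsa -out "$1/domain.key" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$1/domain.key" -subj "/CN=example.test" \
        -days 90 -out "$1/signed.crt.tmp" 2>/dev/null
}
```

In a renewal script, `install_if_sane ./signed.crt.tmp ./signed.crt ./domain.key || exit 1` would sit between the acme_tiny.py call and the Apache reload.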
    

      nginx setup

    location /.well-known/acme-challenge/ {
            alias /var/www/challenges/;
    }
    cat signed.crt intermediate.pem > mysite.crt # merge the certificates
    
    
    nginx configuration
    ssl_certificate /root/bin/nginx/conf/custom/cert/mysite.crt;
    ssl_certificate_key /root/bin/nginx/conf/custom/cert/zorelworld.key;
  • Original URL: https://www.cnblogs.com/charie/p/5459344.html