06/19/2020 – 一江春水向东流

自签名证书详解

总结下来，其实生成证书就两句话：

DOMAIN='www.example.com'

SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"
openssl req -nodes -new -subj $SUBJECT -keyout $DOMAIN.key -out $DOMAIN.csr

printf "subjectAltName=DNS:localhost,IP:192.168.1.1" | \
openssl x509 -req -sha256 -days 3650 -in $DOMAIN.csr \
 -signkey $DOMAIN.key -out $DOMAIN.crt \
 -extfile /dev/stdin

DOMAIN='www.example.com'

SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"

openssl req -nodes -new -subj $SUBJECT -keyout $DOMAIN.key -out $DOMAIN.csr

printf "subjectAltName=DNS:localhost,IP:192.168.1.1" | \

openssl x509 -req -sha256 -days 3650 -in $DOMAIN.csr \

-signkey $DOMAIN.key -out $DOMAIN.crt \

-extfile /dev/stdin

———————————————- 有一个shell脚本来自动生成证书：

#!/bin/sh

# create self-signed server certificate:

read -p "Enter your domain [www.example.com]: " DOMAIN

echo "Create server key..."

openssl genrsa -des3 -out $DOMAIN.key 1024

echo "Create server certificate signing request..."

SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"

openssl req -new -subj $SUBJECT -key $DOMAIN.key -out $DOMAIN.csr

echo "Remove password..."

mv $DOMAIN.key $DOMAIN.origin.key
openssl rsa -in $DOMAIN.origin.key -out $DOMAIN.key

echo "Sign SSL certificate..."

openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt

echo "TODO:"
echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt"
echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key"
echo "Add configuration in nginx:"
echo "server {"
echo "    ..."
echo "    listen 443 ssl;"
echo "    ssl_certificate     /etc/nginx/ssl/$DOMAIN.crt;"
echo "    ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;"
echo "}"

#!/bin/sh

# create self-signed server certificate:

read -p "Enter your domain [www.example.com]: " DOMAIN

echo "Create server key..."

openssl genrsa -des3 -out $DOMAIN.key 1024

echo "Create server certificate signing request..."

SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"

openssl req -new -subj $SUBJECT -key $DOMAIN.key -out $DOMAIN.csr

echo "Remove password..."

mv $DOMAIN.key $DOMAIN.origin.key

openssl rsa -in $DOMAIN.origin.key -out $DOMAIN.key

echo "Sign SSL certificate..."

openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt

echo "TODO:"

echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt"

echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key"

echo "Add configuration in nginx:"

echo "server {"

echo " ..."

echo " listen 443 ssl;"

echo " ssl_certificate /etc/nginx/ssl/$DOMAIN.crt;"

echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;"

echo "}"

另一个脚本：

#!/bin/sh

domain='gpaas.yyuap.com'

# 生成证书和key的对应文件名
ca_file=${domain}.ca
key_file=${domain}.key
cert_file=${domain}.crt

printf "[req]
default_bits            = 4096
default_md              = sha256
prompt                  = no
encrypt_key             = no
string_mask = utf8only

distinguished_name      = cert_distinguished_name
req_extensions          = req_x509v3_extensions

# 将下面的信息替换成你的信息
[ cert_distinguished_name ]
C  = CN
ST = GD
L  = GZ
O  = yyuap
OU = yyuap
CN = gpaas.yyuap.com

[req_x509v3_extensions]
basicConstraints = critical,CA:true
subjectKeyIdentifier    = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical,digitalSignature,keyCertSign,cRLSign #,keyEncipherment
extendedKeyUsage  = critical,serverAuth #, clientAuth
subjectAltName=@alt_names

# 将下面的信息替换成你的信息, 如果无需绑定域名或IP, 可以将其多余删除
[alt_names]
DNS.1 = *.yyuap.com
IP.1 = 172.20.47.38
IP.2 = 127.0.0.1
" >$ca_file


openssl ecparam -out $key_file -name prime256v1 -genkey
openssl req -new -sha256 -x509 -days 7300 -config $ca_file -extensions req_x509v3_extensions -key $key_file -out $cert_file
openssl x509 -in $cert_file -serial -noout
openssl x509 -noout -text -in "$domain-cert.pem"
echo -e "\e[1m\e[34m基于openssl verify校验证书可用性:\e[0m"
# 返回ok字样代表自签名证书是有效的.
openssl verify -verbose -CAfile $cert_file $cert_file

echo -e "\e[1m\e[34m基于openssl s_server校验证书可用性:\e[0m"
openssl s_server -cert $cert_file -key $key_file -CAfile $cert_file -Verify 3 -accept 4430 -www &
openssl_pid=$!
# 测试证书有效性, 127.0.0.1可以改成alt_names中你想测试的域名或IP, 前提是被测试的域名需要被正确解析到本机.
# 返回Verify return code: 0 (ok)代表自签名证书是有效的.
echo 'GET /HTTP/1.1' | openssl s_client -connect 127.0.0.1:4430 -cert $cert_file -key $key_file -CAfile $cert_file
kill ${openssl_pid}

#!/bin/sh

domain='gpaas.yyuap.com'

# 生成证书和key的对应文件名

ca_file=${domain}.ca

key_file=${domain}.key

cert_file=${domain}.crt

printf "[req]

default_bits = 4096

default_md = sha256

prompt = no

encrypt_key = no

string_mask = utf8only

distinguished_name = cert_distinguished_name

req_extensions = req_x509v3_extensions

# 将下面的信息替换成你的信息

[ cert_distinguished_name ]

C = CN

ST = GD

L = GZ

O = yyuap

OU = yyuap

CN = gpaas.yyuap.com

[req_x509v3_extensions]

basicConstraints = critical,CA:true

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid:always,issuer

keyUsage = critical,digitalSignature,keyCertSign,cRLSign #,keyEncipherment

extendedKeyUsage = critical,serverAuth #, clientAuth

subjectAltName=@alt_names

# 将下面的信息替换成你的信息, 如果无需绑定域名或IP, 可以将其多余删除

[alt_names]

DNS.1 = *.yyuap.com

IP.1 = 172.20.47.38

IP.2 = 127.0.0.1

" >$ca_file

openssl ecparam -out $key_file -name prime256v1 -genkey

openssl req -new -sha256 -x509 -days 7300 -config $ca_file -extensions req_x509v3_extensions -key $key_file -out $cert_file

openssl x509 -in $cert_file -serial -noout

openssl x509 -noout -text -in "$domain-cert.pem"

echo -e "\e[1m\e[34m基于openssl verify校验证书可用性:\e[0m"

# 返回ok字样代表自签名证书是有效的.

openssl verify -verbose -CAfile $cert_file $cert_file

echo -e "\e[1m\e[34m基于openssl s_server校验证书可用性:\e[0m"

openssl s_server -cert $cert_file -key $key_file -CAfile $cert_file -Verify 3 -accept 4430 -www &

openssl_pid=$!

# 测试证书有效性, 127.0.0.1可以改成alt_names中你想测试的域名或IP, 前提是被测试的域名需要被正确解析到本机.

# 返回Verify return code: 0 (ok)代表自签名证书是有效的.

echo 'GET /HTTP/1.1' | openssl s_client -connect 127.0.0.1:4430 -cert $cert_file -key $key_file -CAfile $cert_file

kill ${openssl_pid}

参考：https://www.fullstackmemo.com/2018/05/10/openssl-gen-https-self-signed-cer/ nginx配置：

server {
    listen 80;
    server_name xxx.com gpaas.xxx.com;
    #return 301 https://$server_name$request_uri;
    #rewrite ^/(.*) https://$server_name$request_uri? permanent; # 80端口全部重定向到 https
    if ($scheme = http){
        return 301 https://$host$request_uri;
    }
}

    #启用 https, 使用 http/2 协议, nginx 1.9.11 启用 http/2 会有bug, 已在 1.9.12 版本中修复.
    listen 443 ssl http2;

    charset utf-8;
    server_name xxx.com gpaas.xxx.com;

    #告诉浏览器当前页面禁止被frame
    add_header X-Frame-Options DENY;
    #告诉浏览器不要猜测mime类型
    add_header X-Content-Type-Options nosniff;
    
    #证书路径
    ssl_certificate      cert/meaninglive.com/full_chain.pem;
    #私钥路径
    ssl_certificate_key  cert/meaninglive.com/private.key;

    #安全链接可选的加密协议
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #可选的加密算法,顺序很重要,越靠前的优先级越高.
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    #在 SSLv3 或 TLSv1 握手过程一般使用客户端的首选算法,如果启用下面的配置,则会使用服务器端的首选算法.
    ssl_prefer_server_ciphers on;
    #储存SSL会话的缓存类型和大小
    ssl_session_cache shared:SSL:10m;
    #缓存有效期
    ssl_session_timeout 60m;

server {

listen 80;

server_name xxx.com gpaas.xxx.com;

#return 301 https://$server_name$request_uri;

#rewrite ^/(.*) https://$server_name$request_uri? permanent; # 80端口全部重定向到 https

if ($scheme = http){

return 301 https://$host$request_uri;

}

#启用 https, 使用 http/2 协议, nginx 1.9.11 启用 http/2 会有bug, 已在 1.9.12 版本中修复.

listen 443 ssl http2;

charset utf-8;

server_name xxx.com gpaas.xxx.com;

#告诉浏览器当前页面禁止被frame

add_header X-Frame-Options DENY;

#告诉浏览器不要猜测mime类型

add_header X-Content-Type-Options nosniff;

#证书路径

ssl_certificate cert/meaninglive.com/full_chain.pem;

#私钥路径

ssl_certificate_key cert/meaninglive.com/private.key;

#安全链接可选的加密协议

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

#可选的加密算法,顺序很重要,越靠前的优先级越高.

ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

#在 SSLv3 或 TLSv1 握手过程一般使用客户端的首选算法,如果启用下面的配置,则会使用服务器端的首选算法.

ssl_prefer_server_ciphers on;

#储存SSL会话的缓存类型和大小

ssl_session_cache shared:SSL:10m;

#缓存有效期

ssl_session_timeout 60m;

—————证书知识补充——————————- 自签名证书 + Nginx 实现 HTTP 升级 HTTPS 很多内网平台在开发时候并没有考虑 HTTPS，想要从 HTTP 升级到 HTTPS 一般有两种方法：一种是更新所有相关前后端代码；另一种是基本不改变代码，用 Nginx 把 HTTPS 反向代理到 HTTP 接口。第一种方法工作量有点大，本文介绍下第二种方法，当然首先要做的是生成自签名证书。准备工作内网环境受影响的是软件安装升级和证书申请，所以需要制作本地 yum 和自签名证书，自签名证书稍后讲，制作本地 yum 库可参考链接内容， HTTPS 和 CA 基础知识查看这里。制作本地 yum 库，为了自动处理软件之间的依赖关系，一般都会用 yum 等软件包管理器来安装更新软件，默认 yum 是从互联网获取各种软件包的，内网环境就需要制作本地 yum Read more…

By sean, 5 years06/19/2020 ago

SECURITY

内网一键生成 LetsEncrypt HTTPS证书

HTTPS当前越来越重要，所以经常会有公司去花钱买，我们也一样，有时候确实需要https，但是收费的用不起，所以打起了免费的主义。 LetsEncrypt是不错的选择，但是我们如果在内网该如何克服呢，没错，使用ngrok。一键生成。 ngrok是在内网用户可以获得公网访问的一个非常棒的软件。找一台有公网地址的机器我们找到了假设是公网A 找一个域名，用于传输流量我们找到了，假设是ops.ac.cn，注意，ac.cn是域名哦，虽然是二级域名，但是ac.cn是中科院相关的域名机构。而且我们要设置泛域名 A记录到公网A 搭建ngrok 如下脚本一气呵成，胆儿大的可以直接试试。最终的目录是在/usr/local/ngrok下面

# 安装基本依赖
yum -y install zlib-devel openssl-devel perl hg cpio expat-devel gettext-devel curl curl-devel perl-ExtUtils-MakeMaker hg wget gcc gcc-c++
 asciidoc
yum remove -y git
wget https://www.kernel.org/pub/software/scm/git/git-2.6.0.tar.gz

tar zxvf git-2.6.0.tar.gz

cd git-2.6.0
make configure
./configure --prefix=/usr/local/git --with-iconv=/usr/local/libiconv
make all doc
make install install-doc install-html
echo "export PATH=$PATH:/usr/local/git/bin" >> /etc/bashrc
source /etc/bashrc

ln -s /usr/local/git/bin/* /usr/bin/


# 安装go环境
yum install -y mercurial bzr subversion

wget https://storage.googleapis.com/golang/go1.4.1.linux-amd64.tar.gz

tar -C /usr/local -xzf go1.4.1.linux-amd64.tar.gz

mkdir $HOME/go

echo 'export GOROOT=/usr/local/go' >> ~/.bashrc 

echo 'export GOPATH=$HOME/go' >> ~/.bashrc 

echo 'export PATH=$PATH:$GOROOT/bin:$GOPATH/bin' >> ~/.bashrc 

source $HOME/.bashrc 

ln -s /usr/local/go/bin/* /usr/bin/

# 编译ngrok
cd /usr/local/
git clone https://github.com/inconshreveable/ngrok.git
export GOPATH=/usr/local/ngrok/
export NGROK_DOMAIN="ops.ac.cn"
cd ngrok

# 为域名生成证书
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -subj "/CN=$NGROK_DOMAIN" -days 5000 -out rootCA.pem
openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj "/CN=$NGROK_DOMAIN" -out server.csr
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 5000


cp rootCA.pem assets/client/tls/ngrokroot.crt

cp server.crt assets/server/tls/snakeoil.crt

cp server.key assets/server/tls/snakeoil.key

sed '5 ilog "github.com/keepeye/log4go"' -i /usr/local/ngrok/src/ngrok/log/logger.go

# 编译服务端
cd /usr/local/go/src 
GOOS=linux GOARCH=amd64 ./make.bash
cd /usr/local/ngrok/
GOOS=linux GOARCH=amd64 make release-server
GOOS=linux GOARCH=amd64 make release-client

# 编译客户端
cd /usr/local/go/src
GOOS=darwin GOARCH=amd64 ./make.bash
cd /usr/local/ngrok/
GOOS=darwin GOARCH=amd64 make release-client

cd /usr/local/go/src
GOOS=windows GOARCH=amd64 ./make.bash
cd /usr/local/ngrok/
GOOS=windows GOARCH=amd64 make release-client

# 安装基本依赖

yum -y install zlib-devel openssl-devel perl hg cpio expat-devel gettext-devel curl curl-devel perl-ExtUtils-MakeMaker hg wget gcc gcc-c++

asciidoc

yum remove -y git

wget https://www.kernel.org/pub/software/scm/git/git-2.6.0.tar.gz

tar zxvf git-2.6.0.tar.gz

cd git-2.6.0

make configure

./configure --prefix=/usr/local/git --with-iconv=/usr/local/libiconv

make all doc

make install install-doc install-html

echo "export PATH=$PATH:/usr/local/git/bin" >> /etc/bashrc

source /etc/bashrc

ln -s /usr/local/git/bin/* /usr/bin/

# 安装go环境

yum install -y mercurial bzr subversion

wget https://storage.googleapis.com/golang/go1.4.1.linux-amd64.tar.gz

tar -C /usr/local -xzf go1.4.1.linux-amd64.tar.gz

mkdir $HOME/go

echo 'export GOROOT=/usr/local/go' >> ~/.bashrc

echo 'export GOPATH=$HOME/go' >> ~/.bashrc

echo 'export PATH=$PATH:$GOROOT/bin:$GOPATH/bin' >> ~/.bashrc

source $HOME/.bashrc

ln -s /usr/local/go/bin/* /usr/bin/

# 编译ngrok

cd /usr/local/

git clone https://github.com/inconshreveable/ngrok.git

export GOPATH=/usr/local/ngrok/

export NGROK_DOMAIN="ops.ac.cn"

cd ngrok

# 为域名生成证书

openssl genrsa -out rootCA.key 2048

openssl req -x509 -new -nodes -key rootCA.key -subj "/CN=$NGROK_DOMAIN" -days 5000 -out rootCA.pem

openssl genrsa -out server.key 2048

openssl req -new -key server.key -subj "/CN=$NGROK_DOMAIN" -out server.csr

openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 5000

cp rootCA.pem assets/client/tls/ngrokroot.crt

cp server.crt assets/server/tls/snakeoil.crt

cp server.key assets/server/tls/snakeoil.key

sed '5 ilog "github.com/keepeye/log4go"' -i /usr/local/ngrok/src/ngrok/log/logger.go

# 编译服务端

cd /usr/local/go/src

GOOS=linux GOARCH=amd64 ./make.bash

cd /usr/local/ngrok/

GOOS=linux GOARCH=amd64 make release-server

GOOS=linux GOARCH=amd64 make release-client

# 编译客户端

cd /usr/local/go/src

GOOS=darwin GOARCH=amd64 ./make.bash

cd /usr/local/ngrok/

GOOS=darwin GOARCH=amd64 make release-client

cd /usr/local/go/src

GOOS=windows GOARCH=amd64 ./make.bash

cd /usr/local/ngrok/

GOOS=windows GOARCH=amd64 make release-client

ngrok服务启动

#!/bin/bash

cd /usr/local/ngrok/
./bin/ngrokd -tlsKey="assets/server/tls/snakeoil.key" -tlsCrt="assets/server/tls/snakeoil.crt" -domain="ops.ac.cn"

#!/bin/bash

cd /usr/local/ngrok/

./bin/ngrokd -tlsKey="assets/server/tls/snakeoil.key" -tlsCrt="assets/server/tls/snakeoil.crt" -domain="ops.ac.cn"

客户端连接

# 配置文件准备
server_addr: "ops.ac.cn:4443"
trust_host_root_certs: false

# 配置文件准备

server_addr: "ops.ac.cn:4443"

trust_host_root_certs: false

ngrok出现”bad certificate”的原因： 1. 看准了， server_address居然是直接使用的主域名， 2. 编译出来的ngrok程序一定是使用和server相同的证书产生的。如果server编译出来的在本地运行的时候出现“segment fault“，那么可以尝试着将/usr/local/ngrok放到本地，然后运行编译客户端的几行代码重新编译即可。 3. 客户端启动的配置文件中，trust_host_root_certs选项，除非你的证书是第三方的，否则就乖乖的使用false吧 ssl脚本执行目录：/root/ssl/ www目录: /root/www/challenges ， python -m SimpleHTTPServer 80 sendemail放置地方：/root/ssl/sendemail ＨＴＴＰ服务器准备如果胆儿大，直接执行如下的内容即可

#!/bin/bash
# filepath: /root/ssl/a.sh

# 清场
ls | grep -v a.sh | grep -v sendemail | grep -v tar.gz | xargs -i rm -f {}

which openssl || (echo "没有找到openssl，开始安装"; yum install -y openssl)

# 创建一个目录
mkdir /root/ssl && echo "创建临时目录成功!" || (echo "创建临时目录失败";exit)

# 创建一个RSA私钥
openssl genrsa 4096 > account.key && echo "创建RSA私钥成功！" || (echo "创建RSA私钥失败!";exit)

# 创建另一个RSA私钥
openssl genrsa 4096 > domain.key && echo "创建另外一个私钥成功！" || (echo "创建另外一个RSA私钥失败！";exit)

#创建ECC私钥
openssl ecparam -genkey -name secp256r1 | openssl ec -out domain.key && echo "创建ECC私钥成功！" || (echo "创建ECC私钥失败！";exit)
openssl ecparam -genkey -name secp384r1 | openssl ec -out domain.key && echo "创建ECC私钥成功！" || (echo "创建ECC私钥失败！";exit)

#生成ＣＳＲ文件，有两种方式，我用的是第二种，但是第一种可以一次多申请几个，可以稍后测试
# In how many days should certificates expire?
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SD"
export KEY_CITY="JN"
export KEY_ORG="IIOT"
export KEY_EMAIL="zzlyzq@gmail.com"
export KEY_OU="CloudPlatform"

#openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:yoursite.com,DNS:www.yoursite.com")) > domain.csr
openssl req -new -sha256 -key domain.key -out domain.csr

# 配置验证服务，为啥要这么说呢，因为letsencrypt给的也是DV，也就是域名验证，我们运行软件申请的时候，本身python脚本会在本地写一个随机数到一个随机文件，它们官方会从远端经过公网DNS解析并去获取这个文件，如果一致，就说明这个站点是我们的，也就可以申请证书了。
[ -d "~/www/challenges" ] || mkdir -p ~/www/challenges/
# 另外，还需要两个步骤，最后会说明为啥要这两个步骤。
mkdir /root/www/challenges/.well-known/ -p
ln -s /root/www/challenges/ /root/www/challenges/.well-known/acme-challenge

# 接下来我们就要下载python脚本，并去申请证书了
wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py

#　在执行下面之前，我们可以打开网站，最简单的就是使用python
#nohup python -m SimpleHTTPServer 80&
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir ~/www/challenges/ > ./signed.crt

# 如果一切正常，我们会看到signed.crt这个就是我们的证书了。

# 另外，我们还需要letsencrypt的中间证书，我也不知道啥意思，反正是需要一个官网的东西
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
wget -O - https://letsencrypt.org/certs/isrgrootx1.pem > root.pem
cat intermediate.pem root.pem > full_chained.pem

# 打包发送
tar czvf crt.tar.gz chained.pem domain.key
./sendemail -f 123@vip.126.com -t 123@iiot.ac.cn -s smtp.vip.126.com -u "证书快递" -xu 123 -xp 123 -m "证书For域名：XX生成成功" -a crt.tar.gz -o message-charset=utf-8

#!/bin/bash

# filepath: /root/ssl/a.sh

# 清场

ls | grep -v a.sh | grep -v sendemail | grep -v tar.gz | xargs -i rm -f {}

which openssl || (echo "没有找到openssl，开始安装"; yum install -y openssl)

# 创建一个目录

mkdir /root/ssl && echo "创建临时目录成功!" || (echo "创建临时目录失败";exit)

# 创建一个RSA私钥

openssl genrsa 4096 > account.key && echo "创建RSA私钥成功！" || (echo "创建RSA私钥失败!";exit)

# 创建另一个RSA私钥

openssl genrsa 4096 > domain.key && echo "创建另外一个私钥成功！" || (echo "创建另外一个RSA私钥失败！";exit)

#创建ECC私钥

openssl ecparam -genkey -name secp256r1 | openssl ec -out domain.key && echo "创建ECC私钥成功！" || (echo "创建ECC私钥失败！";exit)

openssl ecparam -genkey -name secp384r1 | openssl ec -out domain.key && echo "创建ECC私钥成功！" || (echo "创建ECC私钥失败！";exit)

#生成ＣＳＲ文件，有两种方式，我用的是第二种，但是第一种可以一次多申请几个，可以稍后测试

# In how many days should certificates expire?

export KEY_EXPIRE=3650

export KEY_COUNTRY="CN"

export KEY_PROVINCE="SD"

export KEY_CITY="JN"

export KEY_ORG="IIOT"

export KEY_EMAIL="zzlyzq@gmail.com"

export KEY_OU="CloudPlatform"

#openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:yoursite.com,DNS:www.yoursite.com")) > domain.csr

openssl req -new -sha256 -key domain.key -out domain.csr

# 配置验证服务，为啥要这么说呢，因为letsencrypt给的也是DV，也就是域名验证，我们运行软件申请的时候，本身python脚本会在本地写一个随机数到一个随机文件，它们官方会从远端经过公网DNS解析并去获取这个文件，如果一致，就说明这个站点是我们的，也就可以申请证书了。

[ -d "~/www/challenges" ] || mkdir -p ~/www/challenges/

# 另外，还需要两个步骤，最后会说明为啥要这两个步骤。

mkdir /root/www/challenges/.well-known/ -p

ln -s /root/www/challenges/ /root/www/challenges/.well-known/acme-challenge

# 接下来我们就要下载python脚本，并去申请证书了

wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py

#　在执行下面之前，我们可以打开网站，最简单的就是使用python

#nohup python -m SimpleHTTPServer 80&

python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir ~/www/challenges/ > ./signed.crt

# 如果一切正常，我们会看到signed.crt这个就是我们的证书了。

# 另外，我们还需要letsencrypt的中间证书，我也不知道啥意思，反正是需要一个官网的东西

wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem

cat signed.crt intermediate.pem > chained.pem

wget -O - https://letsencrypt.org/certs/isrgrootx1.pem > root.pem

cat intermediate.pem root.pem > full_chained.pem

# 打包发送

tar czvf crt.tar.gz chained.pem domain.key

./sendemail -f 123@vip.126.com -t 123@iiot.ac.cn -s smtp.vip.126.com -u "证书快递" -xu 123 -xp 123 -m "证书For域名：XX生成成功" -a crt.tar.gz -o message-charset=utf-8

生成的时候会要求输入一些东西，比如国家，省会，城市，公司名称，common name最重要，这个就是域名哦。生成完成后，会自动打包发送邮件。转自： https://blog.csdn.net/vbaspdelphi/article/details/53185943 可参考：https://learnku.com/articles/19999

By sean, 5 years06/19/2020 ago

June 19, 2020

SECURITY

自签名证书详解

SECURITY

内网一键生成 LetsEncrypt HTTPS证书