Télécharger le script
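# Fetch acme.sh and register the ACME account (-m sets the account contact e-mail).
# NOTE(review): this clones and runs the tip of the default branch as root. Pin a
# release tag (git checkout <RELEASE_TAG>) and look over the checkout before
# executing it, as you would for any script run with full privileges.
git clone https://github.com/acmesh-official/acme.sh.git
# Stop here if the clone failed rather than running whatever ./acme.sh resolves to
# in the current directory.
cd ./acme.sh || exit 1
./acme.sh --install -m my@example.com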
Créer un certificat pour : monblog @ system-linux.fr
root@debian:~/acme.sh# ./acme.sh --issue -d monblog.system-linux.fr -d www.system-linux.fr -w /var/www/html/system-linux.fr/
[Mon Mar 6 18:13:18 UTC 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Mon Mar 6 18:13:18 UTC 2023] Creating domain key
[Mon Mar 6 18:13:18 UTC 2023] The domain key is here: /root/.acme.sh/monblog.system-linux.fr_ecc/monblog.system-linux.fr.key
[Mon Mar 6 18:13:18 UTC 2023] Multi domain='DNS:monblog.system-linux.fr,DNS:www.system-linux.fr'
[Mon Mar 6 18:13:18 UTC 2023] Getting domain auth token for each domain
[Mon Mar 6 18:13:19 UTC 2023] Getting webroot for domain='monblog.system-linux.fr'
[Mon Mar 6 18:13:19 UTC 2023] Getting webroot for domain='www.system-linux.fr'
[Mon Mar 6 18:13:19 UTC 2023] Verifying: monblog.system-linux.fr
[Mon Mar 6 18:13:20 UTC 2023] Processing, The CA is processing your order, please just wait. (1/30)
[Mon Mar 6 18:13:23 UTC 2023] Success
[Mon Mar 6 18:13:23 UTC 2023] Verifying: www.system-linux.fr
[Mon Mar 6 18:13:23 UTC 2023] Processing, The CA is processing your order, please just wait. (1/30)
[Mon Mar 6 18:13:27 UTC 2023] Success
[Mon Mar 6 18:13:27 UTC 2023] Verify finished, start to sign.
[Mon Mar 6 18:13:27 UTC 2023] Lets finalize the order.
[Mon Mar 6 18:13:27 UTC 2023] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/lgXhuraocj8xt_9q1QPuDw/finalize'
[Mon Mar 6 18:13:27 UTC 2023] Order status is processing, lets sleep and retry.
[Mon Mar 6 18:13:27 UTC 2023] Retry after: 15
[Mon Mar 6 18:13:43 UTC 2023] Polling order status: https://acme.zerossl.com/v2/DV90/order/lgXhuraocj8xt_9q1QPuDw
[Mon Mar 6 18:13:43 UTC 2023] Downloading cert.
[Mon Mar 6 18:13:43 UTC 2023] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/0c8FXKVkTcgbU55AGLze6Q'
[Mon Mar 6 18:13:43 UTC 2023] Cert success.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[Mon Mar 6 18:13:43 UTC 2023] Your cert is in: /root/.acme.sh/monblog.system-linux.fr_ecc/monblog.system-linux.fr.cer
[Mon Mar 6 18:13:43 UTC 2023] Your cert key is in: /root/.acme.sh/monblog.system-linux.fr_ecc/monblog.system-linux.fr.key
[Mon Mar 6 18:13:43 UTC 2023] The intermediate CA cert is in: /root/.acme.sh/monblog.system-linux.fr_ecc/ca.cer
[Mon Mar 6 18:13:43 UTC 2023] And the full chain certs is there: /root/.acme.sh/monblog.system-linux.fr_ecc/fullchain.cer
root@debian:~/acme.sh# ll /root/.acme.sh/
total 256
-rw-r--r-- 1 root root 259 Mar 8 07:29 account.conf
-rwxr-xr-x 1 root root 221906 Mar 6 18:11 acme.sh
-rw-r--r-- 1 root root 78 Mar 6 18:11 acme.sh.env
drwxr-xr-x 3 root root 4096 Mar 6 18:12 ca
drwxr-xr-x 2 root root 4096 Mar 6 18:11 deploy
drwxr-xr-x 2 root root 4096 Mar 6 18:11 dnsapi
-rw-r--r-- 1 root root 393 Mar 8 07:29 http.header
drwxr-xr-x 3 root root 4096 Mar 6 18:25 monblog.system-linux.fr_ecc
drwxr-xr-x 2 root root 4096 Mar 6 18:11 notify
Renouvellement automatique
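# Daily renewal check. The original line had unbalanced double quotes and would
# not parse; the path is now quoted as one word. --renew only re-issues when the
# certificate is due, so --force is deliberately left out: forcing a re-issue every
# night churns the key and burns the CA's rate limit. --ecc is required because the
# certificate was issued into the *_ecc directory (see the --issue output); without
# it acme.sh does not find the ECC certificate to renew. Only stdout is discarded,
# so failures on stderr still reach cron's mail. acme.sh --install normally
# registers its own daily --cron entry; check `crontab -l` before adding this one.
0 0 * * * "/root/.acme.sh/acme.sh" --renew -d monblog.system-linux.fr --ecc > /dev/null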
Poser les certificats là où vous désirez
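# Copy the issued files to where Apache reads them, then reload Apache.
# --ecc is required: the certificate lives in the *_ecc directory (see the --issue
# output above), and acme.sh only looks there when the flag is given; without it
# the domain is reported as not issued and nothing is copied.
# The destination directories must already exist — acme.sh does not create them.
# The key file is written with owner-only permissions (see the ls listing below);
# keep it that way when choosing the destination directory.
acme.sh --install-cert -d monblog.system-linux.fr --ecc \
  --cert-file /path/to/certfile/in/apache/cert.pem \
  --key-file /path/to/keyfile/in/apache/key.pem \
  --fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
  --reloadcmd "service apache2 force-reload"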
On voit donc que la commande acme.sh --install-cert n’est autre qu’un cp….
Attention le répertoire de destination doit exister…. Un wishlist ?
root@debian:~/acme.sh# ll
total 296
-rw-r--r-- 1 root root 1528 Mar 6 18:11 Dockerfile
-rw-r--r-- 1 root root 35149 Mar 6 18:11 LICENSE.md
-rw-r--r-- 1 root root 22468 Mar 6 18:11 README.md
-rwxr-xr-x 1 root root 221908 Mar 6 18:11 acme.sh
drwxr-xr-x 2 root root 4096 Mar 6 18:11 deploy
drwxr-xr-x 2 root root 4096 Mar 6 18:11 dnsapi
drwxr-xr-x 2 root root 4096 Mar 6 18:11 notify
root@debian:~/acme.sh# ll /etc/letsencrypt/live/monblog.system-linux.fr/02/
total 16
-rw-r--r-- 1 root root 1472 Mar 8 07:31 cert.pem
-rw-r--r-- 1 root root 4140 Mar 8 07:31 fullchain.pem
-rw------- 1 root root 227 Mar 8 07:31 key.pem
Conclusion
Il est donc assez simple de générer des certificats pour Apache/Nginx et autres….
Cependant, il vous reste la charge de créer la partie de configuration du service pour utiliser les certificats !
# Plain-HTTP vhost: its job is to send clients to HTTPS.
<VirtualHost *:80>
ServerAdmin user@system-linux.fr
ServerName system-linux.fr
DocumentRoot /var/www/html/system-linux.fr
<Directory "/var/www/html/system-linux.fr">
# AllowOverride All lets any .htaccess under the docroot change server config;
# tighten it if the site content is not fully trusted.
AllowOverride All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/system-linux.fr.error.log
CustomLog ${APACHE_LOG_DIR}/system-linux.fr.access.log combined
# Permanent redirect of the listed names to the same host over HTTPS.
# NOTE(review): the certificate issued above covers monblog.system-linux.fr and
# www.system-linux.fr only (see the Multi domain= line in the --issue output), so
# https://system-linux.fr is a name the certificate does not cover — add
# -d system-linux.fr to the --issue command or redirect to a covered name.
# NOTE(review): www.system-linux.fr is not in the RewriteCond list, so requests
# for it that reach this vhost stay on plain HTTP.
RewriteEngine on
RewriteCond %{SERVER_NAME} =system-linux.fr [OR]
RewriteCond %{SERVER_NAME} =monblog.system-linux.fr
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
# HTTPS vhost; only loaded when mod_ssl is enabled.
<IfModule mod_ssl.c>
# Shared OCSP stapling cache; a server-level directive, so it sits outside the vhost.
SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
<VirtualHost *:443>
ServerAdmin user@system-linux.fr
# NOTE(review): system-linux.fr is not among the names the certificate was issued
# for (only monblog.system-linux.fr and www.system-linux.fr, per the --issue
# output above); clients using this name get a name-mismatch error unless the
# apex is added to the --issue command.
ServerName system-linux.fr
DocumentRoot /var/www/html/system-linux.fr
<Directory "/var/www/html/system-linux.fr">
# AllowOverride All lets any .htaccess under the docroot change server config;
# tighten it if the site content is not fully trusted.
AllowOverride All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/system-linux.fr.error.log
CustomLog ${APACHE_LOG_DIR}/system-linux.fr.access.log combined
ServerAlias www.system-linux.fr
# Presumably certbot's TLS parameter file (protocols/ciphers); it must exist on
# this host or Apache will refuse to start — confirm.
Include /etc/letsencrypt/options-ssl-apache.conf
# HSTS for one year: browsers will insist on HTTPS for this host afterwards.
# The Header directives need mod_headers to be enabled.
Header always set Strict-Transport-Security "max-age=31536000"
SSLUseStapling on
# Ask browsers to fetch any http:// subresources of the page over https:// instead.
Header always set Content-Security-Policy upgrade-insecure-requests
ServerAlias monblog.system-linux.fr
# Full chain (leaf + intermediate) as written by --install-cert --fullchain-file.
SSLCertificateFile /etc/letsencrypt/live/monblog.system-linux.fr/fullchain.pem
# NOTE(review): the ls listing below shows the installed key as
# .../live/monblog.system-linux.fr/02/key.pem, not .../privkey.pem; confirm that
# this path matches what --install-cert actually wrote.
SSLCertificateKeyFile /etc/letsencrypt/live/monblog.system-linux.fr/privkey.pem
</VirtualHost>
</IfModule>
# NOTE(review): this is a second <VirtualHost *:80> for the same ServerName as the
# first one above, with the HTTPS redirect commented out. Apache hands a request to
# the first vhost it loaded that matches the name, so whichever of the two loads
# first wins; if this one does, port 80 is served in the clear with no redirect to
# HTTPS. It looks like an unintended copy (the comment about disabled rewrite rules
# reads like certbot's note for an HTTPS vhost) — drop it unless it is needed.
<IfModule mod_ssl.c>
<VirtualHost *:80>
ServerAdmin user@system-linux.fr
ServerName system-linux.fr
DocumentRoot /var/www/html/system-linux.fr
<Directory "/var/www/html/system-linux.fr">
AllowOverride All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/system-linux.fr.error.log
CustomLog ${APACHE_LOG_DIR}/system-linux.fr.access.log combined
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
# RewriteCond %{SERVER_NAME} =system-linux.fr [OR]
# RewriteCond %{SERVER_NAME} =monblog.system-linux.fr
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>