Related background knowledge
Let's Encrypt
Let's Encrypt is a certificate authority launched in the third quarter of 2015. Its aim is to automate certificate issuance so that the complex, manual process of creating and installing certificates disappears, to make TLS ubiquitous on web servers, and to provide free transport layer security (TLS) certificates for websites.
ACME
ACME, the Automatic Certificate Management Environment, is a protocol for issuing and renewing certificates automatically, without manual intervention.
The Internet Security Research Group (ISRG) originally designed ACME for its own certificate service. The certificate authority Let's Encrypt issues DV certificates for free through ACME. Today many other CAs, PKI vendors and browsers support the ACME protocol, for different types of certificates.
go-acme/lego
An ACME client and Go library, written in Go. It is abbreviated as lego below.
Using the lego client
Install
If you have a Go development environment, install lego with:
go install github.com/go-acme/lego/v4/cmd/lego@latest
If you do not have a Go development environment, download the latest CLI client from https://github.com/go-acme/lego/releases.
Issuing a certificate
Issuing a certificate requires proving ownership of the domain name. The ACME protocol provides two ways to prove it: http server verification and DNS verification.
http server verification
This method requires a server with a public IP. You also need root permissions on that server, because lego must listen on ports 80 and 443.
Assuming the domain that needs the certificate is example.com (a placeholder for your own domain), first point the domain's public DNS record at the server's public IP, then run on the server:
lego --email="you@example.com" --domains="example.com" --http run
This command starts an http server and listens on ports 80/443.
Let's Encrypt then makes an HTTP request to the domain (example.com here) to verify ownership. The process is automated; just wait.
After verification passes, the certificate is issued and written to ./.lego/certificates.
The certificate is valid for 3 months.
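What Let's Encrypt actually checks during http server verification is the HTTP-01 challenge of RFC 8555: the client serves, at /.well-known/acme-challenge/<token> on port 80, the "key authorization" token.<thumbprint>, where the thumbprint is the RFC 7638 hash of the ACME account key. The following is an added example (not code from this article or from the lego project) that builds that response for a P-256 account key and mirrors the CA-side comparison; the token is generated locally here, whereas in real ACME the CA chooses it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"log"
)

// ChallengePath is the URL path the CA fetches over plain HTTP (port 80).
func ChallengePath(token string) string {
	return "/.well-known/acme-challenge/" + token
}

// NewAccountKey generates a P-256 ACME account key (the key lego keeps per account).
func NewAccountKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// JWKThumbprint computes the RFC 7638 thumbprint of a P-256 public key:
// SHA-256 over the JSON of the required JWK members in lexicographic order
// ("crv","kty","x","y"), base64url-encoded without padding.
func JWKThumbprint(pub *ecdsa.PublicKey) (string, error) {
	if pub == nil || pub.Curve != elliptic.P256() {
		return "", fmt.Errorf("this example only handles P-256 account keys")
	}
	size := (pub.Curve.Params().BitSize + 7) / 8
	// Coordinates are fixed-width big-endian, left-padded with zeros.
	x := pub.X.FillBytes(make([]byte, size))
	y := pub.Y.FillBytes(make([]byte, size))
	// encoding/json emits struct fields in declaration order, so declaring
	// them alphabetically yields the canonical member order RFC 7638 requires.
	jwk := struct {
		Crv string `json:"crv"`
		Kty string `json:"kty"`
		X   string `json:"x"`
		Y   string `json:"y"`
	}{
		Crv: "P-256",
		Kty: "EC",
		X:   base64.RawURLEncoding.EncodeToString(x),
		Y:   base64.RawURLEncoding.EncodeToString(y),
	}
	b, err := json.Marshal(jwk)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return base64.RawURLEncoding.EncodeToString(sum[:]), nil
}

// KeyAuthorization is the body the client must serve at ChallengePath(token):
// token "." thumbprint(account key), per RFC 8555 section 8.1.
func KeyAuthorization(token string, pub *ecdsa.PublicKey) (string, error) {
	tp, err := JWKThumbprint(pub)
	if err != nil {
		return "", err
	}
	return token + "." + tp, nil
}

// VerifyKeyAuthorization mirrors the CA-side check: the body fetched from the
// domain must equal the key authorization for this token and account key.
func VerifyKeyAuthorization(served, token string, pub *ecdsa.PublicKey) (bool, error) {
	want, err := KeyAuthorization(token, pub)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare([]byte(served), []byte(want)) == 1, nil
}

// NewToken produces a random base64url token; constructed locally so the
// example runs offline (in real ACME the CA picks the token).
func NewToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

func main() {
	accountKey, err := NewAccountKey()
	if err != nil {
		log.Fatal(err)
	}
	token, err := NewToken()
	if err != nil {
		log.Fatal(err)
	}
	ka, err := KeyAuthorization(token, &accountKey.PublicKey)
	if err != nil {
		log.Fatal(err)
	}
	// example.com is a placeholder domain.
	fmt.Printf("serve at http://example.com%s\n%s\n", ChallengePath(token), ka)
	ok, _ := VerifyKeyAuthorization(ka, token, &accountKey.PublicKey)
	fmt.Println("CA-side check passes:", ok)
}
```

The point for operators: the response is bound to both the token and your account key, so a stale file left in .well-known/acme-challenge from another account or an old token is simply rejected, and the port-80 listener only needs to exist while validation runs.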
dns verification
lego's great convenience is that it integrates the DNS APIs of almost all common cloud providers, such as Cloudflare, Alibaba Cloud and Tencent Cloud. Set the provider's API key and secret and lego completes the DNS verification for you.
Take Tencent Cloud as an example (example.com below is a placeholder for your own domain):
Execute the following command:
TENCENTCLOUD_SECRET_ID=abcdefghijklmnopqrstuvwx \
TENCENTCLOUD_SECRET_KEY=your-secret-key \
lego --email you@example.com --dns tencentcloud --domains example.com run
This command calls Tencent Cloud's API to create the DNS verification record. After Let's Encrypt verifies it, lego writes the certificate to ./.lego/certificates and automatically deletes the DNS verification record for you.
Using the lego library
We can also use the lego library to generate certificates, or build on it to automate certificate generation and deployment. The library supports both http server verification and DNS verification. Complete, working code is given below.
The block commented "DNS verification" (Tencent Cloud) and the commented-out block "http server verification" are alternatives; use one of them.
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"fmt"
	"log"
	"os"

	"github.com/go-acme/lego/v4/certcrypto"
	"github.com/go-acme/lego/v4/certificate"
	"github.com/go-acme/lego/v4/lego"
	"github.com/go-acme/lego/v4/providers/dns/tencentcloud"
	"github.com/go-acme/lego/v4/registration"
)

// MyUser implements registration.User: the ACME account's contact email,
// its registration resource and its account key.
type MyUser struct {
	Email        string
	Registration *registration.Resource
	key          crypto.PrivateKey
}

func (u *MyUser) GetEmail() string                        { return u.Email }
func (u MyUser) GetRegistration() *registration.Resource { return u.Registration }
func (u *MyUser) GetPrivateKey() crypto.PrivateKey        { return u.key }

func main() {
	// Account key (not the certificate key). Persist it if you want to reuse the account.
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		log.Fatal(err)
	}

	myUser := MyUser{
		Email: "you@example.com", // placeholder: your contact address
		key:   privateKey,
	}

	config := lego.NewConfig(&myUser)
	config.Certificate.KeyType = certcrypto.RSA2048

	client, err := lego.NewClient(config)
	if err != nil {
		log.Fatal(err)
	}

	// DNS verification, Tencent Cloud as the example.
	// Prefer reading the credentials from the environment instead of hard-coding them.
	cfg := tencentcloud.NewDefaultConfig()
	cfg.SecretID = "abcdefghijklmnopqrstuvwx"
	cfg.SecretKey = "your-secret-key"
	p, err := tencentcloud.NewDNSProviderConfig(cfg)
	if err != nil {
		log.Fatal(err)
	}
	err = client.Challenge.SetDNS01Provider(p)
	if err != nil {
		log.Fatal(err)
	}

	// --------------------------------------------------------------------
	// http server verification: comment out the DNS block above, uncomment
	// the block below, and add these imports:
	//   "github.com/go-acme/lego/v4/challenge/http01"
	//   "github.com/go-acme/lego/v4/challenge/tlsalpn01"
	// err = client.Challenge.SetHTTP01Provider(http01.NewProviderServer("", "80"))
	// if err != nil {
	// 	log.Fatal(err)
	// }
	// err = client.Challenge.SetTLSALPN01Provider(tlsalpn01.NewProviderServer("", "443"))
	// if err != nil {
	// 	log.Fatal(err)
	// }
	// --------------------------------------------------------------------

	reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
	if err != nil {
		log.Fatal(err)
	}
	myUser.Registration = reg

	request := certificate.ObtainRequest{
		Domains: []string{"example.com"}, // placeholder: the domain to issue for
		Bundle:  true,
	}
	certificates, err := client.Certificate.Obtain(request)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%#v\n", certificates)

	// The private key is written owner-only; the public material may be world-readable.
	err = os.WriteFile("PrivateKey", certificates.PrivateKey, 0600)
	if err != nil {
		log.Fatal(err)
	}
	err = os.WriteFile("Certificate", certificates.Certificate, 0644)
	if err != nil {
		log.Fatal(err)
	}
	err = os.WriteFile("IssuerCertificate", certificates.IssuerCertificate, 0644)
	if err != nil {
		log.Fatal(err)
	}
	err = os.WriteFile("CSR", certificates.CSR, 0644)
	if err != nil {
		log.Fatal(err)
	}
}
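Because the issued certificate is only valid for 3 months, any deployment built on the code above needs a renewal decision. The following is an added example (not part of this article or the lego project) that parses the PEM bundle written as "Certificate" (or, by assumption, the ./.lego/certificates/<domain>.crt file the CLI writes), confirms the leaf actually covers the intended domain, and flags it for renewal once less than a chosen window of validity remains. When no file is present it falls back to a self-signed certificate constructed in memory, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// CertStatus summarises the leaf certificate found in a PEM bundle.
type CertStatus struct {
	CommonName   string
	DNSNames     []string
	NotAfter     time.Time
	Remaining    time.Duration
	CoversDomain bool // the certificate is valid for the domain we expect to serve
	NeedsRenewal bool // renewBefore or less of validity left (or already expired)
}

// CheckCertificate parses the first CERTIFICATE block of a PEM bundle (the leaf
// comes first in a bundled chain) and decides whether it should be renewed.
func CheckCertificate(bundle []byte, domain string, now time.Time, renewBefore time.Duration) (CertStatus, error) {
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			return CertStatus{}, errors.New("no CERTIFICATE block in bundle")
		}
		if block.Type != "CERTIFICATE" {
			continue // skip keys or other PEM types that may share the file
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return CertStatus{}, fmt.Errorf("parse certificate: %w", err)
		}
		remaining := cert.NotAfter.Sub(now)
		return CertStatus{
			CommonName:   cert.Subject.CommonName,
			DNSNames:     cert.DNSNames,
			NotAfter:     cert.NotAfter,
			Remaining:    remaining,
			CoversDomain: cert.VerifyHostname(domain) == nil,
			NeedsRenewal: remaining <= renewBefore,
		}, nil
	}
}

// SelfSignedPEM builds a throwaway self-signed certificate with the given validity
// window. It is constructed in memory only so the example runs offline and stands
// in for a CA-issued leaf; it is not usable for anything else.
func SelfSignedPEM(name string, notBefore time.Time, validity time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(validity),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	const domain = "example.com" // placeholder for the domain you issued for
	renewBefore := 30 * 24 * time.Hour

	// Assumed path of the CLI's output; adjust to wherever your certificate lives.
	bundle, err := os.ReadFile("./.lego/certificates/" + domain + ".crt")
	if err != nil {
		// Offline fallback: a constructed certificate issued 70 days ago for 90 days.
		bundle, err = SelfSignedPEM(domain, time.Now().Add(-70*24*time.Hour), 90*24*time.Hour)
		if err != nil {
			panic(err)
		}
	}
	st, err := CheckCertificate(bundle, domain, time.Now(), renewBefore)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s expires %s (%.0f days left), covers %s: %v, renew now: %v\n",
		st.CommonName, st.NotAfter.Format(time.RFC3339), st.Remaining.Hours()/24, domain, st.CoversDomain, st.NeedsRenewal)
}
```

A 30-day window before expiry leaves room for several retries if validation fails, and checking CoversDomain catches the case where a renewal job silently issued for the wrong name.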
This concludes the article on using go-acme/lego to issue certificates automatically. For more on automatic issuance with go-acme/lego, search my previous articles or continue with the related articles below. I hope everyone will keep supporting me!