使用acme.sh配置HTTPS
Nginx 服务器安装（如果已有 Nginx，请跳过此步骤）
yum install epel-release
yum update
yum install nginx
使用
- 启动
systemctl start nginx
- 停止
systemctl stop nginx
- 重启
systemctl restart nginx
- 查看运行状态
systemctl status nginx
- 开机启动
systemctl enable nginx
Nginx 配置certbot
生成证书
使用
yum install certbot
certbot certonly --webroot -w /usr/share/nginx/html/ -d xxxx.com
#如果看到下列的输出,就证明证书已经生成成功了:
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/xxxx.com/fullchain.pem. Your cert will expire on 20XX-09-23. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
编辑 nginx 配置文件
vi /etc/nginx/nginx.conf
server {
    listen 80;
    server_name xxx.com;
    # Redirect every plain-HTTP request to HTTPS (http 自动跳转到 https).
    # NOTE(review): $http_host is the client-supplied Host header, so whatever a
    # client sends ends up in the Location header of this redirect; $host (or the
    # configured server_name) is the safer choice for the redirect target.
    rewrite ^ https://$http_host$request_uri? permanent;
    # root /home/www;
    #return 301 https://$http_host$request_uri;
}
server {
    listen 443 ssl;
    # Certificate files as written by the certbot certonly step above.
    ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
    # NOTE(review): ssl_trusted_certificate appears to matter only when OCSP stapling
    # verification or client-certificate auth is enabled; neither is configured here.
    ssl_trusted_certificate /etc/letsencrypt/live/xxx.com/chain.pem;
    keepalive_timeout 70;
    server_name xxx.com;
    # root /home/www;
    # Hide the nginx version in response headers so attackers cannot pick
    # version-specific flaws from it.
    server_tokens off;
    # If the whole site is HTTPS and plain HTTP is not needed, HSTS tells the browser
    # that this site is fully encrypted and forces HTTPS for every visit.
    #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    # ......
    # Tell the FastCGI backend the request arrived over HTTPS.
    fastcgi_param HTTPS on;
    fastcgi_param HTTP_SCHEME https;
    access_log /var/log/nginx/xxx.com.access.log;
    error_log /var/log/nginx/xxx.com.error.log;
}
重启 nginx
systemctl restart nginx
重启 certbot 自动更新
模拟更新
sudo certbot renew --dry-run
# 看到如下输出证明模拟更新成功
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/your.domain.com.conf
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/xxxx.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
实现自动化
sudo crontab -e
#添加配置,每周一半夜3点00分执行renew:
# Runs `certbot renew` at 03:00 every Monday (minute 0, hour 3, weekday 1).
# NOTE(review): `certbot renew` only writes the new files; nginx keeps serving the
# old certificate until it is reloaded, so add a reload step (e.g. a --deploy-hook
# that reloads nginx) or the renewed certificate will not take effect.
# Only stdout is appended to the log file; stderr goes wherever cron delivers it
# unless `2>&1` is added.
00 3 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log
acme.sh安装
# Installs acme.sh by piping the remote installer straight into sh.
# NOTE(review): whatever the server returns runs immediately with this user's
# privileges; downloading the script to a file and reading it before running it
# is the safer practice.
curl https://get.acme.sh | sh
# Lets the following steps call the installed script as `acme.sh`; an alias set
# this way lasts for the current shell session unless added to the shell rc file.
alias acme.sh=~/.acme.sh/acme.sh
创建证书
# Issues one certificate covering both names, using webroot validation:
# presumably the ACME challenge files are placed under /home/www/, so nginx
# must already serve that directory for xxx.com — verify before running.
acme.sh --issue -d xxx.com -d www.xxx.com --webroot /home/www/
拷贝证书
# Copies the issued key and full chain into nginx's ssl directory and reloads
# nginx once they are in place.
# NOTE(review): the private key lands in /etc/nginx/ssl; confirm the directory
# exists and is not readable by other users before running this.
acme.sh --installcert -d xxx.com \
  --key-file /etc/nginx/ssl/xxx.com.key \
  --fullchain-file /etc/nginx/ssl/fullchain.cer \
  --reloadcmd "service nginx force-reload"
vi /etc/nginx/nginx.conf
server {
    listen 80;
    server_name lanten.me www.lanten.me;
    # Permanent redirect of all plain-HTTP traffic to HTTPS.
    # NOTE(review): $http_host echoes the client-supplied Host header into the
    # redirect target; $host is the safer choice here.
    return 301 https://$http_host$request_uri;
}
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name lanten.me www.lanten.me;
    # Files written by the acme.sh --installcert step above; xxx.com there
    # presumably stands for lanten.me here — the key file name must match.
    ssl_certificate "/etc/nginx/ssl/fullchain.cer";
    ssl_certificate_key "/etc/nginx/ssl/lanten.me.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    # NOTE(review): no ssl_protocols directive is set, so the nginx build's default
    # applies; pin it (e.g. `ssl_protocols TLSv1.2 TLSv1.3;`) if older protocol
    # versions must be excluded.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    root /home/www/;
    # Serve the requested file if it exists, otherwise fall back to /index.html.
    try_files $uri /index.html;
}