
Configuring HTTPS with acme.sh

Installing the Nginx server

If Nginx is already installed, skip this step.

yum install epel-release
yum update
yum install nginx

Usage

  • Start: systemctl start nginx
  • Stop: systemctl stop nginx
  • Restart: systemctl restart nginx
  • Check status: systemctl status nginx
  • Enable at boot: systemctl enable nginx

Nginx configuration

Generating a certificate with certbot

yum install certbot
certbot certonly --webroot -w /usr/share/nginx/html/ -d xxxx.com

The webroot plugin writes the ACME challenge file under /usr/share/nginx/html/.well-known/acme-challenge/, so Nginx must already be serving that directory over plain HTTP (port 80) for the domain being validated; otherwise the challenge fails.

# Output like the following means the certificate was issued successfully:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/xxxx.com/fullchain.pem. Your cert will expire on
   20XX-09-23. To obtain a new or tweaked version of this certificate in the
   future, simply run certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Editing the Nginx configuration file

vi /etc/nginx/nginx.conf

server {
    listen       80;
    server_name  xxx.com;
    # Redirect HTTP to HTTPS. Both variants below copy the client-supplied Host
    # header into the Location header; if this is the only server block on port
    # 80 it also answers requests for other Host values, so hard-code the
    # hostname instead (https://xxx.com$request_uri) if that matters.
    rewrite ^ https://$http_host$request_uri? permanent;
    # root /home/www;
    # return 301 https://$http_host$request_uri;
}

server {
    listen 443 ssl;
    ssl_certificate     /etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
    # chain.pem is the intermediate chain, used to verify OCSP responses when
    # ssl_stapling / ssl_stapling_verify are enabled
    ssl_trusted_certificate /etc/letsencrypt/live/xxx.com/chain.pem;
    keepalive_timeout   70;
    server_name xxx.com;
    # root /home/www;

    # Do not reveal the Nginx version in the Server header and error pages, so
    # attackers cannot match it against known version-specific vulnerabilities
    server_tokens off;
    # If the whole site is HTTPS-only, HSTS tells browsers to always use HTTPS
    # for this host (and its subdomains). Enable it only once everything works
    # over HTTPS: browsers cache the policy for max-age seconds.
    # add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    # ......
    fastcgi_param   HTTPS               on;
    fastcgi_param   HTTP_SCHEME         https;

    access_log      /var/log/nginx/xxx.com.access.log;
    error_log       /var/log/nginx/xxx.com.error.log;
}

Restarting Nginx

systemctl restart nginx

Setting up certbot auto-renewal

Dry-run renewal

sudo certbot renew --dry-run

# Output like the following means the simulated renewal succeeded:
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/your.domain.com.conf
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/xxxx.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

Automating renewal

sudo crontab -e

# Add this line to run renew every Monday at 03:00. Let's Encrypt certificates
# are valid for 90 days and certbot only renews those with fewer than 30 days
# left, so a weekly run is enough.
# certbot renew only replaces the files under /etc/letsencrypt/live/; Nginx keeps
# serving the old certificate from memory until it is reloaded, so reload it
# from a deploy hook (the hook runs only when a certificate was actually renewed).
00 3 * * 1 /usr/bin/certbot renew --deploy-hook "systemctl reload nginx" >> /var/log/le-renew.log 2>&1

Before adding this, check systemctl list-timers: some distribution packages of certbot already ship a renewal timer, and two schedulers renewing the same certificate is pointless.

acme.sh

Install

curl https://get.acme.sh | sh
alias acme.sh=~/.acme.sh/acme.sh

The installer also adds a cron job for the current user that runs acme.sh --cron once a day; that job is what renews the certificates later. Piping a remote script straight into sh runs whatever the server returns, so download and read it first if the host matters. Since version 3.0 (August 2021) acme.sh defaults to ZeroSSL as its CA; pass --server letsencrypt to --issue (or run acme.sh --set-default-ca --server letsencrypt once) to keep using Let's Encrypt.

Issue a certificate

acme.sh --issue -d xxx.com -d www.xxx.com --webroot /home/www/

Install (copy) the certificate

Do not point Nginx at the files under ~/.acme.sh/ directly: their layout is internal to acme.sh and may change. Use --installcert (spelled --install-cert in current versions; both are accepted) to copy them to a stable location and to register a reload command that acme.sh runs after every successful renewal. On a systemd host such as CentOS 7, systemctl reload nginx is the equivalent of the service call below.

acme.sh --installcert -d xxx.com \
        --key-file        /etc/nginx/ssl/xxx.com.key \
        --fullchain-file  /etc/nginx/ssl/fullchain.cer \
        --reloadcmd       "service nginx force-reload"

vi /etc/nginx/nginx.conf

    server {
        listen       80;
        server_name  lanten.me www.lanten.me;
        return 301 https://$http_host$request_uri;
    }
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  lanten.me www.lanten.me;

        # The files written by acme.sh --installcert above (xxx.com stands for lanten.me)
        ssl_certificate     "/etc/nginx/ssl/fullchain.cer";
        ssl_certificate_key "/etc/nginx/ssl/lanten.me.key";

        ssl_session_cache   shared:SSL:1m;
        ssl_session_timeout 10m;
        # Without ssl_protocols, older Nginx builds still accept TLSv1 and TLSv1.1.
        # TLSv1.3 needs Nginx 1.13+ built against OpenSSL 1.1.1+.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        root /home/www/;
        try_files $uri /index.html;
    }

acme.sh renews the certificate automatically before it expires: the daily cron job installed above renews each certificate after 60 days by default (Let's Encrypt certificates are valid for 90), and then runs the --reloadcmd registered with --installcert. acme.sh --list shows the certificates it manages and their next renewal time; crontab -l shows the job.
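Both renewal paths on this page end in a reload command (the certbot cron line and the acme.sh --reloadcmd), but neither checks that the files Nginx is about to load are really a fresh, matching certificate and key, and a reload onto a broken pair or a bad config takes the site down. The hook below is an added example, not code from this page, from certbot or from acme.sh: it verifies that the private key belongs to the certificate, refuses to reload if the certificate still expires within MIN_DAYS (which means the renewal did not actually happen), runs nginx -t, and only then reloads. The default file paths are assumptions copied from the page's --installcert line; override them through the environment (for certbot, the /etc/letsencrypt/live/... paths). The served_cert_fresh function needs network access and only exists to check a live host after the fact; the offline checks do not call it.

```shell
#!/bin/sh
# reload-hook.sh: verify a freshly renewed certificate before reloading Nginx.
# Added example; not part of the original page, certbot or acme.sh.
# Paths are assumptions taken from the page's --installcert line:
CERT_FILE="${CERT_FILE:-/etc/nginx/ssl/fullchain.cer}"
KEY_FILE="${KEY_FILE:-/etc/nginx/ssl/xxx.com.key}"
MIN_DAYS="${MIN_DAYS:-30}"   # a just-renewed Let's Encrypt cert has ~90 days left

# Print the notAfter date of the certificate in $1, for log messages.
not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 if the certificate in $1 expires within the next $2 days.
# "openssl x509 -checkend" exits 0 when the cert will NOT expire in that
# window, so the result is inverted. A missing/unreadable file also counts
# as "expiring", which is the safe answer for a hook.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Return 0 if the private key in $2 belongs to the certificate in $1.
# Comparing the encoded public keys works for RSA and ECDSA keys alike,
# unlike the RSA-only "-modulus" comparison.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Fetch the certificate a live server presents for hostname $1 (needs network)
# and exit 0 only if it is not about to expire, i.e. the reload really took.
served_cert_fresh() {
    tmp=$(mktemp)
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$tmp" 2>/dev/null
    ! expires_within_days "$tmp" "$MIN_DAYS"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# The hook itself: never reload Nginx onto a mismatched pair, onto a
# certificate that is still about to expire, or with a config that fails nginx -t.
deploy() {
    if ! cert_key_match "$CERT_FILE" "$KEY_FILE"; then
        echo "refusing reload: $KEY_FILE does not match $CERT_FILE" >&2
        return 1
    fi
    if expires_within_days "$CERT_FILE" "$MIN_DAYS"; then
        echo "refusing reload: $CERT_FILE still expires on $(not_after "$CERT_FILE")" >&2
        return 1
    fi
    nginx -t 2>&1 || return 1      # a bad config plus a reload stops serving
    systemctl reload nginx
}

# Invoke as "reload-hook.sh deploy" from the renewal tool, or
# "reload-hook.sh check lanten.me" by hand to inspect the live server.
case "${1:-}" in
    deploy) deploy ;;
    check)  served_cert_fresh "$2" ;;
esac
```

Install it as /usr/local/bin/reload-hook.sh and register it with --reloadcmd "/usr/local/bin/reload-hook.sh deploy" for acme.sh, or --deploy-hook "/usr/local/bin/reload-hook.sh deploy" for certbot; certbot exports RENEWED_LINEAGE to its deploy hook, so CERT_FILE=$RENEWED_LINEAGE/fullchain.pem and KEY_FILE=$RENEWED_LINEAGE/privkey.pem can be set from a small wrapper.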
