1. Install acme.sh
Mac/Unix
Run the following in a terminal: curl https://get.acme.sh | sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 775 0 775 0 0 341 0 --:--:-- 0:00:02 --:--:-- 341
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 201k 100 201k 0 0 8055 0 0:00:25 0:00:25 --:--:-- 8801
[Fri 06 Nov 2020 10:04:59 PM CST] Installing from online archive.
[Fri 06 Nov 2020 10:04:59 PM CST] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Fri 06 Nov 2020 10:05:38 PM CST] Extracting master.tar.gz
[Fri 06 Nov 2020 10:05:38 PM CST] It is recommended to install socat first.
[Fri 06 Nov 2020 10:05:38 PM CST] We use socat for standalone server if you use standalone mode.
[Fri 06 Nov 2020 10:05:38 PM CST] If you don't use standalone mode, just ignore this warning.
[Fri 06 Nov 2020 10:05:38 PM CST] Installing to /root/.acme.sh
[Fri 06 Nov 2020 10:05:38 PM CST] Installed to /root/.acme.sh/acme.sh
[Fri 06 Nov 2020 10:05:38 PM CST] Installing alias to '/root/.bashrc'
[Fri 06 Nov 2020 10:05:38 PM CST] OK, Close and reopen your terminal to start using acme.sh
[Fri 06 Nov 2020 10:05:38 PM CST] Installing cron job
[Fri 06 Nov 2020 10:05:38 PM CST] Good, bash is found, so change the shebang to use bash as preferred.
[Fri 06 Nov 2020 10:05:38 PM CST] OK
[Fri 06 Nov 2020 10:05:38 PM CST] Install success!
2. Request an HTTPS certificate.
For more DNS API providers and usage, see https://github.com/acmesh-official/acme.sh/wiki/dnsapi
Here we validate domain ownership through a DNS API; we use the Alibaba Cloud (Aliyun) DNS API.
- Open https://usercenter.console.aliyun.com/#/manage/ak and obtain your AccessKey ID and AccessKey Secret.
- Set the environment variables
root@tencent-4C-8G-115-159-203-32:~# export Ali_Key=---------(replace with your own AccessKey ID)
root@tencent-4C-8G-115-159-203-32:~# export Ali_Secret=-------(replace with your own AccessKey Secret)
- Request the certificate
~/.acme.sh/acme.sh --issue --force --dns dns_ali -d jansora.com -d '*.github.jansora.com' -d '*.jansora.com' -d '*.app.jansora.com' -d '*.doc.jansora.com'
After the certificate is issued, the key and secret are saved in plain text in ~/.acme.sh/account.conf, so keep that file safe.
If you need to request the certificate again, delete the contents of the domain directory first:
rm -rf /root/.acme.sh/jansora.com/*
3. Copy the certificate
After issuance, the certificate files for the domain can be found under ~/.acme.sh/jansora.com.
root@tencent-4C-8G-115-159-203-32:~/.acme.sh/jansora.com# tree /root/.acme.sh/jansora.com
.
├── ca.cer
├── fullchain.cer
├── jansora.com.cer
├── jansora.com.conf
├── jansora.com.csr
├── jansora.com.csr.conf
└── jansora.com.key
0 directories, 7 files
Copy them to the nginx directory.
For reference only; substitute your own domain.
mkdir -p /etc/nginx/certs
mkdir -p /etc/nginx/certs/lets-encrypt-jansora.com
cp ~/.acme.sh/jansora.com/* /etc/nginx/certs/lets-encrypt-jansora.com
root@Jans:~# systemctl restart nginx
4. Configure the certificate.
Ubuntu is used as the example; other environments are untested but should be similar.
- Create a new nginx configuration file
vim /etc/nginx/sites-available/pancake.conf
- Write the following content
server {
    listen 443 ssl;
    server_name test.jansora.com;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/nginx/certs/lets-encrypt-jansora.com/jansora.com.cer;
    ssl_certificate_key /etc/nginx/certs/lets-encrypt-jansora.com/jansora.com.key;
    root html;
}
- Load the certificate.
Edit the main nginx configuration file with vim /etc/nginx/nginx.conf and add the following three lines inside the http block. The one that matters most is include sites-available/*;
http {
    # other directives...
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    include sites-available/*;
    # other directives...
}
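The copy step in section 3 and the server block above both point nginx at files copied once by hand, so a renewal in ~/.acme.sh does not update them on its own. The script below is an added example, not from the original post: it deploys the certificate with acme.sh's --install-cert and a reload command so renewals reach nginx, and writes a server block that references the full chain (leaf plus intermediate) and offers only TLS 1.2 and 1.3. It assumes acme.sh is installed in ~/.acme.sh, the certificate for jansora.com has already been issued, and the nginx build supports TLSv1.3.

```shell
#!/bin/sh
# Added example, not from the original post: deploy the certificate that
# acme.sh issued for jansora.com into nginx with --install-cert instead of
# copying files by hand, so the cron job acme.sh installed also reloads nginx
# after every renewal. Assumes acme.sh lives in ~/.acme.sh, the certificate
# has already been issued, and nginx is new enough to offer TLSv1.3.
set -eu

ACME="${HOME:-/root}/.acme.sh/acme.sh"

# Copy key and full chain (leaf + intermediate) to the nginx cert directory
# and register a reload command that acme.sh reruns on each renewal.
install_cert() {
  domain="$1"; certdir="$2"
  mkdir -p "$certdir"
  "$ACME" --install-cert -d "$domain" \
    --key-file       "$certdir/key.pem" \
    --fullchain-file "$certdir/fullchain.pem" \
    --reloadcmd      "nginx -t && systemctl reload nginx"
}

# Print an nginx server block for $host that uses the files written by
# install_cert. ssl_certificate points at the full chain, not the bare
# leaf certificate, and only TLS 1.2/1.3 are offered.
render_server_block() {
  host="$1"; certdir="$2"
  cat <<EOF
server {
    listen 443 ssl;
    server_name $host;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate     $certdir/fullchain.pem;
    ssl_certificate_key $certdir/key.pem;
    root html;
}
EOF
}

# Usage: sh deploy-cert.sh jansora.com test.jansora.com
# (first argument: the certificate's main domain; second: the vhost name)
if [ "$#" -ge 2 ]; then
  certdir="/etc/nginx/certs/lets-encrypt-$1"
  install_cert "$1" "$certdir"
  render_server_block "$2" "$certdir" > /etc/nginx/sites-available/pancake.conf
  nginx -t && systemctl reload nginx
fi
```

The generated file is picked up by the include sites-available/*; line in nginx.conf, and the reload command is stored by acme.sh so it runs again after each automatic renewal.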
5. Verify that the certificate is configured correctly.
Open https://test.zhangyangyuan.com in a browser to check the HTTPS certificate.