"Lazy Person's" Guide to Getting an HTTPS Certificate

1. Install acme.sh

In a Mac/Unix terminal, run: curl https://get.acme.sh | sh

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   775    0   775    0     0    341      0 --:--:--  0:00:02 --:--:--   341
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  201k  100  201k    0     0   8055      0  0:00:25  0:00:25 --:--:--  8801
[Fri 06 Nov 2020 10:04:59 PM CST] Installing from online archive.
[Fri 06 Nov 2020 10:04:59 PM CST] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Fri 06 Nov 2020 10:05:38 PM CST] Extracting master.tar.gz
[Fri 06 Nov 2020 10:05:38 PM CST] It is recommended to install socat first.
[Fri 06 Nov 2020 10:05:38 PM CST] We use socat for standalone server if you use standalone mode.
[Fri 06 Nov 2020 10:05:38 PM CST] If you don't use standalone mode, just ignore this warning.
[Fri 06 Nov 2020 10:05:38 PM CST] Installing to /root/.acme.sh
[Fri 06 Nov 2020 10:05:38 PM CST] Installed to /root/.acme.sh/acme.sh
[Fri 06 Nov 2020 10:05:38 PM CST] Installing alias to '/root/.bashrc'
[Fri 06 Nov 2020 10:05:38 PM CST] OK, Close and reopen your terminal to start using acme.sh
[Fri 06 Nov 2020 10:05:38 PM CST] Installing cron job
[Fri 06 Nov 2020 10:05:38 PM CST] Good, bash is found, so change the shebang to use bash as preferred.
[Fri 06 Nov 2020 10:05:38 PM CST] OK
[Fri 06 Nov 2020 10:05:38 PM CST] Install success!

2. Issue an HTTPS certificate.

For more ways to use the DNS APIs, see https://github.com/acmesh-official/acme.sh/wiki/dnsapi

Here we validate domain ownership through a DNS API; we use the Alibaba Cloud (Aliyun) DNS API.

  1. Open https://usercenter.console.aliyun.com/#/manage/ak and obtain your AccessKey ID and AccessKey Secret.
  2. Set the environment variables
root@tencent-4C-8G-115-159-203-32:~# export Ali_Key=---------(replace with your own AccessKey ID)
root@tencent-4C-8G-115-159-203-32:~# export Ali_Secret=-------(replace with your own AccessKey Secret)
  3. Issue the certificate

~/.acme.sh/acme.sh --issue --force --dns dns_ali -d jansora.com -d '*.github.jansora.com' -d '*.jansora.com' -d '*.app.jansora.com' -d '*.doc.jansora.com'

After issuing, the AccessKey ID and AccessKey Secret are saved in plaintext in ~/.acme.sh/account.conf, so protect that file; a key belonging to a RAM sub-user limited to DNS management is safer there than your account's primary key.

To re-issue the certificate, delete the contents of that directory first: rm -rf /root/.acme.sh/jansora.com/*
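Why the --issue command above lists *.jansora.com, *.app.jansora.com, *.doc.jansora.com and *.github.jansora.com separately: a wildcard SAN matches exactly one DNS label (RFC 6125), so *.jansora.com covers test.jansora.com but neither test.app.jansora.com nor the bare jansora.com. The following Python script is an added example, not part of the original post or of acme.sh; it checks which hostnames the requested name set would cover, and the sample hostnames are constructed.

```python
# Added example: RFC 6125 wildcard matching for the SAN list requested in this guide.
# A wildcard covers exactly one label, which is why each sub-zone needs its own *.sub entry.

# The names requested by the --issue command above.
REQUESTED_SANS = [
    "jansora.com",
    "*.github.jansora.com",
    "*.jansora.com",
    "*.app.jansora.com",
    "*.doc.jansora.com",
]


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single SAN entry covers hostname (case-insensitive, trailing dot ignored)."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    # Wildcard: the hostname must be exactly one non-empty label followed by the wildcard's parent.
    parent = san[2:]
    head, sep, tail = hostname.partition(".")
    return bool(head) and sep == "." and tail == parent


def covering_san(sans, hostname):
    """Return the first SAN that covers hostname, or None if the certificate is not valid for it."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


def uncovered(sans, hostnames):
    """Return the hostnames from the list that the certificate would NOT be valid for."""
    return [h for h in hostnames if covering_san(sans, h) is None]


if __name__ == "__main__":
    # Constructed sample hostnames a server in this setup might answer for.
    samples = ["test.jansora.com", "jansora.com", "test.app.jansora.com",
               "test.blog.jansora.com", "x.y.jansora.com", "WWW.jansora.com."]
    for h in samples:
        print(f"{h:24} -> {covering_san(REQUESTED_SANS, h)}")
    print("not covered:", uncovered(REQUESTED_SANS, samples))
```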

3. Copy the certificate

After issuing, the certificate files for the domain are under ~/.acme.sh/jansora.com.

root@tencent-4C-8G-115-159-203-32:~/.acme.sh/jansora.com# tree /root/.acme.sh/jansora.com
.
├── ca.cer
├── fullchain.cer
├── jansora.com.cer
├── jansora.com.conf
├── jansora.com.csr
├── jansora.com.csr.conf
└── jansora.com.key

0 directories, 7 files

Copy them to the nginx directory.

For reference only; substitute your own domain.

mkdir -p /etc/nginx/certs
mkdir -p /etc/nginx/certs/lets-encrypt-jansora.com

cp ~/.acme.sh/jansora.com/* /etc/nginx/certs/lets-encrypt-jansora.com

systemctl restart nginx

4. Configure the certificate.

Ubuntu is used as the example; other environments are untested but should be similar.

  1. Create a new nginx config file: vim /etc/nginx/sites-available/pancake.conf
  2. Write the following content
server {
    listen 443 ssl;
    server_name test.jansora.com;
    ssl_ciphers    ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients require them.
    ssl_protocols    TLSv1 TLSv1.1 TLSv1.2;
    # fullchain.cer holds the leaf plus the intermediate CA; jansora.com.cer alone is only the leaf,
    # and clients that do not already have the intermediate will reject the chain.
    ssl_certificate     /etc/nginx/certs/lets-encrypt-jansora.com/fullchain.cer;
    ssl_certificate_key /etc/nginx/certs/lets-encrypt-jansora.com/jansora.com.key;
    root html;
}
  3. Load the certificate.

Edit the nginx config file (vim /etc/nginx/nginx.conf) and add the following three lines inside the http block.

The line that matters most is include sites-available/*;

http {
  # ... other directives ...
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
  ssl_prefer_server_ciphers on;
  include sites-available/*;
  # ... other directives ...
}

5. Verify that the certificate is configured correctly.

Run nginx -t to check the configuration, reload nginx, then open https://test.zhangyangyuan.com in a browser to verify the HTTPS certificate.