Many websites have now moved from HTTP to HTTPS. The differences between HTTPS and HTTP are not explained here, since there is plenty of documentation on that; this post mainly covers how to generate a free certificate.
Prerequisites:
DNS must be available (the domain has to resolve)
The basic tools wget/curl must be available
Steps:
1. Download and install acme.sh
wget -O - https://get.acme.sh | sh
The output looks like this:
--2020-11-06 21:41:48-- https://get.acme.sh/
Resolving get.acme.sh (get.acme.sh)... 172.67.208.34, 104.31.89.68, 104.31.88.68, ...
Connecting to get.acme.sh (get.acme.sh)|172.67.208.34|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘STDOUT’
[ <=> ] 775 --.-K/s in 0s
2020-11-06 21:41:50 (15.2 MB/s) - written to stdout [775]
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 201k 100 201k 0 0 16453 0 0:00:12 0:00:12 --:--:-- 13555
[Fri Nov 6 21:42:03 CST 2020] Installing from online archive.
[Fri Nov 6 21:42:03 CST 2020] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Fri Nov 6 21:42:11 CST 2020] Extracting master.tar.gz
[Fri Nov 6 21:42:11 CST 2020] It is recommended to install socat first.
[Fri Nov 6 21:42:11 CST 2020] We use socat for standalone server if you use standalone mode.
[Fri Nov 6 21:42:11 CST 2020] If you don't use standalone mode, just ignore this warning.
[Fri Nov 6 21:42:11 CST 2020] Installing to /home/admin/.acme.sh
[Fri Nov 6 21:42:11 CST 2020] Installed to /home/admin/.acme.sh/acme.sh
[Fri Nov 6 21:42:11 CST 2020] Installing alias to '/home/admin/.bashrc'
[Fri Nov 6 21:42:11 CST 2020] OK, Close and reopen your terminal to start using acme.sh
[Fri Nov 6 21:42:11 CST 2020] Installing cron job
no crontab for admin
no crontab for admin
[Fri Nov 6 21:42:11 CST 2020] Good, bash is found, so change the shebang to use bash as preferred.
[Fri Nov 6 21:42:11 CST 2020] OK
[Fri Nov 6 21:42:11 CST 2020] Install success!
The command above installs acme.sh by default into the .acme.sh directory of the user who runs it; this is a hidden directory.
2. Enter the .acme.sh directory and issue the certificate
### -d is followed by the domain name
### -w is followed by a directory (the webroot); the validation during issuance is done through this directory
./acme.sh --issue -d yuming -w /data1/webroot
At the end it prints something like:
[Fri Nov 6 21:46:01 CST 2020] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Nov 6 21:46:01 CST 2020] Create account key ok.
[Fri Nov 6 21:46:01 CST 2020] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Fri Nov 6 21:46:05 CST 2020] Registered
[Fri Nov 6 21:46:05 CST 2020] ACCOUNT_THUMBPRINT='3SLqrUb6q1mms9A7MxArKa0oOXPRKH7MMOi1R9O_Gr8'
[Fri Nov 6 21:46:05 CST 2020] Creating domain key
[Fri Nov 6 21:46:05 CST 2020] The domain key is here: /home/admin/.acme.sh/yuming/yuming.key
[Fri Nov 6 21:46:05 CST 2020] Single domain='yuming'
[Fri Nov 6 21:46:05 CST 2020] Getting domain auth token for each domain
[Fri Nov 6 21:46:11 CST 2020] Getting webroot for domain='yuming'
[Fri Nov 6 21:46:11 CST 2020] Verifying: yuming
[Fri Nov 6 21:46:16 CST 2020] Pending
[Fri Nov 6 21:46:18 CST 2020] Pending
[Fri Nov 6 21:46:21 CST 2020] Pending
[Fri Nov 6 21:46:27 CST 2020] Success
[Fri Nov 6 21:46:27 CST 2020] Verify finished, start to sign.
[Fri Nov 6 21:46:27 CST 2020] Lets finalize the order.
[Fri Nov 6 21:46:27 CST 2020] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/101506269/6069419918'
[Fri Nov 6 21:46:29 CST 2020] Downloading cert.
[Fri Nov 6 21:46:29 CST 2020] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/041fcfdb3118635894b970e6efa1301d4c82'
[Fri Nov 6 21:46:30 CST 2020] Cert success.
-----BEGIN CERTIFICATE-----
MIIFWDCCBECgAwIBAgISBB/P2zEYY1iUuXDm76sEwxHUyCMA0GCSqGSIb3DQEBCwUA
........
016wSiqoEz1sMsfaasHhiswizYaaNUeINxx9GZBPsmGuD4SFJw==
-----END CERTIFICATE-----
[Fri Nov 6 21:46:30 CST 2020] Your cert is in /home/admin/.acme.sh/yuming/yuming.cer
[Fri Nov 6 21:46:30 CST 2020] Your cert key is in /home/admin/.acme.sh/yuming/yuming.key
[Fri Nov 6 21:46:30 CST 2020] The intermediate CA cert is in /home/admin/.acme.sh/yuming/ca.cer
[Fri Nov 6 21:46:30 CST 2020] And the full chain certs is there: /home/admin/.acme.sh/yuming/fullchain.cer
At this point the certificate has been issued.
3. Then add the following to the nginx configuration so that nginx can serve the site over HTTPS:
listen 443 ssl;
ssl_certificate /home/admin/.acme.sh/yuming/fullchain.cer;
ssl_certificate_key /home/admin/.acme.sh/yuming/yuming.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
server_name yuming;
Besides the above, nginx also needs the following location block, which is used for the challenge verification and for renewals:
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /data1/webroot/;
}
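As an added example (not from the original post), a small POSIX shell pre-flight script for the webroot mode used in step 2: it writes a constructed probe token under the webroot's .well-known/acme-challenge/ directory, which is the same path the location block above makes nginx serve, checks it on disk, and then fetches it over plain HTTP the way the CA does. The domain name and webroot are taken from the command line; curl is assumed to be installed (the post lists it as a prerequisite).

```shell
#!/bin/sh
# Pre-flight check for "acme.sh --issue -d DOMAIN -w WEBROOT" (HTTP-01 webroot mode).
# acme.sh drops a token file under WEBROOT/.well-known/acme-challenge/ and the CA
# fetches it over plain HTTP on port 80, so that directory must be writable here
# and served by nginx under the same URL path (the location block above does that).
set -eu

CHALLENGE_SUBDIR=".well-known/acme-challenge"

# Write a constructed probe token into the challenge directory; prints the token name.
write_probe() {
  webroot="$1"
  dir="$webroot/$CHALLENGE_SUBDIR"
  mkdir -p "$dir"
  token="probe-$(date +%s)-$$"
  printf 'acme-probe %s\n' "$token" > "$dir/$token"
  printf '%s\n' "$token"
}

# Succeeds when the probe file exists on disk with the expected content.
check_probe_local() {
  file="$1/$CHALLENGE_SUBDIR/$2"
  [ -f "$file" ] || return 1
  [ "$(cat "$file")" = "acme-probe $2" ]
}

# Fetch the probe the way the CA will (plain HTTP, no TLS) and compare the body.
# Needs network access and curl; both are assumed, this part is not exercised offline.
check_probe_http() {
  body="$(curl -fsS --max-time 10 "http://$1/$CHALLENGE_SUBDIR/$2")" || return 1
  [ "$body" = "acme-probe $2" ]
}

remove_probe() {
  rm -f "$1/$CHALLENGE_SUBDIR/$2"
}

# Usage: sh acme-preflight.sh yuming /data1/webroot
if [ "$#" -eq 2 ]; then
  domain="$1"; webroot="$2"
  token="$(write_probe "$webroot")"
  check_probe_local "$webroot" "$token" || { echo "FAIL: cannot write/read $webroot/$CHALLENGE_SUBDIR"; exit 1; }
  if check_probe_http "$domain" "$token"; then
    echo "OK: http://$domain/$CHALLENGE_SUBDIR/ is served from $webroot"
  else
    echo "FAIL: probe not reachable over HTTP; check the nginx location block and DNS"
  fi
  remove_probe "$webroot" "$token"
fi
```

If the HTTP fetch fails while the local check passes, the nginx location block or the DNS record is the problem rather than the certificate request itself.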