目录
官网:https://github.com/acmesh-official/acme.sh#7-automatic-dns-api-integration
官网:
https://github.com/acmesh-official/acme.sh#7-automatic-dns-api-integration
环境: LEMP
说明: 让域名证书自动续签, 普通方式与Docker方式
1. 普通方式
安装:
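# acme.sh installs into $HOME/.acme.sh and registers its own cron entry; it
# does not need root. In the original `sudo wget -O - ... | sh` the sudo only
# elevated wget -- the `| sh` still ran as the caller -- so it added nothing.
# Fetch the installer to a file first so it can be read before it is executed,
# rather than piping a remote script straight into a shell.
wget -O get-acme.sh https://get.acme.sh
# inspect get-acme.sh, then:
sh ./get-acme.sh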
用crontab -l 可以看到已自动添加了一个cronjob来定时检查过期情况
1.1 申请证书
法一:Http文件认证方式
- 做好域名指向(A/AAAA 记录解析到本机, 且公网 80 端口可达: HTTP-01 验证总是先访问 80 端口), 设置好 www.xxx.com.conf 里面的路径
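# Bootstrap vhost used BEFORE the first certificate exists: plain HTTP only.
# The original also had `listen 443 ssl;` without any ssl_certificate /
# ssl_certificate_key, which is a misconfiguration (depending on the nginx
# version it is rejected at start-up or fails every TLS handshake). TLS is
# added in the post-issuance config below, once the files exist.
server {
    listen 80;
    listen [::]:80;
    server_name www.xxx.com;
    set $host_path "/data0/Projects/PP/www.xxx.com";
    access_log /data0/Server/Logs/www.xxx.com.log main;
    error_log /data0/Server/Logs/www.xxx.com.error.log;
    charset utf-8;
    root $host_path;
    index index.php index.html index.htm;

    # Let's Encrypt HTTP-01: acme.sh writes the token under
    # <-w path>/.well-known/acme-challenge/, so the -w given to `acme.sh --issue`
    # must be the directory this alias points at (here /data0/Projects/PP/www.xxx.com).
    location /.well-known/acme-challenge/ {
        #alias /usr/share/nginx/html/;
        alias /data0/Projects/PP/www.xxx.com/.well-known/acme-challenge/;
        try_files $uri =404;
    }

    location ~ \.php$ {
        # Refuse to forward non-existent scripts to php-fpm (guards the classic
        # /image.jpg/x.php path-info trick when cgi.fix_pathinfo is on).
        try_files $uri =404;
        #fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    #include agent_deny.def;
}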
- 申请
# Webroot (HTTP-01) issuance. {website path} must be the directory nginx's
# /.well-known/acme-challenge/ alias is served from. --server letsencrypt is
# explicit because acme.sh >= 3.0 defaults to ZeroSSL.
acme.sh --issue -d {domain} -w {website path} --server letsencrypt
法二: DNS自认证方式:
- 申请 (namecheap 域名服务商)
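# DNS-01 via the Namecheap API (see the DNS-API list linked at the top).
# acme.sh copies these values into ~/.acme.sh/account.conf in clear text so
# unattended renewals keep working: keep that file 0600 and treat it as a
# secret. Avoid pasting the key on a command line that lands in shell history
# (prefix the line with a space under HISTCONTROL=ignorespace, or source it
# from a 0600 file).
export NAMECHEAP_USERNAME="name"
export NAMECHEAP_API_KEY="key"
# Namecheap only honours API calls from whitelisted IPs: this must be the
# public IP the acme.sh host calls out from.
export NAMECHEAP_SOURCEIP="white list ip"
# --server letsencrypt as in the webroot example; acme.sh >= 3.0 would
# otherwise default to ZeroSSL.
acme.sh --issue --server letsencrypt --dns dns_namecheap -d www.xxx.com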
1.2 部署证书
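# Install the issued key/chain where nginx reads them. acme.sh records these
# paths and the --reloadcmd and re-runs them after every automatic renewal, so
# the reload belongs here rather than in a separate cron job. The reloadcmd
# runs as the user that installed acme.sh, who therefore needs permission to
# reload nginx (run as root, or grant a sudoers rule for exactly this command;
# adjust for a non-systemd init).
mkdir -p /data0/Server/Auths/certs/{domain}
acme.sh --install-cert -d {domain} \
  --key-file       /data0/Server/Auths/certs/{domain}/the.key \
  --fullchain-file /data0/Server/Auths/certs/{domain}/fullchain.crt \
  --reloadcmd      "systemctl reload nginx"
# The private key must not be world-readable: the original
# `chmod 644 -Rf .../{domain}/*` exposed it to every local user. The nginx
# master (typically root) reads the key at start/reload, so 0600 root-owned is
# enough; only the chain is public. acme.sh rewrites the files in place on
# renewal, so the mode set once normally persists.
chmod 600 /data0/Server/Auths/certs/{domain}/the.key
chmod 644 /data0/Server/Auths/certs/{domain}/fullchain.crt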
- 修改 www.xxx.com.conf
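# Post-issuance vhost: the same site, now also serving TLS with the installed
# certificate.
server {
    listen 80;
    listen 443 ssl;
    listen [::]:80;
    # The original only listened on [::]:80; without this, IPv6 clients get no TLS.
    listen [::]:443 ssl;
    server_name www.xxx.com;
    # Same paths as `acme.sh --install-cert`. With literal paths nginx loads the
    # files at start/reload (as the root master), so a 0600 root-owned key works.
    ssl_certificate /data0/Server/Auths/certs/{domain}/fullchain.crt;
    ssl_certificate_key /data0/Server/Auths/certs/{domain}/the.key;
    # TLS 1.0/1.1 are deprecated (RFC 8996); older nginx defaults still enable them.
    ssl_protocols TLSv1.2 TLSv1.3;
    set $host_path "/data0/Projects/BD/xxx";
    access_log /data0/Server/Logs/xxx.log main;
    error_log /data0/Server/Logs/xxx.error.log;
    charset utf-8;
    root $host_path;
    index index.php index.html index.htm;

    # Keep the HTTP-01 challenge path served as plain static files so automatic
    # renewals keep working; the -w path recorded at issue time must equal
    # $host_path.
    location /.well-known/acme-challenge/ {
        alias $host_path/.well-known/acme-challenge/;
        try_files $uri =404;
    }

    location ~ \.php$ {
        # Refuse to forward non-existent scripts to php-fpm (path-info trick guard).
        try_files $uri =404;
        #fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    #include agent_deny.def;
}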
- 重载nginx (先 nginx -t 检查配置再 reload, 避免因配置错误导致服务中断), OK
2 Docker LEMP 方式
-- 定义docker-compose.yml节
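version: '3'
services:
  acme:
    image: neilpang/acme.sh
    container_name: ${APP_NAME:?err}-acme
    # The renewal cron runs INSIDE this container ("daemon"). Without a restart
    # policy it stays down after a host reboot and renewals silently stop;
    # give it the same resilience as nginx.
    restart: always
    volumes:
      - "./acme.sh:/acme.sh:z"
      # Shared with nginx: certs are installed under /data0/Server/Auths and
      # the webroot for HTTP-01 lives under /data0/Projects.
      - "/data0:/data0"
    # Only consulted for DNS-01 via Cloudflare; unused by the webroot (-w) flow
    # in this guide. CF_Key is the account-wide Global API key -- if DNS-01 is
    # used, prefer a zone-scoped API token (acme.sh's dns_cf hook reads
    # CF_Token / CF_Account_ID / CF_Zone_ID) and keep the secret out of this
    # file (env_file with mode 0600) so it is not committed with the stack.
    environment:
      - CF_Key=""
      - CF_Email=""
    command: daemon
  nginx:
    #image: nginx:latest
    container_name: ${APP_NAME:?err}-nginx
    restart: always
    build:
      dockerfile: nginx.Dockerfile
      context: ./docker
    ports:
      - '80:80'
      - '443:443'
    # depends_on plus the default network already make `php` resolvable;
    # links is legacy in compose v3 and kept only for older tooling.
    links:
      - 'php'
    depends_on:
      - php
    volumes:
      - '/data0/Server/Settings/nginx:/etc/nginx'
      - '/data0/Server/Logs/nginx:/var/log/nginx'
      - '/data0/Server/Tools:/var/server-tools'
      - '/data0/Projects:/var/www/html'
      # Host /data0/Server/Auths/certs/<name>/ == container /var/server-auths/certs/<name>/
      - '/data0/Server/Auths:/var/server-auths'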
-- 站点虚拟机conf
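# Port 80: serve HTTP-01 challenge files locally and send everything else to
# HTTPS. The original server-level `if ($server_port !~ 443) { rewrite ... }`
# also redirected /.well-known/acme-challenge/ (server-level rewrites run
# before location matching), so validation only worked because Let's Encrypt
# follows the redirect to the HTTPS vhost -- which fails whenever the TLS side
# cannot handshake (e.g. missing cert directory). A dedicated :80 server block
# keeps renewals independent of TLS and avoids `if` in server context.
server {
    listen 80;
    listen [::]:80;
    server_name xxx.com www.xxx.com;
    set $host_path "/var/www/html/Eshops/xxx.com/src/web";

    # letsencrypt file verify -- container path. The acme container sees the
    # same directory under /data0/Projects/... and must be given that host
    # path as -w.
    location /.well-known/acme-challenge/ {
        alias $host_path/.well-known/acme-challenge/;
        try_files $uri =404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name xxx.com www.xxx.com;
    # $server_name expands to the FIRST name in server_name ("xxx.com"), not
    # the requested host, so the certificate directory must be named xxx.com.
    # Variables in ssl_certificate* need nginx >= 1.15.9 and make the WORKER
    # open the files on each handshake (instead of the root master at
    # start-up) -- that is why the key is chown'ed to the worker user in the
    # command-line section below.
    ssl_certificate /var/server-auths/certs/$server_name/fullchain.crt;
    ssl_certificate_key /var/server-auths/certs/$server_name/the.key;
    # TLS 1.0/1.1 are deprecated (RFC 8996); older nginx defaults still enable them.
    ssl_protocols TLSv1.2 TLSv1.3;
    set $host_path "/var/www/html/Eshops/xxx.com/src/web";
    access_log /var/log/nginx/www.xxx.com.log main;
    error_log /var/log/nginx/www.xxx.com.error.log;
    charset utf-8;
    root $host_path;
    index index.php index.html index.htm;
    #location / {
    #
    # try_files $uri $uri/ /index.php$is_args$args;
    #}
    ...
}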
-- 命令行
#首次需要登记email
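# docker-compose.yml names the containers ${APP_NAME}-acme / ${APP_NAME}-nginx;
# "om-acme" and "om-nginx" below assume APP_NAME=om -- substitute your value.

# Make Let's Encrypt the default CA FIRST. acme.sh >= 3.0 defaults to ZeroSSL
# and account registration is per-CA, so registering before switching would
# register against the wrong CA. `--set-default-ca` is its own command; the
# original combined it with `--issue` on one line, which does not persist it.
docker exec om-acme --set-default-ca --server letsencrypt

# First run only: register the ACME account (the address receives expiry notices).
docker exec om-acme --register-account -m {your mail}

# Directory the certificate is installed into; nginx sees it via the
# /data0/Server/Auths -> /var/server-auths bind mount.
mkdir -p /data0/Server/Auths/certs/{domain}

# Issue via HTTP-01. The -w path is evaluated inside the acme container, which
# mounts /data0:/data0, so host path == container path. It must be the host
# directory nginx's $host_path/alias serves from (i.e. what /var/www/html/...
# maps to under /data0/Projects/...).
docker exec om-acme --issue -d {domain} -w /data0/Projects/BD/oym001/staging/src/mobile

# Install key + chain where nginx reads them (paths match docker-compose.yml).
# acme.sh re-runs this install after every automatic renewal.
docker exec om-acme --install-cert -d {domain} --key-file /data0/Server/Auths/certs/{domain}/the.key --fullchain-file /data0/Server/Auths/certs/{domain}/fullchain.crt

# The vhost uses $server_name inside ssl_certificate*, so the nginx WORKER
# (www-data, presumably -- confirm in nginx.Dockerfile) opens the key on every
# handshake and needs read access. Hand the files to it, but keep the private
# key unreadable by anyone else; only the chain is public. acme.sh rewrites
# the files in place on renewal, so owner/mode set once normally persist.
chown -R www-data:www-data /data0/Server/Auths/certs/{domain}
chmod 600 /data0/Server/Auths/certs/{domain}/the.key
chmod 644 /data0/Server/Auths/certs/{domain}/fullchain.crt

# Pick up the new certificate.
docker-compose restart nginx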
-- 设置cron每月自动重启nginx
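# Let's Encrypt certificates last 90 days and the acme.sh daemon renews them at
# ~60 days, but nginx normally reads ssl_certificate* only at start-up or on
# reload, so a periodic reload is needed for renewed files to take effect.
# (With variables in ssl_certificate*, nginx >= 1.15.9 re-reads the files on
# every handshake and this job is only a safety net.) Monthly at 03:00 leaves
# >= 30 days of margin after a renewal at day 60.
# Use a graceful reload instead of `docker restart`, which drops in-flight
# connections; `nginx -s reload` keeps the old config if the new one is
# invalid. Only stdout is discarded so cron still mails any error.
# crontab -e
0 3 1 * * /usr/bin/docker exec om-nginx nginx -s reload > /dev/null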