Certificate source
- https://letsencrypt.org/
- Supported types: single-domain certificates and wildcard certificates
- Certificate validity: 90 days
- Rate limits: https://letsencrypt.org/docs/rate-limits/
Generation steps
Install the tool
Install acme.sh on a dedicated certificate server
curl https://get.acme.sh | sh
Generate a single-domain certificate
First run: acme.sh prints a TXT record; add it to the domain's DNS to prove control of the domain
acme.sh --issue -d test.simlinux.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --force
Subsequent runs
acme.sh --issue -d test.simlinux.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew --force
Default certificate output path
/root/.acme.sh/test.simlinux.com/
Generate a wildcard certificate
First run: acme.sh prints a TXT record; add it to the domain's DNS to prove control of the domain
acme.sh --issue -d *.test3.ipaylinks.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --force
Subsequent runs
acme.sh --issue -d *.test3.ipaylinks.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew --force
Default certificate output path
/root/.acme.sh/*.test3.ipaylinks.com/
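As an added example (not part of this note and not acme.sh's own code), the Python helpers below show what the manual DNS steps above actually publish and when the 90-day certificate needs renewing. The token, account-key thumbprint and dates are constructed samples, and the 30-day renewal threshold is an assumption.

```python
# Added example (not part of the original note): helpers that mirror what acme.sh's
# manual DNS mode asks the operator to publish, plus a renewal check for the
# 90-day certificate. Every token, thumbprint and date below is a constructed sample.
import base64
import hashlib
from datetime import datetime, timezone


def challenge_record_name(domain: str) -> str:
    """Name of the TXT record for a DNS-01 challenge (RFC 8555 section 8.4).
    A wildcard '*.example.com' is validated via 'example.com', so the leading
    '*.' is dropped before prefixing '_acme-challenge.'."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(token: str, account_key_thumbprint: str) -> str:
    """TXT value = base64url(SHA-256(token + '.' + account-key JWK thumbprint)).
    This is the string acme.sh prints for you to add to DNS on the first run."""
    key_authorization = f"{token}.{account_key_thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def acme_sh_cert_dir(domain: str, home: str = "/root/.acme.sh") -> str:
    """acme.sh names the output directory after the domain, keeping a literal '*.'."""
    return f"{home}/{domain}/"


def utc(iso: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Take the 'notAfter=...' line printed by `openssl x509 -noout -enddate`."""
    value = not_after.split("=", 1)[1].strip()
    expiry = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return (expiry - now).days


def renewal_due(not_after: str, now: datetime, threshold_days: int = 30) -> bool:
    """With 90-day validity, renewing at 30 days left (assumed threshold) leaves
    time to fix a forgotten TXT record before the old certificate expires."""
    return days_until_expiry(not_after, now) <= threshold_days
```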
Nginx configuration
http {
    # added
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if old clients still need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # For ssl_ciphers settings compatible with older browsers see https://wiki.mozilla.org/Security/Server_Side_TLS
    server {
        listen 80;
        server_name <mydomain>.com;
        # $request_uri keeps the original path and query string on the redirect
        return 301 https://<mydomain>.com$request_uri;
    }
    server {
        # added
        listen 443 ssl;
        ssl_certificate /etc/nginx/ssl/fullchain.cer;
        ssl_certificate_key /etc/nginx/ssl/*.test3.ipaylinks.com.key;
    }
}
Notes
Problem:
Java 7 before 7u111 and Java 8 before 8u101 have poor support for Let's Encrypt X3 because it is not in their trust store (cacerts); Java programs making requests fail with:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Solution:
- Download the Let's Encrypt intermediate certificate
wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
- Import the certificate into the JVM trust store
keytool -trustcacerts -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit -noprompt -importcert -alias lets-encrypt-x3-cross-signed -file "lets-encrypt-x3-cross-signed.pem"