Download acme-tiny
Download the acme_tiny.py script from https://github.com/diafygi/acme-tiny
The script needs python and openssl; install them first if they are not present.
The domain sdk4.com is used as the example throughout, and the working directory is /etc/nginx/sites-enabled/ssl/sdk4
Create a Let's Encrypt account private key, which is how Let's Encrypt identifies you
cd /etc/nginx/sites-enabled/ssl/sdk4
openssl genrsa 4096 > account.key
Create the domain certificate signing request (CSR)
openssl genrsa 4096 > domain.key
#for a single domain
openssl req -new -sha256 -key domain.key -subj "/CN=sdk4.com" > domain.csr
#for multiple domains (use this one if you want both www.sdk4.com and sdk4.com)
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:sdk4.com,DNS:www.sdk4.com")) > domain.csr
Set up the service that proves ownership of the domain
- Create the challenge directory
mkdir -p /var/www/challenges
- Configure an HTTP server so Let's Encrypt can fetch the challenge files
server {
    listen 80;
    server_name sdk4.com www.sdk4.com;
    location /.well-known/acme-challenge {
        alias /var/www/challenges;
    }
    ......
}
Obtain the signed certificate
python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /var/www/challenges/ > signed.crt || exit
Turn the crt into a chained pem file
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
Renewing the certificate
The certificate is only valid for 3 months, so we create a script to renew it: renew_cert.sh
#!/bin/bash
cd /etc/nginx/sites-enabled/ssl/sdk4
python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /var/www/challenges/ > signed.crt || exit
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
# nginx keeps serving the old certificate until it is reloaded
service nginx reload
Add it to the crontab
0 0 1 * * /etc/nginx/sites-enabled/ssl/sdk4/www.ssl/renew_cert.sh 2>> /var/log/acme_tiny.log
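A more defensive version of the renewal script, added here as an example and not the original post's renew_cert.sh: it can run daily from cron, renews only when fewer than RENEW_DAYS days remain, refuses to activate a certificate that does not verify against the downloaded intermediate, and reloads nginx so the new chain is actually served. Paths and URLs are the ones used above; RENEW_DAYS and NGINX_RELOAD are assumed values for this host.

```shell
#!/bin/bash
# Added example (not the original post's script): daily renewal with an expiry
# check, chain verification before activation, and an nginx reload afterwards.
set -u

WORKDIR=/etc/nginx/sites-enabled/ssl/sdk4
ACME_DIR=/var/www/challenges/
INTERMEDIATE_URL=https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
RENEW_DAYS=30                        # assumed renewal window (certs last 90 days)
NGINX_RELOAD="service nginx reload"  # assumed reload command for this host

# Exit 0 when CERT is missing or expires within DAYS days, 1 when it is still good.
# "openssl x509 -checkend" exits 0 if the certificate will NOT expire in the window.
needs_renewal() {
    cert=$1; days=$2
    [ -r "$cert" ] || return 0
    ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Exit 0 when LEAF chains to a certificate in CAFILE, non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

renew() {
    cd "$WORKDIR" || return 1
    if ! needs_renewal signed.crt "$RENEW_DAYS"; then
        echo "$(date -u) certificate valid until $(openssl x509 -in signed.crt -noout -enddate | cut -d= -f2), nothing to do"
        return 0
    fi
    # Write the new certificate beside the live one; signed.crt is replaced only after it verifies.
    python acme_tiny.py --account-key account.key --csr domain.csr \
        --acme-dir "$ACME_DIR" > signed.crt.new || return 1
    wget -q -O intermediate.pem "$INTERMEDIATE_URL" || return 1
    if ! verify_chain signed.crt.new intermediate.pem; then
        echo "$(date -u) new certificate does not chain to intermediate.pem, keeping the old one" >&2
        return 1
    fi
    mv signed.crt.new signed.crt
    cat signed.crt intermediate.pem > chained.pem
    $NGINX_RELOAD
}

# cron invokes "renew_cert.sh run"; sourcing the file only defines the functions.
case "${1:-}" in run) renew ;; esac
```

With this version the crontab entry can run daily (for example `0 0 * * * /path/to/renew_cert.sh run 2>> /var/log/acme_tiny.log`) because the script only talks to Let's Encrypt when the certificate is actually close to expiry.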
Configure nginx
server {
listen 443;
server_name sdk4.com www.sdk4.com;
include /etc/nginx/sites-enabled/ssl/sdk4/www.ssl;
location / { try_files $uri @proxy_to_app; }
location @proxy_to_app {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
proxy_pass http://127.0.0.1:8080;
}
}
- Contents of /etc/nginx/sites-enabled/ssl/sdk4/www.ssl
ssl on;
ssl_certificate /etc/nginx/sites-enabled/ssl/sdk4/chained.pem;
ssl_certificate_key /etc/nginx/sites-enabled/ssl/sdk4/domain.key;
ssl_prefer_server_ciphers on;
# generate the DH parameters once with: openssl dhparam -out /etc/nginx/sites-enabled/dh4096.pem 4096
ssl_dhparam /etc/nginx/sites-enabled/dh4096.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
# TLSv1 and TLSv1.1 are deprecated; keep only TLSv1.2 unless legacy clients require them
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;