Generating certificates with acme.sh --dns

Multi-domain configuration

If you issue certificates for several domains that live in different cloud accounts, give each account its own acme.sh home and config directory. acme.sh saves the DNS API credentials it is given in account.conf under the config home, so separate config homes keep one account's key pair from overwriting another's:

acme.sh --home /root/.acme.sh_68hub_com --config-home /root/.acme.sh_68hub_com --dns dns_ali --issue -d 68hub.com

A crontab entry for that config home also has to be added by hand, because the cron job acme.sh installed for its default directory does not renew certificates kept elsewhere:

0 22 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh_68hub_com" --config-home "/root/.acme.sh_68hub_com" > /dev/null

Preparation (using Alibaba Cloud)

  1. Export the dnsapi environment variables for the provider (see the acme.sh dnsapi wiki: https://github.com/acmesh-official/acme.sh/wiki/dnsapi). Use the access key of a RAM sub-account that only has DNS permissions rather than the account's primary key; acme.sh stores the pair in account.conf under its config home after the first run, so the variables are only needed once.

    export Ali_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"     # placeholder value
    export Ali_Secret="jlsdflanljkljlfdsaklkjflsa"    # placeholder value
    
  2. Issue the certificate (DNS validation is also the only challenge type that can issue wildcard names, so an additional -d '*.68hub.com' is possible here)

    ./acme.sh --issue --dns dns_ali -d 68hub.com
    
  3. Install the certificate for Nginx. Point nginx at these copies, not at the files under ~/.acme.sh, so that the reload command runs on every renewal:

    acme.sh --install-cert -d 68hub.com \
    --key-file       /path/to/keyfile/in/nginx/key.pem  \
    --fullchain-file /path/to/fullchain/nginx/cert.pem \
    --reloadcmd     "service nginx force-reload"
    
  4. Point the site's nginx configuration at the files written in step 3: the full chain for ssl_certificate and the private key for ssl_certificate_key

    ssl_certificate /path/to/fullchain/nginx/cert.pem;
    ssl_certificate_key /path/to/keyfile/in/nginx/key.pem;
    

Configuration (webroot validation)

Create the .well-known/acme-challenge directory under the site's document root (the www group is nginx's worker group, which must be able to read the challenge files):

mkdir -p /data/wwwroot/blog.68hub.com/.well-known/acme-challenge
chown -R root:www /data/wwwroot/blog.68hub.com

Create a location block for the challenge path:

# /usr/local/nginx/conf/blog.68hub.com-webroot

location /.well-known/acme-challenge/ {
    alias /data/wwwroot/blog.68hub.com/.well-known/acme-challenge/;
}

Include that block in the site's nginx configuration file:

# /usr/local/nginx/conf/vhosts/blog.68hub.com.conf

server {
    listen 80;

    server_name blog.68hub.com;

    # ....

    # Let's Encrypt webroot
    include /usr/local/nginx/conf/blog.68hub.com-webroot;
}

Reload nginx: systemctl reload nginx.service

Issue the certificate

acme.sh --issue -d blog.68hub.com -w /data/wwwroot/blog.68hub.com

Install the certificate

Store the certificate files in /usr/local/nginx/conf/ssl (create the directory first):

acme.sh --install-cert -d blog.68hub.com \
--cert-file /usr/local/nginx/conf/ssl/blog.68hub.com.crt \
--key-file /usr/local/nginx/conf/ssl/blog.68hub.com.key \
--fullchain-file /usr/local/nginx/conf/ssl/blog.68hub.com.fullchain \
--reloadcmd "service nginx reload"

This copies the certificate files into place and records the reload command, so the cron job acme.sh installed runs the renewal and then the reload (the renewal interval was 80 days by default in the acme.sh version this post used; current releases renew after 60 days). Note that the .crt written by --cert-file holds the leaf certificate alone; nginx's ssl_certificate must point at the .fullchain file, otherwise clients that do not already have the intermediate CA fail to validate the chain.
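A set of checks to run on the files --install-cert wrote, added here as an example (not acme.sh's own code): does the private key belong to the certificate, does the file nginx will serve carry the whole chain, is there enough validity left for the renewal job to have done its work, does the certificate cover the host name, and is the key file readable only by its owner. It needs the openssl CLI; the demo at the bottom generates a throwaway self-signed certificate (constructed data) rather than touching the real files, and check_installed_cert and the helper names are this example's own.

```shell
#!/bin/sh
# Sanity checks on the files acme.sh --install-cert copied into nginx's ssl
# directory. Added example, not part of acme.sh; needs the openssl CLI.

# SHA-256 over the DER SubjectPublicKeyInfo, so RSA and EC keys compare alike.
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
key_pubkey_fp() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
key_matches_cert()    { [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]; }   # $1 cert, $2 key
pem_cert_count()      { grep -c 'BEGIN CERTIFICATE' "$1" || true; }                # 1 = leaf only
cert_valid_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }
cert_covers_name()    { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -Eq "DNS:$2(,|$)"; }
key_is_private()      { case "$(ls -ld "$1" | cut -c5-10)" in ------) return 0 ;; *) return 1 ;; esac; }

# $1 fullchain file, $2 key file, $3 host name; prints one line per check and
# returns the number of failed checks (0 = everything passed).
check_installed_cert() {
  fails=0
  if key_matches_cert "$1" "$2"; then echo "ok   private key matches certificate"
  else echo "FAIL private key does not match certificate"; fails=$((fails + 1)); fi
  count=$(pem_cert_count "$1")
  if [ "$count" -ge 2 ]; then echo "ok   chain has $count certificates"
  else echo "FAIL $1 holds only the leaf; nginx needs the --fullchain-file output"; fails=$((fails + 1)); fi
  # acme.sh renews long before expiry; under 30 days left means the cron job is not working
  if cert_valid_for_days "$1" 30; then echo "ok   more than 30 days of validity left"
  else echo "FAIL expires within 30 days: check the acme.sh cron job"; fails=$((fails + 1)); fi
  if cert_covers_name "$1" "$3"; then echo "ok   SAN covers $3"
  else echo "FAIL certificate does not cover $3"; fails=$((fails + 1)); fi
  if key_is_private "$2"; then echo "ok   key file is readable by its owner only"
  else echo "FAIL key file is readable by group/other"; fails=$((fails + 1)); fi
  return "$fails"
}

# Demo with constructed data: a 90-day self-signed leaf and an unrelated key.
DEMO=$(mktemp -d); umask 077
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj '/CN=blog.68hub.com' \
  -addext 'subjectAltName=DNS:blog.68hub.com' \
  -keyout "$DEMO/blog.key" -out "$DEMO/blog.crt" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$DEMO/other.key" 2>/dev/null
if check_installed_cert "$DEMO/blog.crt" "$DEMO/blog.key" blog.68hub.com; then
  echo "all checks passed"
else
  echo "some checks failed (expected for the demo: a self-signed leaf has no chain)"
fi
```

Against the real installation the call is check_installed_cert /usr/local/nginx/conf/ssl/blog.68hub.com.fullchain /usr/local/nginx/conf/ssl/blog.68hub.com.key blog.68hub.com; a non-zero exit code makes it usable from a monitoring script.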

Update the site's nginx configuration

# /usr/local/nginx/conf/vhosts/blog.68hub.com.conf
server {

    ...
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name blog.68hub.com;
    # serve the full chain (leaf + intermediate); the .crt alone makes clients
    # that do not already have the intermediate fail validation
    ssl_certificate /usr/local/nginx/conf/ssl/blog.68hub.com.fullchain;
    ssl_certificate_key /usr/local/nginx/conf/ssl/blog.68hub.com.key;
    # TLS 1.0/1.1 are deprecated (RFC 8996); 3DES and static-RSA suites dropped
    # so every suite offers forward secrecy
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES128:EECDH+AES256:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_buffer_size 1400;
    add_header Strict-Transport-Security max-age=15768000;
    # redirect http to https ($ssl_protocol is empty on a plain-HTTP connection)
    if ($ssl_protocol = "") { return 301 https://$host$request_uri; }
    ...
}

Reload nginx: service nginx reload
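A small audit of the TLS directives in a server block, added here as an example (not nginx or acme.sh code). It runs over two constructed configurations written to a temp directory: one that still allows TLS 1.0/1.1, 3DES and static-RSA suites and points ssl_certificate at a leaf-only .crt, and a hardened one. The "certificate" files it creates contain only PEM markers, enough to count how many certificates a file holds; nginx_directive, nginx_tls_audit and the file names are this example's own.

```shell
#!/bin/sh
# Audit the TLS directives of an nginx server block: obsolete protocol
# versions, cipher tokens without forward secrecy or with broken primitives,
# an ssl_certificate file holding only the leaf, and a missing HSTS header.
# Added example, not part of nginx or acme.sh. Sample configs are constructed.

# First value of a directive, trailing ';' stripped ("" if absent).
nginx_directive() {   # $1 conf file, $2 directive name
  awk -v d="$2" '$1 == d { sub(/;[[:space:]]*$/, ""); $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Number of PEM certificates in a file; 0 when the file is missing or empty.
pem_cert_count() {
  if [ -f "$1" ]; then grep -c 'BEGIN CERTIFICATE' "$1" || true; else echo 0; fi
}

nginx_tls_audit() {   # $1 conf file; prints one line per finding, returns the count
  conf=$1; findings=0
  old=$(printf '%s\n' $(nginx_directive "$conf" ssl_protocols) | grep -Ex 'SSLv[23]|TLSv1(\.1)?' | tr '\n' ' ')
  if [ -n "$old" ]; then
    echo "FAIL ssl_protocols enables obsolete versions: $old"; findings=$((findings + 1))
  fi
  # Tokens not negated with '!' that select 3DES/RC4/MD5/NULL/export suites or
  # static RSA key exchange (RSA+..., no forward secrecy).
  weak=$(nginx_directive "$conf" ssl_ciphers | tr ':' '\n' | grep -v '^!' \
         | grep -E '3DES|DES-|RC4|MD5|NULL|EXP|^RSA\+' | tr '\n' ' ')
  if [ -n "$weak" ]; then
    echo "FAIL ssl_ciphers allows weak suites: $weak"; findings=$((findings + 1))
  fi
  cert=$(nginx_directive "$conf" ssl_certificate)
  count=$(pem_cert_count "$cert")
  if [ "$count" -lt 2 ]; then
    echo "FAIL ssl_certificate $cert holds $count certificate(s); use the fullchain file"; findings=$((findings + 1))
  fi
  grep -q 'Strict-Transport-Security' "$conf" \
    || { echo "FAIL no Strict-Transport-Security header"; findings=$((findings + 1)); }
  return "$findings"
}

# Constructed samples: PEM markers stand in for real certificates.
DEMO=$(mktemp -d); mkdir "$DEMO/ssl"
printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$DEMO/ssl/blog.68hub.com.crt"                                   # leaf only
printf '%s\n' '-----BEGIN CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' > "$DEMO/ssl/blog.68hub.com.fullchain"  # leaf + intermediate
WEAK_CONF=$DEMO/weak.conf; GOOD_CONF=$DEMO/good.conf
cat > "$WEAK_CONF" <<EOF
server {
    listen 443 ssl http2;
    ssl_certificate $DEMO/ssl/blog.68hub.com.crt;
    ssl_certificate_key $DEMO/ssl/blog.68hub.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    add_header Strict-Transport-Security max-age=15768000;
}
EOF
cat > "$GOOD_CONF" <<EOF
server {
    listen 443 ssl http2;
    ssl_certificate $DEMO/ssl/blog.68hub.com.fullchain;
    ssl_certificate_key $DEMO/ssl/blog.68hub.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES128:EECDH+AES256:!aNULL:!MD5;
    add_header Strict-Transport-Security max-age=15768000;
}
EOF
for f in "$WEAK_CONF" "$GOOD_CONF"; do
  echo "== $f"
  if nginx_tls_audit "$f"; then echo "ok   no findings"; fi
done
```

The check counts one finding per directive and lists the offending tokens, so the exit status doubles as a severity score for a pre-deploy hook; run it as nginx_tls_audit /usr/local/nginx/conf/vhosts/blog.68hub.com.conf on the live file before nginx -t.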

References