Applying for and configuring a free Let's Encrypt HTTPS certificate

HTTPS certificate application and configuration

# Note: "www.yuntap.com" is my domain and the wwwroot path is the static web root; replace both with your own

# install acme.sh
curl https://get.acme.sh | sh

# reload the shell profile so acme.sh is on PATH (use ~/.bashrc if you run bash)
source ~/.zshrc

# issue the certificate: domain + web root the CA can reach over plain HTTP
acme.sh --issue -d www.yuntap.com -w /data/wwwroot/www.yuntap.com


[Thu Jul 5 15:48:58 CST 2018] Registering account
[Thu Jul 5 15:48:59 CST 2018] Registered
[Thu Jul 5 15:48:59 CST 2018] ACCOUNT_THUMBPRINT='mh6jcBtaB6ozjEOa5rPpNhD5vpZPJJDUb9So3r9uK-Y'
[Thu Jul 5 15:48:59 CST 2018] Creating domain key
[Thu Jul 5 15:48:59 CST 2018] The domain key is here: /root/.acme.sh/www.yuntap.com/www.yuntap.com.key
[Thu Jul 5 15:48:59 CST 2018] Single domain='www.yuntap.com'
[Thu Jul 5 15:48:59 CST 2018] Getting domain auth token for each domain
[Thu Jul 5 15:48:59 CST 2018] Getting webroot for domain='www.yuntap.com'
[Thu Jul 5 15:48:59 CST 2018] Getting new-authz for domain='www.yuntap.com'
[Thu Jul 5 15:49:00 CST 2018] The new-authz request is ok.
[Thu Jul 5 15:49:00 CST 2018] Verifying:www.yuntap.com
[Thu Jul 5 15:49:04 CST 2018] Success
[Thu Jul 5 15:49:04 CST 2018] Verify finished, start to sign.
[Thu Jul 5 15:49:05 CST 2018] Cert success.
-----BEGIN CERTIFICATE-----
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA3MDUwNjQ5MDRaFw0x
....(omitted)
MusElN6AVE3tjIQI
-----END CERTIFICATE-----
[Thu Jul 5 15:49:05 CST 2018] Your cert is in /root/.acme.sh/www.yuntap.com/www.yuntap.com.cer
[Thu Jul 5 15:49:05 CST 2018] Your cert key is in /root/.acme.sh/www.yuntap.com/www.yuntap.com.key
[Thu Jul 5 15:49:05 CST 2018] The intermediate CA cert is in /root/.acme.sh/www.yuntap.com/ca.cer
[Thu Jul 5 15:49:05 CST 2018] And the full chain certs is there: /root/.acme.sh/www.yuntap.com/fullchain.cer
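The "Getting webroot" and "Verifying" lines above are the HTTP-01 challenge in webroot mode: the CA hands the client a random token, the client writes `<token>.<account thumbprint>` to `/.well-known/acme-challenge/<token>` under the web root, and the CA fetches that URL over plain HTTP. The thumbprint is the RFC 7638 hash of the account's public key, which is the `ACCOUNT_THUMBPRINT` value printed earlier. The script below is an added example, not code from the original post or from acme.sh; it uses only the standard library, and the account JWK and token are constructed sample values, not real keys. It is useful for understanding why the web root must answer on port 80 for that path and for checking locally that the challenge file is what the CA expects.

```python
"""Webroot HTTP-01 challenge: compute the key authorization and publish it.
Added example; the account key and token below are constructed, not real."""
import base64
import hashlib
import json
import os
import re
import tempfile

# Constructed sample JWK (not a valid RSA key; only the thumbprint math is shown).
SAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW5vdC1hLXJlYWwtbW9kdWx1cw"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required public
    members only (sorted keys, no whitespace). Extra members such as kid
    do not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """The exact body the CA expects at the challenge URL."""
    return f"{token}.{thumbprint}"


def publish_challenge(webroot: str, token: str, thumbprint: str) -> str:
    """Write the key authorization where the CA will fetch it; return the path.
    ACME tokens are base64url, so anything else is refused before it can be
    used as a path component."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("token is not base64url; refusing to use it in a path")
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as f:
        f.write(key_authorization(token, thumbprint))
    return path


def verify_challenge(webroot: str, token: str, thumbprint: str) -> bool:
    """Local equivalent of the CA's check: the file at the challenge path
    must contain exactly token.thumbprint."""
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    try:
        with open(path, encoding="ascii") as f:
            body = f.read().strip()
    except OSError:
        return False
    return body == key_authorization(token, thumbprint)


def run_demo() -> dict:
    """Publish into a temporary web root and check the outcomes."""
    thumbprint = jwk_thumbprint(SAMPLE_ACCOUNT_JWK)
    with tempfile.TemporaryDirectory() as webroot:
        publish_challenge(webroot, SAMPLE_TOKEN, thumbprint)
        published_ok = verify_challenge(webroot, SAMPLE_TOKEN, thumbprint)
        wrong_thumbprint_ok = verify_challenge(webroot, SAMPLE_TOKEN, "x" * 43)
        try:
            publish_challenge(webroot, "../../etc/passwd", thumbprint)
            bad_token_rejected = False
        except ValueError:
            bad_token_rejected = True
    return {
        "thumbprint": thumbprint,
        "published_ok": published_ok,
        "wrong_thumbprint_ok": wrong_thumbprint_ok,
        "bad_token_rejected": bad_token_rejected,
    }


if __name__ == "__main__":
    print(run_demo())
```

If the challenge file is served but validation still fails, the usual causes are a vhost that redirects `/.well-known/acme-challenge/` to HTTPS before the certificate exists, or a `location` block that denies dot-prefixed paths; check those before re-issuing.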

# copy the certificate and key into /etc/nginx/ssl
cd /etc
mkdir -p nginx/ssl
cd nginx/ssl
cp /root/.acme.sh/www.yuntap.com/www.yuntap.com.key /etc/nginx/ssl/www.yuntap.com.key
cp /root/.acme.sh/www.yuntap.com/fullchain.cer /etc/nginx/ssl/fullchain.cer


# configure automatic renewal: on every renewal acme.sh copies the new key and
# chain to these paths and then runs the reload command
acme.sh --installcert -d www.yuntap.com \
--keypath /etc/nginx/ssl/www.yuntap.com.key \
--fullchainpath /etc/nginx/ssl/fullchain.cer \
--reloadcmd "service nginx force-reload"


# generate the Diffie-Hellman parameter file with openssl
openssl dhparam -out /root/.acme.sh/www.yuntap.com/dhparam.pem 2048


# nginx configuration

http {
    # added
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # for ssl_ciphers settings compatible with older browsers see https://wiki.mozilla.org/Security/Server_Side_TLS

    server {

        # add inside the specific vhost
        listen 80 default_server;
        # added; paths point at the files --installcert keeps up to date
        listen 443 ssl;
        ssl_certificate /etc/nginx/ssl/fullchain.cer;
        ssl_certificate_key /etc/nginx/ssl/www.yuntap.com.key;
        # ssl_dhparam
        ssl_dhparam /root/.acme.sh/www.yuntap.com/dhparam.pem;

        # rest omitted
    }
}


# restart nginx
service nginx restart

# check that the cron job was installed
crontab -l
# the following entry means it succeeded
25 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

# test the renewal flow (-f forces renewal even though the cert is not due)
/root/.acme.sh/acme.sh --cron -f

# if the output shows:
...
[Fri Jul 6 10:49:15 CST 2018] Your cert is in /root/.acme.sh/www.yuntap.com/www.yuntap.com.cer
[Fri Jul 6 10:49:15 CST 2018] Your cert key is in /root/.acme.sh/www.yuntap.com/www.yuntap.com.key
[Fri Jul 6 10:49:15 CST 2018] The intermediate CA cert is in /root/.acme.sh/www.yuntap.com/ca.cer
[Fri Jul 6 10:49:15 CST 2018] And the full chain certs is there: /root/.acme.sh/www.yuntap.com/fullchain.cer
[Fri Jul 6 10:49:15 CST 2018] Installing key to:/etc/nginx/ssl/www.yuntap.com.key
[Fri Jul 6 10:49:15 CST 2018] Installing full chain to:/etc/nginx/ssl/fullchain.cer
[Fri Jul 6 10:49:15 CST 2018] Run reload cmd: service nginx force-reload
[ OK ]
[Fri Jul 6 10:49:16 CST 2018] Reload success
[Fri Jul 6 10:49:16 CST 2018] ===End cron===

# then renewal, installation and the nginx reload all succeeded