竹磬网 - 邵珠庆's diary. You only get one life; use it to do more great things. Make the world a little better and easier.


28 January 2019

Configuring HTTPS for nginx with acme.sh

Posted in 邵珠庆

Use acme.sh to install a free SSL certificate from Let's Encrypt in one step, and configure HTTPS for nginx with it.

This article uses the domain derror.com as the example.

Install nginx

Configure and start nginx as usual and make sure the site is reachable over plain HTTP (the webroot validation below depends on it). Set the document root, for example /home/work/local/www/

Install acme.sh

$ curl https://get.acme.sh | sh

Issue the certificate (issue a cert)

$ acme.sh --issue -d derror.com -w /home/work/local/www

On success you should see messages like the following

[Mon Oct 29 08:12:04 EDT 2018] Your cert is in  /root/.acme.sh/derror.com/mrnil.com.cer
[Mon Oct 29 08:12:04 EDT 2018] Your cert key is in  /root/.acme.sh/derror.com/mrnil.com.key
[Mon Oct 29 08:12:05 EDT 2018] The intermediate CA cert is in  /root/.acme.sh/derror.com/ca.cer
[Mon Oct 29 08:12:05 EDT 2018] And the full chain certs is there:  /root/.acme.sh/derror.com/fullchain.cer

Install the certificate and set up automatic renewal

$ acme.sh --install-cert -d derror.com \
--key-file       /home/work/local/cert/derror.com/key.pem  \
--fullchain-file /home/work/local/cert/derror.com/cert.pem \
--reloadcmd     "systemctl restart nginx"

--reloadcmd "systemctl restart nginx" restarts nginx automatically after every renewal so the new certificate takes effect.

Generate dhparam.pem

$ openssl dhparam -out /home/work/local/cert/derror.com/dhparam.pem 2048

nginx SSL configuration

www.conf

server {
    listen       80 default_server;
    listen       [::]:80 default_server;
    listen       443 ssl;
    server_name  _;

    # TLSv1 and TLSv1.1 are deprecated; on a new deployment keep only TLSv1.2
    # (and TLSv1.3, supported since nginx 1.13 with OpenSSL 1.1.1).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # "ssl on;" is deliberately absent: it would turn TLS on for the port-80 listeners
    # too, so plain HTTP (and the acme.sh webroot validation) would fail with
    # "The plain HTTP request was sent to HTTPS port". The "ssl" parameter on the
    # 443 listener is all that is needed (the directive is deprecated since nginx 1.15).
    ssl_certificate         /home/work/local/cert/derror.com/cert.pem;   # full chain written by acme.sh --install-cert
    ssl_certificate_key     /home/work/local/cert/derror.com/key.pem;
    # Diffie-Hellman parameters generated with "openssl dhparam" above
    ssl_dhparam             /home/work/local/cert/derror.com/dhparam.pem;

    root         /home/work/local/www;
    index index.html index.htm;
    location / {
    }
}

Then restart nginx

$ systemctl restart nginx

Verify SSL

https://derror.com

https://ssllabs.com/ssltest/analyze.html?d=derror.com
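The SSL Labs test above checks the deployment from the outside; the following script is an added example (not part of the original post) that performs the equivalent local checks on the files acme.sh --install-cert wrote, so it can be run after every renewal: the private key belongs to the certificate, the certificate's Subject Alternative Name covers the domain, the chain verifies, and the expiry is still far enough away that the renewal job is evidently working. It assumes openssl on PATH, GNU date (for -d), and the /home/work/local/cert/<domain>/{cert.pem,key.pem} layout from this post (override with CERT_BASE); the check_domain helper and its 14-day threshold are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: local sanity checks on a certificate
# installed by "acme.sh --install-cert". Assumes openssl on PATH and GNU date (-d).
CERT_BASE="${CERT_BASE:-/home/work/local/cert}"   # layout used throughout the post

# SHA-256 of the public key carried by a cert ($2 = cert) or a private key ($2 = key),
# so the two can be compared without printing key material.
pubkey_fingerprint() {
  { if [ "$2" = cert ]; then openssl x509 -in "$1" -noout -pubkey
    else openssl pkey -in "$1" -pubout; fi; } | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 if the private key in $2 belongs to the certificate in $1.
cert_key_match() {
  [ "$(pubkey_fingerprint "$1" cert)" = "$(pubkey_fingerprint "$2" key)" ]
}

# 0 if $2 is listed as a DNS name in the Subject Alternative Name extension of $1.
cert_covers_domain() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | grep -Eq "DNS:$2(,|\$)"
}

# Whole days until notAfter of $1 (negative once expired).
cert_days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}

# 0 if the leaf in the fullchain file $1 verifies. $2 (optional) is a CA bundle to trust
# instead of the system store; the rest of $1 is offered as untrusted intermediates.
cert_chain_ok() {
  if [ -n "$2" ]; then openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
  else openssl verify -untrusted "$1" "$1" >/dev/null 2>&1; fi
}

# Run every check for $CERT_BASE/$1/{cert.pem,key.pem}; 0 only if all pass.
# The 14-day floor is a constructed threshold: acme.sh renews at 60 days by default,
# so dropping below it means the renewal cron job or the reloadcmd is broken.
check_domain() {
  d="$CERT_BASE/$1"; rc=0
  cert_key_match "$d/cert.pem" "$d/key.pem" && echo "ok   key matches cert" || { echo "FAIL key/cert mismatch"; rc=1; }
  cert_covers_domain "$d/cert.pem" "$1"     && echo "ok   SAN covers $1"    || { echo "FAIL SAN lacks $1"; rc=1; }
  cert_chain_ok "$d/cert.pem"               && echo "ok   chain verifies"   || { echo "FAIL chain does not verify"; rc=1; }
  days=$(cert_days_left "$d/cert.pem"); echo "info $days days left"
  [ "$days" -gt 14 ]                        || { echo "FAIL renewal overdue"; rc=1; }
  return $rc
}

# Usage: sh check-cert.sh derror.com lab.derror.com   (exit status 1 if any check fails)
for dom in "$@"; do check_domain "$dom"; done
```

Comparing public-key fingerprints rather than moduli keeps the script independent of the key type, so it keeps working if acme.sh is later switched to ECDSA keys.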

Adding a subdomain

The steps above complete the basic setup. Now let's add a second subdomain, lab.derror.com, the same way.

$ acme.sh --issue -d lab.derror.com -w /home/work/local/www
...
[Wed Nov 21 04:19:14 EST 2018] Your cert is in  /root/.acme.sh/lab.derror.com/lab.derror.com.cer 
[Wed Nov 21 04:19:14 EST 2018] Your cert key is in  /root/.acme.sh/lab.derror.com/lab.derror.com.key 
[Wed Nov 21 04:19:16 EST 2018] The intermediate CA cert is in  /root/.acme.sh/lab.derror.com/ca.cer 
[Wed Nov 21 04:19:16 EST 2018] And the full chain certs is there:  /root/.acme.sh/lab.derror.com/fullchain.cer

$ mkdir -p /home/work/local/cert/lab.derror.com

$ acme.sh --install-cert -d lab.derror.com \
--key-file       /home/work/local/cert/lab.derror.com/key.pem  \
--fullchain-file /home/work/local/cert/lab.derror.com/cert.pem \
--reloadcmd     "systemctl restart nginx"

[Wed Nov 21 04:21:57 EST 2018] Installing key to:/home/work/local/cert/lab.derror.com/key.pem
[Wed Nov 21 04:21:57 EST 2018] Installing full chain to:/home/work/local/cert/lab.derror.com/cert.pem
[Wed Nov 21 04:21:57 EST 2018] Run reload cmd: systemctl restart nginx
[Wed Nov 21 04:22:04 EST 2018] Reload success

$ openssl dhparam -out /home/work/local/cert/lab.derror.com/dhparam.pem 2048

nginx configuration: lab.conf

server {
    listen       80;
    listen       443 ssl;
    server_name  lab.derror.com;   # named host; the default_server block above still handles everything else

    # TLSv1 and TLSv1.1 are deprecated; prefer TLSv1.2 (and TLSv1.3) on a new deployment.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_certificate         /home/work/local/cert/lab.derror.com/cert.pem;   # full chain written by acme.sh --install-cert
    ssl_certificate_key     /home/work/local/cert/lab.derror.com/key.pem;
    # Diffie-Hellman parameters generated with "openssl dhparam" above
    ssl_dhparam             /home/work/local/cert/lab.derror.com/dhparam.pem;

    root         /home/work/local/www;
    index index.html index.htm;
    location / {
    }
}

$ systemctl restart nginx
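The derror.com and lab.derror.com sections above run the same sequence by hand (mkdir, acme.sh --issue, acme.sh --install-cert, openssl dhparam, a server block, restart). The following script is an added example, not part of the original post or of acme.sh, that folds that sequence into one function per domain and prints the matching server block. It assumes acme.sh is installed at $HOME/.acme.sh/acme.sh (override with ACME), nginx is managed by systemd, and the directory layout used in this post; it uses only the acme.sh flags shown above. Two things differ from the post on purpose: the reload command tests the config first and reloads instead of restarting, and the rendered block enables TLS 1.2/1.3 only.

```shell
#!/bin/sh
# Added example, not from the original post: one function for the per-domain steps the
# post runs by hand for derror.com and again for lab.derror.com, plus a renderer for the
# matching nginx server block. Assumes acme.sh at $HOME/.acme.sh/acme.sh (override with
# ACME), nginx under systemd, and the post's directory layout.
ACME="${ACME:-$HOME/.acme.sh/acme.sh}"
CERT_BASE="${CERT_BASE:-/home/work/local/cert}"
WEBROOT="${WEBROOT:-/home/work/local/www}"
# Check the config before reloading so a bad file cannot take nginx down, and reload
# rather than restart so open connections survive the certificate swap.
RELOAD_CMD="${RELOAD_CMD:-nginx -t && systemctl reload nginx}"

# Issue and install a certificate for $1 with the same flags as the post. The DH
# parameters are generated once and kept on re-runs ("dhparam 2048" is slow).
provision_domain() {
  domain="$1"; dir="$CERT_BASE/$domain"
  mkdir -p "$dir" \
  && "$ACME" --issue -d "$domain" -w "$WEBROOT" \
  && "$ACME" --install-cert -d "$domain" \
       --key-file       "$dir/key.pem" \
       --fullchain-file "$dir/cert.pem" \
       --reloadcmd      "$RELOAD_CMD" \
  && { [ -s "$dir/dhparam.pem" ] || openssl dhparam -out "$dir/dhparam.pem" 2048; }
}

# Print an nginx server block for $1 in the post's layout, TLS 1.2/1.3 only
# (TLS 1.0/1.1 are deprecated; TLSv1.3 needs nginx 1.13+ built with OpenSSL 1.1.1+).
render_server_block() {
  domain="$1"; dir="$CERT_BASE/$domain"
  cat <<EOF
server {
    listen       80;
    listen       443 ssl;
    server_name  $domain;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_certificate         $dir/cert.pem;
    ssl_certificate_key     $dir/key.pem;
    ssl_dhparam             $dir/dhparam.pem;

    root         $WEBROOT;
    index index.html index.htm;
    location / {
    }
}
EOF
}

# Usage: sh provision.sh lab.derror.com > /path/to/nginx/conf.d/lab.conf   (conf path is yours)
# acme.sh output goes to stderr so only the server block lands in the redirected file.
if [ "$#" -ge 1 ]; then provision_domain "$1" >&2 && render_server_block "$1"; fi
```

Because acme.sh records the --install-cert paths and the reloadcmd, later renewals reuse them; re-running provision_domain for an existing domain is therefore safe and only refreshes the installed files.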