linux-免费ssl证书
linux-免费ssl证书
前篇
- 33种免费获取SSL证书的方式 - https://zhuanlan.zhihu.com/p/174755007
HTTPS 证书文件格式转换
- HTTPS证书文件格式转换 - https://ohttps.com/docs/certformat
Let’s Encrypt颁发的HTTPS证书一般包括以下几个文件:
- cert.key(PEM格式):私钥文件
- cert.cer(PEM格式):证书文件
- fullchain.cer(PEM格式):包含证书和中间证书
自动更新脚本
- 官方: https://github.com/acmesh-official/acme.sh
- 一个脚本就把系统升级到 https了,还永久免费 - https://segmentfault.com/a/1190000038367115
以使用 阿里云 域名为例
下载自动更新脚本:
curl https://get.acme.sh | sh -s email=my@example.com1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24$ curl https://get.acme.sh | sh -s email=my@example.com
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 937 0 937 0 0 1741 0 --:--:-- --:--:-- --:--:-- 1738
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 212k 100 212k 0 0 231k 0 --:--:-- --:--:-- --:--:-- 231k
[Wed Sep 14 02:32:00 UTC 2022] Installing from online archive.
[Wed Sep 14 02:32:00 UTC 2022] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Wed Sep 14 02:32:02 UTC 2022] Extracting master.tar.gz
[Wed Sep 14 02:32:02 UTC 2022] It is recommended to install socat first.
[Wed Sep 14 02:32:02 UTC 2022] We use socat for standalone server if you use standalone mode.
[Wed Sep 14 02:32:02 UTC 2022] If you don't use standalone mode, just ignore this warning.
[Wed Sep 14 02:32:02 UTC 2022] Installing to /root/.acme.sh
[Wed Sep 14 02:32:02 UTC 2022] Installed to /root/.acme.sh/acme.sh
[Wed Sep 14 02:32:02 UTC 2022] Installing alias to '/root/.bashrc'
[Wed Sep 14 02:32:02 UTC 2022] OK, Close and reopen your terminal to start using acme.sh
[Wed Sep 14 02:32:02 UTC 2022] Installing cron job
no crontab for root
no crontab for root
[Wed Sep 14 02:32:02 UTC 2022] Good, bash is found, so change the shebang to use bash as preferred.
[Wed Sep 14 02:32:03 UTC 2022] OK
[Wed Sep 14 02:32:03 UTC 2022] Install success!- 这里为啥要指定一个邮箱呢?
- 因为默认使用的 ZeroSSL, 就需要指定邮箱. 参考: https://www.xuchao.org/technology/acme-sh_is_using_zerossl_as_default_ca.html
- 这里为啥要指定一个邮箱呢?
创建一个脚本执行:
vim a_start.sh1
2
3
4
5
6
7export Ali_Key="LTAIabz495kBdxpB"
export Ali_Secret="sK60WVA5cR8k1kf1YJHGHa4iMitWeG"
./acme.sh --issue --force --dns dns_ali -d *.wilker.cn \
--key-file /opt/nginx-cert/any.wilker.cn/any.wilker.cn.key \
--fullchain-file /opt/nginx-cert/any.wilker.cn/any.wilker.cn.cer \
--reloadcmd "service nginx force-reload"- Ali_Key 和 Ali_Secret 是阿里云的秘钥
--dns dns_ali指的是使用 dnsapi/dns_ali.sh 脚本-d *.aaa.com是泛域名, 也多个可以 -d 单域名- key-file 和 –fullchain-file 就是新生成证书的存放地址
- –reloadcmd 指的是要执行的命令, 注意如果在定时器执行这个脚本, 需要将 nginx 可执行文件的路径添加到环境变量 !!!
执行
a_start.sh1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18$ ./a_start.sh
[Wed Sep 14 06:20:17 UTC 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Wed Sep 14 06:20:17 UTC 2022] Creating domain key
...
[Wed Sep 14 06:21:31 UTC 2022] Success
...
[Wed Sep 14 06:22:22 UTC 2022] Cert success.
-----BEGIN CERTIFICATE-----
MIIGZjCCBE6gAwIBAgIRAPhQkXL9/u0f49Oj25dsgTUwDQYJKoZIhvcNAQEMBQAw
SzELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9T
....
ei94GjqO39Wo5w==
-----END CERTIFICATE-----
[Wed Sep 14 06:22:22 UTC 2022] Your cert is in: /root/.acme.sh/*.aaa.com/*.aaa.com.cer
[Wed Sep 14 06:22:22 UTC 2022] Your cert key is in: /root/.acme.sh/*.aaa.com/*.aaa.com.key
[Wed Sep 14 06:22:22 UTC 2022] The intermediate CA cert is in: /root/.acme.sh/*.aaa.com/ca.cer
[Wed Sep 14 06:22:22 UTC 2022] And the full chain certs is there: /root/.acme.sh/*.aaa.com/fullchain.cer生成之后, nginx 要重启加载新证书才生效
```json
$ service nginx force-reload
生成到指定路径
生成前, 路径所在的目录必须先存在, 生成后可以执行命令重启 nginx
```json
./acme.sh –issue –force –dns dns_ali -d *.aaa.cn
–key-file /opt/nginx-cert/any.aaa.cn/any.aaa.cn.key
–fullchain-file /opt/nginx-cert/any.aaa.cn/any.aaa.cn.cer
–reloadcmd “service nginx force-reload”
重新生成无效问题
- 可能是因为已经存在了文件夹
*.aaa.cn, 删掉重新生成即可
ohttps
使用这两个文件
配置 nginx
```json
cdn 服务
server
{listen 443 ssl; server_name aaa.bbb.cn; root /webapps/cdn; # 存放文件的目录 location / { autoindex on; # 索引 autoindex_exact_size on; # 显示文件大小 autoindex_localtime on; # 显示文件时间 limit_rate 0; } # ssl ssl_certificate /opt/nginx-cert/aaa.bbb.cn/fullchain.cer; ssl_certificate_key /opt/nginx-cert/aaa.bbb.cn/cert.key; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; access_log /var/log/nginx/aaa.bbb.cn.log;}