Creating a Let's Encrypt certificate with acme-tiny

Download acme-tiny

Download the acme_tiny.py script from https://github.com/diafygi/acme-tiny

The script needs python and openssl; install them first if they are missing.

Using the domain sdk4.com as the example, the working directory is /etc/nginx/sites-enabled/ssl/sdk4

Create a Let's Encrypt account private key so that Let's Encrypt can identify you

cd /etc/nginx/sites-enabled/ssl/sdk4
openssl genrsa 4096 > account.key

Create the domain certificate signing request (CSR)

openssl genrsa 4096 > domain.key

# for a single domain
openssl req -new -sha256 -key domain.key -subj "/CN=sdk4.com" > domain.csr

# for multiple domains (use this one if you want both www.sdk4.com and sdk4.com)
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:sdk4.com,DNS:www.sdk4.com")) > domain.csr

Configure the service that proves ownership of the domain

  • Create the challenge directory

    mkdir -p /var/www/challenges
  • Configure an HTTP server so that Let's Encrypt can fetch the challenge files

    server {
        listen 80;
        server_name sdk4.com www.sdk4.com;

        location /.well-known/acme-challenge {
            alias /var/www/challenges;
        }

        ......
    }
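The nginx `alias` above only publishes whatever acme-tiny writes into /var/www/challenges; what the CA actually checks is the content of that file. The following Python is an added example (not acme-tiny's code and not part of the original post) that reproduces both sides of an HTTP-01 challenge offline: it derives the account key's JWK thumbprint (RFC 7638) from the RSA public values n and e, builds the key authorization `token.thumbprint` that acme-tiny writes into the challenge file, and then performs the comparison the validator makes after fetching `/.well-known/acme-challenge/<token>`. `DEMO_N`, `DEMO_E` and `DEMO_TOKEN` are constructed values, not a real key or a real token, and the HTTP fetch is replaced by a local file read.

```python
"""HTTP-01 key authorization as acme-tiny and the CA compute it (RFC 8555 section 8.3,
RFC 7638 thumbprint). Added example; not code from acme-tiny or the original post."""
import base64
import hashlib
import json
import os
import re
import tempfile


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def int_to_bytes(value: int) -> bytes:
    """Minimal big-endian encoding, as JWK requires for 'n' and 'e' (no leading zero bytes)."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def rsa_jwk(n: int, e: int) -> dict:
    """Public JWK of an RSA account key; acme-tiny reads n and e out of account.key with openssl."""
    return {"e": b64url(int_to_bytes(e)), "kty": "RSA", "n": b64url(int_to_bytes(n))}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the JSON of only the required members, keys sorted, no whitespace."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":")).encode("ascii")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """The exact body acme-tiny writes into the challenge file."""
    return token + "." + thumbprint


TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def write_challenge(challenge_dir: str, token: str, keyauth: str) -> str:
    """Publish the challenge file under the directory nginx aliases to /.well-known/acme-challenge/.
    The token is the only server-supplied value that becomes a path component, so it is checked
    against the base64url alphabet first; a malformed token can never escape challenge_dir."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("challenge token is not base64url")
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as f:
        f.write(keyauth)
    return path


def validator_check(challenge_dir: str, token: str, thumbprint: str) -> bool:
    """What the CA does after GET http://<domain>/.well-known/acme-challenge/<token>: the body,
    trailing whitespace ignored, must equal token.thumbprint for the account that asked for the
    challenge. A local file read stands in for the HTTP request here."""
    try:
        with open(os.path.join(challenge_dir, token)) as f:
            body = f.read()
    except FileNotFoundError:
        return False
    return body.strip() == key_authorization(token, thumbprint)


# Constructed demo values: a short modulus that is NOT a real key, and a token shaped like
# the ones an ACME server issues.
DEMO_N = 0xC2A1_7B3F_9E0D_4455_A1B2_C3D4_E5F6_0719_8B1D_3E5F_7A9C_2D4E_6F80_1B3D_5F71_9A2B
DEMO_E = 65537
DEMO_TOKEN = "constructed-token_Abc123xyz"


def demo() -> dict:
    """Run the whole HTTP-01 round trip inside a temporary challenge directory."""
    thumb = jwk_thumbprint(rsa_jwk(DEMO_N, DEMO_E))
    with tempfile.TemporaryDirectory() as challenge_dir:
        write_challenge(challenge_dir, DEMO_TOKEN, key_authorization(DEMO_TOKEN, thumb))
        ok = validator_check(challenge_dir, DEMO_TOKEN, thumb)
        # A different account key has a different thumbprint and must not validate:
        other = validator_check(challenge_dir, DEMO_TOKEN, jwk_thumbprint(rsa_jwk(DEMO_N + 2, DEMO_E)))
    return {"thumbprint": thumb, "valid": ok, "wrong_account_valid": other}


if __name__ == "__main__":
    print(demo())
```

Two details carry over to the nginx side. The token is the only untrusted input that becomes a file name, hence the alphabet check before `os.path.join`. And because the validator compares the entire body, anything the web server adds to the response (an HTML error wrapper, a directory index, a redirect to HTTPS) breaks validation, which is why the `location /.well-known/acme-challenge` block has to serve the raw file over plain port 80.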

Obtain the signed certificate

python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /var/www/challenges/ > signed.crt || exit

Combine the signed crt with the intermediate certificate into a chained pem file

wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem

Renewing the certificate

The certificate is only valid for 3 months, so we create a script to renew it: renew_cert.sh

#!/bin/bash

# run from the working directory that holds account.key, domain.csr and acme_tiny.py
cd /etc/nginx/sites-enabled/ssl/sdk4 || exit 1
python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /var/www/challenges/ > signed.crt || exit
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
# nginx only reads the certificate files at startup or reload, so reload it to serve the new one
service nginx reload

Add it to crontab

0 0 1 * * /etc/nginx/sites-enabled/ssl/sdk4/renew_cert.sh 2>> /var/log/acme_tiny.log
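The cron entry above re-issues the certificate on the first of every month regardless of how much validity is left, `> signed.crt` truncates the old certificate before acme-tiny has succeeded, and `cat signed.crt intermediate.pem` will chain a truncated download without complaint. The following Python script is an added example (not part of acme-tiny or of the original post) that wraps the same steps more carefully: it renews only when `openssl x509 -enddate` reports fewer than 30 days remaining, checks that each PEM input holds exactly one well-formed certificate block before chaining, writes the new files under temporary names and swaps them in, then reloads nginx. The working directory, file names and intermediate URL are taken from the post; the 30-day window and the `.new` file names are my assumptions; `SAMPLE_LEAF` and `SAMPLE_INTERMEDIATE` are constructed placeholders (valid base64, not real certificates) so the chain logic can be exercised offline.

```python
"""Renew with acme-tiny only when the certificate is close to expiry, and assemble
chained.pem from validated PEM blocks. Added example; not code from acme-tiny or the post."""
import base64
import os
import re
import subprocess
import urllib.request
from datetime import datetime, timedelta, timezone

# Layout taken from the post; adjust if your files live elsewhere.
WORKDIR = "/etc/nginx/sites-enabled/ssl/sdk4"
CHALLENGE_DIR = "/var/www/challenges/"
INTERMEDIATE_URL = "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"
RENEW_WITHIN = timedelta(days=30)  # assumption: certificates last 90 days, renew in the last 30

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def parse_not_after(enddate_line: str) -> datetime:
    """Parse 'notAfter=Jun  5 09:31:00 2024 GMT' (openssl x509 -noout -enddate) as an aware UTC time."""
    _, _, value = enddate_line.strip().partition("=")
    parts = value.split()
    if parts and parts[-1] in ("GMT", "UTC"):
        parts = parts[:-1]
    naive = datetime.strptime(" ".join(parts), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def needs_renewal(not_after: datetime, now: datetime, within: timedelta = RENEW_WITHIN) -> bool:
    """True when the certificate expires inside the renewal window (or already has)."""
    return not_after - now <= within


def pem_certificate_bodies(text: str) -> list:
    """Base64 bodies of every CERTIFICATE block; a corrupt or truncated block raises binascii.Error."""
    bodies = []
    for raw in PEM_RE.findall(text):
        body = "".join(raw.split())
        base64.b64decode(body, validate=True)
        bodies.append(body)
    return bodies


def to_pem(body: str) -> str:
    """Re-wrap a base64 body into a canonical 64-column PEM block."""
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def build_chain(leaf_pem: str, intermediate_pem: str) -> str:
    """chained.pem = the leaf first, then the intermediate; exactly one certificate from each file."""
    leaf = pem_certificate_bodies(leaf_pem)
    inter = pem_certificate_bodies(intermediate_pem)
    if len(leaf) != 1:
        raise ValueError("signed.crt must hold exactly one certificate, found %d" % len(leaf))
    if len(inter) != 1:
        raise ValueError("intermediate.pem must hold exactly one certificate, found %d" % len(inter))
    return to_pem(leaf[0]) + to_pem(inter[0])


def _constructed_block(label: bytes) -> str:
    """Constructed placeholder for the offline demo: valid base64 but NOT an X.509 certificate."""
    return to_pem(base64.b64encode(label).decode("ascii"))


SAMPLE_LEAF = _constructed_block(b"constructed leaf placeholder, not a real certificate")
SAMPLE_INTERMEDIATE = _constructed_block(b"constructed intermediate placeholder, not a real certificate")


def renew_if_needed(workdir: str = WORKDIR) -> bool:
    """Cron-safe run; returns True if a new certificate was installed."""
    probe = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", "signed.crt"],
                           cwd=workdir, capture_output=True, text=True)
    if probe.returncode == 0 and not needs_renewal(parse_not_after(probe.stdout), datetime.now(timezone.utc)):
        return False
    # Write to a temporary name so a failed acme-tiny run cannot leave an empty signed.crt behind.
    with open(os.path.join(workdir, "signed.crt.new"), "w") as out:
        subprocess.run(["python", "acme_tiny.py", "--account-key", "account.key", "--csr", "domain.csr",
                        "--acme-dir", CHALLENGE_DIR], cwd=workdir, stdout=out, check=True)
    with open(os.path.join(workdir, "signed.crt.new")) as f:
        leaf = f.read()
    with urllib.request.urlopen(INTERMEDIATE_URL) as resp:
        intermediate = resp.read().decode("ascii")
    chain = build_chain(leaf, intermediate)  # rejects a truncated or mangled download
    with open(os.path.join(workdir, "chained.pem.new"), "w") as f:
        f.write(chain)
    os.replace(os.path.join(workdir, "signed.crt.new"), os.path.join(workdir, "signed.crt"))
    os.replace(os.path.join(workdir, "chained.pem.new"), os.path.join(workdir, "chained.pem"))
    subprocess.run(["nginx", "-s", "reload"], check=True)  # nginx reads the files only on reload
    return True


if __name__ == "__main__":
    print("renewed" if renew_if_needed() else "certificate still valid, nothing done")
```

Because the script exits early when the certificate is not yet in the renewal window, it can be scheduled daily instead of monthly, which gives acme-tiny several chances to retry after a transient failure before the old certificate actually expires.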

Configure nginx

server {
    listen 443;

    server_name sdk4.com www.sdk4.com;

    include /etc/nginx/sites-enabled/ssl/sdk4/www.ssl;

    location / { try_files $uri @proxy_to_app; }
    location @proxy_to_app {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_pass http://127.0.0.1:8080;
    }
}
  • Contents of the /etc/nginx/sites-enabled/ssl/sdk4/www.ssl file

    ssl on;
    # chained.pem and domain.key are the files produced in the working directory above
    ssl_certificate /etc/nginx/sites-enabled/ssl/sdk4/chained.pem;
    ssl_certificate_key /etc/nginx/sites-enabled/ssl/sdk4/domain.key;
    ssl_prefer_server_ciphers on;
    # dh4096.pem is not produced by the steps above; generate it once with:
    #   openssl dhparam -out /etc/nginx/sites-enabled/dh4096.pem 4096
    ssl_dhparam /etc/nginx/sites-enabled/dh4096.pem;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep only TLSv1.2 unless legacy clients require them
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;