Google and Firefox recently blocked (stopped trusting) most of the domestic Chinese CAs, so sites using certificates issued by those CAs are shown as insecure in Chrome, while certificates from foreign CAs are fairly expensive. Let's Encrypt is a free, open certificate authority started by people from Mozilla, Cisco, Akamai, IdenTrust, the EFF and other organisations, so it carries real authority. The example below is the deployment and installation process on an nginx instance.
1. Install the client script
curl https://get.acme.sh | sh
When the installation finishes it automatically adds a cron job that renews the certificate. A Let's Encrypt certificate is valid for only 90 days, so automatic renewal is required:
44 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
Configure port 80 for the domain so that Let's Encrypt can verify that the server the domain resolves to is under your control:
server {
    listen 80;
    server_name app.lhz.cc;
    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/challenges/.well-known/acme-challenge/;
    }
    location / {
        rewrite ^(.*)$ https://app.lhz.cc permanent;
    }
    access_log /var/log/nginx/emmaapp80.log main;
}
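Before running the issue command it is worth confirming that the challenge directory exists and that the `location ^~ /.well-known/acme-challenge/` block really serves files from it, because a mismatch between the `alias` directory and the webroot passed to `acme.sh -w` is the usual reason validation fails, and the catch-all `rewrite` to HTTPS will answer the request if the `^~` location does not match. The following self-test is an added example, not part of the original post or of acme.sh: it drops a throw-away token into the webroot, fetches it over plain HTTP the way the Let's Encrypt validation server does, and compares the bodies. The function name and its two arguments are this example's own; the values in the guarded usage call at the bottom are the post's paths.

```shell
#!/bin/sh
# Added example: self-test for the HTTP-01 challenge path served by nginx.
# Usage: acme_challenge_selftest WEBROOT BASE_URL
#   WEBROOT  the directory passed to `acme.sh --issue -w ...`
#   BASE_URL scheme and host the CA connects to, e.g. http://app.lhz.cc
# Returns 0 when the token written under WEBROOT is served back unchanged at
# BASE_URL/.well-known/acme-challenge/<token>, non-zero otherwise.
acme_challenge_selftest() {
    webroot=$1
    base_url=$2
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1

    # A throw-away token name and body; acme.sh writes real tokens the same way.
    token="selftest-$$-$(date +%s)"
    printf '%s' "$token" > "$dir/$token" || return 1

    # -f turns HTTP errors (404 from a wrong alias) into a non-zero exit;
    # -L is deliberately absent, so a redirect from the catch-all rewrite
    # shows up as a body that differs from the token. --max-time keeps an
    # unreachable host from hanging the check.
    got=$(curl -fsS --max-time 10 "$base_url/.well-known/acme-challenge/$token" 2>/dev/null)
    status=$?
    rm -f "$dir/$token"

    if [ "$status" -ne 0 ]; then
        echo "FAIL: challenge URL not reachable (curl exit $status); check listen 80, server_name and the alias directory" >&2
        return 1
    fi
    if [ "$got" != "$token" ]; then
        echo "FAIL: served body differs from the token; another location or a rewrite is answering the request" >&2
        return 1
    fi
    echo "OK: $base_url/.well-known/acme-challenge/ serves files from $dir"
    return 0
}

# Values from the post; runs only when this file is executed under that name,
# not when it is sourced into another script.
if [ "${0##*/}" = "acme-selftest.sh" ]; then
    acme_challenge_selftest /var/www/challenges http://app.lhz.cc
fi
```

Run it from a machine outside the server (or at least not from localhost) so that DNS and any firewall in front of port 80 are exercised as well; a pass here means the `--issue` step will only fail for reasons on the CA side.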
2. Issue the certificate (this generates the domain key and the certificate)
/root/.acme.sh/acme.sh --issue -d app.lhz.cc -w /var/www/challenges/
[Fri Aug 4 15:58:13 CST 2017] Registering account
[Fri Aug 4 15:58:15 CST 2017] Registered
[Fri Aug 4 15:58:16 CST 2017] Update account tos info success.
[Fri Aug 4 15:58:16 CST 2017] ACCOUNT_THUMBPRINT='Kzgy....sG9.......KxZOhj_PWj0U'
[Fri Aug 4 15:58:16 CST 2017] Creating domain key
[Fri Aug 4 15:58:16 CST 2017] The domain key is here: /root/.acme.sh/app.lhz.cc/app.lhz.cc.key
[Fri Aug 4 15:58:16 CST 2017] Single domain='app.lhz.cc'
[Fri Aug 4 15:58:16 CST 2017] Getting domain auth token for each domain
[Fri Aug 4 15:58:16 CST 2017] Getting webroot for domain='app.lhz.cc'
[Fri Aug 4 15:58:16 CST 2017] Getting new-authz for domain='app.lhz.cc'
[Fri Aug 4 15:58:18 CST 2017] The new-authz request is ok.
[Fri Aug 4 15:58:18 CST 2017] Verifying:app.lhz.cc
[Fri Aug 4 15:58:23 CST 2017] Success
[Fri Aug 4 15:58:23 CST 2017] Verify finished, start to sign.
[Fri Aug 4 15:58:25 CST 2017] Cert success.
-----BEGIN CERTIFICATE-----
MIIE9zCCA9+gAwIBAgISBKXWtHLEJcIiJT9O9+FllCgFMA0GCSqGSIb3DQEBCwUA
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA4MDQwNjU4MDBaFw0x
NzExMDIwNjU4MDBaMBUxEzARBgNVBAMTCmFwcC5yaWQuY2MwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDwMUoaFCycC9kzad96XAeh/5aUhx5a4U3m5DFl
...... (remainder of the certificate omitted here) ......
Y8XoJMDKrmNK427ZkUjhe7yZcSxQai7pQEII
-----END CERTIFICATE-----
[Fri Aug 4 15:58:25 CST 2017] Your cert is in /root/.acme.sh/app.lhz.cc/app.lhz.cc.cer
[Fri Aug 4 15:58:25 CST 2017] Your cert key is in /root/.acme.sh/app.lhz.cc/app.lhz.cc.key
[Fri Aug 4 15:58:25 CST 2017] The intermediate CA cert is in /root/.acme.sh/app.lhz.cc/ca.cer
[Fri Aug 4 15:58:25 CST 2017] And the full chain certs is there: /root/.acme.sh/app.lhz.cc/fullchain.cer
3. Install the certificate into the location that the nginx configuration uses. Once the command completes, acme.sh records the paths and the reload command below, so that automatic renewals install the new certificate to the same places:
acme.sh --installcert -d app.lhz.cc \
    --keypath /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key \
    --fullchainpath /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt \
    --reloadcmd "/usr/local/nginx-1.8/sbin/nginx -s reload"
[Fri Aug 4 16:31:40 CST 2017] Installing key to:/usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key
[Fri Aug 4 16:31:40 CST 2017] Installing full chain to:/usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt
[Fri Aug 4 16:31:40 CST 2017] Run reload cmd: /usr/local/nginx-1.8/sbin/nginx -s reload
[Fri Aug 4 16:31:40 CST 2017] Reload success
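Once the files are installed, two things are worth checking before each reload, and periodically afterwards: that the certificate and key at the configured paths belong together (a mistyped `ssl_certificate_key` path is enough to make nginx refuse to start or serve the wrong site's key), and how far the installed certificate is from expiry, because the cron job renews silently and a renewal that keeps failing is only noticed when the 90 days run out. The script below is an added example, not part of the original post or of acme.sh; it wraps the `openssl` command-line tool and takes the file paths as arguments. `cert_key_match` compares the public key embedded in the certificate with the one derived from the private key, `chain_verifies` checks that the leaf was signed by the intermediate `ca.cer` that acme.sh saved, and `cert_expires_within` uses `openssl x509 -checkend`. All function names are this example's own; the paths in the guarded usage call are the post's.

```shell
#!/bin/sh
# Added example: post-install sanity checks for an acme.sh-issued certificate.

# cert_key_match CERT KEY -> 0 when KEY is the private key for CERT.
# Compares the SubjectPublicKeyInfo from both sides, so it works for RSA and EC.
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_verifies CERT CA_BUNDLE -> 0 when CERT chains to a certificate in
# CA_BUNDLE (the intermediate acme.sh wrote to ca.cer).
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_expires_within CERT DAYS -> 0 when CERT has expired or will expire within
# DAYS days. openssl's -checkend exits 1 in exactly that case, so invert it.
cert_expires_within() {
    if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1; then
        return 1   # still valid after DAYS
    else
        return 0   # expired or expiring
    fi
}

# cert_not_after CERT -> prints the notAfter date for the report.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# check_installed_cert CERT KEY CA [DAYS] -> runs all checks, prints a report
# and returns non-zero on any problem (usable from cron or before a reload).
check_installed_cert() {
    cert=$1; key=$2; ca=$3; warn_days=${4:-30}
    rc=0
    if cert_key_match "$cert" "$key"; then
        echo "ok   : private key matches $cert"
    else
        echo "FAIL : $key does not belong to $cert" >&2; rc=1
    fi
    if chain_verifies "$cert" "$ca"; then
        echo "ok   : chain verifies via $ca"
    else
        echo "FAIL : $cert does not verify against $ca (wrong or stale intermediate?)" >&2; rc=1
    fi
    if cert_expires_within "$cert" "$warn_days"; then
        echo "WARN : $cert expires within $warn_days days (notAfter $(cert_not_after "$cert")); renewal may be failing" >&2; rc=1
    else
        echo "ok   : valid beyond $warn_days days (notAfter $(cert_not_after "$cert"))"
    fi
    return $rc
}

# Paths from the post; runs only when this file is executed under that name.
if [ "${0##*/}" = "check-cert.sh" ]; then
    check_installed_cert /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt \
                         /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key \
                         /root/.acme.sh/app.lhz.cc/ca.cer 30
fi
```

A warning threshold of 30 days leaves room to notice a problem before expiry, since acme.sh renews at 60 days by default: if the check still warns a few days after the renewal should have happened, the cron job or the port-80 validation path is broken.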
4. Generate DH parameters (written straight into the ssl directory that the nginx configuration below references)
openssl dhparam -out /usr/local/nginx-1.8/conf/ssl/dhparam.pem 2048
5. Certificate configuration in nginx
server {
    listen 443;
    server_name app.lhz.cc;
    ssl on;
    # the certificate and key installed by acme.sh in step 3
    ssl_certificate /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt;
    ssl_certificate_key /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key;
    ssl_dhparam /usr/local/nginx-1.8/conf/ssl/dhparam.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;
    error_page 497 "https://$host$uri?$args";
    location / {
        proxy_pass http://app80_server_pool;
        proxy_set_header Host app.lhz.cc;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
    access_log /var/log/nginx/app.log main;
}
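The server block above reflects 2017 defaults, and a few of its settings are what a reviewer would flag today: `ssl_protocols` still enables TLSv1 and TLSv1.1, which were deprecated by RFC 8996 and are refused by current browsers; `ssl on;` is deprecated in favour of `listen 443 ssl;`; and no `Strict-Transport-Security` header is sent, so every first visit still begins over plain HTTP before the port-80 redirect. The audit below is an added example, not part of the original post or of nginx. It extracts the TLS directives from a configuration file with `sed` and reports the weak or deprecated ones; it never connects to the server. The function names are this example's own, and the usage path is the post's nginx layout.

```shell
#!/bin/sh
# Added example: audit the TLS directives of an nginx server block for the
# settings a reviewer would flag. It only reads the file.

# tls_directive FILE NAME -> prints the value of every NAME directive (';' stripped),
# ignoring comments. Matches whole directive names only, so 'ssl' does not
# match 'ssl_certificate'.
tls_directive() {
    sed -n -e 's/#.*$//' \
           -e "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p" "$1"
}

# audit_tls_config FILE -> prints one finding per line; returns 0 when clean,
# 1 when anything was flagged.
audit_tls_config() {
    cfg=$1
    n=0
    flag() { echo "$1"; n=$((n + 1)); }

    protos=$(tls_directive "$cfg" ssl_protocols)
    if [ -n "$protos" ]; then
        for weak in SSLv2 SSLv3 TLSv1 TLSv1.1; do
            case " $protos " in
                *" $weak "*) flag "WEAK : ssl_protocols enables $weak (deprecated, refused by current browsers)" ;;
            esac
        done
        case " $protos " in
            *" TLSv1.2 "*|*" TLSv1.3 "*) ;;
            *) flag "WEAK : ssl_protocols allows neither TLSv1.2 nor TLSv1.3" ;;
        esac
    fi

    # Cipher aliases that are enabled rather than excluded (no leading '!').
    for c in $(tls_directive "$cfg" ssl_ciphers | tr ':' ' '); do
        case $c in
            '!'*) ;;
            *RC4*|*MD5*|*NULL*|*DES*|*EXPORT*|*aNULL*|*ADH*) flag "WEAK : ssl_ciphers enables $c" ;;
        esac
    done

    [ "$(tls_directive "$cfg" ssl_prefer_server_ciphers)" = "on" ] \
        || flag "NOTE : ssl_prefer_server_ciphers is not 'on'"
    [ -n "$(tls_directive "$cfg" ssl_dhparam)" ] \
        || flag "WEAK : no ssl_dhparam; DHE suites fall back to nginx's built-in group"
    [ -z "$(tls_directive "$cfg" ssl)" ] \
        || flag "NOTE : 'ssl on;' is deprecated; use 'listen 443 ssl;' instead"
    case "$(tls_directive "$cfg" add_header)" in
        *Strict-Transport-Security*) ;;
        *) flag "NOTE : no Strict-Transport-Security header; first visits still start over plain HTTP" ;;
    esac

    [ "$n" -eq 0 ]
}

# Usage (the post's nginx layout; point it at the file holding the server block):
#   audit_tls_config /usr/local/nginx-1.8/conf/nginx.conf
```

Run against the block above the audit reports the two legacy protocol versions, the `ssl on;` directive and the missing HSTS header; a block with `listen 443 ssl;`, `ssl_protocols TLSv1.2 TLSv1.3;` and an `add_header Strict-Transport-Security` line comes back clean.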