
Configuring HTTPS for nginx with acme.sh

Use acme.sh to install a free SSL certificate from Let's Encrypt in one step
and configure nginx to serve HTTPS with it.

This article uses the domain derror.com as the example.

Install nginx

Configure and start nginx as usual and make sure the site is reachable over plain HTTP:
Set up the document root, for example /home/work/local/www/

Install acme.sh

$ curl https://get.acme.sh | sh

Issue the certificate

$ acme.sh --issue -d derror.com -w /home/work/local/www

On success you should see messages like these:

[Mon Oct 29 08:12:04 EDT 2018] Your cert is in  /root/.acme.sh/derror.com/mrnil.com.cer
[Mon Oct 29 08:12:04 EDT 2018] Your cert key is in /root/.acme.sh/derror.com/mrnil.com.key
[Mon Oct 29 08:12:05 EDT 2018] The intermediate CA cert is in /root/.acme.sh/derror.com/ca.cer
[Mon Oct 29 08:12:05 EDT 2018] And the full chain certs is there: /root/.acme.sh/derror.com/fullchain.cer

Configure automatic certificate renewal

$ acme.sh --install-cert -d derror.com \
    --key-file /home/work/local/cert/derror.com/key.pem \
    --fullchain-file /home/work/local/cert/derror.com/cert.pem \
    --reloadcmd "systemctl restart nginx"

--reloadcmd "systemctl restart nginx" makes acme.sh restart nginx automatically after each renewal so that the new certificate takes effect.

Generate dhparam.pem

$ openssl dhparam -out /home/work/local/cert/derror.com/dhparam.pem 2048

Configure SSL in nginx

www.conf

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # the ssl parameter on the listen directive is what enables TLS on port 443;
    # the legacy "ssl on;" directive is deliberately not used, because it would
    # force TLS on the port 80 listeners above as well and break plain HTTP
    listen 443 ssl;
    server_name _;

    # TLSv1 and TLSv1.1 are deprecated; keep only TLSv1.2 (and TLSv1.3 where the
    # nginx/OpenSSL build supports it) unless legacy clients require the older versions
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # cert.pem is the full chain and key.pem the private key installed by acme.sh --install-cert
    ssl_certificate /home/work/local/cert/derror.com/cert.pem;
    ssl_certificate_key /home/work/local/cert/derror.com/key.pem;
    # DH parameters generated with openssl dhparam above
    ssl_dhparam /home/work/local/cert/derror.com/dhparam.pem;

    root /home/work/local/www;
    index index.html index.htm;
    location / {
    }
}

Then restart nginx:

$ systemctl restart nginx

Verify SSL

https://derror.com

https://ssllabs.com/ssltest/analyze.html?d=derror.com
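Before trusting --reloadcmd to put renewed files live, and as a local complement to the browser and SSL Labs checks above, it is worth verifying the installed pair with openssl. The script below is an added example, not part of the original post or of acme.sh; it assumes openssl is on PATH and the /home/work/local/cert/<domain>/ layout used in this post, and safe_reload only works on the nginx host itself.

```sh
#!/bin/sh
# Added example (not from the post or acme.sh): sanity-check a cert/key pair that
# acme.sh --install-cert wrote, before nginx is (re)loaded with it.
# Assumes openssl is on PATH; file layout follows the post's
# /home/work/local/cert/<domain>/{cert,key}.pem convention.

# Return 0 if CERT and KEY belong together, CERT names DOMAIN (subject CN or a
# DNS SAN entry) and CERT stays valid for at least MIN_DAYS (default 30) more
# days; otherwise print the reason and return 1.
check_cert_install() {
    cert="$1"; key="$2"; domain="$3"; min_days="${4:-30}"
    # 1. the public key embedded in the certificate must equal the one derived from the key
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || { echo "unreadable cert: $cert"; return 1; }
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || { echo "unreadable key: $key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "cert and key do not match"; return 1; }
    # 2. the domain must appear as the subject CN or as a DNS SAN (dots escaped for grep -E)
    pat=$(printf '%s' "$domain" | sed 's/\./\\./g')
    openssl x509 -noout -text -in "$cert" | grep -Eq "(CN ?= ?|DNS:)${pat}(\$|[^A-Za-z0-9.-])" \
        || { echo "cert is not issued for $domain"; return 1; }
    # 3. refuse a certificate that expires within MIN_DAYS: renewal should have replaced it by then
    openssl x509 -noout -checkend $((min_days * 86400)) -in "$cert" >/dev/null \
        || { echo "cert expires within $min_days days"; return 1; }
    return 0
}

# A gentler --reloadcmd than a bare restart: validate the config first, then
# reload without dropping open connections. Only meaningful on the nginx host.
safe_reload() {
    nginx -t && systemctl reload nginx
}

# Constructed sample input for offline runs: a throwaway self-signed pair for DOMAIN in DIR.
make_sample_pair() {
    dir="$1"; domain="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$domain" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Usage: sh check_cert.sh /home/work/local/cert/derror.com/cert.pem /home/work/local/cert/derror.com/key.pem derror.com
if [ $# -eq 3 ]; then
    check_cert_install "$1" "$2" "$3"
fi
```

Passing --reloadcmd "nginx -t && systemctl reload nginx" to acme.sh --install-cert gives the same effect as safe_reload on renewal.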

Add a subdomain

With the steps above the setup is essentially complete. Now let's try adding a subdomain, lab.derror.com.

$ acme.sh --issue -d lab.derror.com -w /home/work/local/www
...
[Wed Nov 21 04:19:14 EST 2018] Your cert is in /root/.acme.sh/lab.derror.com/lab.derror.com.cer
[Wed Nov 21 04:19:14 EST 2018] Your cert key is in /root/.acme.sh/lab.derror.com/lab.derror.com.key
[Wed Nov 21 04:19:16 EST 2018] The intermediate CA cert is in /root/.acme.sh/lab.derror.com/ca.cer
[Wed Nov 21 04:19:16 EST 2018] And the full chain certs is there: /root/.acme.sh/lab.derror.com/fullchain.cer

$ mkdir -p /home/work/local/cert/lab.derror.com

$ acme.sh --install-cert -d lab.derror.com \
    --key-file /home/work/local/cert/lab.derror.com/key.pem \
    --fullchain-file /home/work/local/cert/lab.derror.com/cert.pem \
    --reloadcmd "systemctl restart nginx"

[Wed Nov 21 04:21:57 EST 2018] Installing key to:/home/work/local/cert/lab.derror.com/key.pem
[Wed Nov 21 04:21:57 EST 2018] Installing full chain to:/home/work/local/cert/lab.derror.com/cert.pem
[Wed Nov 21 04:21:57 EST 2018] Run reload cmd: systemctl restart nginx
[Wed Nov 21 04:22:04 EST 2018] Reload success

$ openssl dhparam -out /home/work/local/cert/lab.derror.com/dhparam.pem 2048

nginx configuration: lab.conf

server {
    listen 80;
    listen 443 ssl;
    server_name lab.derror.com;

    # TLSv1 and TLSv1.1 are deprecated; keep only TLSv1.2 (and TLSv1.3 where the
    # nginx/OpenSSL build supports it) unless legacy clients require the older versions
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # cert.pem is the full chain and key.pem the private key installed by acme.sh --install-cert
    ssl_certificate /home/work/local/cert/lab.derror.com/cert.pem;
    ssl_certificate_key /home/work/local/cert/lab.derror.com/key.pem;
    # DH parameters generated with openssl dhparam above
    ssl_dhparam /home/work/local/cert/lab.derror.com/dhparam.pem;

    root /home/work/local/www;
    index index.html index.htm;
    location / {
    }
}

Restart nginx once more:

$ systemctl restart nginx