How to get a free certificate from Let's Encrypt: putting your site on HTTPS
2021-06-12 11:02
Tags: free certificate, acme.sh, nginx

Google and Firefox recently stopped trusting most of the domestic (Chinese) CAs, so certificates issued by those CAs now show up as "not secure" in Chrome, while certificates from foreign CAs are expensive. Let's Encrypt is an open, free certificate authority started by people from Mozilla, Cisco, Akamai, IdenTrust, the EFF and others, so it carries real weight. The example below walks through the installation on an nginx instance.

1. Install the client script

    curl https://get.acme.sh | sh

This runs a downloaded script as root; if that worries you, fetch it first, read it, then run it. Installation also adds a cron job that renews certificates automatically. Let's Encrypt certificates are valid for 90 days, so renewal has to be automatic; acme.sh renews a certificate once it is 60 days old.

    44 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

One thing that changed after this post was written: acme.sh 3.0 and later default to ZeroSSL rather than Let's Encrypt. To get a Let's Encrypt certificate, add --server letsencrypt to the --issue command below, or set it once with acme.sh --set-default-ca --server letsencrypt.

Configure port 80 for the domain so that Let's Encrypt can verify that the server behind the name is under your control. Create the webroot first (mkdir -p /var/www/challenges) so acme.sh can write the challenge files into it. The ^~ prefix on the challenge location makes it win over the catch-all location, so the HTTP-to-HTTPS redirect never swallows the validation request. The original post redirected with rewrite ^(.*)$ https://app.lhz.cc permanent;, which sends every request to the site root; return 301 with $request_uri keeps the requested path and query string.

    server {
        listen 80;
        server_name app.lhz.cc;

        # ACME HTTP-01 challenge files; these must stay reachable over plain HTTP
        location ^~ /.well-known/acme-challenge/ {
            alias /var/www/challenges/.well-known/acme-challenge/;
        }

        # everything else goes to HTTPS, keeping the original path and query string
        location / {
            return 301 https://$host$request_uri;
        }

        access_log /var/log/nginx/emmaapp80.log main;
    }

2. Issue the certificate (this also generates the domain key)

    /root/.acme.sh/acme.sh --issue -d app.lhz.cc -w /var/www/challenges/

    [Fri Aug 4 15:58:13 CST 2017] Registering account
    [Fri Aug 4 15:58:15 CST 2017] Registered
    [Fri Aug 4 15:58:16 CST 2017] Update account tos info success.
    [Fri Aug 4 15:58:16 CST 2017] ACCOUNT_THUMBPRINT='Kzgy....sG9.......KxZOhj_PWj0U'
    [Fri Aug 4 15:58:16 CST 2017] Creating domain key
    [Fri Aug 4 15:58:16 CST 2017] The domain key is here: /root/.acme.sh/app.lhz.cc/app.lhz.cc.key
    [Fri Aug 4 15:58:16 CST 2017] Single domain='app.lhz.cc'
    [Fri Aug 4 15:58:16 CST 2017] Getting domain auth token for each domain
    [Fri Aug 4 15:58:16 CST 2017] Getting webroot for domain='app.lhz.cc'
    [Fri Aug 4 15:58:16 CST 2017] Getting new-authz for domain='app.lhz.cc'
    [Fri Aug 4 15:58:18 CST 2017] The new-authz request is ok.
    [Fri Aug 4 15:58:18 CST 2017] Verifying:app.lhz.cc
    [Fri Aug 4 15:58:23 CST 2017] Success
    [Fri Aug 4 15:58:23 CST 2017] Verify finished, start to sign.
    [Fri Aug 4 15:58:25 CST 2017] Cert success.
    -----BEGIN CERTIFICATE-----
    MIIE9zCCA9+gAwIBAgISBKXWtHLEJcIiJT9O9+FllCgFMA0GCSqGSIb3DQEBCwUA
    ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA4MDQwNjU4MDBaFw0x
    NzExMDIwNjU4MDBaMBUxEzARBgNVBAMTCmFwcC5yaWQuY2MwggEiMA0GCSqGSIb3
    DQEBAQUAA4IBDwAwggEKAoIBAQDwMUoaFCycC9kzad96XAeh/5aUhx5a4U3m5DFl
    [... rest of the PEM body omitted ...]
    Y8XoJMDKrmNK427ZkUjhe7yZcSxQai7pQEII
    -----END CERTIFICATE-----
    [Fri Aug 4 15:58:25 CST 2017] Your cert is in /root/.acme.sh/app.lhz.cc/app.lhz.cc.cer
    [Fri Aug 4 15:58:25 CST 2017] Your cert key is in /root/.acme.sh/app.lhz.cc/app.lhz.cc.key
    [Fri Aug 4 15:58:25 CST 2017] The intermediate CA cert is in /root/.acme.sh/app.lhz.cc/ca.cer
    [Fri Aug 4 15:58:25 CST 2017] And the full chain certs is there: /root/.acme.sh/app.lhz.cc/fullchain.cer

3. Install the certificate to the locations the nginx config will use. Do this with acme.sh rather than copying the files by hand: the command records the paths and the reload command in the domain's configuration and reruns them after every automatic renewal. (--installcert is the older spelling; current versions document the same option as --install-cert, and both are accepted.)

    acme.sh --installcert -d app.lhz.cc \
        --keypath /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key \
        --fullchainpath /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt \
        --reloadcmd "/usr/local/nginx-1.8/sbin/nginx -s reload"

    [Fri Aug 4 16:31:40 CST 2017] Installing key to:/usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key
    [Fri Aug 4 16:31:40 CST 2017] Installing full chain to:/usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt
    [Fri Aug 4 16:31:40 CST 2017] Run reload cmd: /usr/local/nginx-1.8/sbin/nginx -s reload
    [Fri Aug 4 16:31:40 CST 2017] Reload success

Afterwards, check that the installed key is readable only by root (chmod 600 if it is not): the reload command runs from root's cron, so nothing else needs to read it.

4. Generate DH parameters. Write the file to the path the nginx config references; the original post wrote it under /root/.acme.sh/app.lhz.cc/ but pointed ssl_dhparam at the nginx ssl directory, which would make nginx -t fail.

    openssl dhparam -out /usr/local/nginx-1.8/conf/ssl/dhparam.pem 2048
5. Configure the certificate in nginx

    server {
        listen 443 ssl;               # replaces the deprecated "ssl on;" directive
        server_name app.lhz.cc;

        # files written by acme.sh --installcert in step 3 and by step 4
        ssl_certificate     /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt;
        ssl_certificate_key /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key;
        ssl_dhparam         /usr/local/nginx-1.8/conf/ssl/dhparam.pem;

        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        # TLS 1.0 and 1.1 are deprecated; add TLSv1.3 on nginx >= 1.13 built against OpenSSL >= 1.1.1
        ssl_protocols TLSv1.2;
        # forward-secret AEAD suites only; names the local OpenSSL does not know are ignored
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;

        # plain HTTP sent to the HTTPS port: redirect to the same URL over TLS instead of an error page
        error_page 497 =301 https://$host$request_uri;

        location / {
            proxy_pass http://app80_server_pool;
            proxy_set_header Host app.lhz.cc;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
        }

        access_log /var/log/nginx/app.log main;
    }

Two corrections relative to the original post. First, ssl_certificate_key now names the file installed in step 3; the original pointed at app_rid_cc.key, which does not exist, so nginx would have refused to start. Second, TLS 1.0/1.1 and the catch-all cipher groups (ECDHE:ECDH:AES:HIGH, which admit non-forward-secret RSA key exchange and CBC suites) are dropped in favour of an explicit list. Run nginx -t before reloading, then confirm from outside with openssl s_client -connect app.lhz.cc:443 -servername app.lhz.cc, which should print the Let's Encrypt chain and "Verify return code: 0 (ok)". Finally, prove that unattended renewal works before relying on it: acme.sh --renew -d app.lhz.cc --force should obtain a fresh certificate and trigger the reload command. Once everything is served over HTTPS, an HSTS header is the usual next step.

This article is from the "影子骑士" blog; please keep this attribution: http://andylhz2009.blog.51cto.com/728703/1953665
Article link: http://soscw.com/index.php/essay/93861.html