使用acme.sh获取Let's Encrypt免费RSA/ECC双SSL通配符证书,使用cron自动续期

分类:笔记 日期:2020-08-05 作者:caocaofff 浏览:1020

要求服务器的nginx和openssl版本是最新稳定版,推荐编译源码安装,别使用apt或yum自动安装

#安装acme工具
curl  https://get.acme.sh | sh
#申请证书时,需要验证域名属于你,这里直接使用文件验证
#开始自动申请RSA
~/.acme.sh/acme.sh --issue -d ccpe.net -d *.ccpe.net --webroot /data/wwwroot
#开始自动申请ECC
~/.acme.sh/acme.sh --issue -d ccpe.net -d *.ccpe.net -k ec-256 --webroot /data/wwwroot/
#准备证书目录
mkdir /etc/nginx/conf/cert_rsa -p
mkdir /etc/nginx/conf/cert_ecc
#开始复制RSA到目录
~/.acme.sh/acme.sh --installcert -d ccpe.net --key-file /etc/nginx/conf/cert_rsa/ccpe.net.key --fullchain-file /etc/nginx/conf/cert_rsa/ccpe.net.cer --reloadcmd "service nginx force-reload"
#开始复制ECC到目录
~/.acme.sh/acme.sh --installcert -d ccpe.net --ecc --key-file /etc/nginx/conf/cert_ecc/ccpe.net.key --fullchain-file /etc/nginx/conf/cert_ecc/ccpe.net.cer --reloadcmd "service nginx force-reload"
#DH密钥协商
openssl dhparam -out /etc/nginx/dhparam.pem 2048
#开始配置nginx
vim /etc/nginx/conf.d/default.conf

nginx配置文件示例:

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
       server_name  ccpe.net ccpe.net;

    
    ssl_certificate   /etc/nginx/conf/cert_rsa/ccpe.net.cer;
        ssl_certificate_key  /etc/nginx/conf/cert_rsa/ccpe.net.key;
        ssl_certificate   /etc/nginx/conf/cert_ecc/ccpe.net.cer;
        ssl_certificate_key  /etc/nginx/conf/cert_ecc/ccpe.net.key;
    ssl_dhparam /etc/nginx/dhparam.pem;

    ssl_prefer_server_ciphers       on;
    ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        keepalive_timeout    75s;
        keepalive_requests   100;
    ssl_protocols   TLSv1.2 TLSv1.3;
    ssl_ciphers   EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
    ssl_early_data  on;
    
    gzip            on;
        gzip_comp_level 6;
        gzip_min_length 1k;
        gzip_types      text/plain text/css text/xml text/javascript text/x-component application/json application/javascript application/x-javascript application/xml application/xhtml+xml application/rss+xml application/atom+xml application/x-font-ttf application/vnd.ms-fontobject image/svg+xml image/x-icon font/opentype;

    root    /data/www/typecho;
        index  index.php index.html;

    location / {
        #
        }


        location ~ \.php(/|$) {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
        fastcgi_buffers      8 4K;
        fastcgi_buffer_size  4K;
        fastcgi_index  index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
        }
}

最后可以用www.myssl.com跑个分
{03E2BFD9-08DB-4F54-B461-0560F55928F5}_20200805163121.jpg
{CD824E9C-37A1-48F1-8A88-F771DE8DC67E}_20200805163204.jpg

CC版权: 本篇博文采用《CC 协议》,转载必须注明作者和本文链接

评论 (暂无评论)

发表评论

昵称:  
邮箱:  
网址: