
Requesting a Let's Encrypt wildcard certificate with acme.sh

Environment
CentOS 8
nginx/1.14.1

Reference
https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E

Install acme.sh

curl https://get.acme.sh | sh

Issue the certificate

Choose one of the following three methods; HTTP validation is normally used directly.

HTTP validation

Suitable when the server is directly reachable from the public internet.

acme.sh --issue -d example.com -d "*.example.com" --nginx

DNS API validation

Suitable when no server is reachable from the outside, for example an internal-network domain.

export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Email="xxxx@sss.com"
acme.sh --issue -d example.com -d "*.example.com" --dns dns_cf

Manual DNS validation

Same as DNS API validation, except that you add the TXT record by hand.

acme.sh --issue -d example.com -d "*.example.com" --dns \
--yes-I-know-dns-manual-mode-enough-go-ahead-please

# Domains have changed.
# Multi domain='DNS:example.com,DNS:*.example.com'
# Getting domain auth token for each domain
# Getting webroot for domain='example.com'
# Getting webroot for domain='*.example.com'
# Add the following TXT record:
# Domain: '_acme-challenge.example.com'
# TXT value: 'xxxxxx'
# Please be aware that you prepend _acme-challenge. before your domain
# so the resulting subdomain will be: _acme-challenge.example.com
# Please add the TXT records to the domains, and re-run with --renew.
# Please add '--debug' or '--log' to check more details.
# See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

Note the TXT value printed above: 'xxxxxx'

In your DNS provider's control panel, add a TXT record named _acme-challenge.example.com with the value xxxxxx, then re-run with --renew:

acme.sh --renew -d example.com -d "*.example.com" \
--yes-I-know-dns-manual-mode-enough-go-ahead-please
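The --renew step only succeeds once the TXT record is visible in public DNS, so it is worth polling for it before re-running acme.sh rather than retrying blindly. Note that Let's Encrypt issues wildcard names such as *.example.com only through DNS validation, which is why this section and the DNS API one are the ones that apply to the wildcard name. The POSIX shell helper below is an added example, not part of acme.sh or of the original post: the function names dig_txt, txt_has_token and wait_for_txt, the RESOLVER and TXT_LOOKUP variables, and the xxxxxx token are assumptions, and it expects the dig tool (bind-utils on CentOS) to be installed.

```sh
#!/bin/sh
# Poll until the _acme-challenge TXT record is visible before re-running
# `acme.sh --renew` in manual DNS mode. Added example, not part of acme.sh.
# Assumes `dig` (bind-utils on CentOS) and a public resolver; the xxxxxx
# token in the usage note is the placeholder value printed on this page.

RESOLVER=${RESOLVER:-1.1.1.1}        # assumption: any public resolver works
TXT_LOOKUP=${TXT_LOOKUP:-dig_txt}    # lookup function, replaceable for testing

# Print the TXT strings published at name $1, one quoted string per line.
dig_txt() {
    dig +short TXT "$1" "@$RESOLVER"
}

# 0 if the expected token ($1) appears among the TXT strings read from stdin.
# dig prints every string in double quotes, so the quoted form is matched
# exactly; several values may coexist at _acme-challenge.example.com because
# the base name and the wildcard share that record name.
txt_has_token() {
    grep -Fqx "\"$1\""
}

# wait_for_txt NAME TOKEN [TRIES] [PAUSE]: poll up to TRIES times (default 12),
# sleeping PAUSE seconds (default 10) between tries. Returns 0 as soon as the
# token is visible, 1 if it never appears.
wait_for_txt() {
    name=$1; token=$2; tries=${3:-12}; pause=${4:-10}
    i=0
    while [ "$i" -lt "$tries" ]; do
        if "$TXT_LOOKUP" "$name" | txt_has_token "$token"; then
            return 0
        fi
        i=$((i + 1))
        [ "$i" -lt "$tries" ] && sleep "$pause"
    done
    return 1
}

# Usage, after adding the record in the DNS provider's console:
#   wait_for_txt _acme-challenge.example.com xxxxxx && \
#   acme.sh --renew -d example.com -d "*.example.com" \
#       --yes-I-know-dns-manual-mode-enough-go-ahead-please
```

The lookup is routed through the TXT_LOOKUP variable so that the polling logic can be exercised without network access; in normal use it stays at the default dig_txt.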

Install the certificate

Create a directory to hold the certificate files

mkdir /etc/nginx/ssl/example.com

Install the certificate into that directory

acme.sh --install-cert -d example.com \
--key-file /etc/nginx/ssl/example.com/key.pem \
--fullchain-file /etc/nginx/ssl/example.com/cert.pem \
--reloadcmd "systemctl force-reload nginx.service"
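Once --install-cert has written key.pem and cert.pem, a short check before (or as part of) the reload command catches the usual failure modes: a private key left group- or world-readable in /etc/nginx/ssl, a certificate that does not belong to the key, a certificate that is about to expire because renewal stopped working, and a name that the certificate does not actually cover. The POSIX shell script below is an added example, not part of acme.sh or of the original post; it assumes openssl on PATH and GNU coreutils stat -c (with a BSD stat -f fallback), and every function name in it (file_mode, key_is_private, key_matches_cert, cert_dns_names, cert_covers_host, verify_install) is an assumption. It goes beyond the page by also applying the single-label wildcard rule, so that www.example.com is accepted as covered by *.example.com while a.b.example.com is not.

```sh
#!/bin/sh
# Sanity checks for the files written by `acme.sh --install-cert`. Added
# example, not part of acme.sh; assumes openssl on PATH and GNU coreutils
# `stat -c` (with a BSD `stat -f` fallback).

# Octal permission bits of a file.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 if the private key is readable only by its owner. nginx reads the key as
# root before dropping privileges, so a root-owned 0600 file is sufficient.
key_is_private() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# 0 if the public key inside certificate $2 is the one derived from private
# key $1, i.e. the two files belong together (a mismatch makes nginx refuse
# to start). Both commands print the same SubjectPublicKeyInfo PEM.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# DNS names from the certificate's subjectAltName extension, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# 0 if host $2 is covered by certificate $1: either listed literally, or
# matched by a single-label wildcard (*.example.com covers www.example.com,
# but neither example.com itself nor a.b.example.com).
cert_covers_host() {
    names=$(cert_dns_names "$1")
    host=$2; parent=${host#*.}
    printf '%s\n' "$names" | grep -Fqx "$host" && return 0
    [ "$parent" != "$host" ] && printf '%s\n' "$names" | grep -Fqx "*.$parent"
}

# verify_install KEY CERT HOST...: print every failed check, return 0 only
# if all of them pass.
verify_install() {
    key=$1; cert=$2; shift 2
    rc=0
    key_is_private "$key" \
        || { echo "FAIL: $key has mode $(file_mode "$key"), expected 0600"; rc=1; }
    key_matches_cert "$key" "$cert" \
        || { echo "FAIL: $cert does not match $key"; rc=1; }
    # 2592000 s = 30 days; a freshly issued Let's Encrypt certificate is valid
    # for 90, so anything closer than that means renewal has not been running.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 \
        || { echo "FAIL: $cert expires within 30 days"; rc=1; }
    for h in "$@"; do
        cert_covers_host "$cert" "$h" \
            || { echo "FAIL: $cert does not cover $h"; rc=1; }
    done
    return "$rc"
}

# Usage with the paths from this page:
#   verify_install /etc/nginx/ssl/example.com/key.pem \
#       /etc/nginx/ssl/example.com/cert.pem example.com www.example.com
```

A convenient place to run it is in front of the reload, for example as --reloadcmd "verify_install ... && systemctl force-reload nginx.service", so that a broken key/certificate pair never reaches a running nginx.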

Configure Nginx

Add options-ssl-nginx.conf

# vim /etc/nginx/ssl/options-ssl-nginx.conf
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";

Generate dhparam.pem

openssl dhparam -out /etc/nginx/ssl/example.com/dhparam.pem 2048

Edit the nginx configuration

# append to the server block's conf
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/example.com/cert.pem;
ssl_certificate_key /etc/nginx/ssl/example.com/key.pem;
include /etc/nginx/ssl/options-ssl-nginx.conf;
ssl_dhparam /etc/nginx/ssl/example.com/dhparam.pem;

if ($scheme != "https"){
return 301 https://$host$request_uri;
}

Update acme.sh

acme.sh --upgrade