Commit 1d4d867

committed
Add post
1 parent bc56da9 commit 1d4d867

1 file changed

+89
-0
lines changed

Lines changed: 89 additions & 0 deletions
@@ -0,0 +1,89 @@
1+
---
2+
layout: post
3+
title: 用 acme.sh 签发 Let's Encrypt 证书
4+
date: 2018-01-05
5+
summary: 个人 SSL 证书使用 Let's Encrypt 签发的一点备忘笔记
6+
---
7+
8+
9+
这仅仅是个笔记,虽然[阿里云][1][腾讯云][2]等云厂商都提供了为期一年的证书,不过长远并不看好
10+
11+
关于 [Let's Encrypt][3] 的介绍自己看官网好了,比较蛋疼是其签发的证书只有 90 天,不过很多人根据 ACME 协议写了可以快速使用的[客户端][4]
12+
13+
我用的是 [acme.sh][5],以下备注下常用的操作
14+
15+
## 安装
16+
17+
`curl https://get.acme.sh | sh`
18+
19+
## 签发
20+
21+
使用 acme.sh 有很多种签发证书的方式,考虑到便利,这里使用 [DNS API][6] 的方式
22+
23+
拿 CloudFlare 举例,需要先拿到 [Global API Key][7],然后
24+
25+
```bash
26+
export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
27+
export CF_Email="[email protected]"
28+
```
29+
30+
```bash
31+
acme.sh --issue --dns dns_cf \
32+
-d example.com \
33+
-d www.example.com
34+
```
35+
36+
之后,每 60 天会自动 renew 一次的
37+
38+
## 使用
39+
40+
```bash
41+
acme.sh --install-cert
42+
--key-file /path/to/ssl.key \
43+
--fullchain-file /path/to/ssl.crt \
44+
-d example.com \
45+
-d www.example.com
46+
```
47+
48+
配合 Nginx
49+
50+
```
51+
server {
52+
listen 80;
53+
listen 443 ssl http2;
54+
server_name example.com;
55+
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
56+
57+
ssl_prefer_server_ciphers on;
58+
ssl_certificate /path/to/ssl.crt;
59+
ssl_certificate_key /path/to/ssl.key;
60+
ssl_session_cache shared:SSL:10m;
61+
ssl_session_timeout 5m;
62+
ssl_ciphers 'EECDH+AESGCM:AES256+EECDH';
63+
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
64+
65+
location / {
66+
proxy_pass http://127.0.0.1:8080;
67+
proxy_set_header Host $host;
68+
proxy_set_header X-Real-IP $remote_addr;
69+
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
70+
}
71+
72+
if ($scheme = http) {
73+
return 301 https://$server_name$request_uri;
74+
}
75+
}
76+
77+
```
78+
79+
最后,来一个 A+
80+
![](https://cdn.int64ago.org/2tp3jm7.png)
81+
82+
83+
[1]: https://yundun.console.aliyun.com/?p=cas
84+
[2]: https://console.cloud.tencent.com/ssl
85+
[3]: https://letsencrypt.org/
86+
[4]: https://letsencrypt.org/docs/client-options/
87+
[5]: https://github.com/Neilpang/acme.sh
88+
[6]: https://github.com/Neilpang/acme.sh/tree/master/dnsapi
89+
[7]: https://www.cloudflare.com/a/profile
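Review bot: the install command is broken as written: `acme.sh --install-cert` has no trailing `\`, so the shell runs it on its own and then tries to execute `--key-file /path/to/ssl.key \` as a separate command; add the line continuation after `--install-cert`. That same command should also pass acme.sh's `--reloadcmd` (for example `--reloadcmd "nginx -s reload"`) so the 60-day automatic renewal the post mentions actually reaches the running Nginx, which otherwise keeps serving the old certificate from memory until it is restarted. In the Nginx block, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, both deprecated; `ssl_protocols TLSv1.2;` (adding TLSv1.3 where the build supports it) is the safer setting, and the `ssl_prefer_server_ciphers` and `ssl_ciphers` choices deserve a sentence of explanation in the post. The `add_header Strict-Transport-Security ...` line sits in a server block that also has `listen 80;`, so the HSTS header is emitted on plain-HTTP responses where browsers ignore it; moving the port-80 listener into its own server block that only does the `return 301` removes both the wasted header and the per-request `if ($scheme = http)` test. Finally, the CloudFlare Global API Key exported as `CF_Key` is a full-account credential, not a DNS-scoped one, which is worth stating explicitly so readers treat it, and wherever acme.sh persists it for renewals, as a secret.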
