|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: 用 acme.sh 签发 Let's Encrypt 证书 |
| 4 | +date: 2018-01-05 |
| 5 | +summary: 个人 SSL 证书使用 Let's Encrypt 签发的一点备忘笔记 |
| 6 | +--- |
| 7 | + |
| 8 | + |
| 9 | +这仅仅是个笔记,虽然[阿里云][1]和[腾讯云][2]等云厂商都提供了为期一年的证书,不过长远并不看好 |
| 10 | + |
| 11 | +关于 [Let's Encrypt][3] 的介绍自己看官网好了,比较蛋疼是其签发的证书只有 90 天,不过很多人根据 ACME 协议写了可以快速使用的[客户端][4] |
| 12 | + |
| 13 | +我用的是 [acme.sh][5],以下备注下常用的操作 |
| 14 | + |
| 15 | +## 安装 |
| 16 | + |
| 17 | +`curl https://get.acme.sh | sh` |
| 18 | + |
| 19 | +## 签发 |
| 20 | + |
| 21 | +使用 acme.sh 有很多种签发证书的方式,考虑到便利,这里使用 [DNS API][6] 的方式 |
| 22 | + |
| 23 | +拿 CloudFlare 举例,需要先拿到 [Global API Key][7],然后 |
| 24 | + |
| 25 | +```bash |
| 26 | +export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" |
| 27 | +export CF_Email= "[email protected]" |
| 28 | +``` |
| 29 | + |
| 30 | +```bash |
| 31 | +acme.sh --issue --dns dns_cf \ |
| 32 | +-d example.com \ |
| 33 | +-d www.example.com |
| 34 | +``` |
| 35 | + |
| 36 | +之后,每 60 天会自动 renew 一次的 |
| 37 | + |
| 38 | +## 使用 |
| 39 | + |
| 40 | +```bash |
| 41 | +acme.sh --install-cert |
| 42 | +--key-file /path/to/ssl.key \ |
| 43 | +--fullchain-file /path/to/ssl.crt \ |
| 44 | +-d example.com \ |
| 45 | +-d www.example.com |
| 46 | +``` |
| 47 | + |
| 48 | +配合 Nginx |
| 49 | + |
| 50 | +``` |
| 51 | +server { |
| 52 | + listen 80; |
| 53 | + listen 443 ssl http2; |
| 54 | + server_name example.com; |
| 55 | + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; |
| 56 | +
|
| 57 | + ssl_prefer_server_ciphers on; |
| 58 | + ssl_certificate /path/to/ssl.crt; |
| 59 | + ssl_certificate_key /path/to/ssl.key; |
| 60 | + ssl_session_cache shared:SSL:10m; |
| 61 | + ssl_session_timeout 5m; |
| 62 | + ssl_ciphers 'EECDH+AESGCM:AES256+EECDH'; |
| 63 | + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
| 64 | +
|
| 65 | + location / { |
| 66 | + proxy_pass http://127.0.0.1:8080; |
| 67 | + proxy_set_header Host $host; |
| 68 | + proxy_set_header X-Real-IP $remote_addr; |
| 69 | + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| 70 | + } |
| 71 | +
|
| 72 | + if ($scheme = http) { |
| 73 | + return 301 https://$server_name$request_uri; |
| 74 | + } |
| 75 | +} |
| 76 | +
|
| 77 | +``` |
| 78 | + |
| 79 | +最后,来一个 A+ |
| 80 | + |
| 81 | + |
| 82 | + |
| 83 | + [1]: https://yundun.console.aliyun.com/?p=cas |
| 84 | + [2]: https://console.cloud.tencent.com/ssl |
| 85 | + [3]: https://letsencrypt.org/ |
| 86 | + [4]: https://letsencrypt.org/docs/client-options/ |
| 87 | + [5]: https://github.com/Neilpang/acme.sh |
| 88 | + [6]: https://github.com/Neilpang/acme.sh/tree/master/dnsapi |
| 89 | + [7]: https://www.cloudflare.com/a/profile |
0 commit comments