最近谷歌和火狐封殺了國內大部分的CA機構,導致使用國內CA辦法的證書在chrome瀏覽器顯示爲不安全的網站,國外的證書又比較貴,發現了一款開源免費的證書機構let's encrypt,
是由Mozilla、Cisco、Akamai、IdenTrust、EFF等組織人員發起,比較有權威性,下面的例子是nginx
實例上的部署安裝過程。
1. 安裝客戶端腳本
curl https://get.acme.sh | sh
安裝完成後會自動在計劃任務中增加一條任務自動更新證書,自動申請 因爲證書有效期應該是90天
需要自動續簽
44 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
配置域名的80端口,使let's encrypt可以驗證域名所在的服務器屬於你管理
server {
listen 80;
server_name app.lhz.cc;
location ^~ /.well-known/acme-challenge/ {
alias /var/www/challenges/.well-known/acme-challenge/;
}
location /{
rewrite ^(.*)$ https://app.lhz.cc permanent;
}
access_log /var/log/nginx/emmaapp80.log main;
}
2. 生成證書key等
/root/.acme.sh/acme.sh --issue -d app.lhz.cc -w /var/www/challenges/
[Fri Aug 4 15:58:13 CST 2017] Registering account
[Fri Aug 4 15:58:15 CST 2017] Registered
[Fri Aug 4 15:58:16 CST 2017] Update account tos info success.
[Fri Aug 4 15:58:16 CST 2017] ACCOUNT_THUMBPRINT='Kzgy....sG9.......KxZOhj_PWj0U'
[Fri Aug 4 15:58:16 CST 2017] Creating domain key
[Fri Aug 4 15:58:16 CST 2017] The domain key is here: /root/.acme.sh/app.lhz.cc/app.lhz.cc.key
[Fri Aug 4 15:58:16 CST 2017] Single domain='app.lhz.cc'
[Fri Aug 4 15:58:16 CST 2017] Getting domain auth token for each domain
[Fri Aug 4 15:58:16 CST 2017] Getting webroot for domain='app.lhz.cc'
[Fri Aug 4 15:58:16 CST 2017] Getting new-authz for domain='app.lhz.cc'
[Fri Aug 4 15:58:18 CST 2017] The new-authz request is ok.
[Fri Aug 4 15:58:18 CST 2017] Verifying:app.lhz.cc
[Fri Aug 4 15:58:23 CST 2017] Success
[Fri Aug 4 15:58:23 CST 2017] Verify finished, start to sign.
[Fri Aug 4 15:58:25 CST 2017] Cert success.
-----BEGIN CERTIFICATE-----
MIIE9zCCA9+gAwIBAgISBKXWtHLEJcIiJT9O9+FllCgFMA0GCSqGSIb3DQEBCwUA
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA4MDQwNjU4MDBaFw0x
NzExMDIwNjU4MDBaMBUxEzARBgNVBAMTCmFwcC5yaWQuY2MwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDwMUoaFCycC9kzad96XAeh/5aUhx5a4U3m5DFl
此處省略1萬字..............................................................................................................................
Y8XoJMDKrmNK427ZkUjhe7yZcSxQai7pQEII
-----END CERTIFICATE-----
[Fri Aug 4 15:58:25 CST 2017] Your cert is in /root/.acme.sh/app.lhz.cc/app.lhz.cc.cer
[Fri Aug 4 15:58:25 CST 2017] Your cert key is in /root/.acme.sh/app.lhz.cc/app.lhz.cc.key
[Fri Aug 4 15:58:25 CST 2017] The intermediate CA cert is in /root/.acme.sh/app.lhz.cc/ca.cer
[Fri Aug 4 15:58:25 CST 2017] And the full chain certs is there: /root/.acme.sh/app.lhz.cc/fullchain.cer
3. 安裝證書到nginx配置中指定位置,命令執行完成之後,會將下面的路徑文件名稱都會記錄下來,方便自動更新證書
acme.sh --installcert -d app.lhz.cc \
> --keypath /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key \
> --fullchainpath /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt \
> --reloadcmd "/usr/local/nginx-1.8/sbin/nginx -s reload"
[Fri Aug 4 16:31:40 CST 2017] Installing key to:/usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key
[Fri Aug 4 16:31:40 CST 2017] Installing full chain to:/usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt
[Fri Aug 4 16:31:40 CST 2017] Run reload cmd: /usr/local/nginx-1.8/sbin/nginx -s reload
[Fri Aug 4 16:31:40 CST 2017] Reload success
4.生成dhparam
openssl dhparam -out /root/.acme.sh/app.lhz.cc/dhparam.pem 2048
5. 證書在Nginx中的配置
server {
listen 443;
server_name app.lhz.cc;
ssl on;
#配置生成的證書
ssl_certificate /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt;
ssl_certificate_key /usr/local/nginx-1.8/conf/ssl/app_rid_cc.key;
ssl_dhparam /usr/local/nginx-1.8/conf/ssl/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_prefer_server_ciphers on;
error_page 497 "https://$host$uri?$args";
location / {
proxy_pass http://app80_server_pool;
proxy_set_header Host app.lhz.cc;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto https;
}
access_log /var/log/nginx/app.log main;
}