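Install a free Let's Encrypt SSL certificate in one step with acme.sh
and configure HTTPS for nginx
This article uses the domain derror.com as the example.
Install nginx
Configure and start nginx as usual, and make sure the site is reachable over HTTP:
Set the root directory, for example: /home/work/local/www/
Install acme.sh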
$ curl https://get.acme.sh | sh
Issue the certificate (issue a cert)
$ acme.sh --issue -d derror.com -w /home/work/local/www
On success you should see the following messages:
[Mon Oct 29 08:12:04 EDT 2018] Your cert is in /root/.acme.sh/derror.com/mrnil.com.cer
[Mon Oct 29 08:12:04 EDT 2018] Your cert key is in /root/.acme.sh/derror.com/mrnil.com.key
[Mon Oct 29 08:12:05 EDT 2018] The intermediate CA cert is in /root/.acme.sh/derror.com/ca.cer
[Mon Oct 29 08:12:05 EDT 2018] And the full chain certs is there: /root/.acme.sh/derror.com/fullchain.cer
Set up automatic certificate renewal
$ acme.sh --install-cert -d derror.com \
--key-file /home/work/local/cert/derror.com/key.pem \
--fullchain-file /home/work/local/cert/derror.com/cert.pem \
--reloadcmd "systemctl restart nginx"
--reloadcmd "systemctl restart nginx": after each renewal, nginx is restarted automatically so that the new certificate takes effect.
Generate dhparam.pem
$ openssl dhparam -out /home/work/local/cert/derror.com/dhparam.pem 2048
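Configure SSL in nginx
# http context: protocol settings shared by all servers.
# TLSv1 and TLSv1.1 are deprecated (RFC 8996).
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
server {
    # One server block answers both plain HTTP (80) and HTTPS (443).
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl;
    server_name _;
    # Files written by "acme.sh --install-cert" (full chain and private key)
    ssl_certificate /home/work/local/cert/derror.com/cert.pem;
    ssl_certificate_key /home/work/local/cert/derror.com/key.pem;
    # DH parameters generated with "openssl dhparam" above
    ssl_dhparam /home/work/local/cert/derror.com/dhparam.pem;
    # Same directory that was passed to acme.sh with -w
    root /home/work/local/www;
    index index.html index.htm;
    location / {
    }
}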
Then restart nginx:
$ systemctl restart nginx
Verify SSL
https://derror.com
https://ssllabs.com/ssltest/analyze.html?d=derror.com
Source: https://www.derror.com/log/configure-https-for-nginx-using-acmesh