获取API密钥
腾讯云
https://console.dnspod.cn/account/token/token
image.png
阿里云(为了安全请创建子账号,授权DNS相关权限)
https://ram.console.aliyun.com/users
image.png
下载脚本
自动下载
curl https://get.acme.sh | sh
image.png
注册一个账号
acme.sh --register-account -m xxx@xx.com
放入密钥
腾讯云
export DP_Id=""
export DP_Key=""
阿里云,子账号令牌和密钥
export Ali_Key=""
export Ali_Secret=""
生成证书
终端中键入(关闭一次终端才有acme.sh命令):
腾讯云
acme.sh --issue --dns dns_dp -d *.xxx.com
阿里云
acme.sh --issue --dns dns_ali -d *.xxx.com
请替换成自己的域名,*是通配符,支持任何一级子域名。
终端中会输出证书存放的位置,可以按图索骥找到证书文件。
安装证书或者手动复制
acme.sh --install-cert -d *.xxx.com --key-file /data/nginx/conf/*.xxx.com.key.pem --fullchain-file /data/nginx/conf/*.xxx.com.cert.pem
更新acme.sh
升级 acme.sh 到最新版 :
acme.sh --upgrade
如果你不想手动升级, 可以开启自动升级:
acme.sh --upgrade --auto-upgrade
关闭自动更新:
acme.sh --upgrade --auto-upgrade 0
server {
listen 80;
server_name *.xxx.com;
#return 301 https://$server_name$request_uri;
rewrite ^(.*) https://$host$uri permanent;
}
server {
listen 443 ssl;
server_name *.xxx.com; #填写绑定证书的域名
#腾讯云
ssl_certificate /etc/nginx/conf.d/*.xxx.com.cert.pem;
ssl_certificate_key /etc/nginx/conf.d/*.xxx.com.key.pem;
#阿里云
#ssl_certificate /etc/nginx/conf.d/*.xxx.com.cer;
#ssl_certificate_key /etc/nginx/conf.d/*.xxx.com.key;
ssl_session_timeout 5m;
#ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_ciphers HIGH:!NULL:!aNULL:!ADH:!3DES:!RC4;
ssl_prefer_server_ciphers on;
fastcgi_param HTTPS on;
fastcgi_param HTTP_SCHEME https;
if ( $host ~* (\b(?!www\b)\w+)\.\w+\.\w+ ) {
set $subdomain /$1;
}
location / {
root /usr/share/nginx/html/$subdomain;
try_files $uri $uri/ /index.html;
}
}
附加:双证书批量处理命令【阿里云】
#!/bin/sh
DOMAIN="xxx.com" # 域名
CERT_FOLDER="/etc/nginx/certs" # 证书存放的目录,结尾不能是"/"字符
export Ali_Key="xxx" # 阿里云RAM用户账户
export Ali_Secret="xxx" # 阿里云RAM用户密码
#######################################################################
# 安装acme.sh
# apt install socat # 仅stand alone模式需要
curl https://get.acme.sh | sh
alias acme.sh='/root/.acme.sh/acme.sh'
acme.sh --upgrade --auto-upgrade # 更新acme.sh
acme.sh --set-default-ca --server letsencrypt # 设置默认CA为let's Encrypt
# 申请RSA证书
acme.sh --issue -d ${DOMAIN} -d *.${DOMAIN} --dns dns_ali \
--dnssleep 30 --ocsp --days 30 --keylength 2048
# 申请ECC证书
acme.sh --issue -d ${DOMAIN} -d *.${DOMAIN} --dns dns_ali \
--dnssleep 30 --ocsp --days 30 --keylength ec-256
# 创建证书安装所需要的目录
mkdir ${CERT_FOLDER}
mkdir ${CERT_FOLDER}/rsa
mkdir ${CERT_FOLDER}/ecc
# 安装RSA证书
acme.sh --install-cert -d ${DOMAIN} \
--cert-file ${CERT_FOLDER}/rsa/cert.pem \
--key-file ${CERT_FOLDER}/rsa/key.pem \
--fullchain-file ${CERT_FOLDER}/rsa/fullchain.pem \
--reloadcmd "systemctl restart nginx"
# 安装ECC证书
acme.sh --install-cert -d ${DOMAIN} --ecc \
--cert-file ${CERT_FOLDER}/ecc/cert.pem \
--key-file ${CERT_FOLDER}/ecc/key.pem \
--fullchain-file ${CERT_FOLDER}/ecc/fullchain.pem \
--reloadcmd "systemctl restart nginx"
# 手动更新证书
#acme.sh --renew -d xxx.com --force
#acme.sh --renew -d *.xxx.com --force --ecc
nginx 双证书配置
需要版本
NGNIX>1.10
Openssl>1.02
ssl_certificate example.com.rsa.crt;
ssl_certificate_key example.com.rsa.key;
ssl_certificate example.com.ecdsa.crt;
ssl_certificate_key example.com.ecdsa.key;
算法3选1
仅限严格的算法
ssl_ciphers HIGH:!NULL:!aNULL:!ADH:!3DES:!RC4;
检测ssl证书,进入myssl.com
myssl.com
网友评论