acme.sh申请证书

Page breadcrumbsEnd of page breadcrumbs

安装脚本

wget -O - https://get.acme.sh | sh
source ~/.bashrc
acme.sh --auto-upgrade

添加DNS记录

在Cloudfare中添加CAA记录:0 issue "letsencrypt.org"

创建目录使acme.sh访问

mkdir -p /usr/share/nginx/html/letsencrypt/
chown -R nginx /usr/share/nginx/html/letsencrypt/

修改nginx配置文件

vi /etc/nginx/nginx.conf
+        location /.well-known/acme-challenge {
+            root /usr/share/nginx/html/letsencrypt;
+        }
+        location / {
+            return 301 https://hostrequest_uri;
+        }

重启nginx

nginx -t
nginx -s reload

获取证书

acme.sh --issue -d arabidopsis.space -d www.arabidopsis.space -w /usr/share/nginx/html/letsencrypt/ --log
#若因为权限,验证失败,先赋权限
chmod 777 /usr/share/nginx/html/letsencrypt/
#最后记得改权限
chmod 400 /usr/share/nginx/html/letsencrypt/

安装证书

#创建证书和其他参数文件的存放路径
mkdir -p /etc/nginx/ssl
acme.sh --install-cert -d arabidopsis.com \
--key-file /etc/nginx/ssl/arabidopsis.space.key \
--fullchain-file /etc/nginx/ssl/arabidopsis.space.cert \
--reloadcmd "systemctl restart nginx"

生成DHE参数文件

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

编辑nginx配置文件,使证书生效

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  arabidopsis.space;
        root         /usr/share/nginx/html/wp/;
        index index.php index.html index.htm;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        ssl_prefer_server_ciphers on;        
        ssl_stapling on;#开启证书吊销状态检查
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;
        # 此处是证书文件
        ssl_certificate /etc/nginx/ssl/arabidopsis.space.cert;
        ssl_certificate_key /etc/nginx/ssl/arabidopsis.space.key;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        location / {
            try_files uri uri/ /index.php?args;          }          add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";           add_header X-Frame-Options SAMEORIGIN;          add_header X-Content-Type-Options nosniff;          add_header X-XSS-Protection "1; mode=block";          location ~ \.php {
            try_files uri =404;              #fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;              fastcgi_pass 127.0.0.1:9000;              fastcgi_param SCRIPT_FILENAME document_root$fastcgi_script_name;
            fastcgi_index index.php;
            include fastcgi_params;
        }        
        error_page 404 /404.html;
            location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

重载nginx

nginx -t
nginx -s reload

参考

  1. Linux 下使用 acme.sh 配置 Lets Encrypt 免费 SSL 证书 + 通配符证书
  2. nginx增强SSL安全配置

发表评论

电子邮件地址不会被公开。 必填项已用*标注

nine × one =