
The "Lazy Person's" Guide to Requesting HTTPS Certificates

Source: https://www.jansora.com/notes/159


1. Install acme.sh

In a Mac/Unix terminal, run curl https://get.acme.sh | sh

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   775    0   775    0     0    341      0 --:--:--  0:00:02 --:--:--   341
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  201k  100  201k    0     0   8055      0  0:00:25  0:00:25 --:--:--  8801
[Fri 06 Nov 2020 10:04:59 PM CST] Installing from online archive.
[Fri 06 Nov 2020 10:04:59 PM CST] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Fri 06 Nov 2020 10:05:38 PM CST] Extracting master.tar.gz
[Fri 06 Nov 2020 10:05:38 PM CST] It is recommended to install socat first.
[Fri 06 Nov 2020 10:05:38 PM CST] We use socat for standalone server if you use standalone mode.
[Fri 06 Nov 2020 10:05:38 PM CST] If you don't use standalone mode, just ignore this warning.
[Fri 06 Nov 2020 10:05:38 PM CST] Installing to /root/.acme.sh
[Fri 06 Nov 2020 10:05:38 PM CST] Installed to /root/.acme.sh/acme.sh
[Fri 06 Nov 2020 10:05:38 PM CST] Installing alias to '/root/.bashrc'
[Fri 06 Nov 2020 10:05:38 PM CST] OK, Close and reopen your terminal to start using acme.sh
[Fri 06 Nov 2020 10:05:38 PM CST] Installing cron job
[Fri 06 Nov 2020 10:05:38 PM CST] Good, bash is found, so change the shebang to use bash as preferred.
[Fri 06 Nov 2020 10:05:38 PM CST] OK
[Fri 06 Nov 2020 10:05:38 PM CST] Install success!

2. Issue the HTTPS certificate.

For more DNS API providers and usage, see https://github.com/acmesh-official/acme.sh/wiki/dnsapi

Here we validate the certificate request through a DNS API; we use the Aliyun (Alibaba Cloud) DNS API.

  1. Open https://usercenter.console.aliyun.com/#/manage/ak and get your AccessKey ID and AccessKey Secret.
  2. Set the environment variables:
root@tencent-4C-8G-115-159-203-32:~# export Ali_Key=---------(replace with your own AccessKey ID)
root@tencent-4C-8G-115-159-203-32:~# export Ali_Secret=-------(replace with your own AccessKey Secret)

~/.acme.sh/acme.sh --issue --dns dns_ali -d jansora.com -d *.jansora.com -d *.pancake.jansora.com -d *.local.jansora.com -d *.hj.jansora.com -d *.imac.jansora.com -d *.iwhalecloud.jansora.com

[Fri 06 Nov 2020 10:30:31 PM CST] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri 06 Nov 2020 10:30:31 PM CST] Multi domain='DNS:jansora.com,DNS:*.jansora.com,DNS:*.pancake.jansora.com'
[Fri 06 Nov 2020 10:30:31 PM CST] Getting domain auth token for each domain
[Fri 06 Nov 2020 10:30:43 PM CST] Getting webroot for domain='jansora.com'
[Fri 06 Nov 2020 10:30:43 PM CST] Getting webroot for domain='*.jansora.com'
[Fri 06 Nov 2020 10:30:43 PM CST] Getting webroot for domain='*.pancake.jansora.com'
[Fri 06 Nov 2020 10:30:43 PM CST] Adding txt value: ipdduy4orL7bwjeYeacITCkyikQQcJBGpz6HMuIm-hA for domain:  _acme-challenge.jansora.com
[Fri 06 Nov 2020 10:30:45 PM CST] The txt record is added: Success.
[Fri 06 Nov 2020 10:30:46 PM CST] Adding txt value: ZSZTsgohN-mtAxROvg27V-mPpiByYoXYm6XALhuQ for domain:  _acme-challenge.jansora.com
[Fri 06 Nov 2020 10:30:48 PM CST] The txt record is added: Success.
[Fri 06 Nov 2020 10:30:48 PM CST] Adding txt value: 69ks7vpnW6xldl5Toc8Hk5ZuFF_m5OC2011QlcU for domain:  _acme-challenge.pancake.jansora.com
[Fri 06 Nov 2020 10:30:50 PM CST] The txt record is added: Success.
[Fri 06 Nov 2020 10:30:50 PM CST] Let's check each DNS record now. Sleep 20 seconds first.
[Fri 06 Nov 2020 10:31:12 PM CST] Checking jansora.com for _acme-challenge.jansora.com
[Fri 06 Nov 2020 10:31:14 PM CST] Domain jansora.com '_acme-challenge.jansora.com' success.
[Fri 06 Nov 2020 10:31:14 PM CST] Checking jansora.com for _acme-challenge.jansora.com
[Fri 06 Nov 2020 10:31:18 PM CST] Domain jansora.com '_acme-challenge.jansora.com' success.
[Fri 06 Nov 2020 10:31:18 PM CST] Checking pancake.jansora.com for _acme-challenge.pancake.jansora.com
[Fri 06 Nov 2020 10:31:21 PM CST] Domain pancake.jansora.com '_acme-challenge.pancake.jansora.com' success.
[Fri 06 Nov 2020 10:31:21 PM CST] All success, let's return
[Fri 06 Nov 2020 10:31:21 PM CST] Verifying: jansora.com
[Fri 06 Nov 2020 10:31:26 PM CST] Success
[Fri 06 Nov 2020 10:31:26 PM CST] Verifying: *.jansora.com
[Fri 06 Nov 2020 10:31:33 PM CST] Success
[Fri 06 Nov 2020 10:31:33 PM CST] Verifying: *.pancake.jansora.com
[Fri 06 Nov 2020 10:32:13 PM CST] Success
[Fri 06 Nov 2020 10:32:13 PM CST] Removing DNS records.
[Fri 06 Nov 2020 10:32:13 PM CST] Removing txt: ipdduy4orL7bwjeYeacITCkyikQQcJBGpz6HMuIm-hA for domain: _acme-challenge.jansora.com
[Fri 06 Nov 2020 10:32:15 PM CST] Removed: Success
[Fri 06 Nov 2020 10:32:15 PM CST] Removing txt: ZSZTsg_PCohN-mtAxROvg27V-mPpiByYoXYm6XALhuQ for domain: _acme-challenge.jansora.com
[Fri 06 Nov 2020 10:32:18 PM CST] Removed: Success
[Fri 06 Nov 2020 10:32:18 PM CST] Removing txt: 69ks7vpnW6xldl5Toc8Hk5ZThlEuFF_m5OC2011QlcU for domain: _acme-challenge.pancake.jansora.com
[Fri 06 Nov 2020 10:32:22 PM CST] Removed: Success
[Fri 06 Nov 2020 10:32:22 PM CST] Verify finished, start to sign.
[Fri 06 Nov 2020 10:32:22 PM CST] Lets finalize the order.
[Fri 06 Nov 2020 10:32:22 PM CST] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/101508184/6069931970'
[Fri 06 Nov 2020 10:32:23 PM CST] Downloading cert.
[Fri 06 Nov 2020 10:32:23 PM CST] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/04c29a1ee1dee0434fc1034ab57827faf20f'
[Fri 06 Nov 2020 10:32:31 PM CST] Cert success.

After the certificate is issued, the key and secret are stored in plaintext in ~/.acme.sh/account.conf, so keep that file safe.

3. Copy the certificate

After issuance, the certificate files for the domain can be found under ~/.acme.sh/jansora.com.

root@tencent-4C-8G-115-159-203-32:~/.acme.sh/jansora.com# tree /root/.acme.sh/jansora.com
.
├── ca.cer
├── fullchain.cer
├── jansora.com.cer
├── jansora.com.conf
├── jansora.com.csr
├── jansora.com.csr.conf
└── jansora.com.key

0 directories, 7 files

Copy them into the nginx directory.

For reference only; substitute your own domain.

root@tencent-4C-8G-115-159-203-32:~/.acme.sh/jansora.com# mkdir -p /etc/nginx/certs
root@tencent-4C-8G-115-159-203-32:~/.acme.sh/jansora.com# mkdir -p /etc/nginx/certs/lets-encrypt-jansora.com
root@tencent-4C-8G-115-159-203-32:~/.acme.sh/jansora.com# cp ~/.acme.sh/jansora.com/* /etc/nginx/certs/lets-encrypt-jansora.com/
root@tencent-4C-8G-115-159-203-32:~/.acme.sh/jansora.com# tree /etc/nginx/certs/lets-encrypt-jansora.com
/etc/nginx/certs/lets-encrypt-jansora.com
├── ca.cer
├── fullchain.cer
├── jansora.com.cer
├── jansora.com.conf
├── jansora.com.csr
├── jansora.com.csr.conf
└── jansora.com.key

0 directories, 7 files

4. Configure the certificate.

Ubuntu is used as the example; other environments are untested but should be very similar.

  1. Create a new nginx config file: vim /etc/nginx/sites-available/pancake.conf
  2. Write the following content:
server {
    listen 443 ssl;
    server_name test.jansora.com;
    ssl_ciphers    ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols    TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate     /etc/nginx/certs/lets-encrypt-jansora.com/jansora.com.cer;
    ssl_certificate_key /etc/nginx/certs/lets-encrypt-jansora.com/jansora.com.key;
    root html;
}
  3. Load the certificate.

Edit the main nginx config file vim /etc/nginx/nginx.conf and add the following three lines inside the http block.

The line that matters most is include sites-available/*;

http {
  # other settings ...
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
  ssl_prefer_server_ciphers on;
  include sites-available/*;
  # other settings ...
}

5. Verify the certificate configuration.

Open https://test.jansora.com in a browser to verify the HTTPS certificate. [image: image.png]

6. Set up automatic certificate renewal

Write the auto-update script: vim ~/.acme.sh/auto-udate-ca.sh

#!/bin/bash
# Re-issue the certificate, copy it into the nginx cert directory and restart nginx.
# The wildcard names are quoted so the shell does not try to expand them as globs.
/root/.acme.sh/acme.sh --issue --dns dns_ali -d jansora.com -d '*.jansora.com' -d '*.pancake.jansora.com' -d '*.vs.jansora.com'
cp ~/.acme.sh/jansora.com/* /etc/nginx/certs/lets-encrypt-jansora.com/
systemctl restart nginx

Schedule it to run once every two months: vim /etc/crontab

# Fields: minute hour day-of-month month day-of-week user command.
# "* * * */2 *" would run every minute through every second month; this runs at 03:00 on the 1st of every second month.
0 3 1 */2 * root /root/.acme.sh/auto-udate-ca.sh > /dev/null
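Two things about the renewal step are worth tightening. First, the acme.sh installer already added a daily cron job (see "Installing cron job" in the install log above), and acme.sh --renew exits with status 2 when the certificate is not yet due, so a deploy script can run daily and simply do nothing until renewal happens. Second, cp ~/.acme.sh/jansora.com/* copies the CSR and acme.sh state files into /etc/nginx and leaves the private key with whatever mode the copy produced, and restarting nginx drops open connections. The script below is an added example, not the post's auto-udate-ca.sh: it copies only fullchain.cer and the key (key mode 0600), tests the nginx config before a reload rather than a restart, and treats "not due" as success. The function names are my own; the paths mirror the post and can be overridden through the environment. Whichever script you use, it must be executable (chmod +x) for the crontab line to run it.

```shell
#!/bin/sh
# Added example (not the post's script): renew with acme.sh, install only the
# files nginx needs with safe permissions, and reload nginx after a config
# test. Paths mirror the post and are overridable via the environment.
set -eu

ACME_HOME="${ACME_HOME:-${HOME:-/root}/.acme.sh}"
DOMAIN="${DOMAIN:-jansora.com}"
NGINX_CERT_DIR="${NGINX_CERT_DIR:-/etc/nginx/certs/lets-encrypt-$DOMAIN}"

# deploy_cert SRC DST DOMAIN: install the full chain (0644) and the private
# key (0600, owner only). The CSR and acme.sh .conf files that a blanket
# "cp SRC/*" would also copy stay out of /etc/nginx. Fails before touching
# DST if either required file is missing or empty.
deploy_cert() {
  src="$1"; dst="$2"; dom="$3"
  [ -s "$src/fullchain.cer" ] || { echo "missing $src/fullchain.cer" >&2; return 1; }
  [ -s "$src/$dom.key" ]      || { echo "missing $src/$dom.key" >&2; return 1; }
  mkdir -p "$dst"
  install -m 0644 "$src/fullchain.cer" "$dst/fullchain.cer"
  install -m 0600 "$src/$dom.key"      "$dst/$dom.key"
}

# reload_nginx: reload (not restart) so in-flight connections survive, and
# only when "nginx -t" accepts the config, so a bad certificate path fails
# here instead of taking the site down. Skips cleanly where nginx is absent.
reload_nginx() {
  if ! command -v nginx >/dev/null 2>&1; then
    echo "nginx not installed; skipping reload" >&2
    return 0
  fi
  nginx -t && systemctl reload nginx
}

# renew_and_deploy: acme.sh --renew returns 0 when a new certificate was
# obtained and 2 when the current one is not yet due; anything else is an
# error. Only a fresh certificate triggers the copy and reload.
renew_and_deploy() {
  rc=0
  "$ACME_HOME/acme.sh" --renew -d "$DOMAIN" || rc=$?
  case "$rc" in
    0) deploy_cert "$ACME_HOME/$DOMAIN" "$NGINX_CERT_DIR" "$DOMAIN"
       reload_nginx ;;
    2) echo "certificate for $DOMAIN not due for renewal" >&2 ;;
    *) echo "acme.sh --renew failed for $DOMAIN (exit $rc)" >&2; return 1 ;;
  esac
}

# Run the full flow only when RUN_DEPLOY=1 is set (as the cron job would),
# so the functions above can also be sourced and exercised on their own.
if [ "${RUN_DEPLOY:-0}" = 1 ]; then
  renew_and_deploy
fi
```

With this script a daily crontab entry such as 0 3 * * * root RUN_DEPLOY=1 /root/.acme.sh/auto-udate-ca.sh is sufficient; the every-two-months schedule is no longer needed because acme.sh itself decides when renewal is due. acme.sh also offers --install-cert with --key-file, --fullchain-file and --reloadcmd, which makes its own daily cron job perform the same copy-and-reload after each renewal without a custom script.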
