nginx + acme.sh 自动管理SSL证书

Posted on 2018-11-29 Edited on 2022-08-08 In blaa

准备nginx环境

建立目录专门用作ssl的证书申请

1 2	mkdir -p /www/sites/le_root/.well-known/acme-challenge chown -R root:www-data /www/sites/le_root

新建一个nginx配置文档/www/nginx/acme-challenge.conf，用作申请证书时的认证

1
2
3

location /.well-known/acme-challenge/ {
    alias /www/sites/le_root/.well-known/acme-challenge/;
}

想让哪个网站配置ssl之前，先编辑对应的配置文件，相当于apache的vhost

server {
    listen 80;
server_name mydomain.com;
# ....
# Let's Encrypt webroot
    include /www/nginx/acme-challenge.conf;
}

重启nginx
systemctl reload nginx.service

证书申请与安装

acme.sh的安装很简单，不重复了。

# acme.sh --issue  -d mydomain.com -w /www/sites/le_root/

[Wed Nov 28 23:16:55 CST 2018] Your cert is in  /root/.acme.sh/mydomain.com/mydomain.com.cer 
[Wed Nov 28 23:16:55 CST 2018] Your cert key is in  /root/.acme.sh/mydomain.com/mydomain.com.key 
[Wed Nov 28 23:16:55 CST 2018] The intermediate CA cert is in  /root/.acme.sh/mydomain.com/ca.cer 
[Wed Nov 28 23:16:55 CST 2018] And the full chain certs is there:  /root/.acme.sh/mydomain.com/fullchain.cer 


# acme.sh --install-cert -d mydomain.com \
--cert-file /etc/nginx/certs/mydomain.com/cert \
--key-file /etc/nginx/certs/mydomain.com/key \
--fullchain-file /etc/nginx/certs/mydomain.com/fullchain \
--reloadcmd "systemctl reload nginx.service"
[Wed Nov 28 23:36:31 CST 2018] Installing cert to:/etc/nginx/certs/mydomain.com/cert
[Wed Nov 28 23:36:31 CST 2018] Installing key to:/etc/nginx/certs/mydomain.com/key
[Wed Nov 28 23:36:31 CST 2018] Installing full chain to:/etc/nginx/certs/mydomain.com/fullchain

nginx环境启用https

配置域名的配置文件，启用https，并将http默认跳转到https

server {
    listen 80;
    server_name mydomain.com;
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}
server {
    #------- Start SSL config with http2 support ----#
    #listen 443 http2;
    listen 443;
    server_name mydomain.com;
    ssl on;
    ssl_certificate /etc/nginx/certs/mydomain.com/fullchain;
    ssl_certificate_key /etc/nginx/certs/mydomain.com/key;
    ssl_session_timeout 30m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_session_cache shared:SSL:10m;
    #ssl_dhparam /etc/nginx/ssl/theos.in/dhparams.pem;
    ssl_prefer_server_ciphers on;
 
    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;
 
    ## Enables OCSP stapling
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;
 
    ## Send header to tell the browser to prefer https to http traffic
    add_header Strict-Transport-Security max-age=31536000;
 
    ## SSL logs ##
    #access_log /var/log/nginx/theos.in/ssl_access.log;
    #error_log /var/log/nginx/theos.in/ssl_error.log;
    #-------- END SSL config -------##
 
    # Add rest of your config below like document path and more ##
    location / {
                root /www/sites/mydomain.com;
                index  index.html index.htm;
                #error_page 404 = /404/index.html;
                proxy_pass http://localhost:8000/;
        }
        include /www/nginx/acme-challenge.conf;
}

证书的更新

1 2	# crontab -u root -l 5 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

acme.sh在安装证书的时候，会创建一个定时任务，自动为你更新，很贴心！