nginx + acme.sh: automatically managing SSL certificates

Preparing the nginx environment

Create a directory dedicated to the SSL certificate challenge files:

mkdir -p /www/sites/le_root/.well-known/acme-challenge
chown -R root:www-data /www/sites/le_root

Create a new nginx config file, /www/nginx/acme-challenge.conf, which serves the validation files when a certificate is requested:

location /.well-known/acme-challenge/ {
    alias /www/sites/le_root/.well-known/acme-challenge/;
}

Before enabling SSL for a site, first edit that site's configuration file (the equivalent of an Apache vhost):

server {
    listen 80;
    server_name mydomain.com;
    # ....
    # Let's Encrypt webroot
    include /www/nginx/acme-challenge.conf;
}

Reload nginx:
systemctl reload nginx.service

Issuing and installing the certificate

Installing acme.sh is straightforward and is not repeated here.

# acme.sh --issue  -d mydomain.com -w /www/sites/le_root/

[Wed Nov 28 23:16:55 CST 2018] Your cert is in  /root/.acme.sh/mydomain.com/mydomain.com.cer 
[Wed Nov 28 23:16:55 CST 2018] Your cert key is in  /root/.acme.sh/mydomain.com/mydomain.com.key 
[Wed Nov 28 23:16:55 CST 2018] The intermediate CA cert is in  /root/.acme.sh/mydomain.com/ca.cer 
[Wed Nov 28 23:16:55 CST 2018] And the full chain certs is there:  /root/.acme.sh/mydomain.com/fullchain.cer 


# acme.sh --install-cert -d mydomain.com \
--cert-file /etc/nginx/certs/mydomain.com/cert \
--key-file /etc/nginx/certs/mydomain.com/key \
--fullchain-file /etc/nginx/certs/mydomain.com/fullchain \
--reloadcmd "systemctl reload nginx.service"
[Wed Nov 28 23:36:31 CST 2018] Installing cert to:/etc/nginx/certs/mydomain.com/cert
[Wed Nov 28 23:36:31 CST 2018] Installing key to:/etc/nginx/certs/mydomain.com/key
[Wed Nov 28 23:36:31 CST 2018] Installing full chain to:/etc/nginx/certs/mydomain.com/fullchain

Enabling HTTPS in nginx

Edit the domain's configuration file to enable HTTPS and redirect plain HTTP to HTTPS by default:

server {
    listen 80;
    server_name mydomain.com;
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}
server {
    #------- Start SSL config with http2 support ----#
    #listen 443 http2;
    listen 443;
    server_name mydomain.com;
    ssl on;
    ssl_certificate /etc/nginx/certs/mydomain.com/fullchain;
    ssl_certificate_key /etc/nginx/certs/mydomain.com/key;
    ssl_session_timeout 30m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_session_cache shared:SSL:10m;
    #ssl_dhparam /etc/nginx/ssl/theos.in/dhparams.pem;
    ssl_prefer_server_ciphers on;

    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;

    ## Enables OCSP stapling
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;

    ## Send header to tell the browser to prefer https to http traffic
    add_header Strict-Transport-Security max-age=31536000;

    ## SSL logs ##
    #access_log /var/log/nginx/theos.in/ssl_access.log;
    #error_log /var/log/nginx/theos.in/ssl_error.log;
    #-------- END SSL config -------##

    # Add rest of your config below like document path and more ##
    location / {
        root /www/sites/mydomain.com;
        index index.html index.htm;
        #error_page 404 = /404/index.html;
        proxy_pass http://localhost:8000/;
    }
    include /www/nginx/acme-challenge.conf;
}
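As an added example that is not part of the original post, here is a small Python lint that walks the directives of a TLS server block like the one above and flags the settings worth tightening. Both sample blocks are constructed for the example: the first mirrors this post's directives, the second is a hardened variant with the corrected directives that the lint passes clean.

```python
# Constructed sample: the TLS-relevant directives of the server block in this post.
POST_CONF = """
server {
    listen 443;
    ssl on;
    ssl_certificate /etc/nginx/certs/mydomain.com/fullchain;
    ssl_certificate_key /etc/nginx/certs/mydomain.com/key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    add_header Strict-Transport-Security max-age=31536000;
}
"""

# Constructed hardened variant of the same block; the lint should report nothing for it.
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!3DES;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(conf):
    """Yield (name, args) for each uncommented simple directive; block braces are skipped."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.endswith("{") or line == "}":
            continue
        name, _, args = line.rstrip(";").partition(" ")
        yield name, args.split()

def lint_tls(conf):
    """Return (directive, problem) pairs for the weak TLS settings found in a server block."""
    findings = []
    for name, args in parse_directives(conf):
        if name == "ssl" and args == ["on"]:
            findings.append((name, "'ssl on' is deprecated; use 'listen 443 ssl' instead"))
        elif name == "ssl_protocols" and LEGACY_PROTOCOLS & set(args):
            findings.append((name, "legacy protocols enabled: " + " ".join(sorted(LEGACY_PROTOCOLS & set(args)))))
        elif name == "ssl_ciphers" and any("3DES" in s and not s.startswith("!") for s in args[0].split(":")):
            findings.append((name, "3DES suites enabled (64-bit block cipher, Sweet32)"))
        elif name == "add_header" and args and args[0] == "Strict-Transport-Security":
            if "includeSubDomains" not in " ".join(args[1:]):
                findings.append((name, "HSTS header lacks includeSubDomains"))
    return findings
```

The parser deliberately flattens blocks, so it is meant for checking one server block at a time rather than a whole nginx.conf.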

Certificate renewal

# crontab -u root -l
5 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

When installing the certificate, acme.sh creates a cron job that renews it for you automatically. Very thoughtful!