Google and Mozilla recently distrusted most of the domestic (Chinese) CAs, so a certificate issued by one of those CAs makes Chrome show the site as "not secure", while certificates from foreign CAs are fairly expensive. Let's Encrypt is a free, open certificate authority started by people from Mozilla, Cisco, Akamai, IdenTrust, the EFF and other organisations, and its certificates are trusted by the major browsers. Below is the installation and deployment procedure on an
nginx instance.
1. Install the client script
curl https://get.acme.sh | sh
(If you would rather not pipe a remote script straight into sh, download it first, read it, then run it.) After installation a cron job is added automatically. Let's Encrypt certificates are only valid for 90 days, so they have to be renewed automatically: the job runs acme.sh once a day and re-issues any certificate that is due (by default once it is 60 days old) and re-installs it.
44 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
Configure port 80 for the domain so that Let's Encrypt can verify that the server the domain resolves to is under your control (the HTTP-01 challenge: the CA fetches http://app.lhz.cc/.well-known/acme-challenge/<token> over plain HTTP). Only that path is served over HTTP; everything else is redirected to HTTPS with the request URI preserved:
server {
    listen 80;
    server_name app.lhz.cc;
    # Served from the webroot passed to acme.sh -w in step 2
    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/challenges/.well-known/acme-challenge/;
    }
    location / {
        # 301 to HTTPS, keeping path and query string
        return 301 https://app.lhz.cc$request_uri;
    }
    access_log /var/log/nginx/emmaapp80.log main;
}
2. Issue the certificate (acme.sh generates the domain private key, places the challenge file in the webroot configured above, and asks the CA to sign)
/root/.acme.sh/acme.sh --issue -d app.lhz.cc -w /var/www/challenges/
[Fri Aug 4 15:58:13 CST 2017] Registering account
[Fri Aug 4 15:58:15 CST 2017] Registered
[Fri Aug 4 15:58:16 CST 2017] Update account tos info success.
[Fri Aug 4 15:58:16 CST 2017] ACCOUNT_THUMBPRINT='Kzgy....sG9.......KxZOhj_PWj0U'
[Fri Aug 4 15:58:16 CST 2017] Creating domain key
[Fri Aug 4 15:58:16 CST 2017] The domain key is here: /root/.acme.sh/app.lhz.cc/app.lhz.cc.key
[Fri Aug 4 15:58:16 CST 2017] Single domain='app.lhz.cc'
[Fri Aug 4 15:58:16 CST 2017] Getting domain auth token for each domain
[Fri Aug 4 15:58:16 CST 2017] Getting webroot for domain='app.lhz.cc'
[Fri Aug 4 15:58:16 CST 2017] Getting new-authz for domain='app.lhz.cc'
[Fri Aug 4 15:58:18 CST 2017] The new-authz request is ok.
[Fri Aug 4 15:58:18 CST 2017] Verifying:app.lhz.cc
[Fri Aug 4 15:58:23 CST 2017] Success
[Fri Aug 4 15:58:23 CST 2017] Verify finished, start to sign.
[Fri Aug 4 15:58:25 CST 2017] Cert success.
-----BEGIN CERTIFICATE-----
MIIE9zCCA9+gAwIBAgISBKXWtHLEJcIiJT9O9+FllCgFMA0GCSqGSIb3DQEBCwUA
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA4MDQwNjU4MDBaFw0x
NzExMDIwNjU4MDBaMBUxEzARBgNVBAMTCmFwcC5yaWQuY2MwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDwMUoaFCycC9kzad96XAeh/5aUhx5a4U3m5DFl
...... (body of the certificate omitted here) ......
Y8XoJMDKrmNK427ZkUjhe7yZcSxQai7pQEII
-----END CERTIFICATE-----
[Fri Aug 4 15:58:25 CST 2017] Your cert is in /root/.acme.sh/app.lhz.cc/app.lhz.cc.cer
[Fri Aug 4 15:58:25 CST 2017] Your cert key is in /root/.acme.sh/app.lhz.cc/app.lhz.cc.key
[Fri Aug 4 15:58:25 CST 2017] The intermediate CA cert is in /root/.acme.sh/app.lhz.cc/ca.cer
[Fri Aug 4 15:58:25 CST 2017] And the full chain certs is there: /root/.acme.sh/app.lhz.cc/fullchain.cer
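The "Getting webroot ... Verifying ... Success" lines above are the HTTP-01 challenge. The Python below is added here as an illustration; it is not acme.sh's code and not from the original post. It shows what is actually exchanged: the client computes the RFC 7638 thumbprint of its account key (the ACCOUNT_THUMBPRINT printed above is this value for the real account key), writes token.thumbprint into the webroot that the port-80 alias serves, and the CA fetches /.well-known/acme-challenge/<token> and compares it with the value it computed itself. SAMPLE_ACCOUNT_JWK and SAMPLE_TOKEN are constructed stand-ins (a real account key is RSA-2048), and the CA's HTTP fetch is simulated by reading the file out of a scratch webroot.

```python
"""HTTP-01 challenge mechanics behind acme.sh's 'Verifying ... Success' lines.

Added example; not acme.sh's own code.  SAMPLE_ACCOUNT_JWK and SAMPLE_TOKEN are
constructed stand-ins, and the CA's HTTP fetch is simulated by a file read.
"""
import base64
import hashlib
import json
import os
import re
import tempfile

CHALLENGE_SUBDIR = os.path.join(".well-known", "acme-challenge")

# Constructed JWK: the modulus is filler, not a real RSA key.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "xAmMo9ZTo3qwBqQx7ZYkfbF5Xo6tL0v3Jw8kRNnQ2gEconstructedNotARealModulus",
}
SAMPLE_TOKEN = "DGyRejmCefe7v4NfDGDKfA"   # constructed; real tokens are >=128-bit random


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the *required* members only, keys in lexicographic
    order, no whitespace.  Extra members such as 'kid' or 'alg' do not change it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the CA expects: token '.' thumbprint(account key).  The thumbprint ties
    the response to the account that created the order, so someone who merely
    saw the token cannot satisfy the challenge."""
    return token + "." + jwk_thumbprint(account_jwk)


def is_valid_token(token: str) -> bool:
    """Tokens are base64url only.  Check before using one as a filename so a hostile
    or compromised ACME server cannot make the client write outside the challenge
    directory with a token such as '../../x'."""
    return re.fullmatch(r"[A-Za-z0-9_-]+", token) is not None


def publish_challenge(webroot: str, token: str, account_jwk: dict) -> str:
    """What acme.sh's '-w <webroot>' mode does: drop the key authorization where the
    port-80 'alias' block serves it, and return the file path."""
    if not is_valid_token(token):
        raise ValueError("token is not base64url: %r" % token)
    challenge_dir = os.path.join(webroot, CHALLENGE_SUBDIR)
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(key_authorization(token, account_jwk))
    return path


def ca_validates(webroot: str, token: str, account_jwk: dict) -> bool:
    """CA side: GET http://<domain>/.well-known/acme-challenge/<token> and compare
    with the key authorization computed from the *registered* account key.
    Trailing whitespace is tolerated, as RFC 8555 allows; anything else fails."""
    if not is_valid_token(token):
        return False
    path = os.path.join(webroot, CHALLENGE_SUBDIR, token)
    if not os.path.isfile(path):
        return False
    with open(path) as fh:
        body = fh.read().rstrip()
    return body == key_authorization(token, account_jwk)


def demo() -> dict:
    """Round trip in a scratch webroot, then two ways the CA's check fails."""
    with tempfile.TemporaryDirectory() as webroot:
        path = publish_challenge(webroot, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
        result = {
            "path_ok": path == os.path.join(webroot, CHALLENGE_SUBDIR, SAMPLE_TOKEN),
            "good": ca_validates(webroot, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK),
        }
        with open(path, "w") as fh:            # tampered: token alone, no thumbprint
            fh.write(SAMPLE_TOKEN)
        result["tampered"] = ca_validates(webroot, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
        result["missing"] = ca_validates(webroot, "YXw0d2Rjb250YW1kZ3NvbXRv", SAMPLE_ACCOUNT_JWK)
    return result


if __name__ == "__main__":
    print("ACCOUNT_THUMBPRINT=%r" % jwk_thumbprint(SAMPLE_ACCOUNT_JWK))
    print(demo())
```

This is also why the port-80 block must keep serving /.well-known/acme-challenge/ after the site moves to HTTPS: every renewal repeats this exchange, and a redirect that swallows the challenge path makes the cron job fail silently (the output goes to /dev/null) until the 90 days run out.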
3. Install the certificate to the paths the nginx configuration uses. acme.sh records these paths and the reload command, so every automatic renewal copies the new key and full chain to the same place and reloads nginx:
acme.sh --installcert -d app.lhz.cc \
    --keypath /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key \
    --fullchainpath /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt \
    --reloadcmd "/usr/local/nginx-1.8/sbin/nginx -s reload"
[Fri Aug 4 16:31:40 CST 2017] Installing key to:/usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key
[Fri Aug 4 16:31:40 CST 2017] Installing full chain to:/usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt
[Fri Aug 4 16:31:40 CST 2017] Run reload cmd: /usr/local/nginx-1.8/sbin/nginx -s reload
[Fri Aug 4 16:31:40 CST 2017] Reload success
4. Generate DH parameters (used only by the DHE cipher suites; written into the nginx ssl directory that the server block in step 5 reads)
openssl dhparam -out /usr/local/nginx-1.8/conf/ssl/dhparam.pem 2048
5. Certificate configuration in nginx. The certificate and key paths must be exactly the ones --installcert wrote in step 3, otherwise renewals update files nginx never reads. TLS 1.0 and 1.1 are deprecated, and TLS 1.3 needs nginx 1.13+ with OpenSSL 1.1.1, so on this nginx-1.8 build TLS 1.2 is the only protocol to enable; the cipher list is restricted to ECDHE/DHE AEAD suites (forward secrecy, no CBC/SHA-1, no static RSA or static ECDH key exchange).
server {
    listen 443 ssl;
    server_name app.lhz.cc;
    # Files written by acme.sh --installcert (step 3)
    ssl_certificate /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt;
    ssl_certificate_key /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key;
    ssl_dhparam /usr/local/nginx-1.8/conf/ssl/dhparam.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    # 497 = plain HTTP request received on the TLS port: redirect it, keeping the full URI
    error_page 497 =301 https://$host$request_uri;
    location / {
        proxy_pass http://app80_server_pool;
        proxy_set_header Host app.lhz.cc;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
    access_log /var/log/nginx/app.log main;
}
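The settings in step 5 are easy to get subtly wrong (a key path that does not match what --installcert wrote, a protocol list that still allows TLS 1.0, a cipher alias like AES or HIGH that quietly admits suites without forward secrecy), and nginx -t will not catch any of them. The script below is an added example, not part of the original post and not an nginx or acme.sh tool: a small linter for the TLS directives of a server block, run over two constructed strings, ORIGINAL_CONF (the port-443 block as first drafted, with "ssl on", TLSv1/1.1, the ECDH:AES:HIGH aliases and a mismatched key file name) and HARDENED_CONF (the corrected block). INSTALLED_KEY and INSTALLED_FULLCHAIN are the paths from step 3; the parser only handles single-line "name args;" directives, which is all these blocks contain.

```python
"""Lint the TLS directives of an nginx server block before reloading.

Added example, not from the original post and not part of nginx or acme.sh.
ORIGINAL_CONF and HARDENED_CONF are constructed strings; INSTALLED_KEY and
INSTALLED_FULLCHAIN are the paths acme.sh --installcert wrote in step 3.
"""
import os

INSTALLED_KEY = "/usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key"
INSTALLED_FULLCHAIN = "/usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt"

ORIGINAL_CONF = """
server {
    listen 443;
    server_name app.lhz.cc;
    ssl on;
    ssl_certificate /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt;
    ssl_certificate_key /usr/local/nginx-1.8/conf/ssl/app_rid_cc.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;
}
"""

HARDENED_CONF = """
server {
    listen 443 ssl;
    server_name app.lhz.cc;
    ssl_certificate /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt;   # fullchain from step 3
    ssl_certificate_key /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
}
"""

# OpenSSL cipher-list aliases that pull in suites without forward secrecy
# (static RSA / static ECDH key exchange) or legacy CBC+SHA-1, RC4, 3DES, MD5.
NON_PFS_OR_LEGACY = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "AES", "AES128",
                     "AES256", "ECDH", "kECDH", "RSA", "kRSA", "SHA", "SHA1",
                     "3DES", "DES", "RC4", "MD5"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(conf):
    """Return [(name, args)] for every single-line 'name args;' directive.
    Comments are dropped; 'server {' and '}' lines carry no directive."""
    out = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith(";"):
            name, _, args = line[:-1].partition(" ")
            out.append((name.strip(), args.strip()))
    return out


def lint_tls(conf, installed_key, installed_fullchain):
    """Return a list of findings; an empty list means every check passed."""
    by_name = {}
    for name, args in parse_directives(conf):
        by_name.setdefault(name, []).append(args)
    findings = []

    # 1. TLS is enabled per listen socket, not via the deprecated 'ssl on'.
    tls_listen = any("ssl" in a.split() for a in by_name.get("listen", []))
    if "on" in by_name.get("ssl", []):
        findings.append("'ssl on;' is deprecated; use 'listen 443 ssl;' instead")
    elif not tls_listen:
        findings.append("no 'listen ... ssl;' and no 'ssl on;': TLS is not enabled")

    # 2. No deprecated protocol versions.
    for a in by_name.get("ssl_protocols", []):
        weak = sorted(set(a.split()) & WEAK_PROTOCOLS)
        if weak:
            findings.append("ssl_protocols enables deprecated versions: " + " ".join(weak))

    # 3. Only positive cipher entries add suites; '!X' / '-X' remove them.
    for a in by_name.get("ssl_ciphers", []):
        positives = [c for c in a.strip('"').split(":") if c and c[0] not in "!-+"]
        bad = [c for c in positives if c in NON_PFS_OR_LEGACY]
        if bad:
            findings.append("ssl_ciphers admits non-PFS/legacy suites via: " + ":".join(bad))

    # 4. nginx must read exactly the files acme.sh installs, or each renewal
    #    updates files the server never loads and the site expires after 90 days.
    for directive, expected in (("ssl_certificate", installed_fullchain),
                                ("ssl_certificate_key", installed_key)):
        for a in by_name.get(directive, []):
            if os.path.normpath(a) != os.path.normpath(expected):
                findings.append("%s points at %s but acme.sh installed %s" % (directive, a, expected))
    return findings


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_tls(conf, INSTALLED_KEY, INSTALLED_FULLCHAIN) or ["OK"])
```

Run it on the real config before nginx -s reload; the original draft produces four findings and the hardened block none. After the reload, openssl s_client -connect app.lhz.cc:443 -servername app.lhz.cc shows the chain the server actually presents, which should end at the Let's Encrypt intermediate from fullchain.cer rather than the leaf alone.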