最近谷歌和火狐封杀了国内大部分的CA机构,导致使用国内CA办法的证书在chrome浏览器显示为不安全的网站,国外的证书又比较贵,发现了一款开源免费的证书机构let's encrypt, 

是由Mozilla、Cisco、Akamai、IdenTrust、EFF等组织人员发起,比较有权威性,下面的例子是nginx

实例上的部署安装过程。


1. 安装客户端脚本


curl https://get.acme.sh | sh

安装完成后会自动在计划任务中增加一条任务自动更新证书,自动申请 因为证书有效期应该是90天

需要自动续签

44 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null


配置域名的80端口,使let's encrypt可以验证域名所在的服务器属于你管理


server {

      listen 80;

      server_name  app.lhz.cc;

      location ^~ /.well-known/acme-challenge/ {

      alias  /var/www/challenges/.well-known/acme-challenge/;

    }

      location /{

            rewrite ^(.*)$  https://app.lhz.cc permanent;           

       }

     access_log  /var/log/nginx/emmaapp80.log main;

   }




2. 生成证书key等


 /root/.acme.sh/acme.sh  --issue -d app.lhz.cc -w /var/www/challenges/

[Fri Aug  4 15:58:13 CST 2017] Registering account

[Fri Aug  4 15:58:15 CST 2017] Registered

[Fri Aug  4 15:58:16 CST 2017] Update account tos info success.

[Fri Aug  4 15:58:16 CST 2017] ACCOUNT_THUMBPRINT='Kzgy....sG9.......KxZOhj_PWj0U'

[Fri Aug  4 15:58:16 CST 2017] Creating domain key

[Fri Aug  4 15:58:16 CST 2017] The domain key is here: /root/.acme.sh/app.lhz.cc/app.lhz.cc.key

[Fri Aug  4 15:58:16 CST 2017] Single domain='app.lhz.cc'

[Fri Aug  4 15:58:16 CST 2017] Getting domain auth token for each domain

[Fri Aug  4 15:58:16 CST 2017] Getting webroot for domain='app.lhz.cc'

[Fri Aug  4 15:58:16 CST 2017] Getting new-authz for domain='app.lhz.cc'

[Fri Aug  4 15:58:18 CST 2017] The new-authz request is ok.

[Fri Aug  4 15:58:18 CST 2017] Verifying:app.lhz.cc

[Fri Aug  4 15:58:23 CST 2017] Success

[Fri Aug  4 15:58:23 CST 2017] Verify finished, start to sign.

[Fri Aug  4 15:58:25 CST 2017] Cert success.

-----BEGIN CERTIFICATE-----

MIIE9zCCA9+gAwIBAgISBKXWtHLEJcIiJT9O9+FllCgFMA0GCSqGSIb3DQEBCwUA

ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA4MDQwNjU4MDBaFw0x

NzExMDIwNjU4MDBaMBUxEzARBgNVBAMTCmFwcC5yaWQuY2MwggEiMA0GCSqGSIb3

DQEBAQUAA4IBDwAwggEKAoIBAQDwMUoaFCycC9kzad96XAeh/5aUhx5a4U3m5DFl

此处省略1万字..............................................................................................................................

Y8XoJMDKrmNK427ZkUjhe7yZcSxQai7pQEII

-----END CERTIFICATE-----

[Fri Aug  4 15:58:25 CST 2017] Your cert is in  /root/.acme.sh/app.lhz.cc/app.lhz.cc.cer 

[Fri Aug  4 15:58:25 CST 2017] Your cert key is in  /root/.acme.sh/app.lhz.cc/app.lhz.cc.key 

[Fri Aug  4 15:58:25 CST 2017] The intermediate CA cert is in  /root/.acme.sh/app.lhz.cc/ca.cer 

[Fri Aug  4 15:58:25 CST 2017] And the full chain certs is there:  /root/.acme.sh/app.lhz.cc/fullchain.cer 


3. 安装证书到nginx配置中指定位置,命令执行完成之后,会将下面的路径文件名称都会记录下来,方便自动更新证书


acme.sh --installcert -d app.lhz.cc \

>                --keypath  /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key  \

>                --fullchainpath /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt \

>                --reloadcmd     "/usr/local/nginx-1.8/sbin/nginx -s reload"

[Fri Aug  4 16:31:40 CST 2017] Installing key to:/usr/local/nginx-1.8/conf/ssl/app_lhz_cc.key

[Fri Aug  4 16:31:40 CST 2017] Installing full chain to:/usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt

[Fri Aug  4 16:31:40 CST 2017] Run reload cmd: /usr/local/nginx-1.8/sbin/nginx -s reload

[Fri Aug  4 16:31:40 CST 2017] Reload success


4.生成dhparam

openssl dhparam -out /root/.acme.sh/app.lhz.cc/dhparam.pem 2048



5. 证书在Nginx中的配置


  server {

       listen 443;

       server_name app.lhz.cc;


       ssl on;

       #配置生成的证书

       ssl_certificate /usr/local/nginx-1.8/conf/ssl/app_lhz_cc.crt;

       ssl_certificate_key /usr/local/nginx-1.8/conf/ssl/app_rid_cc.key;

       ssl_dhparam  /usr/local/nginx-1.8/conf/ssl/dhparam.pem;


       ssl_session_cache    shared:SSL:10m;

       ssl_session_timeout  10m;

       ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;

       ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;

       ssl_prefer_server_ciphers   on;

       error_page 497 "https://$host$uri?$args";



       location / {

   proxy_pass http://app80_server_pool;

   proxy_set_header Host app.lhz.cc;

            proxy_set_header X-Forwarded-For $remote_addr;

   proxy_set_header X-Forwarded-Proto https;

}


access_log  /var/log/nginx/app.log main; 

    }