Steps to generate certificates
1. Add the configuration file used to upload files to OSS
# ll /root/.ossutilconfig
-rw-rw-r-- 1 root root 149 Feb 1 14:51 /root/.ossutilconfig
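The listing above shows the ossutil credential file with mode 664, which makes the OSS AccessKey readable by every local user. The following check script is an added example, not part of the original runbook: it reports whether a credential file is owner-only and tightens it to 0600 if not. The path /root/.ossutilconfig is the one used in the runbook; the function names are this example's own.

```shell
#!/bin/bash
# Added example (not from the original runbook): verify that the ossutil
# credential file is private before the certbot hooks use it.

# Print the octal permission bits of a file (GNU stat, with a BSD fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the file is readable only by its owner (0600 or 0400),
# 1 if it is group- or world-accessible, 2 if it does not exist.
check_private_file() {
  path="$1"
  [ -f "$path" ] || return 2
  mode=$(file_mode "$path")
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Tighten the mode so only the owner can read the file; idempotent.
fix_private_file() {
  chmod 600 "$1" && check_private_file "$1"
}

# Check one file, repairing it when it is too open.
main() {
  cfg="$1"
  if [ ! -f "$cfg" ]; then
    echo "$cfg: missing" >&2
    return 2
  fi
  if check_private_file "$cfg"; then
    echo "$cfg: ok (mode $(file_mode "$cfg"))"
  else
    echo "$cfg: mode $(file_mode "$cfg") is readable by other users; setting 0600" >&2
    fix_private_file "$cfg"
  fi
}

# Stand-alone usage: sh check_oss_cfg.sh /root/.ossutilconfig
if [ $# -gt 0 ]; then main "$1"; fi
```

Run it against /root/.ossutilconfig before the first certificate request; the same check applies to any file that holds cloud credentials used by a cron job or hook.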
2. Create the hook scripts needed for validation
# cat /opt/shell_app/authenticator.sh
#!/bin/bash
# certbot --manual-auth-hook: certbot exports CERTBOT_TOKEN and CERTBOT_VALIDATION
set -euo pipefail
CERTBOT_DIR="/opt/nginx/html/.well-known/acme-challenge"
mkdir -p "${CERTBOT_DIR}"
# Write the key authorization into a file named after the token
echo "${CERTBOT_VALIDATION}" > "${CERTBOT_DIR}/${CERTBOT_TOKEN}"
# Copy the challenge file to the OSS bucket that serves this domain
/opt/oss/ossutil64 -c /root/.ossutilconfig cp -f "${CERTBOT_DIR}/${CERTBOT_TOKEN}" oss://js-djstatics-example-com/.well-known/acme-challenge/
# cat /opt/shell_app/cleanup.sh
#!/bin/bash
# certbot --manual-cleanup-hook: remove the local challenge file after validation
set -euo pipefail
CERTBOT_DIR="/opt/nginx/html/.well-known/acme-challenge"
rm -f "${CERTBOT_DIR}/${CERTBOT_TOKEN}"
# Note: the copy uploaded to OSS by authenticator.sh is not removed here
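The two hooks above can be exercised without certbot or OSS. The harness below is an added example, not part of the original runbook: it reproduces the auth-hook sequence (write the validation string to the challenge directory, upload it, confirm the content, clean up) against a scratch directory, with a fake uploader standing in for ossutil64. It also validates the token before using it as a filename, which the original hooks do not do. The challenge directory layout matches the runbook; the bucket name EXAMPLE-BUCKET and all function names are this example's own.

```shell
#!/bin/bash
# Added example, not from the original runbook: a dry-run harness for the two
# certbot hooks. certbot calls --manual-auth-hook with CERTBOT_TOKEN and
# CERTBOT_VALIDATION in the environment and expects
# <webroot>/.well-known/acme-challenge/<token> to contain the validation string.

# ACME tokens are base64url (RFC 8555 section 8.3); reject anything else so a
# token can never become a path component such as "../".
validate_token() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Write the key authorization for a token under the challenge directory.
# Arguments: challenge dir, token, validation string.
write_challenge() {
  dir="$1"; token="$2"; validation="$3"
  validate_token "$token" || return 1
  mkdir -p "$dir"
  printf '%s\n' "$validation" > "$dir/$token"
}

# Remove the local challenge file; safe for a token that was never written.
remove_challenge() {
  dir="$1"; token="$2"
  validate_token "$token" || return 1
  rm -f "$dir/$token"
}

# Stand-in for "ossutil64 cp -f <file> oss://<bucket>/<prefix>/": append the
# would-be upload to a log file instead of talking to OSS.
fake_upload() {
  src="$1"; dest="$2"; log="$3"
  [ -f "$src" ] || return 1
  printf '%s -> %s\n' "$src" "$dest" >> "$log"
}

# Run the full auth-hook sequence the way certbot would, against a scratch
# webroot, verify the served content, clean up, and print the number of
# uploads recorded. Arguments: scratch root, token, validation string.
dry_run() {
  root="$1"; token="$2"; validation="$3"
  cdir="$root/.well-known/acme-challenge"
  write_challenge "$cdir" "$token" "$validation" || return 1
  fake_upload "$cdir/$token" "oss://EXAMPLE-BUCKET/.well-known/acme-challenge/" "$root/upload.log" || return 1
  # This is what Let's Encrypt fetches at http://<domain>/.well-known/acme-challenge/<token>
  [ "$(cat "$cdir/$token")" = "$validation" ] || return 1
  remove_challenge "$cdir" "$token"
  wc -l < "$root/upload.log" | tr -d ' '
}
```

The token check is the one change worth carrying back into the real hooks: certbot only ever passes base64url tokens, but a hook that writes to an unquoted `${CERTBOT_DIR}/$CERTBOT_TOKEN` should not rely on that.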
3. Fetch the certbot code
# cd /usr/local/src/
# git clone https://github.com/letsencrypt/letsencrypt
# cd letsencrypt
4. Create the certificates
manual for js-sts.example.com
Because the files behind js-sts.example.com are served from OSS, the challenge file has to be synced to OSS as well, so manual mode is used with a sync hook.
# ./letsencrypt-auto certonly --manual --manual-auth-hook /opt/shell_app/authenticator.sh --manual-cleanup-hook /opt/shell_app/cleanup.sh -m example@example -d js-sts.example.com --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for js-sts.example.com
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y
Output from authenticator.sh:
Total num: 1, size: 88. Dealed num: 0, OK size: 0, Progress: 0%
Total num: 1, size: 88. Dealed num: 0, OK size: 88, Progress: 100%
Succeed: Total num: 1, size: 88. OK num: 1(upload 1 files).
0.066282(s) elapsed
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/js-sts.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/js-sts.example.com/privkey.pem
Your cert will expire on 2018-05-02. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
webroot for js-ds.example.com
On every nginx backend behind js-ds.example.com, add a rewrite that redirects requests for the challenge file to js-gray.example.com, and on the js-gray.example.com backend add the logic to serve the challenge file.
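The nginx configuration this describes, as an added example that is not part of the original runbook: the first server block is what each js-ds.example.com backend needs, the second is the js-gray.example.com backend that serves the files certbot writes under the webroot given with -w /opt/nginx/html/. Hostnames and the webroot path come from the runbook; listening on port 80 and implementing the rewrite with `return 302` are this example's choices (Let's Encrypt follows redirects for HTTP-01, and a temporary redirect avoids caches remembering it).

```nginx
# On every nginx backend behind js-ds.example.com: hand the ACME HTTP-01
# challenge off to js-gray.example.com so it only has to be served from one place.
server {
    listen 80;
    server_name js-ds.example.com;

    location ^~ /.well-known/acme-challenge/ {
        return 302 http://js-gray.example.com$request_uri;
    }

    # existing application locations unchanged
}

# On the js-gray.example.com backend: serve the challenge files that certbot
# writes into the webroot given with -w /opt/nginx/html/.
server {
    listen 80;
    server_name js-gray.example.com;

    location ^~ /.well-known/acme-challenge/ {
        root /opt/nginx/html;
        default_type text/plain;
        # Only this directory is exposed; nothing else under the webroot.
    }

    # existing application locations unchanged
}
```

Check with `nginx -t` and reload on every backend before running certbot; if any js-ds.example.com backend is missed, the validation request that lands on it gets the application's response instead of the redirect and the challenge fails.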
# ./letsencrypt-auto certonly --webroot -w /opt/nginx/html/ -d js-ds.example.com -m example@example
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for js-ds.example.com
Using the webroot path /opt/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /opt/nginx/html/.well-known/acme-challenge
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/js-ds.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/js-ds.example.com/privkey.pem
Your cert will expire on 2018-05-02. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
5. Upload the certificate
Paste /etc/letsencrypt/live/js-sts.example.com/fullchain.pem and /etc/letsencrypt/live/js-sts.example.com/privkey.pem (the certificate chain and the private key, respectively) into https://cdn.console.aliyun.com/?spm=5176.8466010.0.0.37df1649mg6epQ#/DomainDetail/detail/js-sts.example.com
6. Renew the certificate
To be added
7. Test the links
All three of the following scenarios work:
SSL_STATIC_URL: https://js-sts.example.com/statics/html5_player/template_js/base_js/jquery-1.9.1.js
SSL_API_SERVER_URL: https://js-ds.example.com/store/render_native_play/?template_id=15000462&section_id=15119054&do_type=play&render_type=sg
SSL_PHOTO_URL: https://js-ds.example.com/file/v2/d/58fcba4d0b5032540f09b9bf.jpeg
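The links above confirm that the endpoints serve over HTTPS on the day the certificates are issued; the certbot output also notes that they expire on 2018-05-02, 90 days later. The script below is an added example, not part of the original runbook: it fetches the certificate each host actually serves, computes the days left, and flags any host inside a renewal window. Hostnames come from the runbook; the 30-day threshold matches certbot's default renewal window and is this example's chosen default, and the function names are its own. Date parsing uses GNU date.

```shell
#!/bin/bash
# Added example, not part of the original runbook: report the days remaining on
# the certificate each HTTPS endpoint serves, so a lapsed renewal is noticed
# before the CDN starts returning an expired chain.

# Parse the notAfter value as printed by `openssl x509 -noout -enddate`
# (e.g. "May  2 14:51:00 2018 GMT") and print whole days from a reference
# epoch (default: now) to that instant. Requires GNU date.
days_until() {
  not_after="$1"; ref="${2:-$(date -u +%s)}"
  exp=$(date -u -d "$not_after" +%s) || return 2
  echo $(( (exp - ref) / 86400 ))
}

# Return 0 if fewer than $2 days (default 30) remain, i.e. renewal is due.
needs_renewal() {
  days="$1"; threshold="${2:-30}"
  [ "$days" -lt "$threshold" ]
}

# Fetch the leaf certificate <host> serves for itself and print its notAfter.
# SNI is sent so a shared CDN edge returns the certificate for this hostname.
remote_not_after() {
  host="$1"
  na=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
       | openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
  [ -n "$na" ] || return 1
  echo "$na"
}

# Check every host given and return non-zero if any certificate needs renewal
# or could not be fetched.
check_hosts() {
  rc=0
  for host in "$@"; do
    na=$(remote_not_after "$host") || { echo "$host: could not fetch certificate" >&2; rc=1; continue; }
    d=$(days_until "$na")
    if needs_renewal "$d"; then
      echo "$host: expires $na ($d days) - RENEW" >&2; rc=1
    else
      echo "$host: expires $na ($d days) - ok"
    fi
  done
  return $rc
}

# Stand-alone usage: sh check_cert_expiry.sh js-sts.example.com js-ds.example.com
if [ $# -gt 0 ]; then check_hosts "$@"; fi
```

Because step 5 uploads the certificate to the CDN console by hand, the certificate served at the edge can lag behind what certbot has on disk; checking the live endpoint rather than /etc/letsencrypt/live is what catches that.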
Reference links:
Configuration method 1
Configuration method 2