为服务器配置自动更新SSL证书

以我 youcute.cn 为例,首先安装 acme 脚本 https://github.com/Neilpang/acme.sh。然后生成证书,将证书拷贝到相应的目录。

  • 因为我的 nginx 的配置只有 root 有权限,所以为图方便,acme.sh 也是安装在 root 的用户目录下
  • nginx 是从一个普通用户目录里读取 ssl 证书文件

生成多个证书

acme.sh --issue  -d youcute.cn -d liulidun.youcute.cn -d blog.youcute.cn -d jenkins.youcute.cn   --nginx

将证书拷到对应目录

acme.sh --installcert  -d  youcute.cn --key-file /home/jy/ssl/youcute.cn.key --fullchain-file /home/jy/ssl/fullchain.cer --reloadcmd  "service nginx force-reload"

Nginx 配置

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    gzip on;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # 导入其他反向代理域名 server 配置
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  youcute.cn www.youcute.cn;
        root         /home/jy/static_web/index/;
        rewrite  ^(.*)  https://$server_name$1 permanent;

        # 导入配置,例如 ssl.conf
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  youcute.cn www.youcute.cn;
        root         /home/jy/static_web/index/;

        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

}

SSL 配置放在了 default.d/ssl.conf

ssl_certificate "/home/jy/ssl/fullchain.cer";
ssl_certificate_key "/home/jy/ssl/youcute.cn.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout  10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

每个子域名的配置

例如 blog.youcute.cn。

每个子域名也会去读取上面的 ssl 配置

server {
        listen       80;
        listen       [::]:80;
        server_name  blog.youcute.cn;
        root         /home/jy/static_web/blog/;
        #rewrite  ^(.*)  https://$server_name$1 permanent;

        location / {
        }
 }

server {
    listen 443;
    listen [::]:443;
    server_name blog.youcute.cn;
    root /home/jy/static_web/blog/;
    include /etc/nginx/default.d/*.conf;
}

你可能感兴趣的:(建站)