Steps for setting up HTTPS certificate access on an Nginx site with acme.sh

Configuring HTTPS access for https://blog.ekanshu.com.cn with acme.sh


Error message

This had been set up before, and when I renewed it after updating the config file with the new name, it failed. The message is recorded below; rather than dig into it, we simply reissue the certificate first.


acme.sh --renew -d blog.ekanshu.com.cn
[Tue Sep  1 17:15:35 CST 2020] Renew: 'blog.ekanshu.com.cn'
[Tue Sep  1 17:15:36 CST 2020] Single domain='blog.ekanshu.com.cn'
[Tue Sep  1 17:15:36 CST 2020] Getting domain auth token for each domain
[Tue Sep  1 17:15:41 CST 2020] Getting webroot for domain='blog.ekanshu.com.cn'
[Tue Sep  1 17:15:41 CST 2020] Verifying: blog.ekanshu.com.cn
[Tue Sep  1 17:15:47 CST 2020] blog.ekanshu.com.cn:Verify error:Invalid response from http://blog.ekanshu.com.cn/.well-known/acme-challenge/Q1dPp6i2-NodYMUkNEieD1kt_BLiNE1S1h7u0u_7-cs [118.24.54.134]: 
[Tue Sep  1 17:15:47 CST 2020] Please add '--debug' or '--log' to check more details.
[Tue Sep  1 17:15:47 CST 2020] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh



acme.sh implements every validation method the ACME protocol supports. There are generally two ways to validate: HTTP validation and DNS validation.

(1) Issue the certificate with HTTP validation (the DNS method is not covered here)

acme.sh --issue -d blog.ekanshu.com.cn --webroot /var/www/html/laravel-ekanshu-blog/public

Output


[root@VM_0_12_centos .acme.sh]# acme.sh --issue -d blog.ekanshu.com.cn --webroot /var/www/html/laravel-ekanshu-blog/public
[Tue Sep  1 17:20:19 CST 2020] Single domain='blog.ekanshu.com.cn'
[Tue Sep  1 17:20:19 CST 2020] Getting domain auth token for each domain
[Tue Sep  1 17:20:26 CST 2020] Getting webroot for domain='blog.ekanshu.com.cn'
[Tue Sep  1 17:20:26 CST 2020] Verifying: blog.ekanshu.com.cn
[Tue Sep  1 17:20:31 CST 2020] Pending
[Tue Sep  1 17:20:34 CST 2020] Pending
[Tue Sep  1 17:20:37 CST 2020] Pending
[Tue Sep  1 17:20:40 CST 2020] Pending
[Tue Sep  1 17:20:44 CST 2020] Success
[Tue Sep  1 17:20:44 CST 2020] Verify finished, start to sign.
[Tue Sep  1 17:20:44 CST 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/72146190/4966272616
[Tue Sep  1 17:20:46 CST 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/03de44c2a21a5cceebdd2f9d3bd518fe1ce1
[Tue Sep  1 17:20:48 CST 2020] Cert success.
[Tue Sep  1 17:20:48 CST 2020] Your cert is in  /root/.acme.sh/blog.ekanshu.com.cn/blog.ekanshu.com.cn.cer 
[Tue Sep  1 17:20:48 CST 2020] Your cert key is in  /root/.acme.sh/blog.ekanshu.com.cn/blog.ekanshu.com.cn.key 
[Tue Sep  1 17:20:48 CST 2020] The intermediate CA cert is in  /root/.acme.sh/blog.ekanshu.com.cn/ca.cer 
[Tue Sep  1 17:20:48 CST 2020] And the full chain certs is there:  /root/.acme.sh/blog.ekanshu.com.cn/fullchain.cer 
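The "Invalid response" failure at the top of this page is what the CA reports when the directory acme.sh writes the challenge token into is not the directory nginx actually serves for that host. The pre-flight check below is an added example, not part of acme.sh or of this site's setup: it drops a throwaway token under the webroot and fetches it back the way the CA would, so a wrong --webroot is caught before an issue attempt is spent. The function name `webroot_preflight` and its arguments are this example's own; the sample paths in the test are constructed.

```python
"""Pre-flight check for the acme.sh HTTP-01 (--webroot) challenge (added example)."""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def webroot_preflight(webroot, base_url, timeout=10.0):
    """Write a random token into WEBROOT/.well-known/acme-challenge/ and GET it back
    through BASE_URL (e.g. http://blog.ekanshu.com.cn). Returns (ok, detail).

    The body is compared, not only the status code: an nginx 'error_page 404 /index.php'
    rule answers a missing token with the application's front page and HTTP 200, which
    the CA still treats as an invalid response.
    """
    token = secrets.token_urlsafe(32)           # URL- and filename-safe, like real ACME tokens
    challenge_path = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(challenge_path, exist_ok=True)
    token_file = os.path.join(challenge_path, token)
    with open(token_file, "w", encoding="ascii") as fh:
        fh.write(token)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("ascii", "replace")
    except urllib.error.HTTPError as exc:       # 403/404: wrong webroot or challenge path blocked
        return False, f"{url} -> HTTP {exc.code}: check --webroot and the .well-known location rule"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"{url} -> unreachable: {exc}"
    finally:
        os.remove(token_file)                   # never leave stale tokens behind
    if body.strip() != token:
        return False, f"{url} -> served other content (application fallback page?), not the token"
    return True, f"{url} -> token served correctly; safe to run acme.sh --issue --webroot {webroot}"


if __name__ == "__main__":
    import sys
    ok, detail = webroot_preflight(sys.argv[1], sys.argv[2])
    print(detail)
    sys.exit(0 if ok else 1)
```

Run it as `python3 preflight.py /var/www/html/laravel-ekanshu-blog/public http://blog.ekanshu.com.cn`; the exit status is 0 only when the token comes back byte-for-byte.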


(2) Copy / install the certificate


Apache example
acme.sh --installcert -d example.com \
--cert-file      /path/to/certfile/in/apache/cert.pem  \
--key-file       /path/to/keyfile/in/apache/key.pem  \
--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd     "service apache2 force-reload"

Nginx example
acme.sh --installcert -d example.com \
--key-file       /path/to/keyfile/in/nginx/key.pem  \
--fullchain-file /path/to/fullchain/nginx/cert.pem \
--reloadcmd     "service nginx force-reload"


Using blog.ekanshu.com.cn as the example:


Apache

acme.sh --installcert -d blog.ekanshu.com.cn \
--cert-file      /etc/httpd/ssl/blog.ekanshu.com.cn.crt  \
--key-file       /etc/httpd/ssl/blog.ekanshu.com.cn.key  \
--fullchain-file /etc/httpd/ssl/fullchain.cer \
--reloadcmd     "systemctl restart httpd"

Nginx

acme.sh --installcert -d blog.ekanshu.com.cn \
--cert-file       /usr/local/nginx/conf/ssl/blog.ekanshu.com.cn/blog.ekanshu.com.cn.cer  \
--key-file        /usr/local/nginx/conf/ssl/blog.ekanshu.com.cn/blog.ekanshu.com.cn.key  \
--fullchain-file  /usr/local/nginx/conf/ssl/blog.ekanshu.com.cn/fullchain.cer \
--reloadcmd     "nginx -s reload"

(3) Nginx configuration

Port 443 variant (HTTPS, with port 80 redirecting)


server {
    listen          443 ssl;
    server_name     blog.ekanshu.com.cn;

    ssl_certificate         /usr/local/nginx/conf/ssl/blog.ekanshu.com.cn/fullchain.cer;
    ssl_certificate_key     /usr/local/nginx/conf/ssl/blog.ekanshu.com.cn/blog.ekanshu.com.cn.key;
    ssl_session_timeout     5m;
    # Protocol versions the server will negotiate (TLS 1.0 and 1.1 are deprecated by RFC 8996)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;   legacy cipher list (includes RC4/EXPORT/LOW)
    ssl_ciphers  HIGH:!aNULL:!MD5;
    # Prefer the server's cipher order over the client's when using SSLv3/TLS
    ssl_prefer_server_ciphers   on;
    root /var/www/html/laravel-ekanshu-blog/public/;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    #location /api.php{
    #   proxy_pass http://127.0.0.1:8090/api/v1;
    #}
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9001;
        fastcgi_index index.php;
        #fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Block dotfiles (.env, .git, ...) but keep /.well-known/ reachable for the ACME challenge
    location ~ /\.(?!well-known).* {
        deny all;
    }
}

server {
    listen          80;
    server_name     blog.ekanshu.com.cn www.humengxu.com;

    if ($host != blog.ekanshu.com.cn) {
        rewrite ^/(.*)$ https://blog.ekanshu.com.cn/$1 permanent;
        # return  301 blog.ekanshu.com.cn;
    }

    return 301 https://blog.ekanshu.com.cn$request_uri;
}


Port 80 only (plain HTTP)


server {
    listen 80;

    server_name  blog.ekanshu.com.cn www.humengxu.com;

    if ($host != blog.ekanshu.com.cn){
       rewrite ^/(.*)$ http://blog.ekanshu.com.cn/$1 permanent;
       # return  301 blog.ekanshu.com.cn;
    }

    root /var/www/html/laravel-ekanshu-blog/public/;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    #location /api.php{
    #   proxy_pass http://127.0.0.1:8090/api/v1;
    #}
    
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9001;
        fastcgi_index index.php;
        #fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

(4) Apache configuration


HTTP configuration: redirect straight to HTTPS

# The <VirtualHost> container tags were lost when the page was extracted; *:80 is assumed for the HTTP site.
<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot "/var/www/html/robot"
    ServerName robot.xxx.com
    # Only the site root "/" is redirected; any other path is still served over plain HTTP
    RedirectMatch ^/$ https://robot.xxx.com
    ErrorLog "logs/robot.xxx.com-error_log"
    CustomLog "logs/robot.xxx.com-access_log" common

    #ProxyRequests On
    #ProxyPass /api/ http://127.0.0.1:5000/
    #ProxyPassReverse /api/ http://127.0.0.1:5000/
</VirtualHost>



HTTPS configuration


# The <VirtualHost> container tags were lost when the page was extracted; *:443 is assumed for the HTTPS site.
<VirtualHost *:443>
    DocumentRoot "/var/www/html/gkmobile/public"
    ServerName yimai.xxx.com:443
    Header set Access-Control-Allow-Origin "http://127.0.0.1"
    ErrorLog "logs/yimai.xxx.com-error_log"
    CustomLog "logs/yimai.xxx.com-access_log" common
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/httpd/conf/genekang-ssl/genekang.com.cer
    SSLCertificateKeyFile /etc/httpd/conf/genekang-ssl/genekang.com.key
    # SSLCertificateChainFile is deprecated since httpd 2.4.8; there SSLCertificateFile may point at fullchain.cer directly
    SSLCertificateChainFile /etc/httpd/conf/genekang-ssl/fullchain.cer

    # The two containers below had their tags stripped too; they are assumed to be the
    # FilesMatch / Directory blocks of the stock httpd ssl.conf that carry these SSLOptions lines.
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>




(5) Scheduled task (cron)

Once the issue command has finished, a cron job is set up automatically, as follows:

46 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

(6) Renewing the certificate

At present the certificate is renewed automatically after 60 days, with no action required on your part. This interval may be shortened in the future, but renewal stays automatic, so you do not need to worry about it.
To force a manual renewal:

acme.sh --renew -d example.com --force

(7) Updating acme.sh

Because both the ACME protocol and the Let's Encrypt CA are updated frequently, acme.sh is also updated often to stay in sync.
Upgrade acme.sh to the latest version:

acme.sh --upgrade

If you do not want to upgrade by hand, you can enable automatic upgrades:

acme.sh  --upgrade  --auto-upgrade

After that, acme.sh keeps itself up to date automatically.

You can also turn automatic upgrades off at any time:

acme.sh --upgrade  --auto-upgrade  0

(8) HTTP to HTTPS redirect for a wildcard domain

Apache

Configure .htaccess in the site's document root:


RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,L]
or

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L]


Nginx

upstream tomcat9 {
    server 127.0.0.1:8080;
}
server {
    listen 80;
    server_name *.xxxx.cn;
    return 301 https://$http_host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name *.xxxx.cn;

    # wildcard certificate and key for *.xxxx.cn
    ssl_certificate     cert/xxxx.cn/fullchain.cer;
    ssl_certificate_key cert/xxxx.cn/xxxx.cn.key;
    ssl_session_timeout 5m;
    # nginx protocol names are case-sensitive: TLSv1, not TLSV1
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;

    access_log logs/easex.cn_access.log;
    error_log  logs/easex.cn_error.log;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header X-Real-IP $remote_addr;
        # appends the client address to any X-Forwarded-For already present on the request
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;

        proxy_pass http://tomcat9/;
    }
}
