Aws ec2申请 Let's Encrypt SSL证书

用 Let's Encrypt 官方推荐的 certbot 客户端申请证书的过程中报错 python 依赖错误,Google 一番发现有国外的小伙伴提到 aws 的服务器不支持 certbot安装,并推荐了另外一个客户端,测试后可用,特记录于此

服务器环境: Awi Linux + Nginx

安装脚本

curl https://get.acme.sh | sh  
source ~/.bashrc

或者直接从 github 上下载并安装

git clone https://github.com/Neilpang/acme.sh.git  
cd ./acme.sh  
./acme.sh --install  
source ~/.bashrc

申请 ssl 证书
这里只列举了单域名,而且已经将域名指向到服务器, 其他更多情况请查阅下面的参考链接
acme.sh --issue -d example.com --webroot /var/www/example.com

执行过后会看到已经在自动申请了

[Fri Mar 13 03:50:46 UTC 2020] Create account key ok.
[Fri Mar 13 03:50:46 UTC 2020] Registering account
[Fri Mar 13 03:50:46 UTC 2020] Registered
[Fri Mar 13 03:50:46 UTC 2020] ACCOUNT_THUMBPRINT='OQTFfLllQ1LlCOl4Tw9W2faVubxuP73mMHrY3SpUAEg'
[Fri Mar 13 03:50:46 UTC 2020] Creating domain key
[Fri Mar 13 03:50:46 UTC 2020] The domain key is here: /home/ec2-user/.acme.sh/www.****.com/www.****.com.key
[Fri Mar 13 03:50:46 UTC 2020] Single domain='www.****.com'
[Fri Mar 13 03:50:46 UTC 2020] Getting domain auth token for each domain
[Fri Mar 13 03:50:47 UTC 2020] Getting webroot for domain='www.****.com'
[Fri Mar 13 03:50:47 UTC 2020] Verifying: www.****.com
[Fri Mar 13 03:50:50 UTC 2020] Pending
[Fri Mar 13 03:50:52 UTC 2020] Pending
[Fri Mar 13 03:51:14 UTC 2020] Pending
[Fri Mar 13 03:51:16 UTC 2020] Pending
[Fri Mar 13 03:51:19 UTC 2020] Success
[Fri Mar 13 03:51:19 UTC 2020] Verify finished, start to sign.
[Fri Mar 13 03:51:19 UTC 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/80463906/2638416705
[Fri Mar 13 03:51:19 UTC 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/03ed023419526b17a0863537b61bd5954723
[Fri Mar 13 03:51:20 UTC 2020] Cert success.

跑完以后会给出已生成的证书和私钥存放在本地的路径

注意: 这个生成的文件是内部使用的,不能直接 copy 出来用,需要用命令导出目标文件后才可在 nginx 上配置

导出的命令如下:
配置好导出的路径和 nginx reload 的命令就 OK 了

acme.sh --install-cert \
        --domain example.com \ 
        --cert-file /path/to/cert/cert.pem \
        --key-file /path/to/keyfile/key.pem \
        --fullchain-file /path/to/fullchain/fullchain.pem \
        --reloadcmd "sudo systemctl reload nginx.service"

最后把导出的文件配置到 Nginx
记得把 80 和 443 端口对外开放哦

server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;
    index index.html;
    location / {
        root /opt/nginx_root;
    }
    ssl_certificate      /path/to/cert/cert.pem;
    ssl_certificate_key  /path/to/keyfile/key.pem;
    
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
}

最后在浏览器访问并查看证书,chrome地址栏标绿并加锁:

ssl.png

Let's Encrypt的 ssl 证书有效期是三个月,到时候需要刷新,acme已经在 crontab 配置好了,不过也可以用下面的命令强制刷新

acme.sh --renew -d example.com --force

参考:
https://www.howtoforge.com/getting-started-with-acmesh-lets-encrypt-client/

Aws ec2申请 Let's Encrypt SSL证书

安装脚本

你可能感兴趣的:(Aws ec2申请 Let's Encrypt SSL证书)