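Configuring HTTPS for nginx with acme.sh

Use acme.sh to install a free SSL certificate from Let's Encrypt with a single command, then configure HTTPS for nginx.
This article uses the domain derror.com as the example.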

Install nginx

Configure and start nginx as usual and make sure the site is reachable over HTTP:
Set the root directory, for example: /home/work/local/www/

Install acme.sh

$ curl https://get.acme.sh | sh

Issue a cert

$ acme.sh --issue -d derror.com -w /home/work/local/www

On success you should see the following messages

[Mon Oct 29 08:12:04 EDT 2018] Your cert is in  /root/.acme.sh/derror.com/mrnil.com.cer
[Mon Oct 29 08:12:04 EDT 2018] Your cert key is in  /root/.acme.sh/derror.com/mrnil.com.key
[Mon Oct 29 08:12:05 EDT 2018] The intermediate CA cert is in  /root/.acme.sh/derror.com/ca.cer
[Mon Oct 29 08:12:05 EDT 2018] And the full chain certs is there:  /root/.acme.sh/derror.com/fullchain.cer

Configure automatic certificate renewal

$ acme.sh --install-cert -d derror.com \
--key-file       /home/work/local/cert/derror.com/key.pem  \
--fullchain-file /home/work/local/cert/derror.com/cert.pem \
--reloadcmd     "systemctl restart nginx"

--reloadcmd "systemctl restart nginx" restarts nginx automatically after each renewal so that the new certificate takes effect

Generate dhparam.pem

$ openssl dhparam -out /home/work/local/cert/derror.com/dhparam.pem 2048

Configure SSL in nginx

www.conf

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

server {
    listen       80 default_server;
    listen       [::]:80 default_server;
    listen       443 ssl;
    server_name  _;

    ssl_certificate         /home/work/local/cert/derror.com/cert.pem;
    ssl_certificate_key     /home/work/local/cert/derror.com/key.pem;
    # ssl_dhparam
    ssl_dhparam             /home/work/local/cert/derror.com/dhparam.pem;

    root         /home/work/local/www;
    index index.html index.htm;
    location / {
    }
}
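
A hardened variant of the www.conf above, as an added example rather than the article's own configuration: it drops TLSv1 and TLSv1.1 (deprecated by RFC 8996), redirects HTTP to HTTPS, and keeps the ACME challenge path reachable on port 80 so that webroot renewals by acme.sh keep working. It assumes nginx 1.13 or later built with OpenSSL 1.1.1 or later (needed for TLSv1.3) and that the site answers only for derror.com.

```nginx
# Added example, not from the original article.
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); allow only TLSv1.2 and TLSv1.3.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

# Plain HTTP: serve only the ACME http-01 challenge, redirect everything else.
server {
    listen       80 default_server;
    listen       [::]:80 default_server;
    server_name  derror.com;

    # "acme.sh --issue -w /home/work/local/www" writes its challenge files
    # under this path, so renewals still validate once the redirect is active.
    location ^~ /.well-known/acme-challenge/ {
        root         /home/work/local/www;
        default_type text/plain;
        try_files    $uri =404;
    }

    # Redirect to a fixed host name instead of $host, so a forged Host
    # header cannot steer the redirect to another site.
    location / {
        return 301 https://derror.com$request_uri;
    }
}

# HTTPS: same certificate paths that "acme.sh --install-cert" writes to.
server {
    listen       443 ssl;
    listen       [::]:443 ssl;
    server_name  derror.com;

    ssl_certificate         /home/work/local/cert/derror.com/cert.pem;
    ssl_certificate_key     /home/work/local/cert/derror.com/key.pem;
    ssl_dhparam             /home/work/local/cert/derror.com/dhparam.pem;

    # HSTS: browsers that have seen this header use HTTPS only for max-age
    # seconds, so enable it once certificate renewal is known to work.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root         /home/work/local/www;
    index index.html index.htm;
    location / {
    }
}
```

Run nginx -t to check the syntax before restarting.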

Then restart nginx

$ systemctl restart nginx

Verify SSL

https://derror.com

https://ssllabs.com/ssltest/analyze.html?d=derror.com

Article source: https://www.derror.com/log/configure-https-for-nginx-using-acmesh
