雾非雾 - 证书

雾非雾 - 证书 https://www.941741.xyz/tag/%E8%AF%81%E4%B9%A6/ SSL证书的申请 https://www.941741.xyz/archives/8.html 2022-10-07T10:47:00+08:00 昨天折腾了一通，主站的 SSL 搞定了；但是子目录 php 竟然无法运行，只好暂时终止。今天来折腾了一下这个子域名，顺便记录一下申请过程。1、先安装 acme.sh登录 SSH 后，切换到 root 帐号后面的 email 换成自己的邮箱地址curl https://get.acme.sh | sh -s email=申请用的电子邮箱安装完成后，要重启加载一下；或者关闭 SSH 重新登录一下source ~/.bashrc如果想保持 acme.sh 为最新，可开启自动更新acme.sh --upgrade --auto-upgrade2、创建用于存放证书的目录mkdir -p /var/www/letsencrypt3、acme.sh 支持 Let's Encrypt、Buypass、ZeroSSL 和 SSL.com，默认使用 ZeroSSL，切换命令：Let's Encryptacme.sh --set-default-ca --server letsencryptBuypassacme.sh --set-default-ca --server buypassSSL.comacme.sh --set-default-ca --server ssl.comZeroSSLacme.sh --set-default-ca --server zerossl4、配置 Nginx，用 HTTP 来验证证书签发域名、验证目录根据自己需求自定义server { listen 80; listen [::]:80; server_name 自己的域名; location /.well-known/acme-challenge { # 自己定义的位置，用于校验服务器所有权 root /www/wwwroot/809022.xyz; # 自己的网站目录 } location / { rewrite ^/(.*)$ https://$host/$1 permanent; } }5、申请证书--webroot 申请网站的根目录acme.sh --issue -d 自己的域名 --webroot /www/wwwroot/rj.809022.xyz如果有多个域名，之间用空格隔开；至于是不是支持泛域名，请自己 googleacme.sh --issue -d 域名1 -d 域名2 -w /www/wwwroot/rj.809022.xyz6、申请成功后显示[root@80smus ~]# acme.sh --issue -d rj.809022.xyz --webroot /www/wwwroot/rj.809022.xyz [Thu Oct 6 16:59:46 CST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory [Thu Oct 6 16:59:46 CST 2022] Single domain='rj.809022.xyz' [Thu Oct 6 16:59:46 CST 2022] Getting domain auth token for each domain [Thu Oct 6 17:00:09 CST 2022] Getting webroot for domain='rj.809022.xyz' [Thu Oct 6 17:00:09 CST 2022] Verifying: rj.809022.xyz [Thu Oct 6 17:00:12 CST 2022] Pending, The CA is processing your order, please just wait. (1/30) [Thu Oct 6 17:00:17 CST 2022] Success [Thu Oct 6 17:00:17 CST 2022] Verify finished, start to sign. [Thu Oct 6 17:00:17 CST 2022] Lets finalize the order. [Thu Oct 6 17:00:17 CST 2022] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/762972326/132022859836' [Thu Oct 6 17:00:21 CST 2022] Downloading cert. [Thu Oct 6 17:00:21 CST 2022] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03763b64c7f5f1a8cf1c65c70af0f87700d2' [Thu Oct 6 17:00:24 CST 2022] Cert success. -----BEGIN CERTIFICATE----- 这里显示的是密钥 -----END CERTIFICATE----- [Thu Oct 6 17:00:24 CST 2022] Your cert is in: /root/.acme.sh/rj.809022.xyz/rj.809022.xyz.cer [Thu Oct 6 17:00:24 CST 2022] Your cert key is in: /root/.acme.sh/rj.809022.xyz/rj.809022.xyz.key [Thu Oct 6 17:00:24 CST 2022] The intermediate CA cert is in: /root/.acme.sh/rj.809022.xyz/ca.cer [Thu Oct 6 17:00:24 CST 2022] And the full chain certs is there: /root/.acme.sh/rj.809022.xyz/fullchain.cer7、安装申请到的证书从上面返回的信息判断证书的保存目录在 /root/.acme.sh/rj.809022.xyz/一般不推荐证书放到 root 目录使用，所以新建个目录把证书 cer key 复制过去（或者在网站根目录下建立 cert 目录用于存放：mkdir -p /www/nginx/ssl cp /root/.acme.sh/rj.809022.xyz/rj.809022.xyz.cer /www/nginx/ssl/rj.809022.xyz.cer cp /root/.acme.sh/rj.809022.xyz/rj.809022.xyz.key /www/nginx/ssl/rj.809022.xyz.key听说安卓手机验证可能会有问题，所以运行一下下面的命令acme.sh --installcert -d rj.809022.xyz --keypath /www/nginx/ssl/rj.809022.xyz.key --fullchainpath /www/nginx/ssl/rj.809022.xyz.cer8、重新配置 Nginxserver { listen 443 ssl http2; server_name rj.809022.xyz; ssl on; ssl_certificate /www/nginx/ssl/rj.809022.xyz.cer; # 证书路径 ssl_certificate_key /www/nginx/ssl/rj.809022.xyz.key; # 证书路径 ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; root /www/wwwroot/rj.809022.xyz; index index.html index.htm; location / { try_files $uri $uri/ =404; } } # 强制 http 跳转 https server { listen 80; server_name rj.809022.xyz; return 301 https://$server_name$request_uri; }9、重启 Nginx我因为安装了宝塔，所以上面的一些建立目录、复制、包括现在重启服务，都是在宝塔下鼠标点击操作之后重启打开自己的网站就会发现上锁了10、附加一些命令手动更新证书acme.sh --renew -d 这里填写你的域名 --force证书列表acme.sh --list停止更新acme.sh --remove -d 要停止服务的域名