光子社区
2022-06-07
Applying for a free DV certificate and configuring SSL
Register an account and obtain a Let's Encrypt certificate

1. Create a directory for the SSL DV certificate files

```sh
# the directory name is your choice; renew_cert.sh further down uses this path
dir=/home/application/ssl_www
mkdir -p ${dir} && cd ${dir}
# private keys will live here, so keep it outside the web root and readable only by root
chmod 700 ${dir}
```

2. Create the Let's Encrypt account key

```sh
openssl genrsa 4096 > account.key
chmod 600 account.key
```

3. Create the CSR for the domain

```sh
# private key for the certificate itself
openssl genrsa 4096 > domain.key
chmod 600 domain.key

# a single domain
openssl req -new -sha256 -key domain.key -subj "/CN=www.photonshalo.com" > domain.csr

# several domains (for example www.photonshalo.com and www.photonshalo.net): list them all in the SAN extension.
# the <( ... ) process substitution needs bash, not sh
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN \
  -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:www.photonshalo.com,DNS:www.photonshalo.net")) > domain.csr
```

4. Configure domain validation in nginx

Let's Encrypt proves control of the name with the HTTP-01 challenge: it fetches http://www.photonshalo.com/.well-known/acme-challenge/<token>. acme-tiny writes the token files into the directory passed as --acme-dir, and nginx has to serve exactly that directory. Use a dedicated challenges/ subdirectory for it: the alias serves every file in the directory, so pointing it at the directory that holds account.key and domain.key would expose the private keys over HTTP.

```nginx
server {
    listen 80;
    server_name www.photonshalo.com;

    location ^~ /.well-known/acme-challenge/ {
        alias /home/application/ssl_www/challenges/;   # the same directory given to acme-tiny as --acme-dir
        try_files $uri =404;
    }
    ...the rest of your config
}
```

5. Obtain the certificate

a. Download the acme-tiny script

```sh
wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
```

b. Run it with the account key, the CSR and the challenge directory

```sh
mkdir -p ${dir}/challenges
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir ./challenges/ > ./signed.crt
```

6. Install the certificate

a. Check the chain. The tutorial this post followed appended a separately downloaded "intermediate" to the certificate, but the current acme-tiny (ACME v2) already writes the complete chain, the leaf followed by the issuing intermediate(s), into signed.crt. The file that used to be fetched for this, isrg-root-x1-cross-signed.pem, is in fact the ISRG Root X1 root certificate cross-signed by DST Root CA X3, not an issuing intermediate, so appending it would not have completed a broken chain anyway. List what is in the file, then install it under the name nginx will use:

```sh
# prints subject and issuer for every certificate in the bundle; expect the leaf first, then the Let's Encrypt intermediate
openssl crl2pkcs7 -nocrl -certfile signed.crt | openssl pkcs7 -print_certs -noout
cp signed.crt chained.pem
```

b. Point nginx at the certificate and reload

```nginx
server {
    listen 443 ssl;
    server_name www.photonshalo.com;

    ssl_certificate     /home/application/ssl_www/chained.pem;
    ssl_certificate_key /home/application/ssl_www/domain.key;   # mode 600, owned by root

    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996). TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+;
    # drop it on older builds
    ssl_protocols TLSv1.2 TLSv1.3;
    # forward-secret AEAD suites only; the CBC suites from the old list are dropped
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ...the rest of your config
}
```

```sh
nginx -t && nginx -s reload
```

7. Renew the certificate regularly (Let's Encrypt certificates are valid for 90 days, so a script has to renew them)

a. Create renew_cert.sh

The original script nested five levels of if/else and repeated the issuing block in two branches. This version performs the same existence checks up front, uses the dedicated challenge directory from step 4 instead of serving the key directory, refuses to install an empty or unparsable result, replaces the live file atomically, and only reloads nginx if its configuration still passes nginx -t.

```sh
#!/bin/sh
# renew_cert.sh: re-issue the certificate with acme-tiny and reload nginx only on success
set -eu

path="/home/application/ssl_www"        # the directory created in step 1
challenges="${path}/challenges"         # the directory nginx serves under /.well-known/acme-challenge/
dt=$(date +%Y_%m_%d)
out="${path}/tmp/signed_${dt}.crt"

# bail out early if anything required is missing
[ -d "${path}" ] || { echo "directory ${path} does not exist" >&2; exit 1; }
for f in "${path}/acme_tiny.py" "${path}/account.key" "${path}/domain.csr"; do
    [ -f "$f" ] || { echo "required file $f does not exist" >&2; exit 1; }
done
mkdir -p "${path}/tmp" "${challenges}"

# acme-tiny (ACME v2) writes the full chain: the leaf certificate followed by the intermediate(s)
python "${path}/acme_tiny.py" --account-key "${path}/account.key" \
    --csr "${path}/domain.csr" --acme-dir "${challenges}" > "${out}"

# never install an empty or unparsable result
[ -s "${out}" ] || { echo "failed to fetch ${out}" >&2; exit 1; }
openssl x509 -in "${out}" -noout

# replace the live file atomically, then reload nginx only if its configuration still passes the test
cp "${out}" "${path}/chained.pem.new"
mv "${path}/chained.pem.new" "${path}/chained.pem"
nginx -t && nginx -s reload
```

b. Set up the crontab entry

```sh
chmod +x /home/application/ssl_www/renew_cert.sh
crontab -l     # list the current user's jobs
crontab -e     # edit them
# run at 00:00 on the 1st of every month; acme-tiny logs to stderr, which is what the redirect captures
0 0 1 * * /home/application/ssl_www/renew_cert.sh 2>> /home/application/ssl_www/acme_tiny.log
```

The job has to run as a user that may reload nginx (normally root), and cron's default PATH is minimal, so either set PATH at the top of the crontab or use absolute paths for python, openssl and nginx inside the script.

References:
- Let's Encrypt tutorial: https://foofish.net/https-free-for-lets-encrypt.html
- Linux cron jobs: https://www.cnblogs.com/intval/p/5763929.html
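Before handing a freshly issued chained.pem and domain.key to nginx (step 6) or letting the cron job reload it unattended (step 7), three things are worth checking that the procedure above never verifies: that the leaf certificate actually belongs to domain.key, that the bundle is ordered leaf then issuer the way nginx expects, and how much lifetime is left (which also tells you whether the monthly job has really been renewing). The functions below are an added example, not code from the original post or from acme-tiny; they only use the openssl command line. All file paths are assumptions passed as arguments.

```sh
#!/bin/sh
# Added example (not from the original post or from acme-tiny): sanity checks to run on
# chained.pem and domain.key before `nginx -s reload`. Paths are arguments; the ones in the
# usage comment at the bottom are assumptions matching the post's directory layout.

# Split a PEM bundle $1 into $2/cert-1.pem, $2/cert-2.pem, ... and print how many there were.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END { print n + 0 }
    ' "$1"
}

# True if the first certificate in $1 carries the public key belonging to private key $2.
# Comparing SHA-256 digests of the DER-encoded public keys works for RSA and EC keys alike.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if every certificate in bundle $1 is issued by the certificate that follows it,
# i.e. the file is ordered leaf -> intermediate(s) as nginx's ssl_certificate expects.
chain_is_linked() {
    dir=$(mktemp -d)
    n=$(split_chain "$1" "$dir")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$dir/cert-$((i + 1)).pem" -noout -subject)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            rm -rf "$dir"
            return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    [ "$n" -ge 1 ]
}

# True if the leaf certificate in $1 expires within $2 days. `openssl x509 -checkend N` exits 0
# when the certificate is still valid N seconds from now, so the sense is inverted here.
renew_due() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Run all checks on chain $1 and key $2; exit status 0 means the pair is safe to hand to nginx.
precheck() {
    chain="$1"; key="$2"
    key_matches_cert "$chain" "$key" || { echo "public key in $chain does not match $key" >&2; return 1; }
    chain_is_linked "$chain"        || { echo "$chain is not an ordered leaf->issuer chain" >&2; return 1; }
    if renew_due "$chain" 30; then
        echo "warning: $chain expires within 30 days" >&2
    fi
    return 0
}

# Usage (paths are assumptions taken from the post's layout):
#   . ./check_chain.sh && precheck /home/application/ssl_www/chained.pem /home/application/ssl_www/domain.key \
#       && nginx -t && nginx -s reload
```

Dropping `precheck` into renew_cert.sh between the acme-tiny call and the `mv` turns a silently broken renewal (wrong key, truncated download, chain in the wrong order) into a non-zero exit in the cron log instead of an nginx that refuses to start at the next restart.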