
Testing certificate issuance with acme.sh's nginx mode

Reference: https://github.com/Neilpang/acme.sh/wiki/說明

Prerequisites:

One ICP-registered domain: uscwifi.com.cn

One server with a public IP address


Advantages:

1. Simple and convenient: a single command does it all.

2. It renews automatically, apparently every 60 days.

Disadvantages:

1. It has to run on the server itself; a virtual machine won't do.

2. The server you run it on must be your own web server.

3. The certificate it issues is not a wildcard certificate.

Suitable for:

Small blog sites where one server runs one or two sites and a wildcard certificate is basically unnecessary. If a company has a large number of second-level domains under one main domain for testing or production use, and any of them may be tested on some test machine at any time, use a wildcard certificate instead.

For example: the company wants to set up GitLab as a code repository. GitLab will keep running on that server, so issuing the certificate in nginx mode (or by specifying the webroot directory) is enough, and it renews automatically; no wildcard certificate is needed here.

For example: a developer needs the certificate files for some domain. In that case a wildcard certificate should be used, preferably a purchased one, because the development department may need to apply the certificate to all kinds of online test environments, and a free wildcard certificate has to be renewed every 3 months (developers won't keep asking ops to swap certificates).


First set up a simple web service:

nginx configuration file:

root@<host>:~# cat /etc/nginx/conf.d/uscwifi.com.cn.conf
server {
    listen 80;
    server_name test.uscwifi.com.cn;
    root /var/www/uscwifi.com.cn;
    index index.html;
}

Site directory:

root@<host>:~# ls /var/www/uscwifi.com.cn/
index.html
root@<host>:~# cat /var/www/uscwifi.com.cn/index.html

DNS record (IP masked):

Reload:

root@<host>:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@<host>:~# nginx -s reload

Result:


Issuing the certificate with acme.sh's nginx mode

Installation reference: https://github.com/Neilpang/acme.sh

Wrong usage: the domain specified is not the one in the configuration file:

root@<host>:~# acme.sh --issue --nginx -d uscwifi.com.cn
[Sat Dec 22 18:10:08 CST 2018] Creating domain key
[Sat Dec 22 18:10:08 CST 2018] The domain key is here: /root/.acme.sh/uscwifi.com.cn/uscwifi.com.cn.key
[Sat Dec 22 18:10:08 CST 2018] Single domain='uscwifi.com.cn'
[Sat Dec 22 18:10:08 CST 2018] Getting domain auth token for each domain
[Sat Dec 22 18:10:08 CST 2018] Getting webroot for domain='uscwifi.com.cn'
[Sat Dec 22 18:10:08 CST 2018] Getting new-authz for domain='uscwifi.com.cn'
[Sat Dec 22 18:10:12 CST 2018] The new-authz request is ok.
[Sat Dec 22 18:10:12 CST 2018] Verifying:uscwifi.com.cn
[Sat Dec 22 18:10:12 CST 2018] Nginx mode for domain:uscwifi.com.cn
[Sat Dec 22 18:10:12 CST 2018] Can not find conf file for domain uscwifi.com.cn
[Sat Dec 22 18:10:13 CST 2018] Please check log file for more details: /root/.acme.sh/acme.sh.log

Correct usage: the domain specified matches the one in the configuration file:

root@<host>:~# acme.sh --issue --nginx -d test.uscwifi.com.cn
[Sat Dec 22 18:10:52 CST 2018] Creating domain key
[Sat Dec 22 18:10:52 CST 2018] The domain key is here: /root/.acme.sh/test.uscwifi.com.cn/test.uscwifi.com.cn.key
[Sat Dec 22 18:10:52 CST 2018] Single domain='test.uscwifi.com.cn'
[Sat Dec 22 18:10:52 CST 2018] Getting domain auth token for each domain
[Sat Dec 22 18:10:52 CST 2018] Getting webroot for domain='test.uscwifi.com.cn'
[Sat Dec 22 18:10:52 CST 2018] Getting new-authz for domain='test.uscwifi.com.cn'
[Sat Dec 22 18:10:55 CST 2018] The new-authz request is ok.
[Sat Dec 22 18:10:55 CST 2018] Verifying:test.uscwifi.com.cn
[Sat Dec 22 18:10:55 CST 2018] Nginx mode for domain:test.uscwifi.com.cn
[Sat Dec 22 18:10:56 CST 2018] Found conf file: /etc/nginx/conf.d/uscwifi.com.cn.conf
[Sat Dec 22 18:10:56 CST 2018] Backup /etc/nginx/conf.d/uscwifi.com.cn.conf to /root/.acme.sh/test.uscwifi.com.cn/backup/test.uscwifi.com.cn.nginx.conf
[Sat Dec 22 18:10:56 CST 2018] Check the nginx conf before setting up.
[Sat Dec 22 18:10:56 CST 2018] OK, Set up nginx config file
[Sat Dec 22 18:10:56 CST 2018] nginx conf is done, let's check it again.
[Sat Dec 22 18:10:56 CST 2018] Reload nginx
[Sat Dec 22 18:11:02 CST 2018] Pending
[Sat Dec 22 18:11:05 CST 2018] Success
[Sat Dec 22 18:11:05 CST 2018] Restoring from /root/.acme.sh/test.uscwifi.com.cn/backup/test.uscwifi.com.cn.nginx.conf to /etc/nginx/conf.d/uscwifi.com.cn.conf
[Sat Dec 22 18:11:05 CST 2018] Reload nginx
[Sat Dec 22 18:11:05 CST 2018] Verify finished, start to sign.
[Sat Dec 22 18:11:08 CST 2018] Cert success.
-----BEGIN CERTIFICATE-----
......certificate body omitted......
-----END CERTIFICATE-----
[Sat Dec 22 18:11:08 CST 2018] Your cert is in  /root/.acme.sh/test.uscwifi.com.cn/test.uscwifi.com.cn.cer 
[Sat Dec 22 18:11:08 CST 2018] Your cert key is in  /root/.acme.sh/test.uscwifi.com.cn/test.uscwifi.com.cn.key 
[Sat Dec 22 18:11:09 CST 2018] The intermediate CA cert is in  /root/.acme.sh/test.uscwifi.com.cn/ca.cer 
[Sat Dec 22 18:11:09 CST 2018] And the full chain certs is there:  /root/.acme.sh/test.uscwifi.com.cn/fullchain.cer 

Once it is configured you can use it:

Copy the certificate before using it (the official docs recommend using a copy):

root@<host>:~# mkdir /etc/nginx/ssl
root@<host>:~# cp .acme.sh/test.uscwifi.com.cn/fullchain.cer /etc/nginx/ssl/test.uscwifi.com.cn.cer
root@<host>:~# cp .acme.sh/test.uscwifi.com.cn/test.uscwifi.com.cn.key /etc/nginx/ssl/
root@<host>:~# ls /etc/nginx/ssl
test.uscwifi.com.cn.cer  test.uscwifi.com.cn.key

nginx configuration:

root@<host>:~# cat /etc/nginx/conf.d/uscwifi.com.cn.conf
server {
    listen 80;
    server_name test.uscwifi.com.cn;
    if ($host ~ test.uscwifi.com.cn) {
        rewrite ^/(.*)$ https://test.uscwifi.com.cn$request_uri? permanent;
    }
}
server {
    listen 443;
    server_name test.uscwifi.com.cn;
    root /var/www/uscwifi.com.cn;
    index index.html index.htm index.php;
    ssl on;
    ssl_certificate /etc/nginx/ssl/test.uscwifi.com.cn.cer;
    ssl_certificate_key /etc/nginx/ssl/test.uscwifi.com.cn.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

    location ~ \.(gif|jpg|jpeg|png|css|js|ico)$ {
    }

    location ~ /.git {
        deny all;
    }
}

root@<host>:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@<host>:~# nginx -s reload
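As an added example (not part of the original post, and not acme.sh's own code): a POSIX shell script that deploys the certificate with acme.sh's --install-cert so that automatic renewals actually reach nginx (a hand-copied file like the one above is never refreshed), checks whether a hand-copied certificate has gone stale, and renders a TLS server block that drops SSLv3/TLS 1.0/1.1, the deprecated `ssl on`, and the if/rewrite used in the config above. It assumes acme.sh and nginx are installed and reuses the domain and paths from the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: install the certificate acme.sh
# issued for test.uscwifi.com.cn so that renewals reach nginx, detect a stale
# hand-copied certificate, and render a hardened TLS server block.
# Assumes acme.sh and nginx are installed; domain and paths follow the post.
set -eu

DOMAIN="${DOMAIN:-test.uscwifi.com.cn}"
SSL_DIR="${SSL_DIR:-/etc/nginx/ssl}"

# acme.sh renews into ~/.acme.sh on its own, but a manual cp (as in the post)
# is never refreshed. --install-cert records the target files and the reload
# command, so every renewal re-copies the files and reloads nginx.
install_cert() {
    mkdir -p "$SSL_DIR"
    acme.sh --install-cert -d "$DOMAIN" \
        --key-file       "$SSL_DIR/$DOMAIN.key" \
        --fullchain-file "$SSL_DIR/$DOMAIN.cer" \
        --reloadcmd      "nginx -s reload"
}

# 0 when the deployed copy is byte-identical to what acme.sh holds, 1 if it
# is missing or stale (a quick check before trusting a manual copy).
deployed_cert_is_current() {
    [ -f "$2" ] && cmp -s "$1" "$2"
}

# Hardened server block: 'listen 443 ssl' replaces the deprecated 'ssl on',
# SSLv3/TLS 1.0/1.1 are dropped (TLSv1.3 needs nginx 1.13+ with OpenSSL
# 1.1.1), and the if/rewrite becomes a plain 301 redirect.
render_tls_conf() {
    domain="$1"; ssl_dir="$2"; webroot="$3"
    cat <<EOF
server {
    listen 80;
    server_name $domain;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    server_name $domain;
    root $webroot;
    index index.html;
    ssl_certificate     $ssl_dir/$domain.cer;
    ssl_certificate_key $ssl_dir/$domain.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location ~ /\.git { deny all; }
}
EOF
}
```

Run `install_cert` once after `acme.sh --issue`; then `render_tls_conf test.uscwifi.com.cn /etc/nginx/ssl /var/www/uscwifi.com.cn > /etc/nginx/conf.d/uscwifi.com.cn.conf` followed by `nginx -t && nginx -s reload`.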

Access test: