Preface
The major domestic cloud providers, such as Alibaba Cloud, Huawei Cloud and Tencent Cloud, all let you apply for free OV-level HTTPS certificates. There are, however, a few small drawbacks:
- the certificate is valid for one year and has to be applied for again manually when it expires
- the free quota is 20 certificates per year
- only single-domain certificates can be requested
If you have many domains, or many subdomains under one domain, the cloud providers' offering is not that convenient, and renewing many certificates becomes a chore.
This article shows how to use acme to obtain free, unlimited wildcard certificates automatically.
What is acme
🙂 Let's ask the all-knowing GPT:
As a supplement: it is an ACME-protocol client implemented purely in shell script; all the steps below are carried out on Ubuntu.
Link: acme.sh
acme workflow
Generally speaking, certificate vendors verify domain ownership in one of two ways:
- txt file verification
The CA provides a specific path and a token; you create a TXT file with a specific name under that path and put the token in it as the file content. The CA then tries to fetch that file over HTTP or HTTPS to verify that the token is there.
If the check succeeds, the CA confirms your control of the domain and goes on to issue the certificate.
- dns verification
The CA provides a random token, which you add to the domain's DNS records. The CA then queries DNS to verify that the token is present.
If the check succeeds, the CA confirms control of the domain and goes on to issue the certificate.
acme supports both methods; below we demonstrate obtaining a certificate with the dns method.
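As an added example (not part of the post or of acme.sh), here is the DNS-01 arithmetic the client and the CA agree on: how the TXT value written to _acme-challenge.<domain> is derived from the CA's token and the ACME account key (RFC 8555 section 8.4, RFC 7638), plus a check that tolerates the two records acme.sh publishes at the same name for the apex and the wildcard. The JWK coordinates and tokens are constructed placeholders, not real key material.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account key: SHA-256 over the required JWK members only,
    keys sorted lexically, no whitespace. Extra members such as 'alg' or 'use' are ignored."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """Content of the TXT record at _acme-challenge.<domain>:
    base64url(SHA-256(keyAuthorization)) with keyAuthorization = token '.' thumbprint."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_satisfied(txt_records, token: str, thumbprint: str) -> bool:
    """The CA accepts the challenge if ANY TXT record at the name equals the expected value.
    In the logs below acme.sh adds two records at _acme-challenge.bwbit.com (one for bwbit.com,
    one for *.bwbit.com), so a check that only looks at the first record would wrongly fail."""
    return dns01_txt_value(token, thumbprint) in txt_records


# Constructed sample inputs (not a real key, not real CA tokens).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256", "x": "A" * 43, "y": "B" * 43}
SAMPLE_TOKENS = {"bwbit.com": "tokenForApex0123456789", "*.bwbit.com": "tokenForWildcard987654"}


def demo():
    """Publish both values at the shared challenge name, then validate each identifier."""
    thumb = jwk_thumbprint(SAMPLE_JWK)
    records = [dns01_txt_value(t, thumb) for t in SAMPLE_TOKENS.values()]  # both live at one name
    return {ident: challenge_satisfied(records, tok, thumb) for ident, tok in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    print(demo())  # {'bwbit.com': True, '*.bwbit.com': True}
```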
Demo
Prerequisites
Since we chose the dns method to prove domain ownership, acme needs permission to add dns records for your domain at your DNS hosting provider.
We use cloudflare and Alibaba Cloud as the example DNS hosts.
tips: for security, keep the permissions of the API key you create at the cloud provider tightly scoped. Grant on the principle of least privilege: the key only needs permission to modify dns records.
cloudflare
- Log in to the cloudflare dashboard
- Create an API token
Then keep clicking Next and save the token you are given. It looks like:
JGwL_0WIiQ**********PIH5qkm3a4SpcilL
Alibaba Cloud
- Log in to the Alibaba Cloud console
Link: Alibaba Cloud
- Create an AccessKey for a sub-user
Save the AccessKey ID and AccessKey Secret. They look like LTAI********sExJAjto and nmAbWiLeRB*********IjwwPe2jWC.
- Grant the sub-user permissions
acme script configuration
One-click install
root@ali-gz-relay:~# curl https://get.acme.sh | sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1032 0 1032 0 0 426 0 --:--:-- 0:00:02 --:--:-- 426
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 216k 100 216k 0 0 40381 0 0:00:05 0:00:05 --:--:-- 53559
[Sat 12 Aug 2023 11:42:55 PM CST] Installing from online archive.
[Sat 12 Aug 2023 11:42:55 PM CST] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Sat 12 Aug 2023 11:42:58 PM CST] Extracting master.tar.gz
[Sat 12 Aug 2023 11:42:58 PM CST] It is recommended to install socat first.
[Sat 12 Aug 2023 11:42:58 PM CST] We use socat for standalone server if you use standalone mode.
[Sat 12 Aug 2023 11:42:58 PM CST] If you don't use standalone mode, just ignore this warning.
[Sat 12 Aug 2023 11:42:58 PM CST] Installing to /root/.acme.sh
[Sat 12 Aug 2023 11:42:58 PM CST] Installed to /root/.acme.sh/acme.sh
[Sat 12 Aug 2023 11:42:58 PM CST] Installing alias to '/root/.bashrc'
[Sat 12 Aug 2023 11:42:58 PM CST] OK, Close and reopen your terminal to start using acme.sh
[Sat 12 Aug 2023 11:42:58 PM CST] Installing cron job
[Sat 12 Aug 2023 11:42:58 PM CST] Good, bash is found, so change the shebang to use bash as preferred.
[Sat 12 Aug 2023 11:42:59 PM CST] OK
[Sat 12 Aug 2023 11:42:59 PM CST] Install success!
cloudflare example
# cd /root/.acme.sh/
# check the version
# ./acme.sh --version
https://github.com/acmesh-official/acme.sh
v3.0.7
# register your own email address with acme
# ./acme.sh --register-account -m testaccount@gmail.com
# edit the account config file and fill in the registered email and the API token obtained earlier
# vim ../acme.sh-bak/account.conf
SAVED_CF_Key='JGwL_0WIiQW2oWaqN_2qoFY5OIH5qkm3a4SpcilL'
SAVED_CF_Email='testaccount@gmail.com'
USER_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin'
# issue the wildcard certificate
# ./acme.sh --issue --dns dns_cf -d *.bwbit.com -d bwbit.com --force
[Sat 12 Aug 2023 11:54:41 PM CST] Using CA: https://acme.zerossl.com/v2/DV90
[Sat 12 Aug 2023 11:54:41 PM CST] Multi domain='DNS:*.bwbit.com,DNS:bwbit.com'
[Sat 12 Aug 2023 11:54:41 PM CST] Getting domain auth token for each domain
[Sat 12 Aug 2023 11:54:53 PM CST] Getting webroot for domain='*.bwbit.com'
[Sat 12 Aug 2023 11:54:53 PM CST] Getting webroot for domain='bwbit.com'
[Sat 12 Aug 2023 11:54:53 PM CST] Adding txt value: pnwUtJhuqA_Zd0Eifr2toQbbdoWaFCuVANex7DT9i3g for domain: _acme-challenge.bwbit.com
[Sat 12 Aug 2023 11:54:58 PM CST] Adding record
[Sat 12 Aug 2023 11:55:00 PM CST] Added, OK
[Sat 12 Aug 2023 11:55:00 PM CST] The txt record is added: Success.
[Sat 12 Aug 2023 11:55:00 PM CST] Adding txt value: iS0uXFsZ5an7N99sETMTmce2mCkVCOMI7fDQ9CReEWk for domain: _acme-challenge.bwbit.com
[Sat 12 Aug 2023 11:55:06 PM CST] Adding record
[Sat 12 Aug 2023 11:55:07 PM CST] Added, OK
[Sat 12 Aug 2023 11:55:07 PM CST] The txt record is added: Success.
[Sat 12 Aug 2023 11:55:07 PM CST] Let's check each DNS record now. Sleep 20 seconds first.
[Sat 12 Aug 2023 11:55:28 PM CST] You can use '--dnssleep' to disable public dns checks.
[Sat 12 Aug 2023 11:55:28 PM CST] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Sat 12 Aug 2023 11:55:28 PM CST] Checking bwbit.com for _acme-challenge.bwbit.com
[Sat 12 Aug 2023 11:55:30 PM CST] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sat 12 Aug 2023 11:55:40 PM CST] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28
[Sat 12 Aug 2023 11:55:41 PM CST] Domain bwbit.com '_acme-challenge.bwbit.com' success.
[Sat 12 Aug 2023 11:55:41 PM CST] Checking bwbit.com for _acme-challenge.bwbit.com
[Sat 12 Aug 2023 11:55:41 PM CST] Domain bwbit.com '_acme-challenge.bwbit.com' success.
[Sat 12 Aug 2023 11:55:41 PM CST] All success, let's return
[Sat 12 Aug 2023 11:55:41 PM CST] Verifying: *.bwbit.com
[Sat 12 Aug 2023 11:55:44 PM CST] Processing, The CA is processing your order, please just wait. (1/30)
[Sat 12 Aug 2023 11:55:52 PM CST] Success
[Sat 12 Aug 2023 11:55:52 PM CST] Verifying: bwbit.com
[Sat 12 Aug 2023 11:55:54 PM CST] Processing, The CA is processing your order, please just wait. (1/30)
[Sat 12 Aug 2023 11:55:59 PM CST] Success
[Sat 12 Aug 2023 11:55:59 PM CST] Removing DNS records.
[Sat 12 Aug 2023 11:55:59 PM CST] Removing txt: pnwUtJhuqA_Zd0Eifr2toQbbdoWaFCuVANex7DT9i3g for domain: _acme-challenge.bwbit.com
[Sat 12 Aug 2023 11:56:05 PM CST] Removed: Success
[Sat 12 Aug 2023 11:56:05 PM CST] Removing txt: iS0uXFsZ5an7N99sETMTmce2mCkVCOMI7fDQ9CReEWk for domain: _acme-challenge.bwbit.com
[Sat 12 Aug 2023 11:56:10 PM CST] Removed: Success
[Sat 12 Aug 2023 11:56:10 PM CST] Verify finished, start to sign.
[Sat 12 Aug 2023 11:56:10 PM CST] Lets finalize the order.
[Sat 12 Aug 2023 11:56:10 PM CST] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/U008F0zf9OyX2RCzyA_qpw/finalize'
[Sat 12 Aug 2023 11:56:13 PM CST] Order status is processing, lets sleep and retry.
[Sat 12 Aug 2023 11:56:13 PM CST] Retry after: 15
[Sat 12 Aug 2023 11:56:29 PM CST] Polling order status: https://acme.zerossl.com/v2/DV90/order/U008F0zf9OyX2RCzyA_qpw
[Sat 12 Aug 2023 11:56:31 PM CST] Downloading cert.
[Sat 12 Aug 2023 11:56:31 PM CST] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/clzFvKSiM6ULxtaxdx784A'
[Sat 12 Aug 2023 11:56:36 PM CST] Cert success.
[Sat 12 Aug 2023 11:56:36 PM CST] Your cert is in: /root/.acme.sh/*.bwbit.com_ecc/*.bwbit.com.cer
[Sat 12 Aug 2023 11:56:36 PM CST] Your cert key is in: /root/.acme.sh/*.bwbit.com_ecc/*.bwbit.com.key
[Sat 12 Aug 2023 11:56:36 PM CST] The intermediate CA cert is in: /root/.acme.sh/*.bwbit.com_ecc/ca.cer
[Sat 12 Aug 2023 11:56:36 PM CST] And the full chain certs is there: /root/.acme.sh/*.bwbit.com_ecc/fullchain.cer
# crontab -l
58 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
Alibaba Cloud example
# cd /root/.acme.sh/
# check the version
# ./acme.sh --version
https://github.com/acmesh-official/acme.sh
v3.0.7
# register your own email address with acme
# ./acme.sh --register-account -m testaccount@gmail.com
# edit the account config file and fill in the Alibaba Cloud sub-user's `AccessKey ID` and `AccessKey Secret`
# vim ../acme.sh-bak/account.conf
USER_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin'
SAVED_Ali_Key='LTAI5t*******ExJAjto'
SAVED_Ali_Secret='nmAbWiLeR*******CQ1IjwwPe2jWC'
# issue the wildcard certificate
# ./acme.sh --issue --dns dns_ali -d aaaa.zone -d *.aaaa.zone
[Sun 13 Aug 2023 12:02:58 AM CST] Using CA: https://acme.zerossl.com/v2/DV90
[Sun 13 Aug 2023 12:02:58 AM CST] Creating domain key
[Sun 13 Aug 2023 12:02:58 AM CST] The domain key is here: /root/.acme.sh/aaaa.zone_ecc/aaaa.zone.key
[Sun 13 Aug 2023 12:02:58 AM CST] Multi domain='DNS:aaaa.zone,DNS:*.aaaa.zone'
[Sun 13 Aug 2023 12:02:58 AM CST] Getting domain auth token for each domain
[Sun 13 Aug 2023 12:03:11 AM CST] Getting webroot for domain='aaaa.zone'
[Sun 13 Aug 2023 12:03:11 AM CST] Getting webroot for domain='*.aaaa.zone'
[Sun 13 Aug 2023 12:03:12 AM CST] Adding txt value: YI2uGn8WOKDtjjRrgXfIBgvlfFTx25i8vlHJ0LndFTE for domain: _acme-challenge.aaaa.zone
[Sun 13 Aug 2023 12:03:14 AM CST] The txt record is added: Success.
[Sun 13 Aug 2023 12:03:14 AM CST] Adding txt value: gV94Cb2D6ZloN3Ulj57UWaJag9Mb411sdv6akWjbOQk for domain: _acme-challenge.aaaa.zone
[Sun 13 Aug 2023 12:03:16 AM CST] The txt record is added: Success.
[Sun 13 Aug 2023 12:03:16 AM CST] Let's check each DNS record now. Sleep 20 seconds first.
[Sun 13 Aug 2023 12:03:37 AM CST] You can use '--dnssleep' to disable public dns checks.
[Sun 13 Aug 2023 12:03:37 AM CST] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Sun 13 Aug 2023 12:03:37 AM CST] Checking aaaa.zone for _acme-challenge.aaaa.zone
[Sun 13 Aug 2023 12:03:39 AM CST] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun 13 Aug 2023 12:03:49 AM CST] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28
[Sun 13 Aug 2023 12:03:50 AM CST] Domain aaaa.zone '_acme-challenge.aaaa.zone' success.
[Sun 13 Aug 2023 12:03:50 AM CST] Checking aaaa.zone for _acme-challenge.aaaa.zone
[Sun 13 Aug 2023 12:03:50 AM CST] Domain aaaa.zone '_acme-challenge.aaaa.zone' success.
[Sun 13 Aug 2023 12:03:50 AM CST] All success, let's return
[Sun 13 Aug 2023 12:03:50 AM CST] Verifying: aaaa.zone
[Sun 13 Aug 2023 12:03:51 AM CST] Processing, The CA is processing your order, please just wait. (1/30)
[Sun 13 Aug 2023 12:03:57 AM CST] Success
[Sun 13 Aug 2023 12:03:57 AM CST] Verifying: *.aaaa.zone
[Sun 13 Aug 2023 12:03:58 AM CST] Processing, The CA is processing your order, please just wait. (1/30)
[Sun 13 Aug 2023 12:04:03 AM CST] Success
[Sun 13 Aug 2023 12:04:03 AM CST] Removing DNS records.
[Sun 13 Aug 2023 12:04:03 AM CST] Removing txt: YI2uGn8WOKDtjjRrgXfIBgvlfFTx25i8vlHJ0LndFTE for domain: _acme-challenge.aaaa.zone
[Sun 13 Aug 2023 12:04:06 AM CST] Removed: Success
[Sun 13 Aug 2023 12:04:06 AM CST] Removing txt: gV94Cb2D6ZloN3Ulj57UWaJag9Mb411sdv6akWjbOQk for domain: _acme-challenge.aaaa.zone
[Sun 13 Aug 2023 12:04:09 AM CST] Removed: Success
[Sun 13 Aug 2023 12:04:09 AM CST] Verify finished, start to sign.
[Sun 13 Aug 2023 12:04:09 AM CST] Lets finalize the order.
[Sun 13 Aug 2023 12:04:09 AM CST] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/L8o0rRbNdCsG093pLV1Gtg/finalize'
[Sun 13 Aug 2023 12:04:13 AM CST] Order status is processing, lets sleep and retry.
[Sun 13 Aug 2023 12:04:13 AM CST] Retry after: 15
[Sun 13 Aug 2023 12:04:29 AM CST] Polling order status: https://acme.zerossl.com/v2/DV90/order/L8o0rRbNdCsG093pLV1Gtg
[Sun 13 Aug 2023 12:04:33 AM CST] Downloading cert.
[Sun 13 Aug 2023 12:04:33 AM CST] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/g8jZwKG0bW_Uie-aNPdoaQ'
[Sun 13 Aug 2023 12:04:35 AM CST] Cert success.
[Sun 13 Aug 2023 12:04:35 AM CST] Your cert is in: /root/.acme.sh/aaaa.zone_ecc/aaaa.zone.cer
[Sun 13 Aug 2023 12:04:35 AM CST] Your cert key is in: /root/.acme.sh/aaaa.zone_ecc/aaaa.zone.key
[Sun 13 Aug 2023 12:04:35 AM CST] The intermediate CA cert is in: /root/.acme.sh/aaaa.zone_ecc/ca.cer
[Sun 13 Aug 2023 12:04:35 AM CST] And the full chain certs is there: /root/.acme.sh/aaaa.zone_ecc/fullchain.cer
# crontab -l
58 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
nginx example
acme did the following:
- called the cloudflare api to add dns records
- called Let's Encrypt's API to perform validation and issue the certificate
- downloaded the certificate
- removed the dns records
- added a scheduled task (cron job) to renew the certificate periodically
As you can see, the certificate files have been placed under /root/.acme.sh/*.bwbit.com_ecc.
tips:
- The files to configure in nginx are fullchain.cer and *.bwbit.com.key; do not use *.bwbit.com.cer.
- By default the generated certificates live in the installation directory, ~/.acme.sh/. Do not use the files in this directory directly, e.g. do not point the nginx/apache configuration at them. Everything in there is for internal use and the directory layout may change. The correct way is the --install-cert command with a target location; the certificate files are then copied to that location, for example:
acme.sh --install-cert -d example.com \
--key-file /path/to/keyfile/in/nginx/key.pem \
--fullchain-file /path/to/fullchain/nginx/cert.pem
Configure https in nginx:
# edit the nginx config file
# vim /etc/nginx/conf.d/bwbit.com.conf
server {
    listen 80;
    server_name img.bwbit.com;
    # redirect to HTTPS
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name img.bwbit.com;
    ssl_certificate /root/.acme.sh/*.bwbit.com_ecc/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/*.bwbit.com_ecc/*.bwbit.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass https://frps;
    }
}
# reload nginx
nginx -s reload
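A small check for the two tips above, added here as example code (not from the post or from acme.sh): it scans an nginx config for ssl_certificate / ssl_certificate_key directives that still point into acme.sh's internal directory, or at a leaf .cer instead of fullchain.cer, so the mistake is caught before `nginx -s reload`. The sample server blocks and the /etc/nginx/ssl paths are constructed.

```python
import re
from pathlib import PurePosixPath

# Directives of interest; the value runs up to the terminating ';'.
_TLS_DIRECTIVE = re.compile(r"^\s*(ssl_certificate(?:_key)?)\s+([^;]+);", re.M)
# acme.sh's internal store, which the tips say must not be referenced directly.
_ACME_HOME_PREFIXES = ("/root/.acme.sh/", "~/.acme.sh/")


def lint_tls_paths(nginx_conf: str) -> list:
    """Return (directive, path, problem) tuples for every violation of the two tips.
    An empty list means the config only references installed copies and the full chain."""
    findings = []
    for directive, raw in _TLS_DIRECTIVE.findall(nginx_conf):
        path = raw.strip().strip("\"'")
        name = PurePosixPath(path).name
        if path.startswith(_ACME_HOME_PREFIXES):
            findings.append((directive, path, "references acme.sh's internal directory; use --install-cert and point nginx at the copy"))
        if directive == "ssl_certificate" and name.endswith(".cer") and name != "fullchain.cer":
            findings.append((directive, path, "leaf or CA cert without the chain; nginx needs fullchain.cer"))
        if directive == "ssl_certificate_key" and not name.endswith((".key", ".pem")):
            findings.append((directive, path, "does not look like a private key file"))
    return findings


# Constructed samples: a server block that makes both mistakes, and a corrected one
# whose files were copied out with --install-cert (paths are placeholders).
BEFORE = """
server {
    listen 443 ssl http2;
    ssl_certificate     /root/.acme.sh/*.bwbit.com_ecc/*.bwbit.com.cer;
    ssl_certificate_key /root/.acme.sh/*.bwbit.com_ecc/*.bwbit.com.key;
}
"""
AFTER = """
server {
    listen 443 ssl http2;
    ssl_certificate     /etc/nginx/ssl/bwbit.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/bwbit.com/key.pem;
}
"""

if __name__ == "__main__":
    for finding in lint_tls_paths(BEFORE):
        print("BEFORE:", *finding)
    print("AFTER findings:", lint_tls_paths(AFTER))  # []
```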
Summary
Free, unlimited, wildcard, auto-renewing.
Go use it!