Driven by Google, HTTPS support has become practically mandatory for websites. Free HTTPS certificates are mostly valid for only one year, each subdomain has to be applied for separately, and an expired HTTPS certificate is essentially a production incident. To solve these problems once and for all, this article provides a general tutorial for renewing HTTPS certificates indefinitely.
Install nginx

```shell
# Add the nginx package repository
sudo rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
# Install nginx
sudo yum install -y nginx
# Start nginx on boot
sudo systemctl enable nginx
# Start nginx
sudo systemctl start nginx
# Restart nginx
sudo systemctl restart nginx
# Reload the nginx configuration without a restart
sudo systemctl reload nginx
```
Taking the domain hk.v2fy.com as an example, create the configuration file /etc/nginx/conf.d/hk.v2fy.com.conf

```shell
touch /etc/nginx/conf.d/hk.v2fy.com.conf
```
Add the HTTP server block to /etc/nginx/conf.d/hk.v2fy.com.conf

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name hk.v2fy.com;
    root /usr/share/nginx/html/hk.v2fy.com;
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
```
新建hk.v2fy.com對(duì)應(yīng)的網(wǎng)站文件夾
mkdir -p /usr/share/nginx/html/hk.v2fy.com
新建文件
touch /usr/share/nginx/html/hk.v2fy.com/index.html
Put the following in /usr/share/nginx/html/hk.v2fy.com/index.html

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>V2方圓HK</title>
</head>
<body>
    Test
</body>
</html>
```
Restart nginx

```shell
sudo systemctl restart nginx
```
訪(fǎng)問(wèn)測(cè)試
http://hk.v2fy.com/
下面開(kāi)始添加https
安裝 acme.sh
curl https://get.acme.sh | sh -s email=zhaoolee@gmail.com
source ~/.bashrc
Obtain the HTTPS certificate

```shell
acme.sh --issue -d hk.v2fy.com --nginx
```

In this step acme.sh reads the nginx configuration and issues the certificate automatically.
將證書(shū)拷貝到/etc/nginx/ssl文件夾
創(chuàng)建文件夾
mkdir -p /etc/nginx/ssl/hk.v2fy.com
拷貝證書(shū)
acme.sh --install-cert -d hk.v2fy.com \
--key-file /etc/nginx/ssl/hk.v2fy.com/hk.v2fy.com.key \
--fullchain-file /etc/nginx/ssl/hk.v2fy.com/fullchain.cer \
--reloadcmd "service nginx force-reload"
請(qǐng)一定使用以上語(yǔ)法acme.sh --install-cer
進(jìn)行拷貝示绊, 這樣證書(shū)才能保證在新的位置也能自動(dòng)更新。
將 /etc/nginx/ssl/hk.v2fy.com/ 中的證書(shū)手動(dòng)配置到 nginx, 并重啟nginx生效
將/etc/nginx/conf.d/hk.v2fy.com.conf
中的內(nèi)容替換為
server {
listen 80;
listen [::]:80;
server_name hk.v2fy.com;
root /usr/share/nginx/html/hk.v2fy.com;
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name hk.v2fy.com;
root /usr/share/nginx/html/hk.v2fy.com;
ssl_certificate "/etc/nginx/ssl/hk.v2fy.com/fullchain.cer";
ssl_certificate_key "/etc/nginx/ssl/hk.v2fy.com/hk.v2fy.com.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
打開(kāi) https://hk.v2fy.com
證書(shū)已生效
由于我們?nèi)淌褂?acme.sh 進(jìn)行安裝暂论,acme.sh會(huì)自動(dòng)為你創(chuàng)建一個(gè)定時(shí)任務(wù), 每天 0:00 點(diǎn)自動(dòng)檢測(cè)所有的證書(shū), 如果快過(guò)期了, 需要更新, 則會(huì)自動(dòng)更新證書(shū).
運(yùn)行ps aux | grep acme可以看到scme一直在后臺(tái)運(yùn)行
ps aux | grep acme
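As an added example (not part of the original article or of acme.sh), a small POSIX shell check that complements the daily renewal job and the --install-cert step above: it walks the per-domain directories under /etc/nginx/ssl created in this article, reports any fullchain.cer that is missing or expires within WARN_DAYS, and can compare the certificate nginx actually serves on port 443 with the file acme.sh installed, which catches a renewal that succeeded on disk but whose --reloadcmd never took effect. The directory layout and file names follow the article; WARN_DAYS and the function names are assumptions.

```shell
#!/bin/sh
# check_certs.sh: expiry and reload check for certificates installed by acme.sh.
# Assumed defaults (not from the article): warn 14 days ahead; directory layout
# /etc/nginx/ssl/<domain>/fullchain.cer is the one the article creates.
SSL_DIR="${SSL_DIR:-/etc/nginx/ssl}"
WARN_DAYS="${WARN_DAYS:-14}"

# cert_ok <pem-file> <days>: returns 0 if the certificate stays valid for at least <days>
# more days (openssl -checkend takes seconds), 1 if it expires inside that window.
cert_ok() {
    openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null 2>&1
}

# served_matches_file <domain> <pem-file>: returns 0 when the leaf certificate nginx
# serves on <domain>:443 has the same SHA-256 fingerprint as the installed file.
# A mismatch means a renewal landed on disk but nginx is still serving the old one.
served_matches_file() {
    live=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    file_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$2" 2>/dev/null)
    [ -n "$live" ] && [ "$live" = "$file_fp" ]
}

# check_all: one line per domain directory; returns non-zero if anything needs attention,
# so it can be wired into cron or a monitoring probe.
check_all() {
    status=0
    for dir in "$SSL_DIR"/*/; do
        domain=$(basename "$dir")
        cert="$dir/fullchain.cer"
        if [ ! -f "$cert" ]; then
            echo "MISSING  $domain: no fullchain.cer in $dir"
            status=1
            continue
        fi
        expiry=$(openssl x509 -enddate -noout -in "$cert")
        if cert_ok "$cert" "$WARN_DAYS"; then
            echo "OK       $domain: $expiry"
        else
            echo "EXPIRING $domain: $expiry (within $WARN_DAYS days)"
            status=1
        fi
    done
    return $status
}

# Run the check only when executed directly, not when sourced.
case "$0" in *check_certs.sh) check_all ;; esac
```

Add `served_matches_file hk.v2fy.com /etc/nginx/ssl/hk.v2fy.com/fullchain.cer` to the loop on a host with network access to compare the live certificate with the installed file.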
如何實(shí)現(xiàn)多個(gè)證書(shū)同步更新
如果你需要多個(gè)證書(shū)面褐,比如給 api.v2fy.com 配置證書(shū), 重復(fù)本文步驟即可~
acme.sh --issue -d api.v2fy.com --nginx
創(chuàng)建文件夾
mkdir -p /etc/nginx/ssl/api.v2fy.com
拷貝證書(shū)
acme.sh --install-cert -d api.v2fy.com \
--key-file /etc/nginx/ssl/api.v2fy.com/api.v2fy.com.key \
--fullchain-file /etc/nginx/ssl/api.v2fy.com/fullchain.cer \
--reloadcmd "service nginx force-reload"
設(shè)置 /etc/nginx/conf.d/api.v2fy.com.conf
server {
listen 80;
listen [::]:80;
server_name api.v2fy.com;
root /usr/share/nginx/html/api.v2fy.com;
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name api.v2fy.com;
root /usr/share/nginx/html/api.v2fy.com;
ssl_certificate "/etc/nginx/ssl/api.v2fy.com/fullchain.cer";
ssl_certificate_key "/etc/nginx/ssl/api.v2fy.com/api.v2fy.com.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
打開(kāi) https://api.v2fy.com 查看效果
Summary

Free HTTPS certificates are valid for at most one year, and each subdomain has to be applied for separately, which wastes a lot of time. With the method in this article you configure everything once and the certificates renew automatically from then on.