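Configuring HTTPS certificates for nginx

Please credit the source when reposting: https://shiwenyuan.github.io/cjzuok7km000mrrs6ji3qrwex.html

HTTPS for websites

Moving websites to HTTPS is already the prevailing trend, and personal blogs can get on board with HTTPS too!

Let's Encrypt

Let's Encrypt is a free, automated, and open certificate issuance service. It is operated by ISRG (Internet Security Research Group), a public-benefit organization based in California, USA. Let's Encrypt is backed by many companies and organizations, including Mozilla, Cisco, Akamai, the Electronic Frontier Foundation, and Chrome, and it is growing very quickly.
Applying for a Let's Encrypt certificate is not only free but also very simple. Each certificate is valid for only 90 days, but it can be renewed periodically by a script, so once it is set up it needs no further attention. After watching from the sidelines for a while, I have now officially switched to Let's Encrypt certificates; this article records how this site applied for them and the problems encountered.
I did not use the tool offered on the Let's Encrypt website to request the certificate; instead I used [acme.sh](https://github.com/Neilpang/acme.sh "acme.sh"), a more compact open-source tool. What follows largely tracks the acme.sh documentation, leaving out the steps I did not need.

Configuring the validation service

Traditional CAs usually validate by sending a verification email to admin@youremail.com. Let's Encrypt instead generates a random validation file on your server and then fetches it through the domain name specified when the CSR was created; if the file can be reached, that shows you control the domain.

Prerequisites

1. nginx is built with the HTTPS (SSL) module

Verifying domain control through web access

Step 1 (create the directory or an nginx access rule)

CA validation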

location ^~ /.well-known/acme-challenge/ {
    # Note: replace $challenges_dir here with your own real directory, e.g. /home/work/www/challenges/
    alias $challenges_dir;
    try_files $uri =404;
}

or

Add .well-known/acme-challenge under the project's root directory.
Let's Encrypt uses it to verify control of the site.

Step 2: issue the certificate

./acme.sh --issue -d diancan.xiaochengxu.phpblog.com.cn --webroot /home/www/xiaochengxu/diancan

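Step 3: copy the certificate to the target location

# -d must name the domain issued in step 2; the two paths are the ones that
# ssl_certificate_key and ssl_certificate point to in the nginx configuration of step 4.
acme.sh --installcert -d diancan.xiaochengxu.phpblog.com.cn \
               --keypath       /usr/local/nginx/ssl/diancan.xiaochengxu.phpblog.com.cn/diancan.xiaochengxu.phpblog.com.cn.key \
               --fullchainpath /usr/local/nginx/ssl/diancan.xiaochengxu.phpblog.com.cn/diancan.xiaochengxu.phpblog.com.cn.cer \
               --reloadcmd     "/usr/local/nginx/sbin/nginx -s reload"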

Step 4: configure nginx

server {
        listen       80;
        server_name  diancan.xiaochengxu.phpblog.com.cn;
        location / {
            # Permanent redirect to HTTPS, preserving the requested path and query string
            return 301 https://diancan.xiaochengxu.phpblog.com.cn$request_uri;
        }
}
server {
    listen    443 ssl;
    server_name diancan.xiaochengxu.phpblog.com.cn;
    include  /usr/local/nginx/ssl/ssl_params;
    ssl_certificate    /usr/local/nginx/ssl/diancan.xiaochengxu.phpblog.com.cn/diancan.xiaochengxu.phpblog.com.cn.cer;
    ssl_certificate_key    /usr/local/nginx/ssl/diancan.xiaochengxu.phpblog.com.cn/diancan.xiaochengxu.phpblog.com.cn.key;
    root /home/www/xiaochengxu/diancan; # change this to the directory holding your site's files (here, the --webroot directory from step 2)
    include /usr/local/nginx/ssl/ssl_headers;
    
   location / {
         try_files $uri $uri/ /index.php?$query_string;
         index  index.php index.html index.htm;
    }
    location ~ \.php$ {
        include /usr/local/nginx/conf/fastcgi.conf;
        fastcgi_intercept_errors on;
        fastcgi_pass  127.0.0.1:9000;
    } 
}
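# Contents of /usr/local/nginx/ssl/ssl_headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
# Contents of /usr/local/nginx/ssl/ssl_params
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+ built with OpenSSL 1.1.1+
ssl_protocols TLSv1.2 TLSv1.3;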
ssl_dhparam /usr/local/nginx/ssl/dhparam.pem; # See https://weakdh.org/sysadmin.html for more details
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers   on;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";

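I had generated the dhparam.pem file beforehand, using this command:
openssl dhparam -out /usr/local/nginx/ssl/dhparam.pem 2048

Step 5: restart nginx and check

The site as seen in a browser once HTTPS is configured successfully

Automatic certificate renewal

The issued certificate is valid for only 90 days.

Add an entry to crontab:
0 0 * * *  /home/work/opbin/ssl/acme.sh-master/acme.sh --cron --home /home/work/.acme.sh
This checks the certificate every day at midnight; the certificate is renewed at 60 days. Because acme.sh remembers the earlier installcert invocation, it reloads nginx automatically after renewing the certificate. If no reloadcmd was given when installcert was run, you have to restart nginx by hand after each renewal (which defeats the point of automatic renewal).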
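
Because renewal and the reload run unattended from cron, a separate check on the files nginx actually loads catches a renewal that has silently stopped working. The following is an added example, not code from the original post or from acme.sh; `cert_health` and `make_test_cert` are hypothetical helper names, and it assumes the `openssl` command-line tool is installed.

```sh
#!/bin/sh
# Added example: cert_health and make_test_cert are hypothetical helpers.

# cert_health <cert-or-fullchain> <private-key> [min_days]
# Exit status: 0 healthy, 1 expires within min_days,
#              2 key does not belong to the certificate, 3 file unreadable or unparsable.
cert_health() {
  cert=$1 key=$2 min_days=${3:-30}
  [ -r "$cert" ] && [ -r "$key" ] || return 3
  # Public key inside the first (leaf) certificate vs. the one derived from the key file.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
  [ "$cert_pub" = "$key_pub" ] || return 2
  # -checkend N exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null || return 1
  return 0
}

# Constructed input: a throwaway self-signed pair in directory $1, valid for $2 days.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.test" \
    -keyout "$1/test.key" -out "$1/test.cer" >/dev/null 2>&1
}
```

Run `cert_health` from cron with the two paths given to `--installcert` and alert on a non-zero exit status.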

Verifying domain control through DNS

Manual configuration

Step 1

[work@iZ25ndyf9bxZ acme.sh-master]$ !1019
./acme.sh --issue --dns -d *.test.com -d test.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Sep 11 21:24:56 CST 2018] Creating domain key
[Tue Sep 11 21:24:56 CST 2018] The domain key is here: /home/work/.acme.sh/*.test.com/*.test.com.key
[Tue Sep 11 21:24:56 CST 2018] Multi domain='DNS:*.test.com,test.com'
[Tue Sep 11 21:24:56 CST 2018] Getting domain auth token for each domain
[Tue Sep 11 21:24:59 CST 2018] Getting webroot for domain='*.test.com'
[Tue Sep 11 21:25:00 CST 2018] Getting webroot for domain='test.com'
[Tue Sep 11 21:25:00 CST 2018] Add the following TXT record:
[Tue Sep 11 21:25:00 CST 2018] Domain: '_acme-challenge.test.com'
[Tue Sep 11 21:25:00 CST 2018] TXT value: 'Oe0iBXj3QvUErZOpROldRLx5jpyXbazsX36lkI46C_Y'
[Tue Sep 11 21:25:00 CST 2018] Please be aware that you prepend _acme-challenge. before your domain
[Tue Sep 11 21:25:00 CST 2018] so the resulting subdomain will be: _acme-challenge.test.com
[Tue Sep 11 21:25:00 CST 2018] Add the following TXT record:
[Tue Sep 11 21:25:00 CST 2018] Domain: '_acme-challenge.test.com'
[Tue Sep 11 21:25:00 CST 2018] TXT value: 'qVFtVzCnBsj1omQcdU1m8180rUBO8V5AHDczFUHqsMY'
[Tue Sep 11 21:25:00 CST 2018] Please be aware that you prepend _acme-challenge. before your domain
[Tue Sep 11 21:25:00 CST 2018] so the resulting subdomain will be: _acme-challenge.test.com
[Tue Sep 11 21:25:00 CST 2018] Please add the TXT records to the domains, and re-run with --renew.
[Tue Sep 11 21:25:00 CST 2018] Please check log file for more details: /home/work/.acme.sh/acme.sh.log
[work@iZ25ndyf9bxZ acme.sh-master]$ ./acme.sh --renew --dns -d *.test.com -d test.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Sep 11 21:31:18 CST 2018] Renew: '*.test.com'
[Tue Sep 11 21:31:19 CST 2018] Multi domain='DNS:*.test.com,test.com'
[Tue Sep 11 21:31:19 CST 2018] Getting domain auth token for each domain
[Tue Sep 11 21:31:19 CST 2018] Verifying:*.test.com
[Tue Sep 11 21:31:24 CST 2018] Success
[Tue Sep 11 21:31:24 CST 2018] Verifying:test.com
[Tue Sep 11 21:31:27 CST 2018] Success
[Tue Sep 11 21:31:27 CST 2018] Verify finished, start to sign.
[Tue Sep 11 21:31:30 CST 2018] Cert success.
The output above says that the following records must be added in DNS:
Domain: '_acme-challenge.test.com'
TXT value: 'Oe0iBXj3QvUErZOpROldRLx5jpyXbazsX36lkI46C_Y'
and
Domain: '_acme-challenge.test.com'
TXT value: 'qVFtVzCnBsj1omQcdU1m8180rUBO8V5AHDczFUHqsMY'
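
Before re-running acme.sh with --renew, it is worth confirming that every requested TXT value is visible in DNS, since a wildcard plus its base domain puts two values on the same name. The following is an added example, not code from the original post or from acme.sh; it parses the `Domain:` / `TXT value:` lines shown in the output above, and `DIG`, `fake_dig` and the sample log are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. DIG, SAMPLE_LOG and fake_dig are assumptions for illustration.

DIG=${DIG:-dig}   # resolver command; point it at a stub to test offline

# stdin: acme.sh output. stdout: one "name value" pair per requested TXT record.
acme_txt_records() {
  awk -F"'" '
    /Domain: / && /_acme-challenge\./ { name = $2 }
    /TXT value: / && name != ""       { print name, $2 }
  '
}

# stdin: "name value" pairs. stdout: the pairs that DNS does not return yet.
missing_txt() {
  while read -r name value; do
    "$DIG" +short TXT "$name" </dev/null | tr -d '"' | grep -qxF -- "$value" ||
      printf '%s %s\n' "$name" "$value"
  done
}

# stdin: acme.sh output. Exit status: 0 all published, 1 some missing, 2 nothing parsed.
txt_ready() {
  records=$(acme_txt_records)
  [ -n "$records" ] || return 2
  missing=$(printf '%s\n' "$records" | missing_txt)
  [ -z "$missing" ] || { printf 'not published: %s\n' "$missing" >&2; return 1; }
}

# Constructed sample log: two TXT values requested for the same name.
SAMPLE_LOG="[ts] Domain: '_acme-challenge.example.test'
[ts] TXT value: 'constructed-token-for-wildcard'
[ts] Please be aware that you prepend _acme-challenge. before your domain
[ts] Domain: '_acme-challenge.example.test'
[ts] TXT value: 'constructed-token-for-apex'"

# Constructed stub standing in for dig: only the first value has propagated.
fake_dig() { printf '"%s"\n' 'constructed-token-for-wildcard'; }
```

With real DNS, pipe the saved acme.sh output into `txt_ready` and run `--renew` only once it exits 0.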

Once the records have taken effect

[work@iZ25ndyf9bxZ acme.sh-master]$ ./acme.sh --renew --dns -d *.test.com -d test.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Sep 11 21:31:18 CST 2018] Renew: '*.test.com'
[Tue Sep 11 21:31:19 CST 2018] Multi domain='DNS:*.test.com,DNS:test.com'
[Tue Sep 11 21:31:19 CST 2018] Getting domain auth token for each domain
[Tue Sep 11 21:31:19 CST 2018] Verifying:*.test.com
[Tue Sep 11 21:31:24 CST 2018] Success
[Tue Sep 11 21:31:24 CST 2018] Verifying:test.com
[Tue Sep 11 21:31:27 CST 2018] Success
[Tue Sep 11 21:31:27 CST 2018] Verify finished, start to sign.
[Tue Sep 11 21:31:30 CST 2018] Cert success.
[Tue Sep 11 21:31:30 CST 2018] Your cert is in  /home/work/.acme.sh/*.test.com/*.test.com.cer 
[Tue Sep 11 21:31:30 CST 2018] Your cert key is in  /home/work/.acme.sh/*.test.com/*.test.com.key 
[Tue Sep 11 21:31:30 CST 2018] The intermediate CA cert is in  /home/work/.acme.sh/*.test.com/ca.cer 
[Tue Sep 11 21:31:30 CST 2018] And the full chain certs is there:  /home/work/.acme.sh/*.test.com/fullchain.cer 
[Tue Sep 11 21:31:30 CST 2018] It seems that you are using dns manual mode. please take care: The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
[Tue Sep 11 21:31:30 CST 2018] Call hook error.

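Installing the certificate after it has been issued

Note that the --reloadcmd in the session below has no pipe between echo and sudo, so, as the output shows, it only prints the string and nginx is not actually reloaded. A sudoers rule that lets this user run the nginx reload without a password keeps the password out of the command altogether.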

[work@iZ25ndyf9bxZ acme.sh-master]$ ./acme.sh  --installcert  -d *.xmanlegal.com \
> --key-file /mnt/usr/ssl/xmanlegal.com/xmanlegal.com.key \
> --fullchain-file /mnt/usr/ssl/xmanlegal.com/xmanlegal.com.key.cer \
> --reloadcmd "echo "Asdf1234" sudo -S /mnt/usr/sbin/nginx -s reload"
[Tue Sep 11 21:36:31 CST 2018] Installing key to:/mnt/usr/ssl/xmanlegal.com/xmanlegal.com.key
[Tue Sep 11 21:36:31 CST 2018] Installing full chain to:/mnt/usr/ssl/xmanlegal.com/xmanlegal.com.key.cer
[Tue Sep 11 21:36:31 CST 2018] Run reload cmd: echo Asdf1234 sudo -S /mnt/usr/sbin/nginx -s reload
Asdf1234 sudo -S /mnt/usr/sbin/nginx -s reload
[Tue Sep 11 21:36:31 CST 2018] Reload success

Closing notes

Certificate grade test
Related technical blog posts
