Obtain API keys
Tencent Cloud (DNSPod): create an API token (ID + token) here
https://console.dnspod.cn/account/token/token
Alibaba Cloud (for safety, create a RAM sub-account and grant it only the DNS-related permissions; do not use the root account's AccessKey)
https://ram.console.aliyun.com/users
Download the script
Automatic download
curl https://get.acme.sh | sh
This pipes a remote script straight into your shell. If that is not acceptable on the host, download the installer first and read it, or clone the acme.sh repository and run ./acme.sh --install instead.
Register an account
acme.sh --register-account -m xxx@xx.com
Set the keys
Tencent Cloud (DNSPod): the token ID and the token value from the DNSPod console
export DP_Id=""
export DP_Key=""
Alibaba Cloud: the sub-account's AccessKey ID and AccessKey Secret
export Ali_Key=""
export Ali_Secret=""
acme.sh saves these values to ~/.acme.sh/account.conf after the first successful issue and reuses them for renewals, so they do not have to stay in the environment; keep that file readable by root only.
Issue the certificate
Type in the terminal (close and reopen the terminal once, or source ~/.bashrc, before the acme.sh alias is available):
Tencent Cloud
acme.sh --issue --dns dns_dp -d '*.xxx.com'
Alibaba Cloud
acme.sh --issue --dns dns_ali -d '*.xxx.com'
Replace xxx.com with your own domain. * is a wildcard and matches any single-level subdomain (a.xxx.com, but not a.b.xxx.com). It does not cover the apex xxx.com itself; add -d xxx.com as a second name if you need that (the appendix script does). Quote the wildcard so the shell does not glob-expand it.
The terminal prints the location where the certificate was stored (by default under ~/.acme.sh/); the certificate files can be found there.
Install the certificate (or copy it manually)
acme.sh --install-cert -d '*.xxx.com' \
    --key-file '/data/nginx/conf/*.xxx.com.key.pem' \
    --fullchain-file '/data/nginx/conf/*.xxx.com.cert.pem' \
    --reloadcmd "systemctl reload nginx"
Use --install-cert rather than copying files out of ~/.acme.sh/: acme.sh remembers the target paths and the reload command and repeats them after every automatic renewal, so nginx picks up the new certificate instead of serving the expired one. The paths must match the ssl_certificate / ssl_certificate_key directives in the nginx configuration.
Updating acme.sh
Upgrade acme.sh to the latest version:
acme.sh --upgrade
If you don't want to upgrade manually, enable automatic upgrades:
acme.sh --upgrade --auto-upgrade
Disable automatic upgrades:
acme.sh --upgrade --auto-upgrade 0
nginx configuration (certificate paths must match the --install-cert command above)
server {
    listen 80;
    server_name *.xxx.com;
    # Redirect everything to HTTPS. Use $host and $request_uri, not $server_name:
    # with a wildcard server_name, $server_name is the literal string "*.xxx.com".
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name *.xxx.com; # the domain the certificate is bound to
    # Files written by acme.sh --install-cert (the fullchain file, not the bare leaf certificate)
    ssl_certificate /etc/nginx/conf.d/*.xxx.com.cert.pem;
    ssl_certificate_key /etc/nginx/conf.d/*.xxx.com.key.pem;
    # Names used if you copied acme.sh's own .cer/.key files manually instead
    #ssl_certificate /etc/nginx/conf.d/*.xxx.com.cer;
    #ssl_certificate_key /etc/nginx/conf.d/*.xxx.com.key;
    # Not set on the original page; without it nginx's default may still offer TLS 1.0/1.1
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_timeout 5m;
    #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_ciphers HIGH:!NULL:!aNULL:!ADH:!3DES:!RC4;
    ssl_prefer_server_ciphers on;
    fastcgi_param HTTPS on;
    fastcgi_param HTTP_SCHEME https;
    # Map the first label of the Host header to a directory: api.xxx.com -> /api.
    # The capture is restricted to [a-z0-9-] and anchored to your domain, so a
    # client-controlled Host cannot inject "/" or ".." into the root path.
    # www.xxx.com and the apex fall through to the empty default (document root itself).
    set $subdomain "";
    if ($host ~* "^(?!www\.)([a-z0-9-]+)\.xxx\.com$") {
        set $subdomain /$1;
    }
    location / {
        root /usr/share/nginx/html$subdomain;
        try_files $uri $uri/ /index.html;
    }
}
Appendix: batch script for dual certificates (RSA + ECC) [Alibaba Cloud]
#!/bin/sh
set -e
DOMAIN="xxx.com"               # your domain
CERT_FOLDER="/etc/nginx/certs" # directory the certificates are installed into; no trailing "/"
export Ali_Key="xxx"           # AccessKey ID of the Alibaba Cloud RAM user
export Ali_Secret="xxx"        # AccessKey Secret of the RAM user (not its console password)
#######################################################################
# Install acme.sh
# apt install socat   # only needed for standalone mode, not for DNS validation
curl https://get.acme.sh | sh
# Aliases are not expanded in a non-interactive sh script, so call the binary by path.
ACME="$HOME/.acme.sh/acme.sh"
"$ACME" --upgrade --auto-upgrade              # enable automatic updates of acme.sh
"$ACME" --set-default-ca --server letsencrypt # set the default CA to Let's Encrypt
# Issue the RSA certificate. Apex and wildcard go into one certificate because the
# wildcard alone does not cover xxx.com. --ocsp requests the OCSP Must-Staple extension:
# browsers then reject the certificate unless nginx actually staples a response
# (ssl_stapling on), and Let's Encrypt no longer issues certificates with this
# extension, so drop --ocsp if the request is refused.
"$ACME" --issue -d "${DOMAIN}" -d "*.${DOMAIN}" --dns dns_ali \
    --dnssleep 30 --ocsp --days 30 --keylength 2048
# Issue the ECC certificate
"$ACME" --issue -d "${DOMAIN}" -d "*.${DOMAIN}" --dns dns_ali \
    --dnssleep 30 --ocsp --days 30 --keylength ec-256
# Create the directories the certificates are installed into
mkdir -p "${CERT_FOLDER}/rsa" "${CERT_FOLDER}/ecc"
# Install the RSA certificate. --reloadcmd is remembered and run after every renewal,
# so nginx picks up the new files; reload keeps existing connections, restart drops them.
"$ACME" --install-cert -d "${DOMAIN}" \
    --cert-file "${CERT_FOLDER}/rsa/cert.pem" \
    --key-file "${CERT_FOLDER}/rsa/key.pem" \
    --fullchain-file "${CERT_FOLDER}/rsa/fullchain.pem" \
    --reloadcmd "systemctl reload nginx"
# Install the ECC certificate (--ecc selects the ec-256 certificate stored alongside the RSA one)
"$ACME" --install-cert -d "${DOMAIN}" --ecc \
    --cert-file "${CERT_FOLDER}/ecc/cert.pem" \
    --key-file "${CERT_FOLDER}/ecc/key.pem" \
    --fullchain-file "${CERT_FOLDER}/ecc/fullchain.pem" \
    --reloadcmd "systemctl reload nginx"
# Manual renewal. acme.sh identifies a certificate by its first -d name, so renew
# with the apex domain (plus --ecc for the ECC one), not with the wildcard.
#"$ACME" --renew -d xxx.com --force
#"$ACME" --renew -d xxx.com --force --ecc
nginx dual-certificate configuration
Required versions
nginx 1.11.0 or later (ssl_certificate / ssl_certificate_key may be given more than once, one pair per key type)
OpenSSL 1.0.2 or later
ssl_certificate example.com.rsa.crt;        # use the fullchain file, e.g. ${CERT_FOLDER}/rsa/fullchain.pem from the script above
ssl_certificate_key example.com.rsa.key;    # ${CERT_FOLDER}/rsa/key.pem
ssl_certificate example.com.ecdsa.crt;      # ${CERT_FOLDER}/ecc/fullchain.pem
ssl_certificate_key example.com.ecdsa.key;  # ${CERT_FOLDER}/ecc/key.pem
nginx selects the certificate whose key type matches the cipher suite negotiated with the client, so both ECDHE-ECDSA and ECDHE-RSA suites must stay enabled in ssl_ciphers or one of the two certificates is never used.
Cipher suites (one of three options)
Strict suites only:
ssl_ciphers HIGH:!NULL:!aNULL:!ADH:!3DES:!RC4;
Check the SSL certificate at myssl.com
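Before reloading nginx, it is worth checking locally that the files --install-cert wrote (the single wildcard install above, or the rsa/ and ecc/ pairs from the appendix script) are what nginx expects: the key belongs to the certificate, the SAN list contains the name nginx will serve, the key type is the one you intended, and renewal is not already overdue. The script below is an added example, not part of the original page or of acme.sh; it assumes OpenSSL 1.1.1 or newer on PATH, and the *.example.test certificates it checks are self-signed test data constructed inside the script to stand in for ${CERT_FOLDER}/rsa and ${CERT_FOLDER}/ecc.

```shell
#!/bin/sh
# Added example, not from the original page: offline sanity checks for the key and
# fullchain files that `acme.sh --install-cert` writes, run before (re)loading nginx.
# Assumes openssl 1.1.1 or newer on PATH. The *.example.test names and the temp-dir
# layout (rsa/ and ecc/ subdirectories) are constructed here to mirror ${CERT_FOLDER}.
set -eu

# Public-key algorithm of the first certificate in a file: "rsaEncryption" or "id-ecPublicKey".
cert_key_algo() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^[[:space:]]*Public Key Algorithm: //p' | head -n 1
}

# Succeeds if the private key ($1) belongs to the certificate ($2). Comparing the
# DER-encoded public keys works for both RSA and EC, unlike modulus-based checks.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey \
        | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# Succeeds if the certificate's subjectAltName list contains exactly the name in $2
# (for example "*.example.test"; a wildcard entry does not make "example.test" match).
cert_covers() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed 's/^[[:space:]]*DNS://' | grep -Fxq "$2"
}

# Succeeds if the certificate stays valid for at least $2 days (default 30, the
# renew interval used with --days in the appendix script).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null
}

# Runs all checks for one key/fullchain pair and prints a one-line verdict.
# $3 is the DNS name nginx will serve, $4 the expected key algorithm.
check_pair() {
    key=$1; chain=$2; name=$3; want=$4
    algo=$(cert_key_algo "$chain")
    [ "$algo" = "$want" ] || { echo "FAIL $chain: key algorithm $algo, expected $want"; return 1; }
    key_matches_cert "$key" "$chain" || { echo "FAIL $chain: private key does not match certificate"; return 1; }
    cert_covers "$chain" "$name" || { echo "FAIL $chain: SAN list does not include $name"; return 1; }
    cert_valid_for_days "$chain" 30 || { echo "FAIL $chain: expires within 30 days"; return 1; }
    echo "OK   $chain ($algo, covers $name)"
}

# Constructed test data: self-signed RSA and EC pairs standing in for the files
# --install-cert would place under ${CERT_FOLDER}/rsa and ${CERT_FOLDER}/ecc.
make_test_pairs() {
    mkdir -p "$1/rsa" "$1/ecc"
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=*.example.test" \
        -addext "subjectAltName=DNS:*.example.test,DNS:example.test" \
        -keyout "$1/rsa/key.pem" -out "$1/rsa/fullchain.pem" 2>/dev/null
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 90 \
        -subj "/CN=*.example.test" -addext "subjectAltName=DNS:*.example.test,DNS:example.test" \
        -keyout "$1/ecc/key.pem" -out "$1/ecc/fullchain.pem" 2>/dev/null
}

main() {
    tmp=$(mktemp -d)
    make_test_pairs "$tmp"
    check_pair "$tmp/rsa/key.pem" "$tmp/rsa/fullchain.pem" "*.example.test" rsaEncryption
    check_pair "$tmp/ecc/key.pem" "$tmp/ecc/fullchain.pem" "*.example.test" id-ecPublicKey
    # Cross-check that catches swapped --key-file/--cert-file paths between the two installs.
    if key_matches_cert "$tmp/rsa/key.pem" "$tmp/ecc/fullchain.pem"; then
        echo "FAIL: RSA key unexpectedly matches the ECC certificate"; rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
}
main
```

On a real host, replace the constructed pairs with the paths from your --install-cert command (for the wildcard-only install, pass '*.xxx.com' as the name); the same functions can be wired into --reloadcmd so that a renewal that produced a mismatched or wrong-type file fails loudly instead of reloading nginx with it.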