配置 Let’s Encrypt SSL https 证书

Posted by 小炒肉 on January 24, 2017

配置 Let’s Encrypt SSL https 证书

一、安装acme.sh

1
2
3
4
5
6
7
curl  https://get.acme.sh | sh


#安装成功以后目录如下

/root/.acme.sh/

二、通过验证DNS签发证书

1
2
3
4
5
6
7
8
9
# GoDaddy 的域名

https://developer.godaddy.com/keys/


# 配置 两个变量
export GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export GD_Secret="asdfsdafdsfdsfdsfdsfdsafd"

三、生成DNS TXT记录

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
acme.sh --issue --dns dns_gd -d jicki.me


# 如果报错 可使用

acme.sh  --issue  --dns -d jicki.me


# 会提示,手动创建一条 txt 记录

Add the following TXT record:
Domain: '_acme-challenge.jicki.me'
TXT value: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
Please be aware that you prepend _acme-challenge. before your domain
so the resulting subdomain will be: _acme-challenge.jicki.me
Please add the TXT records to the domains, and retry again.



# 等待解析完成之后, 重新生成证书:

acme.sh  --renew  -d jicki.me

Renew: 'jicki.me'
Single domain='jicki.me'
Getting domain auth token for each domain
Verifying:jicki.me
Success
Verify finished, start to sign.
Cert success.



# 如果解析未完成会提示

jicki.me:Verify error:DNS problem: query timed out looking up CAA for jicki.me

四、配置证书

1
2
3
4
5
6
7
8
acme.sh  --installcert  -d  jicki.me   \
        --keypath   /etc/nginx/ssl/jicki.me.key \
        --fullchainpath /etc/nginx/ssl/jicki.me.cer
		
		
# 提示
Installing key to:/etc/nginx/ssl/jicki.me.key
Installing full chain to:/etc/nginx/ssl/jicki.me.cer

配置nginx

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# 修改 nginx.conf 配置 增加 ssl

server {
    listen 80;
    listen [::]:80;
    server_name jicki.me;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server
{
  listen     443;
  server_name www.jicki.me jicki.me;


  if ($http_user_agent ~ ApacheBench|WebBench|Jmeter){
       return 403;
     }

### Begin of SSL config
                ssl on;
                ssl_certificate /etc/nginx/ssl/jicki.me.cer;
                ssl_certificate_key /etc/nginx/ssl/jicki.me.key;
                ssl_session_timeout 1d;
                ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                ssl_prefer_server_ciphers on;
                ssl_ciphers                EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
                ssl_session_cache shared:SSL:50m;
                ssl_session_tickets      on;
                ssl_stapling      on;
                ssl_stapling_verify      on;
                resolver                 114.114.114.114 valid=300s;
                resolver_timeout         10s;

### End of SSL config
  location / {
     proxy_buffer_size 64k;
     proxy_buffers   32 32k;
     proxy_busy_buffers_size 256k;
     proxy_pass http://jekyll;
     proxy_cache one;
     }
 }

FAQ:

官方文档

1
https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E

关于证书自动更新

1
2
官方提示
目前证书在 60 天以后会自动更新, 你无需任何操作. 今后有可能会缩短这个时间, 不过都是自动的, 你不用关心.