There are many ways to obtain and deploy Let's Encrypt certificates; the most widely used clients are acme.sh and certbot.
acme.sh
Install acme.sh with its install script. The command pipes a remote script straight into sh, so if you prefer not to run unreviewed code, fetch it to a file first and read it before executing:
curl https://get.acme.sh | sh -s email=<your email address>
acme.sh now defaults to ZeroSSL as its CA. If issuance fails, switch the default CA to Let's Encrypt:
acme.sh --set-default-ca --server letsencrypt
The installer adds a crontab entry that runs the renewal check once a day. An nginx reload can be appended to it (the user running the job needs a sudoers rule allowing that nginx command without a password):
44 0 * * * "/home/ecs-user/.acme.sh"/acme.sh --cron --home "/home/ecs-user/.acme.sh" > /dev/null && sudo nginx -s reload
Note that this reloads nginx every day whether or not anything was renewed. The supported way is to deploy the certificate with acme.sh --install-cert and give it the reload command via --reloadcmd, which acme.sh runs only after a successful renewal.
Set the Aliyun access key used by the dns_ali hook. acme.sh saves these values into ~/.acme.sh/account.conf on the first run, so they only need to be exported once. Use a RAM sub-account key that carries only the AliyunDNSFullAccess policy rather than the root account's key: whoever holds this key can rewrite every record in the zone, which is enough to obtain certificates for any name under it.
export Ali_Key=access_key_id
export Ali_Secret=access_key_secret
Issue the certificate (quote the wildcard so the shell cannot glob-expand it):
acme.sh --issue --dns dns_ali -d huwenqiang.cn -d '*.huwenqiang.cn'
The certificate and key are written to a directory like the one below (the _ecc suffix is there because acme.sh issues ECC keys by default). Do not point nginx at these files directly; acme.sh owns this directory and its layout may change, so copy the certificate out with acme.sh --install-cert instead:
/home/ecs-user/.acme.sh/huwenqiang.cn_ecc
Certbot
First download the certbot-auto wrapper script. Note that EFF has deprecated certbot-auto and no longer maintains it; on a current system install certbot from your distribution's packages or as a snap and substitute certbot for ./certbot-auto in the commands below:
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
Then install aliyun-python-sdk-alidns with pip and create the script below as dns.py, replacing access_key_id and access_key_secret with a RAM sub-account key that has only DNS permissions. Because the file holds credentials and certbot executes it directly, give it a shebang line and chmod 700 it so it is executable by the user running certbot and unreadable by anyone else. Certbot runs it as a --manual-auth-hook, passing the name being validated in CERTBOT_DOMAIN (for *.huwenqiang.cn this is huwenqiang.cn, with the wildcard stripped) and the challenge token in CERTBOT_VALIDATION. The script only adds records; it never deletes them, so the _acme-challenge TXT records accumulate in the zone unless a --manual-cleanup-hook removes them:
#!/usr/bin/env python3
import os
import time

from aliyunsdkcore.client import AcsClient
from aliyunsdkalidns.request.v20150109 import AddDomainRecordRequest

# Replace with a RAM sub-account key limited to DNS permissions; never the root account key.
access_key_id = 'access_key_id'
access_key_secret = 'access_key_secret'

# Set by certbot for the hook; CERTBOT_DOMAIN is the base name even for wildcard requests.
domain = os.environ["CERTBOT_DOMAIN"]
value = os.environ["CERTBOT_VALIDATION"]

print("--------------->domain=" + domain)
print("--------------->value=" + value)

client = AcsClient(access_key_id, access_key_secret)
# Creates the TXT record _acme-challenge.<domain>. This assumes CERTBOT_DOMAIN is the
# zone apex hosted at Aliyun; for a name below the apex the RR needs the extra labels.
request = AddDomainRecordRequest.AddDomainRecordRequest()
request.set_DomainName(domain)
request.set_RR('_acme-challenge')
request.set_Type('TXT')
request.set_Value(value)
response = client.do_action_with_exception(request)

print(response)

# certbot asks the CA to validate as soon as this hook exits, so give Aliyun's
# authoritative servers time to publish the record first.
time.sleep(30)
Run the following command to create the certificate. Give the hook an absolute path in practice: certbot records it in the renewal configuration under /etc/letsencrypt/renewal/, and a ./ path will not resolve when renew is later run from cron with a different working directory. The wildcard is quoted so the shell does not expand it:
./certbot-auto certonly -d huwenqiang.cn -d '*.huwenqiang.cn' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-auth-hook ./dns.py
Renewal reuses the options stored at issuance, so a plain renew is enough; repeating them on the command line is harmless:
./certbot-auto renew --manual --preferred-challenges dns --manual-auth-hook ./dns.py
A crontab entry automates renewal and reloads nginx. Certbot only renews a certificate once it is within 30 days of expiry, so the check must run at least daily (certbot itself recommends twice a day). A schedule like 0 0 15 */3 * is unsafe: a run that finds the certificate still valid is followed by a three-month gap, longer than the 90-day certificate lifetime. Use --deploy-hook for the reload so nginx is only reloaded when a certificate was actually renewed:
0 0,12 * * * /certbot/certbot-auto renew -q --deploy-hook "/usr/sbin/nginx -s reload"
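The dns.py above creates TXT records but never removes them, waits a fixed time for every name even when several are validated in one run, and only works when CERTBOT_DOMAIN is the zone apex. The script below is an added example, not the page's own script: one file that serves as both --manual-auth-hook and --manual-cleanup-hook. It uses the same aliyun-python-sdk-alidns calls as the original plus DeleteDomainRecord, hands the Aliyun record id from the auth run to the cleanup run through certbot's CERTBOT_AUTH_OUTPUT variable (certbot passes the auth hook's stdout to the cleanup hook), waits for propagation only after the last challenge by checking CERTBOT_REMAINING_CHALLENGES, and computes the right RR for names below the apex. The ALIDNS_ZONE variable, the reuse of acme.sh's Ali_Key/Ali_Secret variable names, and the MemoryDns test double are assumptions of this example.

```python
#!/usr/bin/env python3
"""certbot DNS hook for Aliyun: `dns_hook.py auth` creates the TXT record,
`dns_hook.py cleanup` deletes it. Invoke as
  --manual-auth-hook "/path/dns_hook.py auth" --manual-cleanup-hook "/path/dns_hook.py cleanup"
Added example, not the original page's script."""
import json
import os
import sys
import time

CHALLENGE_LABEL = "_acme-challenge"
ZONE_ENV = "ALIDNS_ZONE"        # assumed env var: the zone hosted at Aliyun
PROPAGATION_SECONDS = 30        # time to let Aliyun's authoritative servers publish


def split_name(domain, zone=None):
    """Return (zone, rr) so that rr.zone is the challenge name certbot will query.

    certbot hands over the base name for wildcards, so CERTBOT_DOMAIN for
    *.huwenqiang.cn is huwenqiang.cn. If no zone is given the last two labels
    are assumed, which is wrong for zones like example.co.uk: set ALIDNS_ZONE.
    """
    domain = domain.lower().rstrip(".")
    if domain.startswith("*."):
        domain = domain[2:]
    if zone is None:
        zone = ".".join(domain.split(".")[-2:])
    zone = zone.lower().rstrip(".")
    if domain == zone:
        return zone, CHALLENGE_LABEL
    if not domain.endswith("." + zone):
        raise ValueError(f"{domain} is not inside zone {zone}")
    return zone, f"{CHALLENGE_LABEL}.{domain[:-len(zone) - 1]}"


class AliyunDns:
    """Real provider on top of aliyun-python-sdk-alidns (needs network; not run offline)."""

    def __init__(self, key, secret):
        from aliyunsdkcore.client import AcsClient
        from aliyunsdkalidns.request.v20150109 import (
            AddDomainRecordRequest, DeleteDomainRecordRequest)
        self._client = AcsClient(key, secret)
        self._add = AddDomainRecordRequest.AddDomainRecordRequest
        self._del = DeleteDomainRecordRequest.DeleteDomainRecordRequest

    def add_txt(self, zone, rr, value):
        req = self._add()
        req.set_DomainName(zone)
        req.set_RR(rr)
        req.set_Type("TXT")
        req.set_Value(value)
        # AddDomainRecord answers with JSON containing the new RecordId
        return json.loads(self._client.do_action_with_exception(req))["RecordId"]

    def delete(self, record_id):
        req = self._del()
        req.set_RecordId(record_id)
        self._client.do_action_with_exception(req)


class MemoryDns:
    """Constructed in-memory stand-in with the same interface, for offline testing."""

    def __init__(self):
        self.records, self._next = {}, 1

    def add_txt(self, zone, rr, value):
        rid, self._next = str(self._next), self._next + 1
        self.records[rid] = (zone, rr, value)
        return rid

    def delete(self, record_id):
        del self.records[record_id]


def auth(env, provider, sleep=time.sleep):
    """Create the TXT record and return its id (printed so certbot passes it to cleanup)."""
    zone, rr = split_name(env["CERTBOT_DOMAIN"], env.get(ZONE_ENV))
    record_id = provider.add_txt(zone, rr, env["CERTBOT_VALIDATION"])
    # The hook runs once per name. Wait only after the last one so every TXT
    # record (e.g. both for huwenqiang.cn and *.huwenqiang.cn) has propagated.
    if env.get("CERTBOT_REMAINING_CHALLENGES", "0") == "0":
        sleep(PROPAGATION_SECONDS)
    return record_id


def cleanup(env, provider):
    """Delete the record auth() created; certbot supplies auth's stdout as CERTBOT_AUTH_OUTPUT."""
    record_id = env["CERTBOT_AUTH_OUTPUT"].strip()
    provider.delete(record_id)
    return record_id


def main(argv):
    # Ali_Key / Ali_Secret are the variable names acme.sh uses; reused here by assumption.
    provider = AliyunDns(os.environ["Ali_Key"], os.environ["Ali_Secret"])
    if argv[1:] == ["cleanup"]:
        cleanup(os.environ, provider)
    else:
        print(auth(os.environ, provider))


if __name__ == "__main__":
    main(sys.argv)
```

Because certbot pairs each cleanup invocation with the output of the matching auth invocation, the two TXT records created for huwenqiang.cn and *.huwenqiang.cn are each deleted by id, and nothing is left in the zone after issuance whether validation succeeded or failed.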
- Appendix: nginx configuration file
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 443 ssl http2;
    server_name www.huwenqiang.cn;
    # certbot's live/ directory holds symlinks to the newest certificate, so a reload
    # picks up renewals; acme.sh users should point these at the files written by
    # acme.sh --install-cert instead of at ~/.acme.sh
    ssl_certificate /etc/letsencrypt/live/huwenqiang.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/huwenqiang.cn/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    # the DHE-* suites above are only offered if ssl_dhparam is set; without it
    # nginx silently serves the ECDHE suites only, which is fine for this site

    # gzip applies to TLS responses too: compressing pages that echo user input next to
    # secrets (CSRF tokens, session data) exposes them to BREACH, so limit it to public
    # content; jpeg/gif/png are already compressed and gain nothing from it
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_comp_level 2;
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
    gzip_vary off;
    gzip_disable "MSIE [1-6]\.";

    location / {
        proxy_pass http://solo:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # pass the original host, scheme and client address so the application builds
        # https URLs and logs the real client instead of the proxy
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

server {
    listen 80;
    server_name www.huwenqiang.cn;
    return 301 https://www.huwenqiang.cn$request_uri;
}