title: linux-免费ssl证书
categories: Linux
tags: [linux, xshell]
date: 2022-09-10 19:29:55
comments: false
mathjax: true
toc: true
linux-免费ssl证书
前篇
- 33种免费获取SSL证书的方式 - https://zhuanlan.zhihu.com/p/174755007
HTTPS 证书文件格式转换
- HTTPS证书文件格式转换 - https://ohttps.com/docs/certformat
Let’s Encrypt颁发的HTTPS证书一般包括以下几个文件:
- cert.key(PEM格式):私钥文件
- cert.cer(PEM格式):证书文件
- fullchain.cer(PEM格式):包含证书和中间证书
自动更新脚本
- 官方: https://github.com/acmesh-official/acme.sh
- 一个脚本就把系统升级到 https了,还永久免费 - https://segmentfault.com/a/1190000038367115
以使用 阿里云 域名为例
-
下载自动更新脚本:
curl https://get.acme.sh | sh -s [email protected]$ curl https://get.acme.sh | sh -s email=my@example.com % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 937 0 937 0 0 1741 0 --:--:-- --:--:-- --:--:-- 1738 % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 212k 100 212k 0 0 231k 0 --:--:-- --:--:-- --:--:-- 231k [Wed Sep 14 02:32:00 UTC 2022] Installing from online archive. [Wed Sep 14 02:32:00 UTC 2022] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz [Wed Sep 14 02:32:02 UTC 2022] Extracting master.tar.gz [Wed Sep 14 02:32:02 UTC 2022] It is recommended to install socat first. [Wed Sep 14 02:32:02 UTC 2022] We use socat for standalone server if you use standalone mode. [Wed Sep 14 02:32:02 UTC 2022] If you don't use standalone mode, just ignore this warning. [Wed Sep 14 02:32:02 UTC 2022] Installing to /root/.acme.sh [Wed Sep 14 02:32:02 UTC 2022] Installed to /root/.acme.sh/acme.sh [Wed Sep 14 02:32:02 UTC 2022] Installing alias to '/root/.bashrc' [Wed Sep 14 02:32:02 UTC 2022] OK, Close and reopen your terminal to start using acme.sh [Wed Sep 14 02:32:02 UTC 2022] Installing cron job no crontab for root no crontab for root [Wed Sep 14 02:32:02 UTC 2022] Good, bash is found, so change the shebang to use bash as preferred. [Wed Sep 14 02:32:03 UTC 2022] OK [Wed Sep 14 02:32:03 UTC 2022] Install success!- 这里为啥要指定一个邮箱呢?
- 因为默认使用的 ZeroSSL, 就需要指定邮箱. 参考: https://www.xuchao.org/technology/acme-sh_is_using_zerossl_as_default_ca.html
- 这里为啥要指定一个邮箱呢?
-
创建一个脚本执行:
vim a_start.shexport Ali_Key="123123123" export Ali_Secret="456456456" ./acme.sh --issue --force --dns dns_ali -d *.aaa.com- Ali_Key 和 Ali_Secret 是阿里云的秘钥
--dns dns_ali指的是使用 dnsapi/dns_ali.sh 脚本-d *.aaa.com是泛域名, 也多个可以 -d 单域名
-
执行
a_start.sh$ ./a_start.sh [Wed Sep 14 06:20:17 UTC 2022] Using CA: https://acme.zerossl.com/v2/DV90 [Wed Sep 14 06:20:17 UTC 2022] Creating domain key ... [Wed Sep 14 06:21:31 UTC 2022] Success ... [Wed Sep 14 06:22:22 UTC 2022] Cert success. -----BEGIN CERTIFICATE----- MIIGZjCCBE6gAwIBAgIRAPhQkXL9/u0f49Oj25dsgTUwDQYJKoZIhvcNAQEMBQAw SzELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9T .... ei94GjqO39Wo5w== -----END CERTIFICATE----- [Wed Sep 14 06:22:22 UTC 2022] Your cert is in: /root/.acme.sh/*.aaa.com/*.aaa.com.cer [Wed Sep 14 06:22:22 UTC 2022] Your cert key is in: /root/.acme.sh/*.aaa.com/*.aaa.com.key [Wed Sep 14 06:22:22 UTC 2022] The intermediate CA cert is in: /root/.acme.sh/*.aaa.com/ca.cer [Wed Sep 14 06:22:22 UTC 2022] And the full chain certs is there: /root/.acme.sh/*.aaa.com/fullchain.cer
生成到指定路径
-
生成前, 路径所在的目录必须先存在, 生成后可以执行命令重启 nginx
./acme.sh --issue --force --dns dns_ali -d *.aaa.cn \ --key-file /opt/nginx-cert/any.aaa.cn/any.aaa.cn.key \ --fullchain-file /opt/nginx-cert/any.aaa.cn/any.aaa.cn.cer \ --reloadcmd "service nginx force-reload"
ohttps
- https://ohttps.com/
-
使用这两个文件
-
配置 nginx
# cdn 服务 server { listen 443 ssl; server_name aaa.bbb.cn; root /webapps/cdn; # 存放文件的目录 location / { autoindex on; # 索引 autoindex_exact_size on; # 显示文件大小 autoindex_localtime on; # 显示文件时间 limit_rate 0; } # ssl ssl_certificate /opt/nginx-cert/aaa.bbb.cn/fullchain.cer; ssl_certificate_key /opt/nginx-cert/aaa.bbb.cn/cert.key; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; access_log /var/log/nginx/aaa.bbb.cn.log; }