Lilong Zhang / Generating Free Certificates

Created Sat, 28 Dec 2024 15:56:30 +0800

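Use acme.sh to generate free certificates

Usage notes

It is recommended to install and operate as the root user!!!

Steps

Install acme.sh

Run the following command to install acme.sh: curl https://get.acme.sh | sh -s email=my@example.com

Then load the environment variables: source ~/.bashrc

Issue a certificate using Cloudflare DNS

Configure the Cloudflare API token and email (replace the quoted placeholders with your own API token and email address):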

  • export CF_Token="你的API令牌"
  • export CF_Email="你的邮箱"

Run the following command (the wildcard name is quoted so that the shell does not expand it): acme.sh --issue --dns dns_cf -d example.com -d '*.example.com'

Install the certificate

acme.sh --install-cert -d example.com \
--key-file /etc/nginx/ssl/example.com.key \
--fullchain-file /etc/nginx/ssl/fullchain.cer \
--reloadcmd "systemctl reload nginx"

View information about the installed certificate

acme.sh --info -d example.com

nginx configuration

  • Static file serving
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;

    root /data/projects/your-website;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
  • Reverse proxy
server {
    listen 80;
    server_name sub.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name sub.example.com;

    ssl_certificate /etc/nginx/ssl/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass  http://127.0.0.1:8075;
    }
}
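
The installed files can be checked before nginx is reloaded. The script below is an added example, not part of the original post or of acme.sh: it checks that the private key has no group or other permission bits, that the certificate is not within 30 days of expiry, and that every server_name is covered by a SAN entry. The function names are hypothetical, and it assumes OpenSSL 1.1.1 or newer.

```shell
# Added example (not from the original page); function names are hypothetical.

# cert_sans CERT: print the leaf certificate's DNS SAN entries, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# host_covered HOST: read SAN entries on stdin, succeed if one of them covers HOST.
# A wildcard stands for exactly one leftmost label: *.example.com covers
# sub.example.com, but not example.com itself and not a.b.example.com.
host_covered() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS= read -r san; do
        case $san in
            '*.'*)
                suffix=${san#\*}             # ".example.com"
                label=${host%"$suffix"}      # part of HOST in front of the suffix
                case $label in
                    ''|"$host"|*.*) ;;       # empty, suffix absent, or several labels
                    *) return 0 ;;
                esac ;;
            "$host") return 0 ;;
        esac
    done
    return 1
}

# key_private FILE: succeed only if FILE is a regular file with no group/other bits.
key_private() {
    case $(ls -ld -- "$1" 2>/dev/null) in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_deploy CERT KEY HOST...: run all checks, report the first failure.
check_deploy() {
    cert=$1 key=$2; shift 2
    key_private "$key" || { echo "key is group/world accessible: $key"; return 1; }
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
        { echo "certificate expires within 30 days: $cert"; return 1; }
    sans=$(cert_sans "$cert") || return 1
    for h in "$@"; do
        printf '%s\n' "$sans" | host_covered "$h" || { echo "no SAN covers $h"; return 1; }
    done
}
# Usage: check_deploy /etc/nginx/ssl/fullchain.cer /etc/nginx/ssl/example.com.key example.com sub.example.com
```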