Using acme.sh to obtain free certificates
Installing and operating as the root user is recommended!!!
Steps
Install acme.sh
Run the following command to install acme.sh (the email is registered with the CA account):
```shell
curl https://get.acme.sh | sh -s email=my@example.com
```
Then reload the shell environment so the `acme.sh` alias is available:
```shell
source ~/.bashrc
```
Issue a certificate using Cloudflare DNS
Set the Cloudflare API token and email (the DNS-01 challenge lets acme.sh create the `_acme-challenge` TXT records for you, which is required for the wildcard name):
```shell
export CF_Token="your API token"
export CF_Email="your email"
```
Run the following command (the wildcard is quoted so the shell does not expand it as a glob):
```shell
acme.sh --issue --dns dns_cf -d example.com -d '*.example.com'
```
Install the certificate
Copy the key and full chain to the paths nginx will read and reload nginx after every renewal:
```shell
acme.sh --install-cert -d example.com \
  --key-file /etc/nginx/ssl/example.com.key \
  --fullchain-file /etc/nginx/ssl/fullchain.cer \
  --reloadcmd "systemctl reload nginx"
```
View information about the installed certificate
```shell
acme.sh --info -d example.com
```
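As an added example (not part of this page's commands or of acme.sh itself), the POSIX shell checks below verify the files that `acme.sh --install-cert` wrote before trusting the `--reloadcmd`: the private key matches the certificate, the certificate is not about to expire, and both `example.com` and `*.example.com` appear in the SANs. It assumes the `openssl` CLI is available and builds a constructed self-signed pair so it can be tried offline.

```shell
#!/bin/sh
# Added example, not from acme.sh or the original page. Checks an installed
# cert/key pair such as /etc/nginx/ssl/fullchain.cer and example.com.key.

# Succeeds when the certificate's public key matches the private key.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate does not expire within the next $2 days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeeds when $2 (e.g. "*.example.com") is one of the certificate's SANs.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' \
    | grep -qxF -- "DNS:$2"
}

# Builds a constructed self-signed pair in directory $1 for offline testing;
# in production point check_installed at /etc/nginx/ssl instead.
make_demo_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1/example.com.key" -out "$1/fullchain.cer" \
    -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:*.example.com" >/dev/null 2>&1
}

# Runs all checks against the pair in directory $1; returns non-zero on failure.
check_installed() {
  cert="$1/fullchain.cer"; key="$1/example.com.key"
  cert_key_match "$cert" "$key"        || { echo "key/cert mismatch"; return 1; }
  cert_valid_for_days "$cert" 14       || { echo "expires in under 14 days"; return 1; }
  cert_has_san "$cert" "example.com"   || { echo "missing example.com SAN"; return 1; }
  cert_has_san "$cert" "*.example.com" || { echo "missing wildcard SAN"; return 1; }
  echo "certificate in $1 looks good"
}
```

Run `check_installed /etc/nginx/ssl` after each renewal; a failing key/cert match is the usual symptom of a partially applied `--install-cert`.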
nginx configuration
- Serving static files
```nginx
server {
    listen 443 ssl;
    server_name example.com;

    # Files written by acme.sh --install-cert
    ssl_certificate /etc/nginx/ssl/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;

    root /data/projects/your-website;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
```
- Reverse proxy
```nginx
# Redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name sub.example.com;
    return 301 https://$host$request_uri;
}

# The wildcard certificate covers sub.example.com as well
server {
    listen 443 ssl;
    server_name sub.example.com;
    ssl_certificate /etc/nginx/ssl/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://127.0.0.1:8075;
    }
}
```