
Centos7 Let's Encrypt

云之渝 2020-09-10

System environment
nginx version: nginx/1.12.2
centos 7.6
www.yunzhiyutest.com

References
https://www.cnblogs.com/esofar/p/9291685.html
https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E


# Install acme.sh
curl https://get.acme.sh | sh

The installer does the following (worth knowing, nothing to do by hand):

It installs acme.sh into the .acme.sh folder under the current user's $HOME, i.e. ~/.acme.sh/; every certificate issued later is also kept under that directory.
It adds a shell alias, alias acme.sh=~/.acme.sh/acme.sh, so the script can be called simply as acme.sh (open a new shell, or source ~/.bashrc, for the alias to take effect).
It registers a cron job that runs once a day (at 0:00 by default) to check every certificate and renew the ones that are close to expiry.

When the installer has finished, run acme.sh --version to confirm the command works. Note that curl https://get.acme.sh | sh executes whatever the remote host serves without you seeing it; if that is a concern, download the installer to a file, read it, and only then run it with sh.

# Issue a certificate
acme.sh --issue -d esofar.cn -d www.esofar.cn -w /usr/share/nginx/html

--issue tells acme.sh to request a certificate;
-d is short for --domain; give every hostname the certificate should cover (the first one names the directory under ~/.acme.sh). Each name must publicly resolve to this server, because Let's Encrypt validates by fetching http://<domain>/.well-known/acme-challenge/<token> on port 80 (ICP filing is a requirement of Chinese hosting providers, not something the CA checks);
-w is short for --webroot; give the directory that nginx serves for that hostname on port 80, so acme.sh can drop the challenge file where the CA will find it.


First attempt, with the log. At that moment the domain still resolved to 47.105.194.80, a different machine (ping shows it as a remote host with TTL 121, while 47.105.121.71 answers locally with TTL 64), and nothing there accepted connections on port 80, so the CA's fetch of the challenge file was refused. Once the A record pointed at this server the same command succeeded.

[root@iZpk32a2yj84bfZ html]# acme.sh --issue -d yunzhiyutest.com -d www.yunzhiyutest.com -w /usr/share/nginx/html/
[Mon May 20 10:54:41 CST 2019] Multi domain='DNS:yunzhiyutest.com,DNS:www.yunzhiyutest.com'
[Mon May 20 10:54:41 CST 2019] Getting domain auth token for each domain
[Mon May 20 10:54:45 CST 2019] Getting webroot for domain='yunzhiyutest.com'
[Mon May 20 10:54:45 CST 2019] Getting webroot for domain='www.yunzhiyutest.com'
[Mon May 20 10:54:45 CST 2019] Verifying: yunzhiyutest.com
[Mon May 20 10:54:48 CST 2019] yunzhiyutest.com:Verify error:Fetching http://yunzhiyutest.com/.well-known/acme-challenge/ZcG3TGLTNG57r9s_3WnAOt0lAIS1se7F_LJyFW0aUHA: Connection refused
[Mon May 20 10:54:48 CST 2019] Please add '--debug' or '--log' to check more details.
[Mon May 20 10:54:48 CST 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[root@iZpk32a2yj84bfZ html]# ping yunzhiyutest.com
PING yunzhiyutest.com (47.105.194.80) 56(84) bytes of data.
64 bytes from 47.105.194.80 (47.105.194.80): icmp_seq=1 ttl=121 time=1.15 ms
64 bytes from 47.105.194.80 (47.105.194.80): icmp_seq=2 ttl=121 time=1.06 ms
^C
--- yunzhiyutest.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.067/1.108/1.150/0.053 ms
[root@iZpk32a2yj84bfZ html]# ping yunzhiyutest.com
PING yunzhiyutest.com (47.105.121.71) 56(84) bytes of data.
64 bytes from 47.105.121.71 (47.105.121.71): icmp_seq=1 ttl=64 time=0.887 ms
64 bytes from 47.105.121.71 (47.105.121.71): icmp_seq=2 ttl=64 time=0.922 ms
^C
--- yunzhiyutest.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.887/0.904/0.922/0.034 ms
[root@iZpk32a2yj84bfZ html]# acme.sh --issue -d yunzhiyutest.com -d www.yunzhiyutest.com -w /usr/share/nginx/html/
[Mon May 20 10:56:09 CST 2019] Multi domain='DNS:yunzhiyutest.com,DNS:www.yunzhiyutest.com'
[Mon May 20 10:56:09 CST 2019] Getting domain auth token for each domain
[Mon May 20 10:56:13 CST 2019] Getting webroot for domain='yunzhiyutest.com'
[Mon May 20 10:56:13 CST 2019] Getting webroot for domain='www.yunzhiyutest.com'
[Mon May 20 10:56:13 CST 2019] Verifying: yunzhiyutest.com
[Mon May 20 10:56:17 CST 2019] Success
[Mon May 20 10:56:17 CST 2019] Verifying: www.yunzhiyutest.com
[Mon May 20 10:56:21 CST 2019] Success
[Mon May 20 10:56:21 CST 2019] Verify finished, start to sign.
[Mon May 20 10:56:21 CST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/57426906/460547471
[Mon May 20 10:56:24 CST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/035f6b882fd54af0839335104eb8528931bb
[Mon May 20 10:56:24 CST 2019] Cert success.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[Mon May 20 10:56:24 CST 2019] Your cert is in  /root/.acme.sh/yunzhiyutest.com/yunzhiyutest.com.cer
[Mon May 20 10:56:24 CST 2019] Your cert key is in  /root/.acme.sh/yunzhiyutest.com/yunzhiyutest.com.key
[Mon May 20 10:56:24 CST 2019] The intermediate CA cert is in  /root/.acme.sh/yunzhiyutest.com/ca.cer
[Mon May 20 10:56:24 CST 2019] And the full chain certs is there:  /root/.acme.sh/yunzhiyutest.com/fullchain.cer
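The failure above ("Connection refused") is the most common way webroot validation goes wrong: the name resolves somewhere other than the host running acme.sh, or nginx is not serving the webroot on port 80. The script below is an added example written for this post (it is not part of the original post or of acme.sh) that performs those two checks before you spend a validation attempt: it compares each domain's A records with this host's addresses, then drops a throw-away token under the same path acme.sh uses and fetches it over plain HTTP the way the CA does. It assumes a Linux host with getent, curl and hostname -I (all present on CentOS 7); DOMAINS and WEBROOT default to the values used in this post.

```shell
#!/bin/sh
# Pre-flight checks before "acme.sh --issue ... -w WEBROOT" (webroot mode).
# Added example for this post; not part of the original post or of acme.sh.
# Assumes Linux with getent, curl and "hostname -I" (true on CentOS 7).
# DOMAINS and WEBROOT are this post's values; override them via the environment.

DOMAINS="${DOMAINS:-yunzhiyutest.com www.yunzhiyutest.com}"
WEBROOT="${WEBROOT:-/usr/share/nginx/html}"

# Every IPv4 address a name resolves to, one per line.
resolve_a() {
  getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# 0 when $1 is one of the whitespace-separated addresses in $2.
ip_in_list() {
  needle="$1"
  for ip in $2; do
    [ "$ip" = "$needle" ] && return 0
  done
  return 1
}

# Drop a throw-away token under the webroot exactly where acme.sh drops the
# real one, and print its URL path. Body equals file name, like an ACME token.
place_probe_token() {
  webroot="$1"
  token="probe-$(date +%s)-$$"
  mkdir -p "$webroot/.well-known/acme-challenge"
  printf '%s' "$token" > "$webroot/.well-known/acme-challenge/$token"
  printf '%s' "/.well-known/acme-challenge/$token"
}

# Fetch the probe the way the CA does: plain HTTP on port 80, following
# redirects. 0 only if the body is the token, i.e. the request hit this webroot.
check_http_probe() {
  domain="$1"; path="$2"
  expected="${path##*/}"
  body="$(curl -sS -L --max-time 10 "http://$domain$path")" || return 1
  [ "$body" = "$expected" ]
}

preflight() {
  rc=0
  local_ips="$(hostname -I)"
  for d in $DOMAINS; do
    addrs="$(resolve_a "$d")"
    if [ -z "$addrs" ]; then
      echo "FAIL: $d does not resolve"; rc=1
    fi
    for a in $addrs; do
      if ip_in_list "$a" "$local_ips"; then
        echo "ok:   $d -> $a is this host"
      else
        echo "FAIL: $d -> $a is another host: the CA gets 'Connection refused' or a stranger's reply"
        rc=1
      fi
    done
    path="$(place_probe_token "$WEBROOT")"
    if check_http_probe "$d" "$path"; then
      echo "ok:   http://$d$path is served from $WEBROOT"
    else
      echo "FAIL: http://$d$path not served: check nginx listens on :80 and serves $WEBROOT"
      rc=1
    fi
    rm -f "$WEBROOT$path"
  done
  return $rc
}

# Run the checks only when asked, so the file can also be sourced for its functions.
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then
  if preflight; then
    echo "pre-flight passed; now run: acme.sh --issue $(printf -- '-d %s ' $DOMAINS)-w $WEBROOT"
  else
    exit 1
  fi
fi
```

Run it as PREFLIGHT_RUN=1 sh preflight.sh on the web server itself. A name that resolves to another address, or a probe that comes back as the site's index.html instead of the token, is exactly the situation that produced the error in the log above; fix DNS or the nginx webroot first, then run acme.sh --issue.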

# List certificates
acme.sh --list

# Remove a certificate from acme.sh's management (stops renewal; the files are left in place)
acme.sh --remove -d <domain>

# Install the certificate
My site is served by nginx, so this section records how to install the certificate into nginx; for other web servers follow the acme.sh documentation. Without further ado, on to the point.

The certificate issued in the previous section was placed under /root/.acme.sh/esofar.cn (here /root/.acme.sh/yunzhiyutest.com). That is acme.sh's internal working directory and its layout may change between versions, so the nginx configuration must not read the certificate files from there directly.

The correct way is --installcert (also spelled --install-cert): give it the target paths and acme.sh copies the key and full chain there, remembers those paths, and repeats the copy and the --reloadcmd after every automatic renewal. The reload command is what makes a renewal take effect, because nginx reads the certificate files only at start-up or reload.

One command does it:

acme.sh  --installcert -d esofar.cn \
         --key-file /etc/nginx/ssl/esofar.cn.key \
         --fullchain-file /etc/nginx/ssl/fullchain.cer \
         --reloadcmd "service nginx force-reload"
Here I put the certificate under /etc/nginx/ssl/ (the directory has to exist beforehand, as the log below shows).

[root@iZpk32a2yj84bfZ nginx]# acme.sh --installcert -d yunzhiyutest.com \
> --key-file /etc/nginx/ssl/yunzhiyutest.com.key \
> --fullchain-file /etc/nginx/ssl/yunzhiyutest.com.cer \
> --reloadcmd "service nginx reload"
[Mon May 20 11:10:02 CST 2019] Installing key to:/etc/nginx/ssl/yunzhiyutest.com.key
/root/.acme.sh/acme.sh: line 5069: /etc/nginx/ssl/yunzhiyutest.com.key: No such file or directory
[root@iZpk32a2yj84bfZ nginx]# mkdie -p /etc/nginx/ssl
-bash: mkdie: command not found
[root@iZpk32a2yj84bfZ nginx]# mkdir -p /etc/nginx/ssl
[root@iZpk32a2yj84bfZ nginx]# acme.sh --installcert -d yunzhiyutest.com --key-file /etc/nginx/ssl/yunzhiyutest.com.key --fullchain-file /etc/nginx/ssl/yunzhiyutest.com.cer --reloadcmd "service nginx reload"
[Mon May 20 11:10:38 CST 2019] Installing key to:/etc/nginx/ssl/yunzhiyutest.com.key
[Mon May 20 11:10:38 CST 2019] Installing full chain to:/etc/nginx/ssl/yunzhiyutest.com.cer
[Mon May 20 11:10:38 CST 2019] Run reload cmd: service nginx reload
Redirecting to /bin/systemctl reload nginx.service
[Mon May 20 11:10:38 CST 2019] Reload success
[root@iZpk32a2yj84bfZ nginx]# ls


The last step is to edit the nginx configuration to enable TLS and reload nginx; only the relevant parts are shown. Reference nginx configuration (from the post linked above, hence esofar.cn; substitute your own domain and exactly the --key-file and --fullchain-file paths you passed to --installcert):

    server {
        listen 443 ssl;
        server_name esofar.cn;

        # "ssl on;" is not needed: "listen 443 ssl" already enables TLS
        # (the directive is deprecated since nginx 1.15 and removed in 1.25).
        # Both paths must be exactly the --fullchain-file and --key-file given to --installcert
        # (on this host: /etc/nginx/ssl/yunzhiyutest.com.cer and /etc/nginx/ssl/yunzhiyutest.com.key).
        ssl_certificate      /etc/nginx/ssl/fullchain.cer;
        ssl_certificate_key  /etc/nginx/ssl/esofar.cn.key;
        # Without this, nginx 1.12 still offers TLSv1 and TLSv1.1.
        ssl_protocols TLSv1.2;

        root /home/wwwroot/esofar.cn;
        index index.html;

        location / {
            try_files $uri $uri/ @router;
            index index.html;
        }

        location @router {
            rewrite ^.*$ /index.html last;
        }
    }

    server {
        listen 80;
        server_name esofar.cn;

        # Keep serving the ACME challenge directory over plain HTTP from the same
        # webroot given to "acme.sh --issue -w", so the daily cron renewal still
        # validates. Without this the 301 below sends the CA to HTTPS, where the
        # @router rule answers with /index.html instead of the challenge file.
        location /.well-known/acme-challenge/ {
            root /usr/share/nginx/html;
        }

        # $host rather than $server_name, so a request for a second server_name
        # (e.g. www.) is not redirected to the first one.
        location / {
            return 301 https://$host$request_uri;
        }
    }
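After the reload it is worth checking the installed files and what nginx actually presents, rather than trusting the "Reload success" line in the log. The script below is an added example written for this post (not part of the original post or of acme.sh): it confirms the private key belongs to the certificate (a mismatch makes nginx refuse to reload), that the --fullchain-file really contains the intermediate, how many days remain, that the key is readable only by its owner, that the renewal cron entry exists, and finally what the live server presents for the domain via SNI. It assumes openssl and GNU coreutils (date -d, stat -c) as on CentOS 7; CERT, KEY and DOMAIN default to the paths used in this post's --installcert command.

```shell
#!/bin/sh
# Checks on the files --installcert copied to /etc/nginx/ssl and on what nginx
# serves after the reload. Added example for this post; not part of the original
# post or of acme.sh. Assumes openssl and GNU coreutils (date -d, stat -c), as on
# CentOS 7. CERT/KEY/DOMAIN are this post's values; override via the environment.

CERT="${CERT:-/etc/nginx/ssl/yunzhiyutest.com.cer}"
KEY="${KEY:-/etc/nginx/ssl/yunzhiyutest.com.key}"
DOMAIN="${DOMAIN:-www.yunzhiyutest.com}"

# 0 if the private key and the certificate carry the same public key. A mismatch
# (key from one acme.sh run, cert from another) makes nginx refuse to reload.
key_matches_cert() {
  k="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
  c="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# How many PEM certificates the file holds: the --fullchain-file must contain at
# least two (leaf plus intermediate) or clients will see an incomplete chain.
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Whole days until the first (leaf) certificate in the file expires.
days_until_expiry() {
  na="$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')"
  echo $(( ($(date -d "$na" +%s) - $(date +%s)) / 86400 ))
}

# 0 if only the owner can read the private key (mode 0600 or 0400).
key_perms_ok() {
  case "$(stat -c %a "$1")" in 600|400) return 0 ;; *) return 1 ;; esac
}

# 0 if the cron entry acme.sh installed for daily renewal is still present.
renewal_cron_present() {
  crontab -l 2>/dev/null | grep -q 'acme.sh --cron'
}

# Subject, issuer and expiry of the leaf the live server presents for a name,
# requested via SNI: what a browser sees after "service nginx reload".
live_leaf() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate
}

verify_install() {
  rc=0
  if key_matches_cert "$KEY" "$CERT"; then echo "ok:   key matches certificate"
  else echo "FAIL: $KEY does not match $CERT"; rc=1; fi
  n="$(cert_count "$CERT")"
  if [ "$n" -ge 2 ]; then echo "ok:   chain file holds $n certificates"
  else echo "FAIL: $CERT is not a full chain (use --fullchain-file, not the bare .cer)"; rc=1; fi
  days="$(days_until_expiry "$CERT")"
  if [ "$days" -gt 30 ]; then echo "ok:   $days days until expiry"
  else echo "WARN: only $days days left; acme.sh should have renewed at 60 days of age"; rc=1; fi
  if key_perms_ok "$KEY"; then echo "ok:   $KEY is readable by its owner only"
  else echo "FAIL: $KEY is readable by others; chmod 600 it"; rc=1; fi
  if renewal_cron_present; then echo "ok:   renewal cron job present"
  else echo "FAIL: no acme.sh cron entry; run acme.sh --install-cronjob"; rc=1; fi
  echo "live server presents:"
  live_leaf "$DOMAIN" || { echo "FAIL: no TLS answer on $DOMAIN:443"; rc=1; }
  return $rc
}

# Run only when asked, so the file can be sourced for its functions.
if [ "${VERIFY_RUN:-0}" = 1 ]; then
  verify_install
fi
```

Run it as VERIFY_RUN=1 sh verify-install.sh on the server. The chain-count check catches the easy mistake of pointing ssl_certificate at the bare .cer instead of the full chain; the live check catches a reload that silently kept the old certificate, which the cron renewal would otherwise hide until the old one expired.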
   
   
# Renew the certificate
Let's Encrypt certificates are currently valid for 90 days. acme.sh renews them automatically from the cron job installed above (by default once a certificate is 60 days old), copies the new files to the --installcert paths and runs the reload command, so nothing needs to be done by hand. Let's Encrypt may shorten the lifetime in future; that too is handled automatically.

You can also force a renewal, for example to confirm that the install paths and the reload command work:

acme.sh --renew -d example.com --force

Use --force sparingly: Let's Encrypt allows at most five duplicate certificates for the same set of names per week.
# Upgrade acme.sh
Because both the ACME protocol and the Let's Encrypt CA change frequently, acme.sh is updated often to keep up.

Upgrade acme.sh to the latest version:

acme.sh --upgrade

If you would rather not upgrade by hand, enable automatic upgrades:

acme.sh --upgrade --auto-upgrade

You can turn automatic upgrades off again at any time:

acme.sh --upgrade --auto-upgrade 0

Note that since acme.sh 3.0 (August 2021) the default CA is ZeroSSL rather than Let's Encrypt. After upgrading, pass --server letsencrypt to --issue, or run acme.sh --set-default-ca --server letsencrypt once, if you want to keep getting Let's Encrypt certificates.