HTTPS - Let's Encrypt

参考链接

Let’s Encrypt，免费好用的 HTTPS 证书

获取网站证书

sudo mkdir /var/www/challenges
sudo mkdir /var/www/ssl

cd /var/www/ssl

openssl genrsa 4096 > account.key
openssl genrsa 4096 > domain.key
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:yoursite.com,DNS:www.yoursite.com")) > domain.csr

wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt

wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem

wget -O - https://letsencrypt.org/certs/isrgrootx1.pem > root.pem
cat intermediate.pem root.pem > full_chained.pem

编辑 Nginx 配置文件

1	vi /etc/nginx/sites-available/default

server {

    listen 443 default_server;
    listen [::]:443 default_server;

    root /var/www/xxx.com;

    index index.html index.htm index.php;

    ssl on;
    ssl_certificate     /var/www/ssl/chained.pem;
    ssl_certificate_key /var/www/ssl/domain.key;

    server_name _;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
    }

    location ~ /\.ht {
        deny all;
    }
}

server {
    listen 80;
    server_name xxx.com;

    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/challenges/;
        try_files $uri =404;
    }
    
    location / {
        rewrite ^/(.*)$ https://$server_name/$1 permanent;
    }
}

重启服务

1	sudo systemctl reload nginx

自动更新脚本

以 root 用户运行 crontab

#!/bin/bash

__DIR__=`cd "$(dirname "$0")"; pwd`
cd "${__DIR__}"

python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt

wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem

sudo systemctl reload nginx