acme.sh安装SSL证书

通过 acme.sh 来安装

# acme.sh SSL certificate setup — a sequential walkthrough, not a runnable script:
# steps 1-6 and 8 are shell commands, step 7 is an nginx server-block snippet that
# belongs in the nginx site configuration file, not in a shell.
# Replace mydomain.com / domain.com, the e-mail address and the /path/to/... paths
# with your own values before running anything.

# 1. Install acme.sh
#    NOTE(review): this fetches a remote script and pipes it straight into sh; if
#    your policy requires reviewing executed code, download it to a file and read
#    it first. `email=` presumably becomes the ACME account contact — confirm in
#    the acme.sh docs.
curl https://get.acme.sh | sh -s email=username@example.com

# 2. Reload the shell config so the freshly installed acme.sh command is available
#    (presumably the installer added it to ~/.bashrc — check the install output)
source ~/.bashrc

# 3. Enable automatic self-upgrade of acme.sh
acme.sh --upgrade --auto-upgrade

# 4. Pick the default CA (Let's Encrypt is free)
acme.sh --set-default-ca --server letsencrypt

# 5. With the corresponding web server running, issue the certificate; in these
#    modes acme.sh works off the running server's own config, so no webroot needs
#    to be specified
## nginx
acme.sh --issue -d mydomain.com --nginx
## apache
acme.sh --issue -d mydomain.com --apache

# 6. The issued certificate lives under /root/.acme.sh/; use --install-cert to copy
#    it to the location the web server reads from. The target directories are
#    created if missing. After installation check that the private key file is not
#    world-readable (only root / the server's user should be able to read it).
#    --reloadcmd is the command acme.sh runs so the server picks up the new files
#    (presumably also after each automatic renewal — confirm in the acme.sh docs).
## apache example (directories are created if they do not exist)
acme.sh --install-cert -d domain.com \
--cert-file /path/to/certfile/in/apache/cert.pem \
--key-file /path/to/keyfile/in/apache/key.pem \
--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd "service apache2 force-reload"
## nginx example (directories are created if they do not exist)
## Note: the full chain is written to cert.pem here, which is exactly the file the
## nginx ssl_certificate directive in step 7 points at — keep the two paths in sync.
acme.sh --install-cert -d domain.com \
--key-file /etc/nginx/certs/domain.com/key.pem \
--fullchain-file /etc/nginx/certs/domain.com/cert.pem \
--reloadcmd "service nginx force-reload"

# 7. Configure the certificate paths in the server config and enable SSL (nginx).
#    This block is nginx configuration, not shell — place it in the nginx site config.
#    NOTE(review): no ssl_protocols / cipher settings are shown, so nginx defaults
#    apply; set them explicitly if you need to pin the accepted TLS versions.
server {
listen 443 ssl;
server_name domain.com;
# nginx needs the full chain (leaf + intermediates) here, hence --fullchain-file in step 6
ssl_certificate /etc/nginx/certs/domain.com/cert.pem;
ssl_certificate_key /etc/nginx/certs/domain.com/key.pem;
location / {
proxy_pass http://localhost:1002; # port of the proxied backend service
# pass the original host, client address and scheme through to the backend
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# plain-HTTP listener that permanently (301) redirects every request to HTTPS
server {
listen 80;
server_name domain.com; # redirect HTTP to HTTPS
return 301 https://$server_name$request_uri;
}

# 8. Restart the service for the changes to take effect
#    (running `nginx -t` first catches config errors before the restart)
sudo systemctl restart nginx