CentOS使用acme.sh部署Let’s Encrypt免费泛域名ssl证书-追风逐雨

部署 HTTPS 网站的时候需要证书，证书由 CA 机构签发，大部分传统 CA 机构签发证书是需要收费的，但是Let’s Encrypt这个CA机构签发的证书是免费的！利用acme.sh脚本就可以自动生成Let’s Encrypt证书，并且现在支持域名泛解析证书，意思就是*.shileiye.com旗下所有的子域名都可以使用同一个证书，而不用每个域名都得申请单独的证书。

下面我们就开始一步一步使用acme.sh部署Let’s Encrypt免费泛域名ssl证书，并设置证书的自动续期。

一、安装依赖环境

yum -y install curl && yum -y install cron && yum -y install socat

1	yum -y install curl && yum -y install cron && yum -y install socat

二、下载并安装acme.sh

curl https://get.acme.sh | sh

1	curl https://get.acme.sh \| sh

三、获取并设置域名API

1、以阿里云为例，登录阿里云【控制台】—【我的头像】 — 【accesskeys】 —【创建AccessKey】 —【验证手机短信】—【生成并记录AccessKey ID和Access Key Secret】

2、将获取到的AccessKey ID和Access Key Secret使用以下命令设置保存到服务器以便生成证书时调用。

export Ali_Key="AccessKeyID"
export Ali_Secret="AccessKeySecret"

1 2	export Ali_Key="AccessKeyID" export Ali_Secret="AccessKeySecret"

3、可能的话，最好使用以下命令注册自己的电子邮件地址以接收证书过期提示和管理生成的证书，此项非必须。

acme.sh --install --accountemail youmail@xx.com

1	acme.sh --install --accountemail youmail@xx.com

四、生成并保存证书到对应路径

acme.sh --issue --dns dns_ali -d shileiye.com -d *.shileiye.com \
    --renew-hook "acme.sh --install-cert -d shileiye.com" \
    --key-file /home/ssl/acme/shileiye.com.key \
    --fullchain-file /home/ssl/acme/shileiye.com.cer \
    --reloadcmd "service nginx restart"

acme.sh --issue --dns dns_ali -d shileiye.com -d *.shileiye.com \

--renew-hook "acme.sh --install-cert -d shileiye.com" \

--key-file /home/ssl/acme/shileiye.com.key \

--fullchain-file /home/ssl/acme/shileiye.com.cer \

--reloadcmd "service nginx restart"

如果是Apache服务器请将--reloadcmd "service nginx restart" 修改为--reloadcmd "service httpd restart"，此命令意思是在生成证书后执行重启WEB服务器，您也可以删除这句命令，避免出现配置错误，稍后配置好WEB服务器证书配置后再手动重启WEB服务器，不过该处命令也会在续期时执行，如无此句，证书自动续期后可能不会自动重启WEB服务。
acme.sh参数列表：https://github.com/Neilpang/acme.sh/wiki/Options-and-Params
你也可以直接输入命令：acme.sh 则可显示所有命令及选项帮助。

五、手动配置证书到Nginx或Apache

Nginx参考配置：

server {
    listen                     80;
    #侦听443端口
    listen                     443 ssl;
    #绑定域名
    server_name                shileiye.com;
    #站点路径
    root                       /home/www/shileiye.com;
    index                      index.html index.htm index.php;
    #密钥路径
    ssl_certificate            /home/ssl/acme/shileiye.com.cer;
    #证书路径
    ssl_certificate_key        /home/ssl/acme/shileiye.com.key;
    ssl_ciphers                ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers  on;
    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache          shared:SSL:5m;
    ssl_session_timeout        5m;

    #http强制跳转到https
    if ($scheme = http) {
        return  301 https://$host$request_uri;
    }

    location ~ ^/.+\.php {
        fastcgi_index            index.php;
        fastcgi_split_path_info  ^(.+\.php)(.*)$;
        fastcgi_param            SCRIPT_FILENAME $request_filename;
        fastcgi_param            PATH_INFO $fastcgi_path_info;
        fastcgi_param            PATH_TRANSLATED $document_root$fastcgi_path_info;
        include                  fastcgi_params;
        fastcgi_pass             127.0.0.1:9002;
    }
}

server {

listen 80;

#侦听443端口

listen 443 ssl;

#绑定域名

server_name shileiye.com;

#站点路径

root /home/www/shileiye.com;

index index.html index.htm index.php;

#密钥路径

ssl_certificate /home/ssl/acme/shileiye.com.cer;

#证书路径

ssl_certificate_key /home/ssl/acme/shileiye.com.key;

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;

ssl_prefer_server_ciphers on;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_session_cache shared:SSL:5m;

ssl_session_timeout 5m;

#http强制跳转到https

if ($scheme = http) {

return 301 https://$host$request_uri;

}

location ~ ^/.+\.php {

fastcgi_index index.php;

fastcgi_split_path_info ^(.+\.php)(.*)$;

fastcgi_param SCRIPT_FILENAME $request_filename;

fastcgi_param PATH_INFO $fastcgi_path_info;

fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;

include fastcgi_params;

fastcgi_pass 127.0.0.1:9002;

}

Apache参考配置

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5
SSLProxyCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5
SSLHonorCipherOrder on

SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLPassPhraseDialog builtin

SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

Mutex sysvsem default

SSLStrictSNIVHostCheck on

H2ModernTLSOnly off

<VirtualHost *:443>
    DocumentRoot "/home/www/shileiye.com"
    ServerName shileiye.com
    ServerAlias *.shileiye.com
    SSLEngine on
    SSLCertificateFile "/home/ssl/acme/shileiye.com.cer"
    SSLCertificateKeyFile "/home/ssl/acme/shileiye.com.key"
    ErrorLog "/home/www/logs/IP-error_log"
    CustomLog "/home/www/logs/IP-access_log" combined
    <Directory "/home/www/shileiye.com">
        SetOutputFilter DEFLATE
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        DirectoryIndex index.html index.php
    </Directory>
</VirtualHost>

Listen 443

AddType application/x-x509-ca-cert .crt

AddType application/x-pkcs7-crl .crl

SSLCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5

SSLProxyCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5

SSLHonorCipherOrder on

SSLProtocol all -SSLv2 -SSLv3

SSLProxyProtocol all -SSLv2 -SSLv3

SSLPassPhraseDialog builtin

SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"

SSLSessionCacheTimeout 300

Mutex sysvsem default

SSLStrictSNIVHostCheck on

H2ModernTLSOnly off

DocumentRoot "/home/www/shileiye.com"

ServerName shileiye.com

ServerAlias *.shileiye.com

SSLEngine on

SSLCertificateFile "/home/ssl/acme/shileiye.com.cer"

SSLCertificateKeyFile "/home/ssl/acme/shileiye.com.key"

ErrorLog "/home/www/logs/IP-error_log"

CustomLog "/home/www/logs/IP-access_log" combined

SetOutputFilter DEFLATE

Options FollowSymLinks

AllowOverride All

Order allow,deny

Allow from all

DirectoryIndex index.html index.php

</Directory>

</VirtualHost>

六、重启服务器

#Nginx
service nginx restart

#Apache
service httpd restart

#Nginx

service nginx restart

#Apache

service httpd restart

重启WEB服务成功后，重新打开浏览器访问https://你的域名，页面正常显示、地址栏加锁则配置成功！如存在问题可运行nginx -t检查nginx配置文件是否正确

七、证书续期

生成证书时的acme.sh脚本已经添加自动续期的计划任务，可通过 crontab -l 来查看续期任务是否存在。

转载请注明：追风逐雨 » CentOS使用acme.sh部署Let’s Encrypt免费泛域名ssl证书

CentOS使用acme.sh部署Let’s Encrypt免费泛域名ssl证书

一、安装依赖环境

二、下载并安装acme.sh

三、获取并设置域名API

四、生成并保存证书到对应路径

五、手动配置证书到Nginx或Apache

六、重启服务器

七、证书续期

与本文相关的文章

您必须登录才能发表评论！

一、安装依赖环境

二、下载并安装acme.sh

三、获取并设置域名API

四、生成并保存证书到对应路径

五、手动配置证书到Nginx或Apache

六、重启服务器

七、证书续期

与本文相关的文章

您必须 登录 才能发表评论！

您必须登录才能发表评论！