Background
I recently built a back-office system on my own. To make its domain reachable over HTTPS, an SSL certificate has to be configured. For an individual, though, buying an SSL certificate is fairly expensive and becomes a sizeable recurring cost every year. So I did some research, found a few sources of free SSL certificates, and am recording the installation and usage steps here.
Prerequisites
- Register at https://freessl.cn/ and complete validation of your domain; the domain assumed throughout is xh.yhz.me.
- The server, load balancer or proxy that fronts the site must expose port 443 to the outside.
Installing the certificate
Install acme.sh
root@host-1:/data/https# git clone https://gitee.com/neilpang/acme.sh.git
Cloning into 'acme.sh'...
remote: Enumerating objects: 15596, done.
remote: Total 15596 (delta 0), reused 0 (delta 0), pack-reused 15596
Receiving objects: 100% (15596/15596), 4.85 MiB | 4.21 MiB/s, done.
Resolving deltas: 100% (9732/9732), done.
root@host-1:/data/https# cd acme.sh
root@host-1:/data/https/acme.sh# ./acme.sh --install -m [email protected]
[Tue Dec 5 02:32:52 PM CST 2023] It is recommended to install socat first.
[Tue Dec 5 02:32:52 PM CST 2023] We use socat for standalone server if you use standalone mode.
[Tue Dec 5 02:32:52 PM CST 2023] If you don't use standalone mode, just ignore this warning.
[Tue Dec 5 02:32:52 PM CST 2023] Installing to /root/.acme.sh
[Tue Dec 5 02:32:52 PM CST 2023] Installed to /root/.acme.sh/acme.sh
[Tue Dec 5 02:32:52 PM CST 2023] Installing alias to '/root/.bashrc'
[Tue Dec 5 02:32:52 PM CST 2023] OK, Close and reopen your terminal to start using acme.sh
[Tue Dec 5 02:32:52 PM CST 2023] Installing cron job
5 1 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Tue Dec 5 02:32:52 PM CST 2023] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Dec 5 02:32:53 PM CST 2023] OK
Reload the shell environment
source ~/.bashrc
Obtain the certificate
1. In the freessl.cn console, obtain your personal ACME directory URL; here it is assumed to be: https://acme.freessl.cn/v2/DV90/directory/fakehashid
2. Issue the certificate
root@host-1:/data/https# acme.sh --issue -d xh.yhz.me --dns dns_dp --server https://acme.freessl.cn/v2/DV90/directory/fakehashid
(sensitive output in between omitted here)
[Tue Dec 5 02:46:23 PM CST 2023] Your cert is in: /root/.acme.sh/xh.yhz.me/xh.yhz.me.cer
[Tue Dec 5 02:46:23 PM CST 2023] Your cert key is in: /root/.acme.sh/xh.yhz.me/xh.yhz.me.key
[Tue Dec 5 02:46:23 PM CST 2023] The intermediate CA cert is in: /root/.acme.sh/xh.yhz.me/ca.cer
[Tue Dec 5 02:46:23 PM CST 2023] And the full chain certs is there: /root/.acme.sh/xh.yhz.me/fullchain.cer
Install the certificate
root@host-1:/etc/nginx/ssl# acme.sh --install-cert -d xh.yhz.me \
--key-file /etc/nginx/ssl/xh.yhz.me.key \
--fullchain-file /etc/nginx/ssl/xh.yhz.me.crt \
--ca-file /etc/nginx/ssl/xh.yhz.me.ca.crt \
--reloadcmd "systemctl restart nginx"
[Tue Dec 5 03:08:24 PM CST 2023] Installing CA to: /etc/nginx/ssl/xh.yhz.me.ca.crt
[Tue Dec 5 03:08:24 PM CST 2023] Installing key to: /etc/nginx/ssl/xh.yhz.me.key
[Tue Dec 5 03:08:24 PM CST 2023] Installing full chain to: /etc/nginx/ssl/xh.yhz.me.crt
[Tue Dec 5 03:08:24 PM CST 2023] Run reload cmd: systemctl restart nginx
Using the certificate
Edit the Nginx configuration
vim /etc/nginx/conf.d/xh.yhz.me.conf
# Add the following server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name xh.yhz.me;
    root /data/xh.yhz.me/dist;

    # Files written by "acme.sh --install-cert" above
    ssl_certificate /etc/nginx/ssl/xh.yhz.me.crt;
    ssl_certificate_key /etc/nginx/ssl/xh.yhz.me.key;
    ssl_trusted_certificate /etc/nginx/ssl/xh.yhz.me.ca.crt;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Reverse-proxy the API backend, stripping the /api prefix
    location /api {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE';
        add_header 'Access-Control-Allow-Headers' 'Content-Type';
        rewrite ^.+api/?(.*)$ /$1 break;
        include uwsgi_params;
        proxy_pass http://127.0.0.1:8083;
        proxy_set_header HOST $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Restart nginx
# Check that the configuration is valid
/etc/init.d/nginx configtest
# Restart Nginx
/etc/init.d/nginx restart
Check the automatic renewal job
When acme.sh was installed, this cron job was created by default; it checks whether the certificate is due for renewal and renews it automatically.
root@host-1:/etc/nginx/ssl# crontab -l
5 1 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
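Once nginx has been restarted and the cron job is in place, it is worth confirming that what nginx actually serves on 443 is the freshly installed certificate and how far it is from the renewal window. The script below is an added example, not part of the original post or of acme.sh; it uses only the Python standard library, and the constructed sample certificate dict and the 30-day warning threshold are assumptions.

```python
"""Post-install check for the xh.yhz.me deployment: fetch the leaf certificate
nginx serves on 443, confirm it covers the host and report the remaining lifetime."""
import socket
import ssl
from datetime import datetime, timezone


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Return the served leaf certificate as the dict ssl's getpeercert() yields."""
    ctx = ssl.create_default_context()  # also verifies the chain and hostname
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_matches(cert: dict, host: str) -> bool:
    """Exact or single-label wildcard match against the DNS SAN entries."""
    host = host.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def assess_cert(cert: dict, host: str, now: datetime, warn_days: int = 30) -> dict:
    """Summarise SAN coverage and days left; warn_days is the point below which
    the acme.sh cron job should already have renewed (threshold is an assumption)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    covered = san_matches(cert, host)
    return {"host_covered": covered, "days_left": days_left,
            "needs_attention": (not covered) or days_left < warn_days}


# Constructed sample (not a real certificate) so the check can be exercised offline.
SAMPLE_CERT = {"subjectAltName": (("DNS", "xh.yhz.me"),),
               "notAfter": "Mar  4 06:46:23 2024 GMT"}
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "xh.yhz.me"
    print(assess_cert(fetch_peer_cert(target), target, datetime.now(timezone.utc)))
```

Run it with the domain as the first argument after each deployment or renewal; if "needs_attention" is true, check the cron job output and the reloadcmd before the certificate actually expires.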