
Installing a free SSL certificate and using it with Nginx

Published: at 00:00

Background

I recently built a back-office system on my own, and to make its domain reachable over HTTPS it needed an SSL certificate. For an individual, buying one is fairly expensive and the yearly cost adds up, so I looked around for free SSL certificates and am recording the installation and usage steps here.

Prerequisites

Certificate setup

Install acme.sh

root@host-1:/data/https# git clone https://gitee.com/neilpang/acme.sh.git
Cloning into 'acme.sh'...
remote: Enumerating objects: 15596, done.
remote: Total 15596 (delta 0), reused 0 (delta 0), pack-reused 15596
Receiving objects: 100% (15596/15596), 4.85 MiB | 4.21 MiB/s, done.
Resolving deltas: 100% (9732/9732), done.
root@host-1:/data/https# cd acme.sh
root@host-1:/data/https/acme.sh# ./acme.sh --install -m [email protected]
[Tue Dec  5 02:32:52 PM CST 2023] It is recommended to install socat first.
[Tue Dec  5 02:32:52 PM CST 2023] We use socat for standalone server if you use standalone mode.
[Tue Dec  5 02:32:52 PM CST 2023] If you don't use standalone mode, just ignore this warning.
[Tue Dec  5 02:32:52 PM CST 2023] Installing to /root/.acme.sh
[Tue Dec  5 02:32:52 PM CST 2023] Installed to /root/.acme.sh/acme.sh
[Tue Dec  5 02:32:52 PM CST 2023] Installing alias to '/root/.bashrc'
[Tue Dec  5 02:32:52 PM CST 2023] OK, Close and reopen your terminal to start using acme.sh
[Tue Dec  5 02:32:52 PM CST 2023] Installing cron job
5 1 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Tue Dec  5 02:32:52 PM CST 2023] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Dec  5 02:32:53 PM CST 2023] OK

Reload the shell environment

source ~/.bashrc

Obtain the certificate

1. Get your personal ACME directory URL from the freessl.cn dashboard. This article assumes it is https://acme.freessl.cn/v2/DV90/directory/fakehashid; the real URL is tied to your account, so do not publish it.

2. Issue the certificate. --dns dns_dp selects the DNS-01 challenge through the DNSPod API: acme.sh's dns_dp hook reads the API credentials from the DP_Id and DP_Key environment variables on the first run and saves them in ~/.acme.sh/account.conf for later renewals, so that file carries a token that can change your DNS zone and must stay readable by root only.

root@host-1:/data/https# acme.sh --issue -d xh.yhz.me  --dns dns_dp --server https://acme.freessl.cn/v2/DV90/directory/fakehashid

(The intermediate output contains sensitive values and is omitted here.)

[Tue Dec  5 02:46:23 PM CST 2023] Your cert is in: /root/.acme.sh/xh.yhz.me/xh.yhz.me.cer
[Tue Dec  5 02:46:23 PM CST 2023] Your cert key is in: /root/.acme.sh/xh.yhz.me/xh.yhz.me.key
[Tue Dec  5 02:46:23 PM CST 2023] The intermediate CA cert is in: /root/.acme.sh/xh.yhz.me/ca.cer
[Tue Dec  5 02:46:23 PM CST 2023] And the full chain certs is there: /root/.acme.sh/xh.yhz.me/fullchain.cer

Install the certificate into Nginx

acme.sh --install-cert copies the files to the paths given here and records both the paths and the reload command in its per-domain config, so every later renewal re-runs the same copy and reload. A plain "systemctl reload nginx" is enough to pick up new files without dropping open connections; this run used restart.

root@host-1:/etc/nginx/ssl# acme.sh --install-cert -d xh.yhz.me \
--key-file       /etc/nginx/ssl/xh.yhz.me.key  \
--fullchain-file /etc/nginx/ssl/xh.yhz.me.crt \
--ca-file        /etc/nginx/ssl/xh.yhz.me.ca.crt \
--reloadcmd     "systemctl restart nginx"



[Tue Dec  5 03:08:24 PM CST 2023] Installing CA to: /etc/nginx/ssl/xh.yhz.me.ca.crt
[Tue Dec  5 03:08:24 PM CST 2023] Installing key to: /etc/nginx/ssl/xh.yhz.me.key
[Tue Dec  5 03:08:24 PM CST 2023] Installing full chain to: /etc/nginx/ssl/xh.yhz.me.crt
[Tue Dec  5 03:08:24 PM CST 2023] Run reload cmd: systemctl restart nginx
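Before relying on the reload, it is worth checking what was actually written. The script below is an added example, not part of the original post or of acme.sh: it assumes the file layout produced by the install-cert command above (DOMAIN.crt, DOMAIN.key and DOMAIN.ca.crt under one directory) and checks that the key belongs to the leaf certificate, that the leaf verifies against the installed CA file and covers the domain, that expiry is not imminent, and that the key file is not group- or world-readable. Everything is done with plain openssl commands.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check what
# `acme.sh --install-cert` wrote before trusting the reload.
# Assumed layout, matching the install-cert command above:
#   DIR/DOMAIN.crt     full chain (leaf first)  -> ssl_certificate
#   DIR/DOMAIN.key     private key              -> ssl_certificate_key
#   DIR/DOMAIN.ca.crt  issuing CA               -> ssl_trusted_certificate
set -eu

# 0 if the private key belongs to the leaf certificate: their public-key PEMs are identical.
# Both outputs must be non-empty, otherwise a parse failure would compare "" with "".
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null || true)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the leaf (first cert in the chain file) verifies against the CA file written
# by acme.sh and its SAN/CN covers DOMAIN. -partial_chain is needed because
# ca.cer is the intermediate, not a self-signed root in the system trust store.
chain_verifies() {
  leaf=$(mktemp)
  openssl x509 -in "$1" -out "$leaf" 2>/dev/null
  if openssl verify -partial_chain -CAfile "$2" -verify_hostname "$3" "$leaf" >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -f "$leaf"
  return $rc
}

# 0 if the certificate is still valid DAYS days from now (renewal is not overdue)
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if the key is readable by its owner only (mode 600/400): group+other columns of ls -l
key_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run every check for one domain; prints one line per check, returns non-zero on any failure.
check_install() {
  domain=$1 dir=$2 rc=0
  crt="$dir/$domain.crt" key="$dir/$domain.key" ca="$dir/$domain.ca.crt"
  for f in "$crt" "$key" "$ca"; do
    [ -s "$f" ] || { echo "FAIL missing or empty: $f"; return 1; }
  done
  if key_matches_cert "$crt" "$key"; then echo "ok   key matches leaf certificate"
  else echo "FAIL $key does not belong to $crt"; rc=1; fi
  if chain_verifies "$crt" "$ca" "$domain"; then echo "ok   chain verifies and covers $domain"
  else echo "FAIL chain or hostname verification failed"; rc=1; fi
  if cert_valid_for_days "$crt" 7; then echo "ok   more than 7 days left before expiry"
  else echo "FAIL expires within 7 days: renewal is overdue"; rc=1; fi
  if key_is_private "$key"; then echo "ok   key is owner-readable only"
  else echo "FAIL $key is group/world readable (chmod 600 it)"; rc=1; fi
  return $rc
}

# Usage: sh check-cert.sh xh.yhz.me /etc/nginx/ssl
if [ $# -eq 2 ]; then
  check_install "$1" "$2"
fi
```

Run it as sh check-cert.sh xh.yhz.me /etc/nginx/ssl after every install or renewal (or put it in front of the reload command); a non-zero exit means Nginx should not be reloaded with these files.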

Using the certificate

Edit the Nginx configuration

vim /etc/nginx/conf.d/xh.yhz.me.conf

# Add the following server block
server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  xh.yhz.me;
    root         /data/xh.yhz.me/dist;

    # Files written by acme.sh --install-cert above: full chain, key, issuing CA
    ssl_certificate /etc/nginx/ssl/xh.yhz.me.crt;
    ssl_certificate_key /etc/nginx/ssl/xh.yhz.me.key;
    # Only consulted when verifying OCSP staples or client certificates; neither is enabled here
    ssl_trusted_certificate /etc/nginx/ssl/xh.yhz.me.ca.crt;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    # No ssl_protocols directive, so the build's default applies; before nginx 1.23.4 that still includes TLS 1.0 and 1.1
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location /api {
      # Wildcard CORS: any origin may read what this API returns to a cookie-less request
      # (browsers refuse to attach credentials when the allowed origin is '*').
      # add_header only applies to 2xx/3xx responses unless the 'always' flag is given.
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE';
      add_header 'Access-Control-Allow-Headers' 'Content-Type';
      # Strip the /api prefix before proxying: /api/users -> /users
      rewrite  ^.+api/?(.*)$ /$1 break;
      # uwsgi_params only sets uwsgi_param directives, which proxy_pass ignores; harmless but unused
      include  uwsgi_params;
      proxy_pass http://127.0.0.1:8083;
      proxy_set_header HOST $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto  $scheme;
    }
}
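The block above works, but it leaves the TLS protocol set at the build's default, never redirects plain HTTP, and hands the API out to every origin. As an added example, not the post's own configuration, here is a hardened variant of the same server block. It assumes the same certificate paths and upstream port as above; the allowed front-end origin https://admin.example.com and the resolver addresses are placeholders to replace, and the OCSP stapling lines only take effect if the issuing CA publishes an OCSP responder.

```nginx
# Added example: hardened variant of the server block above (not the post's config).
# Assumptions: same certificate paths and upstream as above; the CORS origin and
# resolver addresses are placeholders.

# Plain HTTP only redirects. The ACME challenge here is DNS-01, so nothing else needs port 80.
server {
    listen       80;
    listen       [::]:80;
    server_name  xh.yhz.me;
    return 301 https://$host$request_uri;
}

server {
    listen       443 ssl http2;   # nginx >= 1.25.1 prefers "listen 443 ssl;" plus "http2 on;"
    listen       [::]:443 ssl http2;
    server_name  xh.yhz.me;
    root         /data/xh.yhz.me/dist;

    ssl_certificate         /etc/nginx/ssl/xh.yhz.me.crt;
    ssl_certificate_key     /etc/nginx/ssl/xh.yhz.me.key;
    ssl_trusted_certificate /etc/nginx/ssl/xh.yhz.me.ca.crt;

    # Explicit protocol list: do not depend on the build's default
    ssl_protocols TLSv1.2 TLSv1.3;
    # AEAD suites with forward secrecy only (TLS 1.3 suites are fixed and not listed here)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling is what ssl_trusted_certificate is actually for
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 8.8.8.8 valid=300s;   # placeholder: use resolvers you trust

    # Browsers ignore HSTS over plain HTTP; start with a short max-age and raise it once everything works
    add_header Strict-Transport-Security "max-age=86400" always;
    add_header X-Content-Type-Options nosniff always;

    # Trailing slash on both location and proxy_pass strips the /api/ prefix without a rewrite:
    # /api/users -> http://127.0.0.1:8083/users. Note this no longer matches a bare "/api".
    location /api/ {
        # One named front-end origin instead of '*'; 'always' also covers error responses
        add_header Access-Control-Allow-Origin "https://admin.example.com" always;
        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
        add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
        add_header Vary Origin always;
        # Answer CORS preflights here so they never reach the backend
        if ($request_method = OPTIONS) { return 204; }

        proxy_pass http://127.0.0.1:8083/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The X-Forwarded-Proto header is what lets the backend on port 8083 know the original request was HTTPS; it should still treat 127.0.0.1 as the only trusted proxy when it reads these headers.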

Restart nginx

# Validate the configuration before touching the running service
# (nginx -t does the same on any distribution)
/etc/init.d/nginx configtest

# Restart Nginx (a reload would also pick up the new config and certificate files)
/etc/init.d/nginx restart

Check the automatic renewal cron job

acme.sh creates this cron job at install time. It runs once a day, checks whether any certificate managed by acme.sh is due for renewal (by default once it is more than 60 days old), renews it, and then re-runs the file copies and the reload command recorded by --install-cert, so Nginx picks up the new certificate without manual steps. Because the entry runs as root and executes /root/.acme.sh/acme.sh, that directory must stay owned and writable by root only.

root@host-1:/etc/nginx/ssl# crontab -l
5 1 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null