Prerequisites
- a domain name
- an Alibaba Cloud (Aliyun) account
- CentOS 7 (other systems: test for yourself)
Let the show begin.
# Install
# This pipes a script fetched over HTTPS straight into sh. If you prefer to read it first, save it with curl -o and run it afterwards.
$ curl https://get.acme.sh | sh
.
.
.
[Sat Mar 16 18:22:28 CST 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Mar 16 18:22:29 CST 2019] OK
[Sat Mar 16 18:22:29 CST 2019] Install success!
# Reload the shell environment: the installer added an alias for acme.sh to ~/.bashrc (and a daily cron job for renewals)
$ source ~/.bashrc
2. Issue the certificate
acme.sh implements every validation method the ACME protocol defines; in practice you will use one of two: HTTP validation or DNS validation.
Here we use DNS validation. For a wildcard certificate that is not just a preference: Let's Encrypt issues *.example.com only through the dns-01 challenge. DNS validation means adding a TXT record under the domain to prove you control it. Rather than adding it by hand (and again at every renewal), we let acme.sh create the TXT record through the DNS provider's API; acme.sh integrates with dozens of providers, Alibaba Cloud DNS among them. For Alibaba Cloud, log in to your account and create an AccessKey ID and AccessKey Secret (free). Do this for a dedicated RAM user that holds only the AliyunDNSFullAccess policy rather than for your root account: acme.sh stores these credentials in plaintext in ~/.acme.sh/account.conf so renewals can run unattended, and a key that can only change DNS records limits the damage if that file is ever read by someone else. Then run:
export Ali_Key="xxx" && export Ali_Secret="xxx"
# A wildcard (*.example.com) does not cover the bare apex example.com, so list both; acme.sh puts them into one certificate. Quote the wildcard so the shell does not treat it as a glob.
acme.sh --issue --dns dns_ali -d example.com -d '*.example.com'
.
.
.
[Mon Mar 25 11:28:48 CST 2019] Your cert is in /home/user/.acme.sh/example.com/example.com.cer
[Mon Mar 25 11:28:48 CST 2019] Your cert key is in /home/user/.acme.sh/example.com/example.com.key
[Mon Mar 25 11:28:48 CST 2019] The intermediate CA cert is in /home/user/.acme.sh/example.com/ca.cer
[Mon Mar 25 11:28:48 CST 2019] And the full chain certs is there: /home/user/.acme.sh/example.com/fullchain.cer
.
.
.
# Create the directory that will hold the deployed certificate
mkdir -p /data/certs/com.example/
# Do not point nginx at ~/.acme.sh directly: those files are acme.sh's working copies and their layout may change. --install-cert copies them to the paths given here, remembers the paths and the reload command, and repeats the copy and reload after every automatic renewal. Keep the copied key readable by root only.
acme.sh --install-cert -d example.com -d '*.example.com' \
--key-file "/data/certs/com.example/com.example.key" \
--fullchain-file "/data/certs/com.example/fullchain.cer" \
--reloadcmd "service nginx force-reload"
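Before handing the issued files to nginx, it is worth verifying that the certificate really names every host you intend to serve; the whole point of listing both -d example.com and -d '*.example.com' is that a wildcard matches exactly one label and never the apex. The following POSIX shell script is an added example, not part of the post and not part of acme.sh: it reads the subjectAltName list with the openssl CLI, applies the one-label wildcard rule, and checks a list of hostnames against it. The hostnames and the two self-signed test certificates it generates are constructed for the demo; point cert_covers at the fullchain.cer acme.sh produced (under ~/.acme.sh/example.com/ above, or the installed copy) to check a real one.

```shell
#!/bin/sh
# Added example (not from the original post and not part of acme.sh): before
# pointing nginx at a freshly issued certificate, confirm that its DNS SANs
# cover every hostname nginx will serve. Needs only the openssl CLI.
# Paths and hostnames below are assumptions made for the demo.

# List the DNS names in a PEM certificate's subjectAltName, one per line.
# Parses the -text output so it works on OpenSSL 1.0.2 (CentOS 7) as well as 1.1/3.x.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
}

# Return 0 when hostname $2 is matched by SAN entry $1.
# A wildcard covers exactly one leftmost label (RFC 6125 section 6.4.3):
# *.example.com matches www.example.com but neither example.com nor a.b.example.com.
san_matches() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$pattern" = "$host" ] && return 0
    case "$pattern" in
        \*.*)
            suffix=${pattern#\*.}
            first=${host%%.*}       # leftmost label of the hostname
            rest=${host#*.}         # everything after the first dot
            [ "$first" != "$host" ] && [ -n "$first" ] && [ "$rest" = "$suffix" ]
            ;;
        *)
            return 1
            ;;
    esac
}

# Return 0 when every hostname argument is covered by some SAN in cert file $1;
# uncovered names are reported on stderr.
cert_covers() {
    certfile=$1; shift
    sans=$(cert_dns_names "$certfile")
    missing=0
    set -f                      # SANs like *.example.com must not be glob-expanded
    for h in "$@"; do
        ok=1
        for s in $sans; do
            if san_matches "$s" "$h"; then ok=0; break; fi
        done
        if [ "$ok" -ne 0 ]; then
            echo "not covered by $certfile: $h" >&2
            missing=1
        fi
    done
    set +f
    return "$missing"
}

# Build a throwaway self-signed cert with the given SAN list (constructed test
# input; a real deployment checks the files acme.sh issued). Uses a config file
# instead of -addext so it also works on OpenSSL 1.0.2.
make_test_cert() {
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = example.com
[ext]
subjectAltName = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
    rm -f "$cfg"
}

tmp=$(mktemp -d)
make_test_cert "$tmp/wildcard_only.cer" 'DNS:*.example.com'
make_test_cert "$tmp/apex_and_wildcard.cer" 'DNS:example.com,DNS:*.example.com'

# Issued with only -d '*.example.com': the apex is missing and the check fails.
if cert_covers "$tmp/wildcard_only.cer" example.com www.example.com; then
    echo "wildcard-only cert: unexpectedly covers everything"
else
    echo "wildcard-only cert: apex not covered, as expected"
fi

# Issued with -d example.com -d '*.example.com' as in the post: every name passes.
if cert_covers "$tmp/apex_and_wildcard.cer" example.com www.example.com api.example.com; then
    echo "apex+wildcard cert: all names covered"
fi
rm -rf "$tmp"
```

Run it as a plain sh script. A useful place for cert_covers is right before the reload: if it fails, do not reload nginx. After a successful reload, `openssl s_client -connect www.example.com:443 -servername www.example.com </dev/null` shows the chain the server actually presents, which should be the fullchain.cer installed above.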
3. nginx configuration
# Symlink the certificate directory into the nginx configuration tree, so the ssl_certificate paths below can be given relative to /etc/nginx
ln -s /data/certs /etc/nginx/certs
/etc/nginx/nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
gzip on;
# Requests arriving with Host: localhost, or with no matching server_name at all (this is the first server on port 80 and therefore the default), are redirected to https://www.example.com
server {
listen 80;
server_name localhost;
charset utf-8;
location / {
return 301 https://www.example.com$request_uri;
}
}
include /etc/nginx/conf.d/*.conf;
}
/etc/nginx/conf.d/com.example.www.conf
# HTTP: everything goes to the canonical https://www.example.com
server {
listen 80;
server_name example.com www.example.com;
charset utf-8;
location / {
return 301 https://www.example.com$request_uri;
}
}
# HTTPS for the bare apex. The certificate covers example.com, so a browser that went straight to https://example.com gets a valid TLS session and only then the redirect to www.
server {
listen 443 ssl;   # "ssl on;" was deprecated in nginx 1.15.0; the ssl parameter on listen works on old and new versions alike
server_name example.com;
charset utf-8;
ssl_certificate certs/com.example/fullchain.cer;
ssl_certificate_key certs/com.example/com.example.key;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
# TLS 1.0 and 1.1 are deprecated (RFC 8996). Add TLSv1.3 once nginx is built against OpenSSL 1.1.1 or later; the stock CentOS 7 OpenSSL 1.0.2 does not have it.
ssl_protocols TLSv1.2;
# Forward-secret AEAD suites only. OpenSSL ignores cipher names it does not know, so the CHACHA20 entries are harmless on 1.0.2.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
location / {
return 301 https://www.example.com$request_uri;
}
}
server {
listen 443 ssl;
server_name www.example.com;
charset utf-8;
ssl_certificate certs/com.example/fullchain.cer;
ssl_certificate_key certs/com.example/com.example.key;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
root /data/wwwroot/com.example.www/public;
index index.html index.php;
# Laravel pretty URLs: route every request through the index.php front controller.
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
# Only hand php-fpm a .php path that really exists. Without this, a request such as /uploads/x.jpg/foo.php reaches php-fpm with a non-existent script name, the classic nginx+PHP path-info misconfiguration when cgi.fix_pathinfo=1.
try_files $uri =404;
fastcgi_pass 127.0.0.1:9999;   # php-fpm listening on TCP 9999; match your pool's listen setting
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# Never serve dotfiles such as .env or .git from the document root, but keep /.well-known/ reachable.
location ~ /\.(?!well-known).* {
deny all;
}
}
Note: replace example.com with your own domain. Run nginx -t before the first reload so that a typo in the config does not take the site down.
Corrections are welcome.
This work is licensed under the CC Agreement (《CC 協議》); reposts must credit the author and link to this post.