linux-免费ssl证书

Posted 蝶泳奈何桥.

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了linux-免费ssl证书相关的知识,希望对你有一定的参考价值。

title: linux-免费ssl证书
categories: Linux
tags: [linux, xshell]
date: 2022-09-10 19:29:55
comments: false
mathjax: true
toc: true

linux-免费ssl证书

前篇

  • 33种免费获取SSL证书的方式 - https://zhuanlan.zhihu.com/p/174755007

HTTPS 证书文件格式转换

  • HTTPS证书文件格式转换 - https://ohttps.com/docs/certformat

Let’s Encrypt颁发的HTTPS证书一般包括以下几个文件:

  • cert.key(PEM格式):私钥文件
  • cert.cer(PEM格式):证书文件
  • fullchain.cer(PEM格式):包含证书和中间证书

自动更新脚本

  • 官方: https://github.com/acmesh-official/acme.sh
  • 一个脚本就把系统升级到 https了,还永久免费 - https://segmentfault.com/a/1190000038367115

以使用 阿里云 域名为例

  1. 下载自动更新脚本: curl https://get.acme.sh | sh -s email=my@example.com

    $ curl https://get.acme.sh | sh -s email=my@example.com

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   937    0   937    0     0   1741      0 --:--:-- --:--:-- --:--:--  1738
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  212k  100  212k    0     0   231k      0 --:--:-- --:--:-- --:--:--  231k
[Wed Sep 14 02:32:00 UTC 2022] Installing from online archive.
[Wed Sep 14 02:32:00 UTC 2022] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Wed Sep 14 02:32:02 UTC 2022] Extracting master.tar.gz
[Wed Sep 14 02:32:02 UTC 2022] It is recommended to install socat first.
[Wed Sep 14 02:32:02 UTC 2022] We use socat for standalone server if you use standalone mode.
[Wed Sep 14 02:32:02 UTC 2022] If you don't use standalone mode, just ignore this warning.
[Wed Sep 14 02:32:02 UTC 2022] Installing to /root/.acme.sh
[Wed Sep 14 02:32:02 UTC 2022] Installed to /root/.acme.sh/acme.sh
[Wed Sep 14 02:32:02 UTC 2022] Installing alias to '/root/.bashrc'
[Wed Sep 14 02:32:02 UTC 2022] OK, Close and reopen your terminal to start using acme.sh
[Wed Sep 14 02:32:02 UTC 2022] Installing cron job
no crontab for root
no crontab for root
[Wed Sep 14 02:32:02 UTC 2022] Good, bash is found, so change the shebang to use bash as preferred.
[Wed Sep 14 02:32:03 UTC 2022] OK
[Wed Sep 14 02:32:03 UTC 2022] Install success!
    • 这里为啥要指定一个邮箱呢?
      • 因为默认使用的 ZeroSSL, 就需要指定邮箱. 参考: https://www.xuchao.org/technology/acme-sh_is_using_zerossl_as_default_ca.html

  2. 创建一个脚本执行: vim a_start.sh

    export Ali_Key="123123123"
export Ali_Secret="456456456"
./acme.sh --issue --force --dns dns_ali -d *.aaa.com
    • Ali_KeyAli_Secret 是阿里云的秘钥
    • --dns dns_ali 指的是使用 dnsapi/dns_ali.sh 脚本
    • -d *.aaa.com 是泛域名, 也多个可以 -d 单域名

  3. 执行 a_start.sh

    $ ./a_start.sh

[Wed Sep 14 06:20:17 UTC 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Wed Sep 14 06:20:17 UTC 2022] Creating domain key
...
[Wed Sep 14 06:21:31 UTC 2022] Success
...
[Wed Sep 14 06:22:22 UTC 2022] Cert success.
-----BEGIN CERTIFICATE-----
MIIGZjCCBE6gAwIBAgIRAPhQkXL9/u0f49Oj25dsgTUwDQYJKoZIhvcNAQEMBQAw
SzELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9T
....
ei94GjqO39Wo5w==
-----END CERTIFICATE-----
[Wed Sep 14 06:22:22 UTC 2022] Your cert is in: /root/.acme.sh/*.aaa.com/*.aaa.com.cer
[Wed Sep 14 06:22:22 UTC 2022] Your cert key is in: /root/.acme.sh/*.aaa.com/*.aaa.com.key
[Wed Sep 14 06:22:22 UTC 2022] The intermediate CA cert is in: /root/.acme.sh/*.aaa.com/ca.cer
[Wed Sep 14 06:22:22 UTC 2022] And the full chain certs is there: /root/.acme.sh/*.aaa.com/fullchain.cer

生成到指定路径

  • 生成前, 路径所在的目录必须先存在, 生成后可以执行命令重启 nginx

    ./acme.sh --issue --force --dns dns_ali -d *.aaa.cn \\
--key-file       /opt/nginx-cert/any.aaa.cn/any.aaa.cn.key \\
--fullchain-file       /opt/nginx-cert/any.aaa.cn/any.aaa.cn.cer \\
--reloadcmd     "service nginx force-reload"

ohttps

  • https://ohttps.com/

  1. 使用这两个文件

  2. 配置 nginx

    # cdn 服务
server

    listen 443 ssl;
    server_name aaa.bbb.cn;
    root /webapps/cdn; # 存放文件的目录
    location / 
      autoindex on; # 索引
      autoindex_exact_size on; # 显示文件大小
      autoindex_localtime on; # 显示文件时间
      limit_rate 0;
    

    # ssl
    ssl_certificate /opt/nginx-cert/aaa.bbb.cn/fullchain.cer;
    ssl_certificate_key /opt/nginx-cert/aaa.bbb.cn/cert.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/aaa.bbb.cn.log;

以上是关于linux-免费ssl证书的主要内容,如果未能解决你的问题,请参考以下文章

linux系统自签发免费ssl证书,为nginx生成自签名ssl证书

自己制作ssl证书:自己签发免费ssl证书,为nginx生成自签名ssl证书

为Nginx申请和使用Let‘s Encrypt的SSL免费证书

为Nginx申请和使用Let‘s Encrypt的SSL免费证书

腾讯云服务器申请免费SSL证书,实现Https。

nginx配置免费ssl证书支持https安全访问