Nginx配置Let's Encrypt https证书

Posted 2021-08-05 i书生

下载源码

wget http://nginx.org/download/nginx-1.16.1.tar.gz

安装依赖

#PCREwget https://ftp.pcre.org/pub/pcre/pcre-8.43.tar.gz#OpenSSLwget https://www.openssl.org/source/openssl-1.0.2t.tar.gz#zlib wget http://www.zlib.net/zlib-1.2.11.tar.gz

编译安装

#解压之后nginx-1.16.1 pcre-8.43 openssl-1.0.2t zlib-1.2.11#预编译./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-zlib=../zlib-1.2.11 --with-pcre=../pcre-8.43 --with-openssl=../openssl-1.0.2t#编译make#安装make install

启动

/usr/local/nginx/sbin/nginx

利用acem.sh生成证书

按照acem.sh

curl https://get.acme.sh | sh

阿里DNS解析

export Ali_Key="asdasdsdasdasd"export Ali_Secret="asdasdsdasdasdasdasd"acme.sh --issue --dns dns_ali -d domian.com -d *.domian.com

cloudflare DNS 解析

export CF_Key="asdasdsdasdasdasdasd"export CF_Email="xxxxx@dd.com"acme.sh --issue --dns dns_cf -d domain.com -d *.domain.com

生成好之后，会有提示信息，并且有证书的保存位置

nginx https配置

 server { listen 443 ssl; server_name domain.com; ssl_certificate /root/.acme.sh/domain.com/fullchain.cer; ssl_certificate_key /root/.acme.sh/domain.com/domain.com.key;
 ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on;
 location / { proxy_pass http://127.0.0.1:9000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header REMOTE-HOST $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Cookie $http_cookie; client_max_body_size 1024M; proxy_connect_timeout 60; proxy_send_timeout 600; proxy_read_timeout 600; proxy_buffer_size 64k; proxy_buffers 16 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; }}# http 转httpsserver { listen 80; server_name demo.domain.com; rewrite ^(.*)$ https://$host$1 permanent;}

访问

https://domain.com

更新

"/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
证书的有效期为3个月，到期之后执行上面脚本进行更新，也可以添加脚本到系统的定时任务里面，定时执行。