linux-免费ssl证书

Posted 蝶泳奈何桥.

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了linux-免费ssl证书相关的知识,希望对你有一定的参考价值。


title: linux-免费ssl证书
categories: Linux
tags: [linux, xshell]
date: 2022-09-10 19:29:55
comments: false
mathjax: true
toc: true

linux-免费ssl证书


前篇

  • 33种免费获取SSL证书的方式 - https://zhuanlan.zhihu.com/p/174755007

HTTPS 证书文件格式转换

  • HTTPS证书文件格式转换 - https://ohttps.com/docs/certformat

Let’s Encrypt颁发的HTTPS证书一般包括以下几个文件:

  • cert.key(PEM格式):私钥文件
  • cert.cer(PEM格式):证书文件
  • fullchain.cer(PEM格式):包含证书和中间证书

自动更新脚本

  • 官方: https://github.com/acmesh-official/acme.sh
  • 一个脚本就把系统升级到 https了,还永久免费 - https://segmentfault.com/a/1190000038367115

以使用 阿里云 域名为例

  1. 下载自动更新脚本: curl https://get.acme.sh | sh -s email=my@example.com

    $ curl https://get.acme.sh | sh -s email=my@example.com
    
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   937    0   937    0     0   1741      0 --:--:-- --:--:-- --:--:--  1738
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  212k  100  212k    0     0   231k      0 --:--:-- --:--:-- --:--:--  231k
    [Wed Sep 14 02:32:00 UTC 2022] Installing from online archive.
    [Wed Sep 14 02:32:00 UTC 2022] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
    [Wed Sep 14 02:32:02 UTC 2022] Extracting master.tar.gz
    [Wed Sep 14 02:32:02 UTC 2022] It is recommended to install socat first.
    [Wed Sep 14 02:32:02 UTC 2022] We use socat for standalone server if you use standalone mode.
    [Wed Sep 14 02:32:02 UTC 2022] If you don't use standalone mode, just ignore this warning.
    [Wed Sep 14 02:32:02 UTC 2022] Installing to /root/.acme.sh
    [Wed Sep 14 02:32:02 UTC 2022] Installed to /root/.acme.sh/acme.sh
    [Wed Sep 14 02:32:02 UTC 2022] Installing alias to '/root/.bashrc'
    [Wed Sep 14 02:32:02 UTC 2022] OK, Close and reopen your terminal to start using acme.sh
    [Wed Sep 14 02:32:02 UTC 2022] Installing cron job
    no crontab for root
    no crontab for root
    [Wed Sep 14 02:32:02 UTC 2022] Good, bash is found, so change the shebang to use bash as preferred.
    [Wed Sep 14 02:32:03 UTC 2022] OK
    [Wed Sep 14 02:32:03 UTC 2022] Install success!
    
    • 这里为啥要指定一个邮箱呢?
      • 因为默认使用的 ZeroSSL, 就需要指定邮箱. 参考: https://www.xuchao.org/technology/acme-sh_is_using_zerossl_as_default_ca.html
  2. 创建一个脚本执行: vim a_start.sh

    export Ali_Key="123123123"
    export Ali_Secret="456456456"
    ./acme.sh --issue --force --dns dns_ali -d *.aaa.com
    
    • Ali_KeyAli_Secret 是阿里云的秘钥
    • --dns dns_ali 指的是使用 dnsapi/dns_ali.sh 脚本
    • -d *.aaa.com 是泛域名, 也多个可以 -d 单域名
  3. 执行 a_start.sh

    $ ./a_start.sh
    
    [Wed Sep 14 06:20:17 UTC 2022] Using CA: https://acme.zerossl.com/v2/DV90
    [Wed Sep 14 06:20:17 UTC 2022] Creating domain key
    ...
    [Wed Sep 14 06:21:31 UTC 2022] Success
    ...
    [Wed Sep 14 06:22:22 UTC 2022] Cert success.
    -----BEGIN CERTIFICATE-----
    MIIGZjCCBE6gAwIBAgIRAPhQkXL9/u0f49Oj25dsgTUwDQYJKoZIhvcNAQEMBQAw
    SzELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9T
    ....
    ei94GjqO39Wo5w==
    -----END CERTIFICATE-----
    [Wed Sep 14 06:22:22 UTC 2022] Your cert is in: /root/.acme.sh/*.aaa.com/*.aaa.com.cer
    [Wed Sep 14 06:22:22 UTC 2022] Your cert key is in: /root/.acme.sh/*.aaa.com/*.aaa.com.key
    [Wed Sep 14 06:22:22 UTC 2022] The intermediate CA cert is in: /root/.acme.sh/*.aaa.com/ca.cer
    [Wed Sep 14 06:22:22 UTC 2022] And the full chain certs is there: /root/.acme.sh/*.aaa.com/fullchain.cer
    
    
    
    

生成到指定路径

  • 生成前, 路径所在的目录必须先存在, 生成后可以执行命令重启 nginx

    ./acme.sh --issue --force --dns dns_ali -d *.aaa.cn \\
    --key-file       /opt/nginx-cert/any.aaa.cn/any.aaa.cn.key \\
    --fullchain-file       /opt/nginx-cert/any.aaa.cn/any.aaa.cn.cer \\
    --reloadcmd     "service nginx force-reload"
    
    
    
    

ohttps

  • https://ohttps.com/
  1. 使用这两个文件

  2. 配置 nginx

    # cdn 服务
    server
    
        listen 443 ssl;
        server_name aaa.bbb.cn;
        root /webapps/cdn; # 存放文件的目录
        location / 
          autoindex on; # 索引
          autoindex_exact_size on; # 显示文件大小
          autoindex_localtime on; # 显示文件时间
          limit_rate 0;
        
    
        # ssl
        ssl_certificate /opt/nginx-cert/aaa.bbb.cn/fullchain.cer;
        ssl_certificate_key /opt/nginx-cert/aaa.bbb.cn/cert.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        access_log /var/log/nginx/aaa.bbb.cn.log;
    
    
    
    
    

以上是关于linux-免费ssl证书的主要内容,如果未能解决你的问题,请参考以下文章

linux系统自签发免费ssl证书,为nginx生成自签名ssl证书

自己制作ssl证书:自己签发免费ssl证书,为nginx生成自签名ssl证书

为Nginx申请和使用Let‘s Encrypt的SSL免费证书

为Nginx申请和使用Let‘s Encrypt的SSL免费证书

腾讯云服务器申请免费SSL证书,实现Https。

nginx配置免费ssl证书支持https安全访问