惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

K
Kaspersky official blog
Martin Fowler
Martin Fowler
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
V
Visual Studio Blog
博客园_首页
Engineering at Meta
Engineering at Meta
The Cloudflare Blog
MongoDB | Blog
MongoDB | Blog
Blog — PlanetScale
Blog — PlanetScale
T
The Blog of Author Tim Ferriss
雷峰网
雷峰网
D
Docker
博客园 - 司徒正美
S
SegmentFault 最新的问题
M
MIT News - Artificial intelligence
博客园 - 叶小钗
博客园 - 三生石上(FineUI控件)
U
Unit 42
J
Java Code Geeks
A
About on SuperTechFans
N
Netflix TechBlog - Medium
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
S
Security Affairs
I
Intezer
Cisco Talos Blog
Cisco Talos Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
B
Blog RSS Feed
P
Privacy & Cybersecurity Law Blog
T
Tenable Blog
T
Threatpost
H
Hacker News: Front Page
G
Google Developers Blog
博客园 - 【当耐特】
Hugging Face - Blog
Hugging Face - Blog
Apple Machine Learning Research
Apple Machine Learning Research
L
Lohrmann on Cybersecurity
大猫的无限游戏
大猫的无限游戏
Google DeepMind News
Google DeepMind News
A
Arctic Wolf
S
Secure Thoughts
GbyAI
GbyAI
NISL@THU
NISL@THU
S
Security @ Cisco Blogs
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Webroot Blog
Webroot Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
O
OpenAI News
Spread Privacy
Spread Privacy
Application and Cybersecurity Blog
Application and Cybersecurity Blog

雾非雾 - 证书

暂无文章

SSL证书的申请
花非花 · 2022-10-07 · via 雾非雾 - 证书

花非花 2022年 10月 07 日

阅读选项

昨天折腾了一通,主站的 SSL 搞定了;但是子目录 php 竟然无法运行,只好暂时终止。
今天来折腾了一下这个子域名,顺便记录一下申请过程。

1、先安装 acme.sh
登录 SSH 后,切换到 root 帐号
后面的 email 换成自己的邮箱地址

curl https://get.acme.sh | sh -s email=申请用的电子邮箱

安装完成后,要重启加载一下;或者关闭 SSH 重新登录一下

source ~/.bashrc

如果想保持 acme.sh 为最新,可开启自动更新

acme.sh --upgrade --auto-upgrade

2、创建用于存放证书的目录

mkdir -p /var/www/letsencrypt

3、acme.sh 支持 Let's Encrypt、Buypass、ZeroSSL 和 SSL.com,默认使用 ZeroSSL,切换命令:
Let's Encrypt

acme.sh --set-default-ca --server letsencrypt

Buypass

acme.sh --set-default-ca --server buypass

SSL.com

acme.sh --set-default-ca --server ssl.com

ZeroSSL

acme.sh --set-default-ca --server zerossl

4、配置 Nginx,用 HTTP 来验证证书签发
域名、验证目录根据自己需求自定义

server {
    listen 80;
    listen [::]:80;
    server_name 自己的域名;
    location /.well-known/acme-challenge {
        # 自己定义的位置,用于校验服务器所有权
    root /www/wwwroot/809022.xyz;
        # 自己的网站目录
    }

    location / {
        rewrite    ^/(.*)$ https://$host/$1 permanent;
    }
}

5、申请证书
--webroot 申请网站的根目录

acme.sh --issue -d 自己的域名 --webroot /www/wwwroot/rj.809022.xyz

如果有多个域名,之间用空格隔开;至于是不是支持泛域名,请自己 google

acme.sh --issue -d 域名1 -d 域名2 -w /www/wwwroot/rj.809022.xyz

6、申请成功后显示

[root@80smus ~]# acme.sh --issue -d rj.809022.xyz --webroot /www/wwwroot/rj.809022.xyz
[Thu Oct  6 16:59:46 CST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu Oct  6 16:59:46 CST 2022] Single domain='rj.809022.xyz'
[Thu Oct  6 16:59:46 CST 2022] Getting domain auth token for each domain
[Thu Oct  6 17:00:09 CST 2022] Getting webroot for domain='rj.809022.xyz'
[Thu Oct  6 17:00:09 CST 2022] Verifying: rj.809022.xyz
[Thu Oct  6 17:00:12 CST 2022] Pending, The CA is processing your order, please just wait. (1/30)
[Thu Oct  6 17:00:17 CST 2022] Success
[Thu Oct  6 17:00:17 CST 2022] Verify finished, start to sign.
[Thu Oct  6 17:00:17 CST 2022] Lets finalize the order.
[Thu Oct  6 17:00:17 CST 2022] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/762972326/132022859836'
[Thu Oct  6 17:00:21 CST 2022] Downloading cert.
[Thu Oct  6 17:00:21 CST 2022] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03763b64c7f5f1a8cf1c65c70af0f87700d2'
[Thu Oct  6 17:00:24 CST 2022] Cert success.
-----BEGIN CERTIFICATE-----
这里显示的是密钥
-----END CERTIFICATE-----
[Thu Oct  6 17:00:24 CST 2022] Your cert is in: /root/.acme.sh/rj.809022.xyz/rj.809022.xyz.cer
[Thu Oct  6 17:00:24 CST 2022] Your cert key is in: /root/.acme.sh/rj.809022.xyz/rj.809022.xyz.key
[Thu Oct  6 17:00:24 CST 2022] The intermediate CA cert is in: /root/.acme.sh/rj.809022.xyz/ca.cer
[Thu Oct  6 17:00:24 CST 2022] And the full chain certs is there: /root/.acme.sh/rj.809022.xyz/fullchain.cer

7、安装申请到的证书
从上面返回的信息判断证书的保存目录在 /root/.acme.sh/rj.809022.xyz/
一般不推荐证书放到 root 目录使用,所以新建个目录把证书 cer key 复制过去(或者在网站根目录下建立 cert 目录用于存放:

mkdir -p /www/nginx/ssl
cp /root/.acme.sh/rj.809022.xyz/rj.809022.xyz.cer /www/nginx/ssl/rj.809022.xyz.cer
cp /root/.acme.sh/rj.809022.xyz/rj.809022.xyz.key /www/nginx/ssl/rj.809022.xyz.key

听说安卓手机验证可能会有问题,所以运行一下下面的命令

acme.sh --installcert -d rj.809022.xyz --keypath /www/nginx/ssl/rj.809022.xyz.key --fullchainpath /www/nginx/ssl/rj.809022.xyz.cer

8、重新配置 Nginx

server {
        listen      443 ssl http2;
        server_name  rj.809022.xyz;

           ssl on;
        ssl_certificate      /www/nginx/ssl/rj.809022.xyz.cer;    # 证书路径
        ssl_certificate_key  /www/nginx/ssl/rj.809022.xyz.key;    # 证书路径
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        root /www/wwwroot/rj.809022.xyz;
        index index.html index.htm;
        location / {
                try_files $uri $uri/ =404;
        }
}

# 强制 http 跳转 https
server {
        listen      80;
        server_name rj.809022.xyz;
        return      301 https://$server_name$request_uri;
}

9、重启 Nginx
我因为安装了宝塔,所以上面的一些建立目录、复制、包括现在重启服务,都是在宝塔下鼠标点击操作
之后重启打开自己的网站就会发现上锁了

10、附加一些命令
手动更新证书

acme.sh --renew -d 这里填写你的域名 --force

证书列表

acme.sh --list

停止更新

acme.sh --remove -d 要停止服务的域名