https://github.com/acmesh-official/acme.sh/wiki/说明
Install acme.sh (the installer also adds a crontab entry that renews certificates automatically):
curl https://get.acme.sh | sh -s email=my@example.com
Users in mainland China can install from the gitee mirror instead:
git clone https://gitee.com/neilpang/acme.sh.git
cd acme.sh
./acme.sh --install -m my@example.com
Issue the certificate (webroot mode: acme.sh writes the HTTP-01 challenge file under the site's document root, and the CA fetches it over plain HTTP):
acme.sh --issue -d xxx.com -w /path/to/webroot
After the certificate is issued, acme.sh prints where it stored the files:
Your cert is in /root/.acme.sh/xxx.com_ecc/xxx.com.cer
Your cert key is in /root/.acme.sh/xxx.com_ecc/xxx.com.key
The intermediate CA cert is in /root/.acme.sh/xxx.com_ecc/ca.cer
And the full chain certs is there: /root/.acme.sh/xxx.com_ecc/fullchain.cer
Install the certificate into the directory nginx reads from. The .cer files acme.sh writes are already PEM encoded, so this step only copies and renames them; nothing is converted. Always use --install-cert rather than pointing nginx at ~/.acme.sh directly, because the files there are acme.sh's internal state. The --reloadcmd runs after every successful renewal so nginx picks up the new files (a "systemctl reload nginx" is sufficient if you do not want to drop connections):
acme.sh --install-cert -d xxx.com \
--key-file /path/to/cert/dir/key.pem \
--fullchain-file /path/to/cert/dir/cert.pem \
--reloadcmd "systemctl restart nginx"
Generate dhparam.pem (needed for the DHE-* suites listed in ssl_ciphers below; 2048 bits is the minimum you should use):
openssl dhparam -out /path/to/cert/dir/dhparam.pem 2048
Configure nginx by hand, adding the certificate directives to the 443 server block:
listen 443 ssl;
ssl_certificate /path/to/cert/dir/cert.pem;
ssl_certificate_key /path/to/cert/dir/key.pem;
ssl_dhparam /path/to/cert/dir/dhparam.pem;
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
Note that webroot (HTTP-01) validation requires a plain HTTP site on port 80: the CA fetches the challenge file over HTTP, not HTTPS. Do not delete the port-80 server block and keep only the 443 one, or automatic renewal will fail. The URL the CA requests is:
http://xxx.com/.well-known/acme-challenge/<challenge file>
(A port-80 server that only redirects to HTTPS is fine as long as the /.well-known/acme-challenge/ location is still served from the webroot given to -w.)
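The check below is an added example, not code from the page or from acme.sh. It audits an nginx config for the two renewal-breaking mistakes discussed above: dropping the port-80 server (or its /.well-known/acme-challenge/ location) and re-enabling legacy TLS versions. The two config snippets, the domain xxx.com and the /etc/nginx/tls and /var/www paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the page or acme.sh): audit an nginx config for the
# port-80 challenge server that webroot renewal depends on, and for legacy
# TLS versions. Both configs below are constructed for this demo.

# Constructed config that keeps the plain-HTTP server for renewals.
GOOD_FILE=$(mktemp)
cat >"$GOOD_FILE" <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name xxx.com;
    # acme.sh --issue -w /var/www/xxx.com writes the token under this path
    location /.well-known/acme-challenge/ {
        root /var/www/xxx.com;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name xxx.com;
    ssl_certificate /etc/nginx/tls/cert.pem;
    ssl_certificate_key /etc/nginx/tls/key.pem;
    ssl_dhparam /etc/nginx/tls/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF

# Constructed config with the port-80 server removed and old TLS enabled.
BAD_FILE=$(mktemp)
cat >"$BAD_FILE" <<'EOF'
server {
    listen 443 ssl;
    server_name xxx.com;
    ssl_certificate /etc/nginx/tls/cert.pem;
    ssl_certificate_key /etc/nginx/tls/key.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
trap 'rm -f "$GOOD_FILE" "$BAD_FILE"' EXIT

# Returns 0 when the file has a server listening on port 80 (IPv4 or IPv6)
# and a location for /.well-known/acme-challenge/, 1 otherwise.
has_http_challenge() {
    grep -Eq '^[[:space:]]*listen[[:space:]]+(\[::\]:)?80[[:space:];]' "$1" || return 1
    grep -Eq '^[[:space:]]*location[[:space:]]+(\^~[[:space:]]+)?/\.well-known/acme-challenge/' "$1" || return 1
    return 0
}

# Returns 0 when every ssl_protocols directive allows only TLSv1.2/TLSv1.3,
# 1 when SSLv3, TLSv1 or TLSv1.1 is still enabled or the directive is missing.
tls_protocols_ok() {
    grep -Eq '^[[:space:]]*ssl_protocols' "$1" || return 1
    if grep -E '^[[:space:]]*ssl_protocols' "$1" \
        | grep -Eq '(SSLv3|TLSv1(\.1)?)([[:space:];]|$)'; then
        return 1
    fi
    return 0
}

# Runs both checks on one config file; returns non-zero if either fails.
audit_nginx_conf() {
    rc=0
    if has_http_challenge "$1"; then
        echo "$1: port-80 challenge server present"
    else
        echo "$1: MISSING port-80 server or acme-challenge location; renewal will fail" >&2
        rc=1
    fi
    if tls_protocols_ok "$1"; then
        echo "$1: ssl_protocols limited to TLSv1.2/TLSv1.3"
    else
        echo "$1: weak or missing ssl_protocols" >&2
        rc=1
    fi
    return $rc
}

audit_nginx_conf "$GOOD_FILE"
audit_nginx_conf "$BAD_FILE" || echo "bad config rejected, as expected"
```

Run it against your real config with audit_nginx_conf /etc/nginx/sites-enabled/xxx.com (after nginx -t) before relying on the crontab renewal; a failing audit means the next acme.sh --renew will fail at the challenge step even though the current certificate still validates.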