1. 创建ssl文件目录
1
/usr/local/nginx/conf/ssl
  1. 创建账号

    1
    openssl genrsa 4096 > account.key
  2. 创建 CSR 文件

    1
    openssl genrsa 4096 > domain.key

或者 ECC 私钥

1
openssl ecparam -genkey -name secp384r1 | openssl ec -out domain.key

  1. 生成 CSR 文件

    1
    openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:applehater.cn")) > domain.csr
  2. 提供验证文件访问
    创建虚拟网站

    1
    mkdir /usr/share/nginx/html/challenges

配置nginx访问目录

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
server {
server_name applehater.cn;
server_tokens off;
access_log /dev/null;
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}
location ^~ /.well-known/acme-challenge/ {
alias /usr/share/nginx/html/challenges/;
try_files $uri =404;
}
location / {
rewrite ^/(.*)$ https://applehater.cn/$1 permanent;
}
}

  1. 获取网站证书
    1
    wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py

执行脚本生成证书

1
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir ~/www/challenges/ > ./signed.crt

  1. 合并证书
    中间证书和网站证书
    1
    2
    wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
    cat signed.crt intermediate.pem > chained.pem

根证书和中间证书

1
2
wget -O - https://letsencrypt.org/certs/isrgrootx1.pem > root.pem
cat intermediate.pem root.pem > full_chained.pem

  1. 配置主站

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    server {
    listen 443 ssl http2 fastopen=3 reuseport;
    root /usr/share/nginx/html/typecho;
    index index.php index.html index.htm;
    server_name applehater.cn api.applehater.cn;
    ssl on;
    ssl_certificate /usr/local/nginx/conf/ssl/chained.pem;
    ssl_certificate_key /usr/local/nginx/conf/ssl/domain.key;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets on;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/full_chained.pem;
    resolver 114.114.114.114 valid=300s;
    resolver_timeout 10s;
    access_log /dev/null;
    location / {
    try_files $uri $uri/ /index.php?$query_string;
    }
    location ~ \.php$ {
    try_files $uri /index.php =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    }
    }
  2. 自动更新脚本

    1
    2
    3
    4
    5
    6
    7
    #!/bin/bash
    cd /usr/local/nginx/conf/ssl
    python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /usr/share/nginx/html/challenges/ > signed.crt || exit
    wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
    cat signed.crt intermediate.pem > chained.pem
    service nginx reload

证书有效期为90天,为即时更新证书,可以将这个脚本按时执行。

原文来自imququ.com 《Let’s Encrypt,免费好用的 HTTPS 证书》