Certificate

Network Computer
Website
发布日期:   2023-04-03

HTTPS

Certificate

对比不同的证书颁发机构,其中Let's Encrypt作为开源机构,非常靠谱

  • 这里可以选择对应的web服务器和系统
  • 按照网站提供的说明安装,以下为nginx+ubuntu20的说明
  • 安装snapd:sudo apt install snapd
  • 更新snapd: sudo snap install core; sudo snap refresh core
  • 安装cerbot: sudo snap install --classic certbot
  • cerbot命令放入路径中: sudo ln -s /snap/bin/certbot /usr/bin/certbot
  • 插件等级: sudo snap set certbot trust-plugin-with-root=ok
  • DNS插件: 我申请的域名是在阿里云申请的,Let’s Encrypt官方未提供对应插件,采用github上提供的一个certbot-dns-aliyun来解决,
    1
    2
    3
    4
    sudo snap install certbot-dns-aliyun
    sudo snap set certbot trust-plugin-with-root=ok
    sudo snap connect certbot:plugin certbot-dns-aliyun
    /snap/bin/certbot plugins
  • 这里创建新用户,并在用户下对应的权限管理中添加整个云账号的AliyunDNSFullAccess,新用户下可以创建新的AccessKey用于下一步
  • 创建一个Credential.ini,内容写为上一步中获取的AccessKey和secret
    1
    2
    dns_aliyun_access_key = 12345678
    dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef
  • 获取证书,命令行会显示证书位置比如Certificate is saved at: /etc/letsencrypt/live/lovestrong.top/fullchain.pem, Key is saved at: /etc/letsencrypt/live/lovestrong.top/privkey.pem
    1
    2
    3
    4
    certbot certonly \
        --authenticator = dns-aliyun \
        --dns-aliyun-credentials = '/path/to/credentials.ini' \
        -d "*.example.com,example.com"
  • 测试自动更新
    1
    sudo certbot renew --dry-run
  • 将证书配置进入nginx文件,比如默认的/etc/nginx/site-available/default,其中root指定默认的目录位置
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    server {
                    listen 443 ssl;
                    server_name lovestrong.top;
                    client_max_body_size 80M;
                    ssl_certificate  /etc/letsencrypt/live/lovestrong.top/fullchain.pem;
                    ssl_certificate_key /etc/letsencrypt/live/lovestrong.top/privkey.pem;
                    ssl_session_timeout 5m;
                    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                    ssl_ciphers ALL:!kEDH!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
                    ssl_prefer_server_ciphers on;
            root /var/www/html/dwf;
                    location / {
                            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                            proxy_set_header Host $http_host;
                            proxy_set_header X-Forwarded-Proto https;
                            proxy_set_header X-Real-IP $remote_addr;
                            proxy_redirect off;
                            proxy_connect_timeout      20;
                            proxy_send_timeout         60;
                            proxy_read_timeout         60;
                    }

                    location = /favicon.ico {
                            log_not_found off;
                            access_log off;
                    }
        }
文章作者: greatofdream
文章链接: https://greatofdream.github.io/2023/04/03/certificate/
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 greatofdream !
Network Computer
  目录