用 Let's Encrypt 官方推荐的 certbot 客户端申请证书的过程中报错 python 依赖错误,Google 一番发现有国外的小伙伴提到 aws 的服务器不支持 certbot安装,并推荐了另外一个客户端,测试后可用,特记录于此
服务器环境: Awi Linux + Nginx
安装脚本
curl https://get.acme.sh | sh
source ~/.bashrc
或者直接从 github 上下载并安装
git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install
source ~/.bashrc
申请 ssl 证书
这里只列举了单域名,而且已经将域名指向到服务器, 其他更多情况请查阅下面的参考链接
acme.sh --issue -d example.com --webroot /var/www/example.com
执行过后会看到已经在自动申请了
[Fri Mar 13 03:50:46 UTC 2020] Create account key ok.
[Fri Mar 13 03:50:46 UTC 2020] Registering account
[Fri Mar 13 03:50:46 UTC 2020] Registered
[Fri Mar 13 03:50:46 UTC 2020] ACCOUNT_THUMBPRINT='OQTFfLllQ1LlCOl4Tw9W2faVubxuP73mMHrY3SpUAEg'
[Fri Mar 13 03:50:46 UTC 2020] Creating domain key
[Fri Mar 13 03:50:46 UTC 2020] The domain key is here: /home/ec2-user/.acme.sh/www.****.com/www.****.com.key
[Fri Mar 13 03:50:46 UTC 2020] Single domain='www.****.com'
[Fri Mar 13 03:50:46 UTC 2020] Getting domain auth token for each domain
[Fri Mar 13 03:50:47 UTC 2020] Getting webroot for domain='www.****.com'
[Fri Mar 13 03:50:47 UTC 2020] Verifying: www.****.com
[Fri Mar 13 03:50:50 UTC 2020] Pending
[Fri Mar 13 03:50:52 UTC 2020] Pending
[Fri Mar 13 03:51:14 UTC 2020] Pending
[Fri Mar 13 03:51:16 UTC 2020] Pending
[Fri Mar 13 03:51:19 UTC 2020] Success
[Fri Mar 13 03:51:19 UTC 2020] Verify finished, start to sign.
[Fri Mar 13 03:51:19 UTC 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/80463906/2638416705
[Fri Mar 13 03:51:19 UTC 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/03ed023419526b17a0863537b61bd5954723
[Fri Mar 13 03:51:20 UTC 2020] Cert success.
跑完以后会给出已生成的 证书和私钥存放在本地的路径
注意: 这个生成的文件是内部使用的,不能直接 copy 出来用,需要用命令导出目标文件后才可在 nginx 上配置
导出的命令如下:
配置好导出的路径和 nginx reload 的命令就 OK 了
acme.sh --install-cert \
--domain example.com \
--cert-file /path/to/cert/cert.pem \
--key-file /path/to/keyfile/key.pem \
--fullchain-file /path/to/fullchain/fullchain.pem \
--reloadcmd "sudo systemctl reload nginx.service"
最后把导出的文件配置到 Nginx
记得把 80 和 443 端口对外开放哦
server {
listen 80;
listen 443 ssl;
server_name www.example.com;
index index.html;
location / {
root /opt/nginx_root;
}
ssl_certificate /path/to/cert/cert.pem;
ssl_certificate_key /path/to/keyfile/key.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
}
最后在浏览器访问并查看证书,chrome地址栏标绿并加锁:
Let's Encrypt的 ssl 证书有效期是三个月,到时候需要刷新,acme已经在 crontab 配置好了,不过也可以用下面的命令强制刷新
acme.sh --renew -d example.com --force
参考:
https://www.howtoforge.com/getting-started-with-acmesh-lets-encrypt-client/