Nginx + SSL (Let’s Encrypt) wildcard domains

10 May 2018 | Linux | 0 comments | 1,087 views


The nginx version used here is 1.14.0; its installation method
Commands

# 1. Run the following command (DNS manual mode; acme.sh prints the TXT records it needs)
acme.sh --issue -d showlet.tk -d *.showlet.tk   --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
# 2. Create the DNS TXT records: following the prompt, add the _acme-challenge TXT record values
#    (two values for the same name _acme-challenge.showlet.tk, one per domain; both must exist and have propagated before step 3)

# 3. Run with --renew to complete validation and obtain the signed SSL certificate
acme.sh --renew -d showlet.tk -d *.showlet.tk   --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

Run log

root@mdlVPS:~ acme.sh --issue -d showlet.tk -d *.showlet.tk --dns \
                      --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Fri May 11 00:45:15 EDT 2018] Multi domain='DNS:showlet.tk,DNS:*.showlet.tk'
[Fri May 11 00:45:16 EDT 2018] Getting domain auth token for each domain
[Fri May 11 00:45:20 EDT 2018] Getting webroot for domain='showlet.tk'
[Fri May 11 00:45:20 EDT 2018] Getting webroot for domain='*.showlet.tk'
[Fri May 11 00:45:21 EDT 2018] Add the following TXT record:
[Fri May 11 00:45:21 EDT 2018] Domain: '_acme-challenge.showlet.tk'
[Fri May 11 00:45:21 EDT 2018] TXT value: '30kIN80fZQPfodLpDuPGY4Ewaa1KeQfYyPjsLFq_UR4'
[Fri May 11 00:45:21 EDT 2018] Please be aware that you prepend _acme-challenge. before your domain
[Fri May 11 00:45:21 EDT 2018] so the resulting subdomain will be: _acme-challenge.showlet.tk
[Fri May 11 00:45:21 EDT 2018] Add the following TXT record:
[Fri May 11 00:45:21 EDT 2018] Domain: '_acme-challenge.showlet.tk'
[Fri May 11 00:45:21 EDT 2018] TXT value: 'RdlcFfHLtByEBlpX47Yp6LmYrd6H9XGlWZETl8Q5sqA'
[Fri May 11 00:45:21 EDT 2018] Please be aware that you prepend _acme-challenge. before your domain
[Fri May 11 00:45:21 EDT 2018] so the resulting subdomain will be: _acme-challenge.showlet.tk
[Fri May 11 00:45:21 EDT 2018] Please add the TXT records to the domains, and re-run with --renew.
[Fri May 11 00:45:21 EDT 2018] Please add '--debug' or '--log' to check more details.
[Fri May 11 00:45:21 EDT 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
root@mdlVPS:~ acme.sh  --renew -d showlet.tk -d *.showlet.tk   --dns \
                       --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Fri May 11 00:48:23 EDT 2018] Renew: 'showlet.tk'
[Fri May 11 00:48:25 EDT 2018] Multi domain='DNS:showlet.tk,DNS:*.showlet.tk'
[Fri May 11 00:48:25 EDT 2018] Getting domain auth token for each domain
[Fri May 11 00:48:25 EDT 2018] Verifying:showlet.tk
[Fri May 11 00:48:30 EDT 2018] Success
[Fri May 11 00:48:30 EDT 2018] Verifying:*.showlet.tk
[Fri May 11 00:48:34 EDT 2018] Success
[Fri May 11 00:48:34 EDT 2018] Verify finished, start to sign.
[Fri May 11 00:48:36 EDT 2018] Cert success.
[Fri May 11 00:48:36 EDT 2018] Your cert is in  /root/.acme.sh/showlet.tk/showlet.tk.cer
[Fri May 11 00:48:36 EDT 2018] Your cert key is in  /root/.acme.sh/showlet.tk/showlet.tk.key
[Fri May 11 00:48:36 EDT 2018] The intermediate CA cert is in  /root/.acme.sh/showlet.tk/ca.cer
[Fri May 11 00:48:36 EDT 2018] And the full chain certs is there:  /root/.acme.sh/showlet.tk/fullchain.cer
[Fri May 11 00:48:37 EDT 2018] It seems that you are using dns manual mode.please take care:
The dns manual mode can not renew automatically, you must issue it again manually.
You d better use the other modes instead.
[Fri May 11 00:48:37 EDT 2018] Call hook error.

nginx configuration file

server {

    listen         443   ssl http2;
    # The regex captures the leftmost part of the host name into $subdomain so that
    # each subdomain is served automatically from its own directory under /www.
    server_name    ~^(?<subdomain>.+).showlet.tk;
    root           /www/$subdomain;
    index          index.html index.htm;

    ssl_certificate       /root/.acme.sh/showlet.tk/fullchain.cer;
    ssl_certificate_key   /root/.acme.sh/showlet.tk/showlet.tk.key;
    # TLSv1.3 requires nginx built against OpenSSL 1.1.1 or later; TLSv1 and TLSv1.1
    # are deprecated and only needed for very old clients.
    ssl_protocols         TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
}
server {  # redirect to https
    listen       80;
    rewrite ^(.*)   https://$host$1 permanent;
}

Force-reload nginx, otherwise the new certificate is not picked up:

service nginx force-reload

When visiting *.showlet.tk, the request is automatically redirected to https and served with the Let’s Encrypt certificate.
The demo sites for this example are:
www.showlet.tk
show1.showlet.tk
show2.showlet.tk
show3.showlet.tk [1]

[1] The root directory for the files is assumed to be /www:
www.showlet.tk is in /www/www
show1.showlet.tk is in /www/show1
show2.showlet.tk is in /www/show2
show3.showlet.tk is in /www/show3
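As an added example (not part of the original post), the following Python script models how the server block above maps a request Host to a document root, and whether the certificate issued by the acme.sh run actually covers that name: a wildcard SAN matches exactly one label, so a.b.showlet.tk hits the block but gets a certificate warning, while the bare showlet.tk is in the certificate but never matches the regex. normalize_host is an assumed approximation of nginx's Host header checks, not nginx code; the regex and SANs are the ones from the page.

```python
import re

# The page's server block: server_name ~^(?<subdomain>.+).showlet.tk;
# root /www/$subdomain;  (Python spells a named group (?P<name>...);
# nginx's PCRE accepts (?<name>...); the pattern is otherwise identical.)
SERVER_NAME_RE = re.compile(r"^(?P<subdomain>.+).showlet.tk")
WEB_ROOT = "/www"
# Subject alternative names of the certificate issued in the acme.sh run.
CERT_SANS = ("showlet.tk", "*.showlet.tk")


def normalize_host(raw):
    """Assumed approximation of the checks nginx applies to the Host header
    before server_name matching: strip the port and a trailing dot,
    lowercase, and reject '/', '\\' or consecutive dots, so a captured
    $subdomain can never contain a path separator or '..'."""
    host = raw.split(":", 1)[0].rstrip(".").lower()
    if not host or "/" in host or "\\" in host or ".." in host:
        return None
    return host


def cert_covers(host, sans=CERT_SANS):
    """A '*.' SAN matches exactly one leftmost label (RFC 6125), so the
    wildcard covers show1.showlet.tk but not a.b.showlet.tk or the apex."""
    for san in sans:
        if san.startswith("*."):
            parent = san[1:]  # ".showlet.tk"
            if host.endswith(parent) and "." not in host[: -len(parent)]:
                return True
        elif host == san:
            return True
    return False


def resolve(raw_host):
    """Map a request Host to (document root, certificate-valid flag); None
    means the regex block does not match and nginx uses its default server."""
    host = normalize_host(raw_host)
    if host is None:
        return None
    m = SERVER_NAME_RE.match(host)
    if m is None:
        return None
    return f"{WEB_ROOT}/{m.group('subdomain')}", cert_covers(host)


if __name__ == "__main__":
    for h in ("show1.showlet.tk", "Show2.showlet.tk:443", "a.b.showlet.tk",
              "showlet.tk", "evil-showlet.tk"):
        print(f"{h:22} -> {resolve(h)}")
```

The evil-showlet.tk case shows that the unescaped dot before showlet in the regex also matches names that are not subdomains at all; escaping it (\.) and anchoring with $ tightens the match.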