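HTTPS Configuration
This article gives a brief introduction to the HTTPS protocol and, using ACME certificate automation, walks through configuring an SSL certificate to enable HTTPS access.
The HTTPS protocol
To be updated
HTTPS/SSL certificate configuration
Free SSL certificate application site: https://freessl.cn/
- Make sure the ECS security group allows traffic on port 443 for HTTPS
First, install acme.sh
Change to a download directory, then download and install acme.sh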
curl https://get.acme.sh | sh
The project also provides an alternative link for use inside China:
curl 'https://gitcode.net/cert/cn-acme.sh/-/raw/master/install.sh?inline=false' | sh
The terminal output looks like this:
[root@iZuf6bk3ycdczx5tq96ms1Z acme]# curl https://get.acme.sh | sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1032 0 1032 0 0 1379 0 --:--:-- --:--:-- --:--:-- 1377
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 217k 100 217k 0 0 6417 0 0:00:34 0:00:34 --:--:-- 10136
[Sun Mar 17 11:08:05 PM CST 2024] Installing from online archive.
[Sun Mar 17 11:08:05 PM CST 2024] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Sun Mar 17 11:08:06 PM CST 2024] Extracting master.tar.gz
[Sun Mar 17 11:08:06 PM CST 2024] Installing to /root/.acme.sh
[Sun Mar 17 11:08:06 PM CST 2024] Installed to /root/.acme.sh/acme.sh
[Sun Mar 17 11:08:06 PM CST 2024] Installing alias to '/root/.bashrc'
[Sun Mar 17 11:08:06 PM CST 2024] OK, Close and reopen your terminal to start using acme.sh
[Sun Mar 17 11:08:06 PM CST 2024] Installing alias to '/root/.cshrc'
[Sun Mar 17 11:08:06 PM CST 2024] Installing alias to '/root/.tcshrc'
[Sun Mar 17 11:08:06 PM CST 2024] Installing cron job
no crontab for root
no crontab for root
[Sun Mar 17 11:08:06 PM CST 2024] Good, bash is found, so change the shebang to use bash as preferred.
[Sun Mar 17 11:08:08 PM CST 2024] OK
[Sun Mar 17 11:08:08 PM CST 2024] Install success!
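After adding the domain that needs HTTPS, go to your domain's DNS settings and complete the ACME domain configuration
Once that is configured, run the check to obtain the certificate issuance command, for example: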
acme.sh --issue -d williamshen.cn --dns dns_dp --server https://acme.freessl.cn/v2/DV90/directory/YourPersonalACMEAddress
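- If the system environment has not been configured for acme.sh, you can run the command from its install location instead: /root/.acme.sh/acme.sh
- The environment can be configured with the following commands:
alias acme.sh=~/.acme.sh/acme.sh
echo 'alias acme.sh=~/.acme.sh/acme.sh' >> /etc/profile.d/acme.sh
Once this completes, the certificate is stored under /root/.acme.sh by default. Using the files at that location directly is not recommended; copy the certificate with the following command instead: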
acme.sh --install-cert -d example.com \
--key-file /path/to/keyfile/in/nginx/key.pem \
--fullchain-file /path/to/fullchain/nginx/cert.pem \
--reloadcmd "service nginx force-reload"
For example:
acme.sh --install-cert -d williamshen.cn \
--key-file /usr/share/nginx/ssl_cert/williamshen.cn/williamshen.cn.key \
--fullchain-file /usr/share/nginx/ssl_cert/williamshen.cn/williamshen.cn.cert \
--reloadcmd "service nginx force-reload"
acme.sh --install-cert -d blog.williamshen.cn \
--key-file /usr/share/nginx/ssl_cert/williamshen.cn/blog.williamshen.cn.key \
--fullchain-file /usr/share/nginx/ssl_cert/williamshen.cn/blog.williamshen.cn.cert \
--reloadcmd "service nginx force-reload"
acme.sh --install-cert -d pan.williamshen.cn \
--key-file /usr/share/nginx/ssl_cert/williamshen.cn/pan.williamshen.cn.key \
--fullchain-file /usr/share/nginx/ssl_cert/williamshen.cn/pan.williamshen.cn.cert \
--reloadcmd "service nginx force-reload"
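Modify the nginx configuration by adding the following directives:
server {
    ...
    listen 443 ssl;                               # port used for HTTPS
    ssl_certificate /etc/ssl/certificate.cert;    # path to the site's new certificate
    ssl_certificate_key /etc/ssl/private.key;     # path to the site's new private key
    server_name your.domain.com;                  # domain name
    ...
}
At this point the SSL certificate is configured; try accessing the site over HTTPS to confirm that it works.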
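As an added example (not part of the original post or of acme.sh), the script below checks a key/certificate pair written by `acme.sh --install-cert` before nginx relies on it: key file permissions, key/certificate match, hostname coverage and remaining validity. The function names and the 7-day threshold are assumptions; it requires openssl and GNU stat.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or the acme.sh project).
# Function names are hypothetical; requires openssl and GNU stat (Linux).

# The private key must be a regular file with no group/other permission bits.
key_perms_ok() {
    local mode
    [ -f "$1" ] || return 1
    mode=$(stat -L -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;    # e.g. 600 or 400
        *)   return 1 ;;
    esac
}

# The leaf certificate (first in the fullchain file) must carry the same
# public key as the private key, i.e. the two files belong together.
cert_matches_key() {
    local a b
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# The certificate must be valid for the name used in nginx's server_name.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# The certificate must still be valid N days from now (catches failed renewals).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run every check. Usage: verify_install DOMAIN KEY_FILE FULLCHAIN_FILE
verify_install() {
    local rc=0
    key_perms_ok "$2"          || { echo "FAIL: $2 missing or open to group/other"; rc=1; }
    cert_matches_key "$3" "$2" || { echo "FAIL: $3 does not match key $2"; rc=1; }
    cert_covers_host "$3" "$1" || { echo "FAIL: $3 is not valid for $1"; rc=1; }
    cert_valid_for_days "$3" 7 || { echo "FAIL: $3 expires within 7 days"; rc=1; }
    return "$rc"
}

# Invocation with the paths used earlier on this page:
# verify_install williamshen.cn \
#   /usr/share/nginx/ssl_cert/williamshen.cn/williamshen.cn.key \
#   /usr/share/nginx/ssl_cert/williamshen.cn/williamshen.cn.cert
```

Because the three certificates on this page share one directory, the key-match and hostname checks are the ones that catch a `.key` or `.cert` path pasted into the wrong server block.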
References
- ACME v2 certificate automation quick start https://blog.freessl.cn/acme-quick-start/
- Configuring a free HTTPS certificate with acme.sh on Linux https://blog.csdn.net/u010227042/article/details/122215017