- 更新ca-certificates
# Refresh the system CA bundle before the HTTPS downloads that follow
# (the acme.sh installer and the ACME API) so they verify against a
# current trust store.
yum update ca-certificates
- 安装acmesh
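# Install acme.sh. Save the installer to a file instead of piping the HTTP
# response straight into sh: -f makes curl exit non-zero on an HTTP error
# (otherwise an error page would be executed), the failure is checked before
# anything runs, and the saved file can be read before it is run as root.
# The positional "email=..." argument is what "sh -s email=..." passed in
# the original one-liner.
installer=$(mktemp) || exit 1
curl -fsSL -o "$installer" https://get.acme.sh || { rm -f -- "$installer"; exit 1; }
sh "$installer" email=yyy@xxx.com
rm -f -- "$installer"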
- 申请证书
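# DNS-01 validation through DNSPod; configuration for other providers:
# https://github.com/acmesh-official/acme.sh/wiki/dnsapi
#
# DNSPod API credentials ("aaa"/"bbb" are placeholders). Keep the real values
# out of shell history: put them in a root-only file and source it here, or
# prompt for them with `read -rs`. acme.sh copies them into
# /root/.acme.sh/account.conf on first use, so that file must stay readable
# by root only.
export DP_Id="aaa"
export DP_Key="bbb"
# --dns dns_dp selects the DNSPod plugin. Stop on failure so the install step
# that follows does not run against a certificate that was never issued.
/root/.acme.sh/acme.sh --issue --dns dns_dp -d xxx.com -d '*.xxx.com' || exit 1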
- 证书放置目录,用于nginx读取,并定时更新,自动刷新nginx
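# Directory nginx reads the certificate from. The private key is copied into
# it, so create it root-only rather than relying on the default umask.
install -d -m 700 /etc/nginx/certs/xxx.com || exit 1
# Install the certificate. acme.sh repeats this copy after each renewal and
# then runs --reloadcmd, so nginx picks up the new files on its own.
# "nginx -t" first so a broken configuration is not loaded into the running
# server (acme.sh evaluates the reload command with the shell, so && works).
/root/.acme.sh/acme.sh --install-cert -d xxx.com \
  --cert-file      /etc/nginx/certs/xxx.com/cert \
  --key-file       /etc/nginx/certs/xxx.com/key \
  --fullchain-file /etc/nginx/certs/xxx.com/fullchain \
  --reloadcmd      "nginx -t && nginx -s reload" || exit 1
# Make sure the private key is not world-readable, whatever the umask or
# acme.sh version did when the file was first written.
chmod 600 /etc/nginx/certs/xxx.com/key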
- nginx配置
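server {
    # Port 80 still proxies the application in clear text; no redirect to
    # https is configured here.
    listen 80;
    listen 443 ssl http2;
    server_name xxx.com;

    # Serve the full chain, not the leaf alone: "cert" carries no
    # intermediate, so clients that do not already hold the issuer cannot
    # build a path. "fullchain" is written by the acme.sh --install-cert step.
    ssl_certificate     "/etc/nginx/certs/xxx.com/fullchain";
    ssl_certificate_key "/etc/nginx/certs/xxx.com/key";
    # Explicit protocol floor; the compiled-in default of older builds may
    # still accept TLS 1.0/1.1. The TLSv1.3 token needs nginx >= 1.13.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    # HIGH:!aNULL:!MD5 is a broad list; a curated suite (e.g. the Mozilla
    # "intermediate" set) is tighter.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/xxx.com.access.log;
    error_log  /var/log/nginx/xxx.com.error.log;

    location / {
        proxy_http_version 1.1;
        # WebSocket / connection-upgrade passthrough.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://localhost:8000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Lets the backend tell HTTP from HTTPS requests, since both ports
        # reach this location.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 300s;
    }
}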