acme获取泛域名证书

下载acme脚本

curl  https://get.acme.sh | sh

设置证书CA - ZeroSSL

acme 3.0开始默认使用ZeroSSL作为证书服务商, 这步可以跳过

acme.sh --set-default-ca --server zerossl

设置API Key

https://app.zerossl.com/developer

acme.sh --register-account -m myemail@example.com --server zerossl --eab-kid <eab-kid> --eab-hmac-key <eab-hmac-key>

配置DNS_API和获取证书

https://github.com/acmesh-official/acme.sh/wiki/dnsapi

找到自己使用的域名供应商, 进行配置

安装证书

把证书安装到nginx目录下.

acme.sh --install-cert -d yourdomain.com -d "*.yourdomain.com" \
--cert-file /etc/nginx/cert/cert.crt \
--key-file /etc/nginx/cert/privkey.pem \
--fullchain-file /etc/nginx/cert/fullchain.pem \
--reloadcmd     "service nginx force-reload"

nginx设置https

# nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        server_name  www.mirthfullee.top blog.mirthfullee.top mirthfullee.top;
        # hexo blog content
        root         <content-root>;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        
        error_page 404 /404.html;
        location = /404.html {
        }

    # ssl cert
    include /etc/nginx/ssl.conf;

}
    server {

    if ($host = mirthfullee.top) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = *.mirthfullee.top) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen       80;
    listen       [::]:80;
    # 设置自动http转https
    server_name  *.mirthfullee.top mirthfullee.top;
    return 404;

}
    # proxy nas services
    include /etc/nginx/proxy.d/*.conf;
}

注意nginx的ssl_certficate设置的是fullchain证书, 否则会报错.

# ssl.conf
# listen [::]:443 ssl ipv6only=on;
# listen [::]:443; # manually changed
# ssl on;
listen 443 ssl;
ssl_certificate /etc/nginx/cert/fullchain.pem; 
ssl_certificate_key /etc/nginx/cert/privkey.pem; 

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";