Owen的博客 - HTTPS
主要关注技术,读书,摘抄,杂谈,文章评论,工具分享,工作流,灵感,英文学习,注意力管理,深度工作等方向。
Zola
2022-03-25T00:00:00+00:00
https://old.owenyoung.com/tags/https/atom.xml
在中国自动生成免费HTTPS证书的最佳方案
2022-03-25T00:00:00+00:00
2022-03-25T00:00:00+00:00
Owen Young
https://old.owenyoung.com/blog/auto-https-ssl-in-china/
<p>Certbot 自动生成 Lets encrypt 的方案已经被墙了,经过各种尝试之后,发现基于 <a rel="noopener nofollow noreferrer" target="_blank" href="https://github.com/acmesh-official/acme.sh"><code>amce.sh+cloudflare</code></a> 的 dns 解析是最方便无痛的.</p>
<p>Certbot 自动生成 Lets encrypt 的方案已经被墙了,经过各种尝试之后,发现基于 <a rel="noopener nofollow noreferrer" target="_blank" href="https://github.com/acmesh-official/acme.sh"><code>amce.sh+cloudflare</code></a> 的 dns 解析是最方便无痛的.</p>
<span id="continue-reading"></span>
<ol>
<li>下载 acme 工具:</li>
</ol>
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span>
</span><span style="color:#65737e;"># 用root用户权限,因为涉及到操作nginx
</span><span>
</span><span style="color:#bf616a;">sudo</span><span> su
</span><span>
</span><span style="color:#bf616a;">wget -O</span><span> - https://get.acme.sh | </span><span style="color:#bf616a;">sh -s</span><span> email=my@example.com
</span><span>
</span></code></pre>
<ol>
<li>
<p>域名在 <a rel="noopener nofollow noreferrer" target="_blank" href="https://www.cloudflare.com/zh-cn/">Cloudflare</a> 解析</p>
</li>
<li>
<p>在某个域名的 dashboard 面板右侧找到 <code>Account ID</code>, 记录下备用。</p>
</li>
<li>
<p>进入<a rel="noopener nofollow noreferrer" target="_blank" href="https://dash.cloudflare.com/profile/api-tokens">https://dash.cloudflare.com/profile/api-tokens</a>,生成一个 API Token,选择<code>Edit Zone</code> 模版,Zone Resources 选择 <code>All Zones</code>,生成,</p>
</li>
</ol>
<p>把以下的信息保存到 <code>~/.bashrc</code></p>
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span>
</span><span style="color:#b48ead;">export </span><span style="color:#bf616a;">CF_Token</span><span>="</span><span style="color:#a3be8c;">sdfsdfsdfljlbjkljlkjsdfoiwje</span><span>"
</span><span>
</span><span style="color:#b48ead;">export </span><span style="color:#bf616a;">CF_Account_ID</span><span>="</span><span style="color:#a3be8c;">xxxxxxxxxxxxx</span><span>"
</span><span>
</span></code></pre>
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span>
</span><span style="color:#96b5b4;">source </span><span style="color:#bf616a;">~</span><span>/.bashrc
</span><span>
</span></code></pre>
<blockquote>
<p>如果有什么不清楚的,可以参考文档: <a rel="noopener nofollow noreferrer" target="_blank" href="https://github.com/acmesh-official/acme.sh/wiki/dnsapi">https://github.com/acmesh-official/acme.sh/wiki/dnsapi</a></p>
</blockquote>
<ol>
<li>
<p>签发证书,运行 <code>acme.sh --issue --dns dns_cf -d example.com --server letsencrypt</code></p>
</li>
<li>
<p>安装证书到指定目录:</p>
</li>
</ol>
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span>
</span><span style="color:#bf616a;">acme.sh --install-cert -d</span><span> example.com \
</span><span>
</span><span style="color:#bf616a;">--key-file</span><span> /etc/nginx/ssl/example.com.key \
</span><span>
</span><span style="color:#bf616a;">--fullchain-file</span><span> /etc/nginx/ssl/example.com.crt \
</span><span>
</span><span style="color:#bf616a;">--reloadcmd </span><span>"</span><span style="color:#a3be8c;">service nginx force-reload</span><span>"
</span><span>
</span></code></pre>
<p>之后 acme 会自动添加 cron 任务,自动续期期限</p>
<ol>
<li>nginx 配置参考</li>
</ol>
<p>可以在<a rel="noopener nofollow noreferrer" target="_blank" href="https://www.digitalocean.com/community/tools/nginx?domains.0.https.certType=custom&domains.0.php.php=false&domains.0.reverseProxy.reverseProxy=true&domains.0.routing.root=false&global.app.lang=zhCN">这里</a> 在线生成一份合适的 ssl 配置</p>
<p>生成后,首次需要初始化 Diffie-Hellman keys:<code>openssl dhparam -out /etc/nginx/dhparam.pem 2048</code></p>
<p>然后运行 <code>sudo nginx -t && sudo systemctl reload nginx</code></p>