Configuring a trusted SSL certificate in Nginx

Tags: nginx, openssl, cert
Date: Aug 6, 2024
Summary: Issue SSL certificates with acme.sh.

1. Issuing a ZeroSSL certificate with acme.sh

1.1. Install dependencies

# On Ubuntu/Debian:
sudo apt install cron socat -y
# On Fedora/RHEL/CentOS:
sudo yum install nc socat -y

1.2. Install acme.sh

One-line install

curl https://get.acme.sh | sh

Custom install (optional)

git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
sudo ./acme.sh --install \
  --home /usr/local/acmesh \
  --config-home /usr/local/acmesh/data \
  --cert-home /usr/local/acmesh/data \
  --accountemail "service@wangyan.org"

1.3. Issue the certificate (DNS mode)

Register with ZeroSSL

Obtain the eab-kid and eab-hmac-key values and use them in place of xxxx.
acme.sh --register-account --server zerossl \
  --eab-kid xxxx \
  --eab-hmac-key xxxx

Import the domain registrar's API key

# Cloudflare
export CF_Key="" && \
  export CF_Email=""
# DNSPod
export DP_Id="" && \
  export DP_Key=""
# West
export WEST_Username="" && \
  export WEST_Key=""

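Issue an ECC certificate

Remember to change the --dns value to match your provider: dns_west_cn, dns_cf, or another one such as dns_dp.
acme.sh --register-account --server zerossl \
  --eab-kid xxx \
  --eab-hmac-key xxxxx

acme.sh --server zerossl --issue --force \
  -d 'wangyan.cloud' -d '*.wangyan.cloud' \
  --dns dns_cf --keylength ec-256

# Link the certificate directory by absolute path (a relative target would resolve inside ssl-certs itself).
# The path assumes the --cert-home from the custom install in 1.2; a default install keeps certificates under ~/.acme.sh.
ln -s /usr/local/acmesh/data/wangyan.cloud_ecc /usr/local/nginx/conf/ssl-certs/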

Revoke && remove

# Revoke the ECC certificate
acme.sh --revoke -d 'wangyan.cloud' -d '*.wangyan.cloud' --ecc
# List the certificates acme.sh still manages
acme.sh --list

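2. Nginx SSL configuration

2.1. Generate dhparam

# Mode 777 plus the sticky bit: any local user can create files in this directory, but only a file's owner (or root) can delete or rename them
sudo chmod 777 /usr/local/nginx/conf/ssl-certs && \
  sudo chmod o+t /usr/local/nginx/conf/ssl-certs

# Generate 2048-bit DH parameters locally
sudo openssl dhparam -out /etc/nginx/ssl-certs/dhparam.pem 2048

# Download Mozilla's predefined ffdhe2048 group to the same path (this overwrites the file generated above).
# tee performs the write as root; a plain > redirect would be opened by the calling user's shell, not by sudo.
curl https://ssl-config.mozilla.org/ffdhe2048.txt | sudo tee /etc/nginx/ssl-certs/dhparam.pem > /dev/null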
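
The chmod step above leaves the certificate directory world-writable (with the sticky bit), and the issued certificate directory is linked into it. As an added example, not part of the original post, this POSIX shell function audits such a directory for world-writable directories and for private keys readable by group or other; the function names, the `*.key` file pattern and the sample tree built under `mktemp` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a certificate directory.

# audit_cert_dir DIR
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 on bad input.
audit_cert_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # -L follows symlinks, so a certificate directory linked in with
    # `ln -s` is inspected as well.
    ww_dirs=$(find -L "$dir" -type d -perm -0002 2>/dev/null)
    # Private key files (assumed to be named *.key) that group or other can read.
    open_keys=$(find -L "$dir" -type f -name '*.key' \
        \( -perm -0040 -o -perm -0004 \) 2>/dev/null)
    status=0
    if [ -n "$ww_dirs" ]; then
        echo "$ww_dirs" | sed 's/^/WORLD-WRITABLE DIR: /'
        status=1
    fi
    if [ -n "$open_keys" ]; then
        echo "$open_keys" | sed 's/^/KEY READABLE BY GROUP OR OTHER: /'
        status=1
    fi
    return "$status"
}

# make_sample_layout
# Builds a constructed tree that mirrors the post's layout (a 1777 ssl-certs
# directory with a symlinked certificate directory) and prints its root path.
make_sample_layout() {
    root=$(mktemp -d) || return 1
    mkdir "$root/ssl-certs" "$root/acme-data"
    chmod 755 "$root/acme-data"
    chmod 777 "$root/ssl-certs" && chmod o+t "$root/ssl-certs"
    : > "$root/acme-data/example.test.key"      # constructed, empty "key"
    chmod 644 "$root/acme-data/example.test.key"
    ln -s "$root/acme-data" "$root/ssl-certs/example.test_ecc"
    echo "$root"
}

# When run with a directory argument, audit it.
if [ "$#" -gt 0 ]; then audit_cert_dir "$1"; fi
```

Run it as `sh audit.sh /usr/local/nginx/conf/ssl-certs`; a non-zero exit status means at least one finding was printed.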