Preface
I used to think SSL certificates always had to be bought from a commercial CA; it turns out Let's Encrypt issues them for free. The catch is that a free certificate is only valid for 90 days, but plenty of tools exist to renew it automatically.
Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. The certificate is valid for 90 days, during which renewal can take place at any time.
The tool I found is acme.sh, a plain bash script with no extra dependencies to install.
Installing acme.sh
Usage is also fairly simple: two steps, issue the certificate and install it. Note that the issued certificate has to be placed under the nginx directory.
# download and install acme.sh (this step also registers the daily cron job shown below)
curl https://get.acme.sh | sh
# issue a certificate using the webroot method; the ACME challenge files are written
# under /var/www/.letsencrypt/.well-known/, which the port-80 server block below must serve
acme.sh --issue -d example.com -w /var/www/.letsencrypt
# install: copy key and full chain to the paths nginx reads, then reload nginx;
# acme.sh runs the same reload command again after every automatic renewal
acme.sh --install-cert -d example.com \
  --key-file /etc/nginx/ssl/site.key \
  --fullchain-file /etc/nginx/ssl/site.cert \
  --reloadcmd "sudo service nginx reload"
Update the Nginx configuration
server {
    listen 443 ssl;
    ...
    ssl_certificate /etc/nginx/ssl/site.cert;     # full chain written by --install-cert
    ssl_certificate_key /etc/nginx/ssl/site.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;          # do not use SSLv3 ref: POODLE
                                                  # (TLSv1/TLSv1.1 are deprecated by RFC 8996; drop them unless legacy clients need them)
}
server {
    listen 80;
    root /var/www/.letsencrypt/;                  # must match the -w webroot given to acme.sh --issue
    index index.html;
    location / {
        # everything else is redirected to HTTPS
        rewrite ^/(.*)$ https://$host$request_uri permanent;
    }
    location ^~ /.well-known/ {
        # serve ACME challenge files over plain HTTP so validation and renewal keep working
        try_files $uri $uri/ =404;
    }
}
Renewing the SSL certificate
When acme.sh is installed it automatically adds a daily job to crontab, which runs in the middle of the night, checks the certificate and renews it when it is due:
30 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null
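Because that cron line sends all output to /dev/null, a renewal that keeps failing is easy to miss until the site breaks. The following check script is an added example, not part of acme.sh or the original post: it reads the expiry date of the installed certificate with openssl and exits non-zero when fewer than 30 days remain, so it can run from cron or a monitor next to the acme.sh job. The certificate path and the 30-day threshold are assumptions taken from the setup above; the date is parsed in the script itself so it runs on plain POSIX sh without GNU date.

```shell
#!/bin/sh
# Added example, not part of acme.sh or the post: warn when the certificate nginx
# serves is close to expiry. Assumes openssl is installed; the cert path and the
# 30-day threshold are taken from the setup above.
# Days since 1970-01-01 for a calendar date, integer arithmetic only (Hinnant's
# days_from_civil), so the script does not depend on GNU date.
days_from_civil() {  # $1=year $2=month $3=day
  y=$1 m=$2 d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# Turn openssl's "notAfter=Jan 12 03:14:07 2025 GMT" line into Unix time.
not_after_epoch() {
  s=${1#notAfter=}
  IFS=' :'; set -- $s; unset IFS   # $1=month $2=day $3=h $4=m $5=s $6=year $7=GMT
  case $1 in
    Jan) mo=1;;  Feb) mo=2;;  Mar) mo=3;;  Apr) mo=4;;  May) mo=5;;  Jun) mo=6;;
    Jul) mo=7;;  Aug) mo=8;;  Sep) mo=9;;  Oct) mo=10;; Nov) mo=11;; Dec) mo=12;;
    *) return 1;;
  esac
  days=$(days_from_civil "$6" "$mo" "$2")
  echo $(( days * 86400 + ${3#0} * 3600 + ${4#0} * 60 + ${5#0} ))
}

# Whole days until the certificate file $1 expires, relative to $2 (default: now).
days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate) || return 1
  exp=$(not_after_epoch "$end") || return 1
  now=${2:-$(date +%s)}
  echo $(( (exp - now) / 86400 ))
}
# Exit non-zero (so cron mails or a monitor alerts) when under $2 days remain.
check_cert() {  # $1=cert path $2=threshold in days (default 30)
  left=$(days_left "$1") || { echo "cannot read $1" >&2; return 2; }
  if [ "$left" -lt "${2:-30}" ]; then
    echo "WARNING: $1 expires in $left days; check the acme.sh --cron output" >&2
    return 1
  fi
  echo "$1 ok: $left days left"
}

# Usage: CERT=/etc/nginx/ssl/site.cert sh check_cert.sh  (CERT unset: only defines functions)
if [ -n "${CERT:-}" ]; then check_cert "$CERT" 30; fi
```

A non-zero exit from cron is enough for most monitoring setups to raise an alert; the threshold of 30 days matches the point at which acme.sh itself would normally have renewed the certificate.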