申请证书

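# Passing --pre-hook "systemctl stop nginx" and --post-hook "systemctl start nginx"
# to acme.sh means nginx does not have to be stopped by hand before issuing.
#nginx -s stop
#systemctl stop nginx
apt-get install socat curl

# Save the installer to a file instead of piping it straight into sh: a
# truncated or failed download is then never executed (-f makes curl exit
# non-zero on an HTTP error), and the script can be read before it runs.
acme_installer=$(mktemp)
curl -fsSL https://get.acme.sh -o "$acme_installer"
# Review "$acme_installer" at this point, then run it.
sh "$acme_installer"
rm -f -- "$acme_installer"

~/.acme.sh/acme.sh --set-default-ca --server letsencrypt

# Trial issuance: --test talks to the CA's staging endpoint, so a mistake here
# does not count against production rate limits. The resulting certificate is
# not publicly trusted and must not be installed.
~/.acme.sh/acme.sh --issue -d hh.kkiikk02.top --standalone -k ec-256 --force --test --pre-hook "systemctl stop nginx"  --post-hook  "systemctl start nginx"

# Throw away the staging certificate and its saved settings before the real run.
rm -rf ~/.acme.sh/hh.kkiikk02.top_ecc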
以上是测试签发(使用了 --test),确认成功后再执行下面的正式签发
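# Production issuance. --force is left out on purpose: the staging directory
# was removed beforehand, so nothing needs overriding, and forcing a re-issue
# every time these commands are replayed burns through the CA's rate limits.
~/.acme.sh/acme.sh --issue -d hh.kkiikk02.top --standalone -k ec-256 --pre-hook "systemctl stop nginx"  --post-hook  "systemctl start nginx"

# Directory for the certificate and private key. -p keeps a rerun from failing
# when it already exists; mode 700 keeps the key away from other local users.
mkdir -p /etc/nginx/ssl/
chmod 700 /etc/nginx/ssl/

# Copy the certificate and key to where nginx reads them (never point nginx at
# ~/.acme.sh directly). acme.sh stores these paths and repeats the copy on each
# renewal; --reloadcmd makes nginx load the renewed files afterwards.
# --install-cert / --fullchain-file / --key-file are the documented spellings
# of the older --installcert / --fullchainpath / --keypath.
~/.acme.sh/acme.sh --install-cert -d hh.kkiikk02.top --ecc \
  --fullchain-file /etc/nginx/ssl/hh.kkiikk02.top.crt \
  --key-file /etc/nginx/ssl/hh.kkiikk02.top.key \
  --reloadcmd "systemctl reload nginx"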

nginx.conf配置

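# Worker processes handle untrusted network input and should not run as root.
# The master process still starts as root, binds ports 80/443 and reads the
# certificate key before workers drop to this account.
# www-data is the stock unprivileged web account on Debian/Ubuntu; substitute
# the account your build uses, and make sure it can read the web root (/html).
user  www-data;
worker_processes  auto;
#error_log  /etc/nginx/error.log warn;
#pid    /run/nginx.pid;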
# Connection handling: epoll event method, up to 1024 connections per worker,
# and each worker accepts all pending connections at once.
events {
    worker_connections  1024;
    multi_accept on;
    use epoll;
}
http {
    # MIME table; check that this path matches your installation.
    include /etc/nginx/conf/mime.types;
    default_type  application/octet-stream;

    # "main" log format. No access_log directive on this page refers to it.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    # Request size limits. 10G request bodies and 32k header buffers are very
    # generous; NOTE(review): size these to what the site really needs, since
    # every client can make the server buffer this much.
    server_names_hash_bucket_size 512;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 10G;

    # Socket behaviour. A 720-second keepalive holds idle connections open
    # for a long time.
    sendfile        on;
    tcp_nopush     on;
    tcp_nodelay on;
    keepalive_timeout 720;

    # FastCGI defaults. The one-hour timeouts let a stuck backend request
    # occupy a connection for that long.
    fastcgi_connect_timeout 3600;
    fastcgi_send_timeout 3600;
    fastcgi_read_timeout 3600;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;
    fastcgi_intercept_errors on;

    # Response compression.
    # NOTE(review): compressing TLS responses that mix secrets with
    # attacker-influenced text is the precondition for BREACH-style attacks;
    # confirm that no such responses are served here.
    gzip on;
    gzip_min_length  1k;
    gzip_buffers     4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types     text/plain application/javascript application/x-javascript text/javascript text/css application/xml;
    gzip_vary on;
    gzip_proxied   expired no-cache no-store private auth;
    gzip_disable   "MSIE [1-6]\.";

    # Keep the nginx version out of the Server header and error pages.
    server_tokens off;

    # Per-site server blocks.
    include /etc/nginx/conf/conf.d/*.conf;
}

d.conf配置

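# HTTPS virtual host for hh.kkiikk02.top.
server {
    # TLS is enabled per listener. The standalone "ssl on;" directive was
    # deprecated in nginx 1.15.0 and removed in 1.25.1, where it stops the
    # configuration from loading.
    listen 0.0.0.0:443 ssl;
    listen [::]:443 ssl; # comment this line out if the host has no IPv6

    ssl_certificate       /etc/nginx/ssl/hh.kkiikk02.top.crt;
    ssl_certificate_key   /etc/nginx/ssl/hh.kkiikk02.top.key;
    ssl_protocols         TLSv1.3;
    # ssl_ciphers applies to TLS 1.2 and below only, so it has no effect while
    # ssl_protocols is TLSv1.3 alone. The 3DES and static-RSA key-exchange
    # entries are dropped so that enabling TLSv1.2 later cannot bring back
    # weak or non-forward-secret suites.
    ssl_ciphers EECDH+CHACHA20:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:!MD5;

    server_name hh.kkiikk02.top;
    index index.html index.htm;
    root  /html;
    error_page 400 = /400.html;

    location / {
        # No PHP handler is configured in this server block, so a .php file
        # under the web root would be returned as-is rather than executed.
        index index.php index.html index.htm;
    }

    # Config for 0-RTT in TLSv1.3
    # Early data can be replayed by anyone who captured it. Keep it on only if
    # every request served here is safe to repeat; with a backend, pass
    # $ssl_early_data along so non-idempotent early requests can be refused.
    ssl_early_data on;

    # OCSP stapling. nginx needs a "resolver" to look up the responder, e.g.
    #   resolver <RESOLVER_IP> valid=300s;
    # NOTE(review): if the CA no longer puts an OCSP URL in its certificates,
    # nginx ignores stapling with a warning; confirm for your CA.
    ssl_stapling on;
    ssl_stapling_verify on;

    # "always" sends HSTS on error responses too, not only on 2xx/3xx.
    add_header Strict-Transport-Security "max-age=31536000" always;
}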
    # Plain-HTTP listener: every request is answered with a permanent
    # redirect to the same URI on the HTTPS host.
    server {
        server_name hh.kkiikk02.top;
        listen 80;
        listen [::]:80;   # comment this line out if the host has no IPv6
        return 301 https://hh.kkiikk02.top$request_uri;
    }
最后修改:2023 年 08 月 14 日