acme.sh certificate client
Published 2023-06-25 16:56:36 Author: lbnnbs
curl https://get.acme.sh | sh
Issue a certificate (webroot mode; /path/to/webroot is the document root of the site served on port 80)
acme.sh --issue -d xxx.com -w /path/to/webroot
After the certificate is issued, acme.sh prints the following
Your cert is in /root/.acme.sh/xxx.com/mrnil.com.cer
Your cert key is in /root/.acme.sh/xxx.com/mrnil.com.key
The intermediate CA cert is in /root/.acme.sh/xxx.com/ca.cer
And the full chain certs is there: /root/.acme.sh/xxx.com/fullchain.cer
Install the certificate as PEM files; acme.sh records this command and re-runs it from the cron job it installed, so renewals are copied into place and nginx is reloaded automatically
acme.sh --install-cert -d xxx.com \
--key-file /path/to/certs/key.pem \
--fullchain-file /path/to/certs/cert.pem \
--reloadcmd "systemctl restart nginx"
Generate dhparam.pem
openssl dhparam -out /path/to/certs/dhparam.pem 2048
Configure nginx by hand and add the certificate settings to the server block
listen 443 ssl;
ssl_certificate /path/to/certs/cert.pem;
ssl_certificate_key /path/to/certs/key.pem;
ssl_dhparam /path/to/certs/dhparam.pem;
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
Note: acme.sh validates the domain over plain HTTP on port 80 (the HTTP-01 challenge), so do not delete the port-80 server block and keep only the 443 one; otherwise the challenge file below cannot be fetched and automatic renewal fails
http://xxx.com/.well-known/acme-challenge/<validation file>
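To keep renewals working while still forcing visitors onto HTTPS, the port-80 server block only has to serve the ACME challenge path from the webroot that acme.sh writes to; everything else can redirect to 443. The script below is an added example, not from the original post or from the acme.sh project: it prints such a server block for a domain and webroot (xxx.com and /path/to/webroot are placeholders), and includes a small check that can be run against an nginx config file before reloading to confirm the port-80 listener and the challenge location are still present.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumptions: the domain
# and webroot are placeholders; acme.sh --issue -w <webroot> writes its
# token files under <webroot>/.well-known/acme-challenge/.

# Print a port-80 server block that serves ACME challenge files from the
# webroot and redirects every other request to the HTTPS server block.
acme_http_server_block() {
    domain="$1"
    webroot="$2"
    cat <<EOF
server {
    listen 80;
    server_name ${domain};

    # acme.sh places the HTTP-01 token here during issue and renewal
    location /.well-known/acme-challenge/ {
        root ${webroot};
        default_type text/plain;
    }

    # everything else goes to the 443 server block
    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
}

# Return 0 if the config file still has a port-80 listener and a location
# for the ACME challenge path; return 1 otherwise (renewal would fail).
check_acme_http_path() {
    conf="$1"
    grep -Eq '^[[:space:]]*listen[[:space:]]+80' "$conf" || return 1
    grep -Eq 'location[[:space:]]+/\.well-known/acme-challenge/' "$conf" || return 1
    return 0
}

# Demonstration against a generated block and a constructed HTTPS-only config.
main() {
    tmpdir=$(mktemp -d)
    acme_http_server_block xxx.com /path/to/webroot > "$tmpdir/http.conf"
    printf 'server {\n    listen 443 ssl;\n    server_name xxx.com;\n}\n' > "$tmpdir/https_only.conf"
    if check_acme_http_path "$tmpdir/http.conf"; then
        echo "http.conf: ACME challenge path is reachable on port 80"
    fi
    if ! check_acme_http_path "$tmpdir/https_only.conf"; then
        echo "https_only.conf: port-80 block missing, automatic renewal would fail"
    fi
    rm -rf "$tmpdir"
}

main "$@"
```

Run `acme_http_server_block xxx.com /path/to/webroot > /etc/nginx/conf.d/xxx.com-http.conf` (adjust the path to your layout), then `check_acme_http_path` on the resulting file and `nginx -t` before reloading. The check is deliberately a plain grep so it works on any host that has the config file, without nginx installed.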