Notes on obtaining a wildcard certificate

1. Install acme.sh

Install it from the command line:

curl  https://get.acme.sh | sh

The installer automatically creates a cron job for renewal:

crontab -l
# 52 0 * * * "/home/rabbee/.acme.sh"/acme.sh --cron --home "/home/rabbee/.acme.sh" > /dev/null

2. Issue the certificate

Validation is done through DNS here.

The DNS provider's management API is accessed with an API token.

Alibaba Cloud

### configure your API credentials
export Ali_Key=""
export Ali_Secret=""

### issue the certificate
acme.sh --issue --dns dns_ali -d rabbee.cn -d '*.rabbee.cn'
# [Sun Jan 12 17:13:56 CST 2020] Your cert is in  /home/rabbee/.acme.sh/rabbee.cn/rabbee.cn.cer
# [Sun Jan 12 17:13:56 CST 2020] Your cert key is in  /home/rabbee/.acme.sh/rabbee.cn/rabbee.cn.key
# [Sun Jan 12 17:13:56 CST 2020] v2 chain.
# [Sun Jan 12 17:13:56 CST 2020] The intermediate CA cert is in  /home/rabbee/.acme.sh/rabbee.cn/ca.cer
# [Sun Jan 12 17:13:56 CST 2020] And the full chain certs is there:  /home/rabbee/.acme.sh/rabbee.cn/fullchain.cer
# [Sun Jan 12 17:13:56 CST 2020] _on_issue_success

If the output above appears, issuance succeeded.

Cloudflare

Get the API key here.

Use the Global API Key; an Origin CA Key cannot be used here.

### configure your API credentials
export CF_Key=""
export CF_Email=""

### issue the certificate
acme.sh --issue --dns dns_cf -d rabbee.me -d '*.rabbee.me'
# [Sun Jan 12 17:53:09 CST 2020] Your cert is in  /home/rabbee/.acme.sh/rabbee.me/rabbee.me.cer
# [Sun Jan 12 17:53:09 CST 2020] Your cert key is in  /home/rabbee/.acme.sh/rabbee.me/rabbee.me.key
# [Sun Jan 12 17:53:09 CST 2020] v2 chain.
# [Sun Jan 12 17:53:09 CST 2020] The intermediate CA cert is in  /home/rabbee/.acme.sh/rabbee.me/ca.cer
# [Sun Jan 12 17:53:09 CST 2020] And the full chain certs is there:  /home/rabbee/.acme.sh/rabbee.me/fullchain.cer
# [Sun Jan 12 17:53:09 CST 2020] _on_issue_success

If the output above appears, issuance succeeded.

3. Install the certificate

mkdir -p /etc/nginx/cert/rabbee.cn
mkdir -p /etc/nginx/cert/rabbee.me
chown -R rabbee:www-data /etc/nginx/cert

# the trailing backslash before --reloadcmd is required; without it the reload
# hook is run as a separate command and is never stored for future renewals
acme.sh --install-cert -d rabbee.cn \
--cert-file      /etc/nginx/cert/rabbee.cn/cert  \
--key-file       /etc/nginx/cert/rabbee.cn/key  \
--fullchain-file /etc/nginx/cert/rabbee.cn/fullchain \
--reloadcmd      "systemctl force-reload nginx"

acme.sh --install-cert -d rabbee.me \
--cert-file      /etc/nginx/cert/rabbee.me/cert  \
--key-file       /etc/nginx/cert/rabbee.me/key  \
--fullchain-file /etc/nginx/cert/rabbee.me/fullchain \
--reloadcmd      "systemctl force-reload nginx"

The certificate is currently renewed automatically after 60 days; no action is needed on your part. This interval may be shortened in the future, but that is also automatic, so you don't need to worry about it.

4. Configure the certificate

Add ssl_certificate and ssl_certificate_key to the nginx configuration:

server {
    # ...
    listen               443 ssl;
    listen               [::]:443 ssl;
    ssl_certificate      /etc/nginx/cert/rabbee.cn/fullchain;
    ssl_certificate_key  /etc/nginx/cert/rabbee.cn/key;
    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers          HIGH:!aNULL:!MD5;
    # ...
}
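As an added example (not from the original post or from acme.sh itself), a small POSIX shell script that checks an installed pair before nginx is reloaded: the key matches the certificate, the wildcard name is in the SAN list, enough validity is left to show renewal is working, and the key file is not world-readable. The fixture certificate it generates with openssl is constructed for demonstration only; the example.test name and the paths in the usage line are placeholders for the layout used above.

```shell
#!/bin/sh
# Added example (not from the original post or from acme.sh): sanity checks for a
# certificate pair installed by "acme.sh --install-cert" before nginx loads it.
# Requires the openssl CLI; all file paths are passed as arguments.

# 0 if the public key inside the certificate belongs to the private key file.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is still valid $2 days from now. acme.sh renews at 60 days,
# so a cert with less than 30 days left means renewal has been failing silently.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# 0 if the subjectAltName list contains exactly the DNS name in $2 (e.g. '*.rabbee.cn').
cert_covers_name() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' \
        | grep -Fqw "DNS:$2"
}

# 0 if "other" has no read bit; nginx workers read the key through the group (www-data above).
key_not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Constructed fixture: a throwaway self-signed wildcard cert so the checks can run offline.
make_fixture() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -keyout "$dir/key" -out "$dir/fullchain" -subj '/CN=example.test' \
        -addext 'subjectAltName=DNS:example.test,DNS:*.example.test' >/dev/null 2>&1
    chmod 640 "$dir/key"
    echo "$dir"
}

# Usage: check_installed_cert /etc/nginx/cert/rabbee.cn/fullchain /etc/nginx/cert/rabbee.cn/key '*.rabbee.cn'
check_installed_cert() {
    cert_matches_key "$1" "$2"   || { echo "key does not match certificate"; return 1; }
    cert_valid_for_days "$1" 30  || { echo "certificate expires within 30 days"; return 1; }
    cert_covers_name "$1" "$3"   || { echo "certificate does not cover $3"; return 1; }
    key_not_world_readable "$2"  || { echo "private key is world-readable"; return 1; }
    echo "ok"
}
```

Run it against each installed domain after `--install-cert` and again from cron, so a renewal that silently stopped reloading nginx is caught before the old certificate expires.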