https://github.com/acmesh-official/acme.sh


注意

  1. nginx版本不要太低
  2. acme.sh v3.0以后,默认 CA变成了ZeroSSL

https://github.com/acmesh-official/acme.sh/wiki/Change-default-CA-to-ZeroSSL

  1. nginx command is not found. 错误:Nginx模式。需要给Nginx做一个软连接

ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/nginx

  1. Can not find nginx conf 错误:加上指定的域名配置文件

acme.sh —issue -d 域名 —nginx /usr/local/nginx/conf/conf.d/域名配置

  1. 关掉防火墙

1. 安装acme.sh

  1. curl  [https://get.acme.sh](https://get.acme.sh) | sh<br />![](https://cdn.nlark.com/yuque/0/2022/png/288528/1648171759105-d476ae51-504f-4d33-bdde-76ae5e873abc.png#crop=0&crop=0&crop=1&crop=1&id=jhyfZ&originHeight=530&originWidth=1083&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)
  1. [root@localhost ~]# cd ~/.acme.sh/
  2. [root@localhost .acme.sh]# ls
  3. account.conf  acme.sh  acme.sh.csh  acme.sh.env  deploy  dnsapi  notify
  5. # (1) 执行acme.sh 安装
  6. [root@localhost .acme.sh]# acme.sh
  7. bash: acme.sh: command not found...
  9. ### 不能执行,检查bashrc文件
  10. [root@localhost .acme.sh]# vim ~/.bashrc
  11. ---------------------------------------------------
  12. # .bashrc
  13. # User specific aliases and functions
  15. alias rm='rm -i'
  16. alias cp='cp -i'
  17. alias mv='mv -i'
  19. # Source global definitions
  20. if [ -f /etc/bashrc ]; then
  21.         . /etc/bashrc
  22. fi
  23. . "/root/.acme.sh/acme.sh.env"   <-- 已添加
  24. ---------------------------------------------------
  25. ### 重新载入bashrc文件
  26. [root@localhost .acme.sh]# source ~/.bashrc
  29. #(2) 检查定时任务:
  30. [root@localhost .acme.sh]# crontab -e
  31. 47 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

nginx配置

  1. server {
  2.   server_name domain.com;
  3.   listen 80;
  5.   location / {
  6.     root  /www/html/;
  7.     index index.html;
  8.   }
  10.   #这里很重要,当Letsencrypt验证你的域名有效性时
  11.   #会访问domain.com/.well-know/acme-challenge/这个目录下是否有acme认证文件
  12.   #此处我们需要对这个root单独进行管理,而不应该放置在任何站点www文件下
  13.   location /.well-know/acme-challenge/ {
  14.     root  /www/ssl/;
  15.     log_not_found off;
  16.   }
  17. }

2. 获取证书

acme.sh --issue -d domain.com -w /www/ssl/
—issue 去创造
-d d,指的是domain,后跟域名
-w 指定domain.com/.well-know/acme-challenge/设置的文件夹
acme安装http证书 - 图1

3. 安装证书到nginx

  1. acme.sh --install-cert -d domain.com \
  2. --key-file       /www/ssl/domain.com.key \  #指定将keyfile存放哪里
  3. --fullchain-file /www/ssl/domain.com.pem \
  4. --reloadcmd     "service nginx force-reload"

acme安装http证书 - 图2

4. 修改nginx配置

  1. server {
  2.   # 当http协议被请求时,统一转发到https协议商
  3.   listen 80;
  4.   listen [::]:80; #IPV6协议
  5.   server_name domain.com;
  6.   rewrite ^(.*)$ https://$host$1 permanent;
  7. }
  9. server {
  10.   listen 443 ssl;
  11.   listen [::]:443 ssl;
  12.   ssl_certificate /www/ssl/domain.com.pem; #证书文件
  13.   ssl_certificate_key /www/ssl/domain.com.key;
  15.   server_name domain.com;
  17.   location / {
  18.     root  /www/html/;
  19.     index index.html;
  20.   }
  21.   location /.well-know/acme-challenge/ {
  22.     root  /www/ssl/;
  23.     log_not_found off;
  24.   }
  25. }