Linux: free SSL certificate
HTTPS certificates issued by Let's Encrypt generally include the following files:
Using an Alibaba Cloud (阿里云) domain as the example.
Download the auto-renewal script: curl https://get.acme.sh | sh -s email=my@example.com
$ curl https://get.acme.sh | sh -s email=my@example.com
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 937 0 937 0 0 1741 0 --:--:-- --:--:-- --:--:-- 1738
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 212k 100 212k 0 0 231k 0 --:--:-- --:--:-- --:--:-- 231k
[Wed Sep 14 02:32:00 UTC 2022] Installing from online archive.
[Wed Sep 14 02:32:00 UTC 2022] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Wed Sep 14 02:32:02 UTC 2022] Extracting master.tar.gz
[Wed Sep 14 02:32:02 UTC 2022] It is recommended to install socat first.
[Wed Sep 14 02:32:02 UTC 2022] We use socat for standalone server if you use standalone mode.
[Wed Sep 14 02:32:02 UTC 2022] If you don't use standalone mode, just ignore this warning.
[Wed Sep 14 02:32:02 UTC 2022] Installing to /root/.acme.sh
[Wed Sep 14 02:32:02 UTC 2022] Installed to /root/.acme.sh/acme.sh
[Wed Sep 14 02:32:02 UTC 2022] Installing alias to '/root/.bashrc'
[Wed Sep 14 02:32:02 UTC 2022] OK, Close and reopen your terminal to start using acme.sh
[Wed Sep 14 02:32:02 UTC 2022] Installing cron job
no crontab for root
no crontab for root
[Wed Sep 14 02:32:02 UTC 2022] Good, bash is found, so change the shebang to use bash as preferred.
[Wed Sep 14 02:32:03 UTC 2022] OK
[Wed Sep 14 02:32:03 UTC 2022] Install success!
Create a script to run: vim a_start.sh
#!/bin/bash
# acme.sh's dns_ali hook reads the Alibaba Cloud API key pair from these two variables
export Ali_Key="123123123"
export Ali_Secret="456456456"
# run from /root/.acme.sh, where acme.sh was installed above
./acme.sh --issue --force --dns dns_ali -d *.aaa.com
--dns dns_ali means the dnsapi/dns_ali.sh script is used; -d *.aaa.com is a wildcard domain, and several single domains can also be passed with multiple -d options. Run a_start.sh:
$ ./a_start.sh
[Wed Sep 14 06:20:17 UTC 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Wed Sep 14 06:20:17 UTC 2022] Creating domain key
...
[Wed Sep 14 06:21:31 UTC 2022] Success
...
[Wed Sep 14 06:22:22 UTC 2022] Cert success.
-----BEGIN CERTIFICATE-----
MIIGZjCCBE6gAwIBAgIRAPhQkXL9/u0f49Oj25dsgTUwDQYJKoZIhvcNAQEMBQAw
SzELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9T
....
ei94GjqO39Wo5w==
-----END CERTIFICATE-----
[Wed Sep 14 06:22:22 UTC 2022] Your cert is in: /root/.acme.sh/*.aaa.com/*.aaa.com.cer
[Wed Sep 14 06:22:22 UTC 2022] Your cert key is in: /root/.acme.sh/*.aaa.com/*.aaa.com.key
[Wed Sep 14 06:22:22 UTC 2022] The intermediate CA cert is in: /root/.acme.sh/*.aaa.com/ca.cer
[Wed Sep 14 06:22:22 UTC 2022] And the full chain certs is there: /root/.acme.sh/*.aaa.com/fullchain.cer
The directory in the target path must already exist before issuing; after issuing, a command can be run to reload nginx:
./acme.sh --issue --force --dns dns_ali -d *.aaa.cn \
--key-file /opt/nginx-cert/any.aaa.cn/any.aaa.cn.key \
--fullchain-file /opt/nginx-cert/any.aaa.cn/any.aaa.cn.cer \
--reloadcmd "service nginx force-reload"
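The command above installs the key and full chain under /opt/nginx-cert and then runs a bare force-reload. The script below is an added example, not part of the original post or of acme.sh: it creates the target directory up front with restrictive permissions (acme.sh does not create it), and acts as a --reloadcmd wrapper that only reloads nginx once the installed certificate and key actually match, the certificate is not about to expire, and nginx -t passes. The /opt/nginx-cert/any.aaa.cn path and the service nginx force-reload command mirror the post; the function names and the script's own name are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post or of acme.sh): prepares the
# certificate directory and acts as a safer --reloadcmd for nginx.
# Paths and the service command mirror the post; function names are assumed.
set -u

# acme.sh does not create the directory given to --key-file/--fullchain-file,
# so create it first and keep it private: the private key will be written here.
ensure_cert_dir() {
    mkdir -p "$1" && chmod 700 "$1"
}

# Return 0 when the certificate and private key carry the same public key.
# A mismatched pair is the usual reason nginx refuses to reload after a renewal.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate stays valid for at least $2 more days.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Reload nginx only if cert/key match, the cert is current, and the config
# passes nginx's own syntax test; otherwise leave the running instance alone.
safe_reload() {
    cert="$1"; key="$2"
    cert_matches_key "$cert" "$key" || { echo "cert/key mismatch: $cert $key" >&2; return 1; }
    valid_for_days "$cert" 1 || { echo "certificate expires within a day: $cert" >&2; return 1; }
    nginx -t >/dev/null 2>&1 || { echo "nginx -t failed, not reloading" >&2; return 1; }
    service nginx force-reload
}

case "$#" in
    1) ensure_cert_dir "$1" ;;   # prepare:   nginx-cert-reload.sh /opt/nginx-cert/any.aaa.cn
    2) safe_reload "$1" "$2" ;;  # reloadcmd: nginx-cert-reload.sh any.aaa.cn.cer any.aaa.cn.key
esac
```

Save it as, for instance, /usr/local/bin/nginx-cert-reload.sh (name assumed), run it once with the directory as its only argument before issuing, and replace the bare force-reload with --reloadcmd "/usr/local/bin/nginx-cert-reload.sh /opt/nginx-cert/any.aaa.cn/any.aaa.cn.cer /opt/nginx-cert/any.aaa.cn/any.aaa.cn.key". A mismatched or half-written pair then fails loudly in acme.sh's log instead of leaving nginx unable to restart later.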
Use these two files to configure nginx:
# cdn service
server {
    listen 443 ssl;
    server_name aaa.bbb.cn;
    root /webapps/cdn;            # directory holding the files
    location / {
        autoindex on;             # directory listing
        autoindex_exact_size on;  # show exact file sizes
        autoindex_localtime on;   # show file times in local time
        limit_rate 0;
    }
    # ssl
    ssl_certificate /opt/nginx-cert/aaa.bbb.cn/fullchain.cer;
    ssl_certificate_key /opt/nginx-cert/aaa.bbb.cn/cert.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/aaa.bbb.cn.log;
}
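An added example, not from the post: a small POSIX shell audit that reads an nginx server block like the one above and reports the two things a reviewer would flag in it, namely TLS 1.0 and 1.1 in ssl_protocols (both deprecated by RFC 8996, and the block above enables them) and an ssl_certificate_key file that is missing or readable by group or others. The sample configuration it writes is a constructed, shortened copy of the aaa.bbb.cn block; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): static audit of an nginx TLS
# server block. Function names are hypothetical; the sample config below is a
# constructed copy of the post's aaa.bbb.cn block.
set -u

# Write a sample server block to $1, pointing ssl_certificate_key at $2.
write_sample_config() {
    cat > "$1" <<EOF
server {
    listen 443 ssl;
    server_name aaa.bbb.cn;
    ssl_certificate     /opt/nginx-cert/aaa.bbb.cn/fullchain.cer;
    ssl_certificate_key $2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
EOF
}

# Print each protocol named in ssl_protocols that is deprecated
# (SSLv2/SSLv3, and TLS 1.0/1.1 per RFC 8996), one per line.
deprecated_tls_protocols() {
    sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\([^;]*\);.*/\1/p' "$1" \
        | tr ' \t' '\n\n' \
        | grep -E '^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$' || true
}

# For each ssl_certificate_key path: report MISSING if absent, or PERMISSIVE
# with the mode if group/others can read the private key (mode not ?00).
exposed_key_files() {
    sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]]*\([^;]*\);.*/\1/p' "$1" \
        | while read -r key; do
            if [ ! -e "$key" ]; then
                echo "MISSING $key"
                continue
            fi
            mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
            case "$mode" in
                ?00) ;;
                *) echo "PERMISSIVE $mode $key" ;;
            esac
        done
}

# Run both checks; return 1 (and print findings to stderr) if anything is found.
audit_nginx_tls() {
    findings=$(
        deprecated_tls_protocols "$1" | sed 's/^/DEPRECATED_PROTOCOL /'
        exposed_key_files "$1"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" >&2
    return 1
}

# Usage: sh audit.sh /etc/nginx/conf.d/cdn.conf   (the config path is an assumption)
if [ "$#" -eq 1 ]; then
    audit_nginx_tls "$1" && echo "no findings"
fi
```

Run against the post's block it reports DEPRECATED_PROTOCOL TLSv1 and DEPRECATED_PROTOCOL TLSv1.1; restricting ssl_protocols to TLSv1.2 (and TLSv1.3 where the nginx build supports it) and keeping cert.key at mode 600 clears both findings.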