Configuring HTTPS access for https://blog.ekanshu.com.cn with acme.sh
Error message
The site had been set up before; when the update was re-run by domain name, acme.sh failed with the output recorded below. The line that matters is the `Verify error: Invalid response from http://blog.ekanshu.com.cn/.well-known/acme-challenge/...` message: the CA's http-01 validator fetched the challenge URL over plain HTTP and did not get the expected token back, i.e. the file acme.sh wrote into its stored webroot was not what the web server served at that path (wrong webroot, the path being denied, or port 80 redirecting somewhere that does not serve it). Rather than dig into the old state, the certificate was regenerated from scratch.
acme.sh --renew -d blog.ekanshu.com.cn
[Tue Sep 1 17:15:35 CST 2020] Renew: 'blog.ekanshu.com.cn'
[Tue Sep 1 17:15:36 CST 2020] Single domain='blog.ekanshu.com.cn'
[Tue Sep 1 17:15:36 CST 2020] Getting domain auth token for each domain
[Tue Sep 1 17:15:41 CST 2020] Getting webroot for domain='blog.ekanshu.com.cn'
[Tue Sep 1 17:15:41 CST 2020] Verifying: blog.ekanshu.com.cn
[Tue Sep 1 17:15:47 CST 2020] blog.ekanshu.com.cn:Verify error:Invalid response from http://blog.ekanshu.com.cn/.well-known/acme-challenge/Q1dPp6i2-NodYMUkNEieD1kt_BLiNE1S1h7u0u_7-cs [118.24.54.134]:
[Tue Sep 1 17:15:47 CST 2020] Please add '--debug' or '--log' to check more details.
[Tue Sep 1 17:15:47 CST 2020] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
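Before re-issuing, the cheapest check is to reproduce the fetch the validator makes. The shell function below is an added example written for this page, not part of acme.sh: it drops a throwaway token into `<webroot>/.well-known/acme-challenge/`, fetches it over plain HTTP on the domain the way the Let's Encrypt http-01 validator does (following redirects), and reports whether the same bytes come back. The function name, its arguments and the `ACME_FETCH` hook are this example's own; the hook defaults to curl and only exists so the check can be exercised without a public server.

```shell
#!/bin/sh
# Added example: pre-flight check for "acme.sh --issue --webroot" (http-01 validation).
# Not part of acme.sh. Usage: acme_webroot_check <webroot> <domain>
# ACME_FETCH (an assumption of this example) is the command that prints a URL's body
# to stdout; it defaults to curl and can be replaced by a local fetcher for offline tests.

acme_webroot_check() {
    webroot=$1        # e.g. /var/www/html/laravel-ekanshu-blog/public
    domain=$2         # e.g. blog.ekanshu.com.cn
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$$-$(date +%s)"
    url="http://$domain/.well-known/acme-challenge/$token"

    # 1. Can we write where acme.sh will write? (acme.sh runs as the same user.)
    mkdir -p "$dir" 2>/dev/null || { echo "FAIL: cannot create $dir" >&2; return 2; }
    printf '%s' "$token" > "$dir/$token" || { echo "FAIL: cannot write to $dir" >&2; return 2; }

    # 2. Fetch the file the way the validator does: plain HTTP, redirects followed.
    got=$(${ACME_FETCH:-curl -fsSL --max-time 10} "$url" 2>/dev/null) || got=""

    # 3. Always remove the token so stale files never accumulate in the webroot.
    rm -f "$dir/$token"

    if [ "$got" = "$token" ]; then
        echo "OK: $domain serves challenge files from $webroot"
        return 0
    fi
    echo "FAIL: $url did not return the token (got: '${got:-<nothing>}')" >&2
    echo "      check that this webroot is the root nginx/httpd serves for $domain," >&2
    echo "      that /.well-known is not denied, and where port 80 redirects to." >&2
    return 1
}

# Real invocation (port 80 must be reachable from the Internet, as it is for the CA):
# acme_webroot_check /var/www/html/laravel-ekanshu-blog/public blog.ekanshu.com.cn
```

A failure here means acme.sh will fail too; fix the webroot or the server config first, then re-run `acme.sh --issue`.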
acme.sh implements all of the validation methods the ACME protocol supports. In practice two are used: http (http-01) validation and dns (dns-01) validation.
(1) Issue the certificate with http validation (dns validation is not covered here). The directory given to --webroot must be the document root the web server actually serves for this domain on port 80, because acme.sh writes the challenge file to <webroot>/.well-known/acme-challenge/ and the CA fetches it from there.
acme.sh --issue -d blog.ekanshu.com.cn --webroot /var/www/html/laravel-ekanshu-blog/public
Output:
[root@VM_0_12_centos .acme.sh]# acme.sh --issue -d blog.ekanshu.com.cn --webroot /var/www/html/laravel-ekanshu-blog/public
[Tue Sep 1 17:20:19 CST 2020] Single domain='blog.ekanshu.com.cn'
[Tue Sep 1 17:20:19 CST 2020] Getting domain auth token for each domain
[Tue Sep 1 17:20:26 CST 2020] Getting webroot for domain='blog.ekanshu.com.cn'
[Tue Sep 1 17:20:26 CST 2020] Verifying: blog.ekanshu.com.cn
[Tue Sep 1 17:20:31 CST 2020] Pending
[Tue Sep 1 17:20:34 CST 2020] Pending
[Tue Sep 1 17:20:37 CST 2020] Pending
[Tue Sep 1 17:20:40 CST 2020] Pending
[Tue Sep 1 17:20:44 CST 2020] Success
[Tue Sep 1 17:20:44 CST 2020] Verify finished, start to sign.
[Tue Sep 1 17:20:44 CST 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/72146190/4966272616
[Tue Sep 1 17:20:46 CST 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/03de44c2a21a5cceebdd2f9d3bd518fe1ce1
[Tue Sep 1 17:20:48 CST 2020] Cert success.
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
[Tue Sep 1 17:20:48 CST 2020] Your cert is in /root/.acme.sh/blog.ekanshu.com.cn/blog.ekanshu.com.cn.cer
[Tue Sep 1 17:20:48 CST 2020] Your cert key is in /root/.acme.sh/blog.ekanshu.com.cn/blog.ekanshu.com.cn.key
[Tue Sep 1 17:20:48 CST 2020] The intermediate CA cert is in /root/.acme.sh/blog.ekanshu.com.cn/ca.cer
[Tue Sep 1 17:20:48 CST 2020] And the full chain certs is there: /root/.acme.sh/blog.ekanshu.com.cn/fullchain.cer
(2) Copy/install the certificate. Do not point the web server at the files under /root/.acme.sh directly: that directory is acme.sh's working copy and is rewritten on every renewal. --installcert copies the files to the paths you name and remembers the --reloadcmd, which acme.sh re-runs after each automatic renewal so the server picks up the new certificate.
Apache example
acme.sh --installcert -d example.com \
--cert-file /path/to/certfile/in/apache/cert.pem \
--key-file /path/to/keyfile/in/apache/key.pem \
--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd "service apache2 force-reload"
Nginx example
acme.sh --installcert -d example.com \
--key-file /path/to/keyfile/in/nginx/key.pem \
--fullchain-file /path/to/fullchain/nginx/cert.pem \
--reloadcmd "service nginx force-reload"
Taking blog.ekanshu.com.cn as the example:
Apache (note that "systemctl reload httpd" would pick up the new certificate without dropping in-flight connections; the original used restart)
acme.sh --installcert -d blog.ekanshu.com.cn \
--cert-file /etc/httpd/ssl/blog.ekanshu.com.cn.crt \
--key-file /etc/httpd/ssl/blog.ekanshu.com.cn.key \
--fullchain-file /etc/httpd/ssl/fullchain.cer \
--reloadcmd "systemctl restart httpd"
nginx
acme.sh --installcert -d blog.ekanshu.com.cn \
--cert-file /usr/local/nginx/conf/ssl/blog.ekanshu.com.cn/blog.ekanshu.com.cn.cer \
--key-file /usr/local/nginx/conf/ssl/blog.ekanshu.com.cn/blog.ekanshu.com.cn.key \
--fullchain-file /usr/local/nginx/conf/ssl/blog.ekanshu.com.cn/fullchain.cer \
--reloadcmd "nginx -s reload"
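Once --installcert has copied the files, it is worth confirming what actually landed on disk before the reload command makes the server use them. The shell function below is an added example for this page, not part of acme.sh: it checks that the private key is not readable by other users, that the key belongs to the certificate, that the fullchain file starts with that same leaf, and that the leaf is not about to expire. The function name, its arguments and the 30-day threshold are this example's own choices; it only needs openssl(1).

```shell
#!/bin/sh
# Added example: sanity-check what "acme.sh --installcert" left behind before the
# web server is reloaded. Not part of acme.sh; needs only openssl(1) and ls(1).
# Usage: cert_install_check <cert.pem> <key.pem> <fullchain.pem> [min_days]

cert_install_check() {
    cert=$1 key=$2 fullchain=$3 min_days=${4:-30}
    rc=0

    # 1. The private key must not be group- or world-readable. ls is parsed instead of
    #    stat because stat's flags differ between GNU and BSD.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is readable by others (group/other bits: $perms)" >&2; rc=1
    fi

    # 2. The key must belong to the certificate: compare the two public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2; rc=1
    fi

    # 3. The fullchain file must start with the same leaf (openssl x509 reads the first PEM block).
    leaf_fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 2>/dev/null)
    chain_fp=$(openssl x509 -in "$fullchain" -noout -fingerprint -sha256 2>/dev/null)
    if [ -z "$leaf_fp" ] || [ "$leaf_fp" != "$chain_fp" ]; then
        echo "FAIL: first certificate in $fullchain is not $cert" >&2; rc=1
    fi

    # 4. Expiry: fail if the leaf expires within min_days (Let's Encrypt leaves live 90 days).
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $min_days days" >&2; rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $cert, $key and $fullchain are consistent"
    fi
    return "$rc"
}

# Example invocation for the nginx paths used on this page:
# cert_install_check /usr/local/nginx/conf/ssl/blog.ekanshu.com.cn/blog.ekanshu.com.cn.cer \
#                    /usr/local/nginx/conf/ssl/blog.ekanshu.com.cn/blog.ekanshu.com.cn.key \
#                    /usr/local/nginx/conf/ssl/blog.ekanshu.com.cn/fullchain.cer
```

The key-permission check is the one people skip: acme.sh runs as root and copies the key with root's umask, so a permissive umask leaves a world-readable private key next to the config.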
(3) nginx configuration
HTTPS on port 443, with port 80 redirecting to it
server {
    listen 443 ssl;
    server_name blog.ekanshu.com.cn;
    ssl_certificate /usr/local/nginx/conf/ssl/blog.ekanshu.com.cn/fullchain.cer;
    ssl_certificate_key /usr/local/nginx/conf/ssl/blog.ekanshu.com.cn/blog.ekanshu.com.cn.key;
    ssl_session_timeout 5m;
    # Protocol versions the server will negotiate. The original line was
    # "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;"; TLS 1.0 and 1.1 are deprecated (RFC 8996),
    # so only 1.2 and 1.3 are kept (TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+).
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites. The old commented-out string
    # "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" re-enables RC4, LOW and
    # export-grade ciphers and must not be used.
    ssl_ciphers HIGH:!aNULL:!MD5;
    # Use the server's cipher preference order rather than the client's
    ssl_prefer_server_ciphers on;
    root /var/www/html/laravel-ekanshu-blog/public/;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    index index.html index.htm index.php;
    charset utf-8;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    #location /api.php{
    #    proxy_pass http://127.0.0.1:8090/api/v1;
    #}
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }
    error_page 404 /index.php;
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9001;
        fastcgi_index index.php;
        #fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    # Deny every dotfile/dotdir (.env, .git, .htaccess ...) except /.well-known, which must
    # stay reachable: acme.sh writes its http-01 challenge files to
    # /.well-known/acme-challenge/ under this root.
    location ~ /\.(?!well-known).* {
        deny all;
    }
}
server {
    listen 80;
    server_name blog.ekanshu.com.cn www.humengxu.com;
    # Every HTTP request, whatever Host it arrived with, goes to the canonical HTTPS origin.
    # The original also had an if/rewrite for non-canonical hosts, but it ended at the same
    # URL, so the single return is enough ("return 301 blog.ekanshu.com.cn;", the
    # commented-out variant, would be invalid: a redirect target needs a scheme).
    # Let's Encrypt's http-01 validator follows this redirect, so challenge files are in
    # effect served by the 443 server above, which therefore must keep the same root and
    # the /.well-known exception.
    return 301 https://blog.ekanshu.com.cn$request_uri;
}
Plain port 80 (HTTP only)
server {
    listen 80;
    server_name blog.ekanshu.com.cn www.humengxu.com;
    # Canonicalise the host name; a plain return is enough here, the original's
    # rewrite ^/(.*)$ ... permanent did the same thing.
    if ($host != blog.ekanshu.com.cn) {
        return 301 http://blog.ekanshu.com.cn$request_uri;
    }
    root /var/www/html/laravel-ekanshu-blog/public/;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    index index.html index.htm index.php;
    charset utf-8;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    #location /api.php{
    #    proxy_pass http://127.0.0.1:8090/api/v1;
    #}
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }
    error_page 404 /index.php;
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9001;
        fastcgi_index index.php;
        #fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    # Deny dotfiles but keep /.well-known reachable for the acme.sh http-01 challenge
    location ~ /\.(?!well-known).* {
        deny all;
    }
}
(4) Apache configuration
HTTP vhost that redirects straight to HTTPS
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/var/www/html/robot"
    ServerName robot.xxx.com
    # The original "RedirectMatch ^/$ https://robot.xxx.com" only redirected the site root;
    # every other path stayed on plain HTTP. Redirect all paths, permanently.
    Redirect permanent "/" "https://robot.xxx.com/"
    ErrorLog "logs/robot.xxx.com-error_log"
    CustomLog "logs/robot.xxx.com-access_log" common
    # ProxyPass does not need ProxyRequests; "ProxyRequests On" turns httpd into a
    # forward proxy for anyone who can reach it, so leave it off.
    #ProxyRequests On
    #ProxyPass /api/ http://127.0.0.1:5000/
    #ProxyPassReverse /api/ http://127.0.0.1:5000/
</VirtualHost>
HTTPS vhost
<VirtualHost *:443>
    DocumentRoot "/var/www/html/gkmobile/public"
    ServerName yimai.xxx.com:443
    Header set Access-Control-Allow-Origin "http://127.0.0.1"
    ErrorLog "logs/yimai.xxx.com-error_log"
    CustomLog "logs/yimai.xxx.com-access_log" common
    LogLevel warn
    SSLEngine on
    # The original "all -SSLv2 -SSLv3" still allowed TLS 1.0 and 1.1; disable those too.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/httpd/conf/genekang-ssl/genekang.com.cer
    SSLCertificateKeyFile /etc/httpd/conf/genekang-ssl/genekang.com.key
    # SSLCertificateChainFile is deprecated since httpd 2.4.8; on those versions pointing
    # SSLCertificateFile at fullchain.cer is enough.
    SSLCertificateChainFile /etc/httpd/conf/genekang-ssl/fullchain.cer
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
(5) Scheduled task
After the first run acme.sh installs a cron job for itself automatically; it looks like this:
46 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
(6) Renewing certificates
Certificates are currently renewed automatically 60 days after issuance; nothing needs to be done. The interval may be shortened in the future, but renewal stays automatic. To force a manual renewal:
acme.sh --renew -d example.com --force
(7) Updating acme.sh
Because both the ACME protocol and the Let's Encrypt CA change frequently, acme.sh is updated often to keep up. Upgrade to the latest version:
acme.sh --upgrade
If you do not want to upgrade by hand, enable auto-upgrade:
acme.sh --upgrade --auto-upgrade
After that acme.sh keeps itself up to date. Bear in mind what that means: the cron job runs as root and auto-upgrade fetches the current acme.sh code from GitHub and runs it unreviewed, so on a host where that is not acceptable keep upgrades manual.
Auto-upgrade can be switched off again at any time:
acme.sh --upgrade --auto-upgrade 0
(8) HTTP to HTTPS redirect for a wildcard domain
apache
Put a .htaccess file in the site's document root:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
# R alone is a 302; R=301 makes the redirect permanent
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
or
RewriteEngine On
RewriteCond %{HTTPS} !=on
# %{HTTP_HOST} keeps the subdomain the client asked for; the original used %{SERVER_NAME},
# which under a wildcard vhost is the canonical ServerName unless UseCanonicalName is Off,
# so every subdomain would have been redirected to the same host.
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
nginx
upstream tomcat9 {
    server 127.0.0.1:8080;
}
server {
    listen 80;
    server_name *.xxxx.cn;
    # $http_host preserves whichever subdomain was requested, which is what a wildcard vhost wants
    return 301 https://$http_host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name *.xxxxx.cn;
    # wildcard certificate for *.xxxx.cn ("fullchina.cer" in the original was a typo)
    ssl_certificate cert/xxxx.cn/fullchain.cer;
    ssl_certificate_key cert/xxxx.cn/xxxx.cn.key;
    ssl_session_timeout 5m;
    # The original "TLSV1" is not a valid keyword (the directive is case-sensitive and nginx
    # rejects it); TLS 1.0/1.1 are deprecated anyway, so only 1.2 and 1.3 are kept.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;
    access_log logs/easex.cn_access.log;
    error_log logs/easex.cn_error.log;
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        # one X-Forwarded-For only; the original set it twice ($remote_addr, then
        # $proxy_add_x_forwarded_for). The latter appends to any existing header.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # tell the backend TLS was terminated here (Tomcat reads it via RemoteIpValve),
        # otherwise it generates http:// links and redirects behind this proxy
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_pass http://tomcat9/;
    }
}