使用 acme.sh 申请证书时,验证域名支持多种方式
参考: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert
这里使用阿里云云解析 DNS 自动解析验证域名
配置阿里云密钥
# Alibaba Cloud API credentials read by the dns_ali hook. Use a RAM sub-account
# that is limited to DNS record management, never the account's primary key.
# acme.sh keeps these values in its own config (under ~/.acme.sh by default) so
# that renewals can run unattended — keep that directory readable by root only.
# Typing secrets at an interactive prompt also leaves them in shell history;
# prefer sourcing them from a root-only file.
Ali_Key='<key>'
Ali_Secret='<secret>'
export Ali_Key Ali_Secret
创建 rsa 证书存储目录
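# Directories that will hold the private keys and certificates installed below.
# Create them owner-only (0700): the key files must not be readable by other
# users on the host (presumably only nginx's master process, running as root,
# needs them — confirm for your setup).
# Note: -m only applies when mkdir actually creates the directory; on a re-run
# against an existing directory, chmod it explicitly.
# rsa directory
mkdir -p -m 0700 /etc/letsencrypt/inbluemoon.com/rsa/
# ecc directory
mkdir -p -m 0700 /etc/letsencrypt/inbluemoon.com/ecc/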
申请 rsa 证书
# Issue an RSA-2048 certificate covering the apex and the wildcard name.
# Validation uses the DNS-01 challenge through the Alibaba Cloud DNS hook
# (dns_ali), which takes Ali_Key / Ali_Secret from the environment set above.
./acme.sh --issue \
  --dns dns_ali \
  --keylength 2048 \
  -d inbluemoon.com \
  -d '*.inbluemoon.com'
将 rsa 证书安装到指定目录
# Copy the RSA key and certificate chain into the rsa/ directory and reload
# nginx afterwards. acme.sh records these paths and the reload command and
# re-runs them on every renewal, so the reload command must also work
# non-interactively (the renewal cron job's PATH may be minimal — TODO confirm
# that "nginx" resolves there, or use an absolute path).
# After the first install, verify privkey.pem is readable by root only; the
# copied file's mode depends on your umask.
./acme.sh --installcert -d inbluemoon.com \
  --cert-file      /etc/letsencrypt/inbluemoon.com/rsa/cert.pem \
  --key-file       /etc/letsencrypt/inbluemoon.com/rsa/privkey.pem \
  --ca-file        /etc/letsencrypt/inbluemoon.com/rsa/chain.pem \
  --fullchain-file /etc/letsencrypt/inbluemoon.com/rsa/fullchain.pem \
  --reloadcmd 'nginx -s reload'
申请 ecc 证书
# Issue a second certificate with a P-256 ECDSA key for the same names; the
# validation path is the same dns_ali DNS-01 challenge as for the RSA cert.
./acme.sh --issue \
  --dns dns_ali \
  --keylength ec-256 \
  -d inbluemoon.com \
  -d '*.inbluemoon.com'
将 ecc 证书安装到指定目录
# Same as the RSA install, but --ecc selects the ECDSA certificate issued with
# --keylength ec-256 and the files go to the ecc/ directory. As above, the
# paths and reload command are remembered for renewals; make sure the reload
# command works from cron and check the mode of the installed privkey.pem.
./acme.sh --installcert --ecc -d inbluemoon.com \
  --cert-file      /etc/letsencrypt/inbluemoon.com/ecc/cert.pem \
  --key-file       /etc/letsencrypt/inbluemoon.com/ecc/privkey.pem \
  --ca-file        /etc/letsencrypt/inbluemoon.com/ecc/chain.pem \
  --fullchain-file /etc/letsencrypt/inbluemoon.com/ecc/fullchain.pem \
  --reloadcmd 'nginx -s reload'
自动续期
# Install acme.sh's periodic renewal job. Renewal runs unattended, so it
# presumably depends on the Ali_Key/Ali_Secret values and the install paths /
# reload command saved by the commands above — keep acme.sh's config directory
# root-only and check the job's log after the first scheduled run.
./acme.sh --install-cronjob
Nginx 配置示例
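server {
  # NOTE(review): recent nginx releases (1.25.1+) deprecate "http2" on the
  # listen line in favour of a separate "http2 on;" directive — check your version.
  listen 443 ssl http2;
  server_name www.inbluemoon.com;

  # Two certificates are configured; the paths must match the --installcert
  # calls above. nginx picks the one the client can use.
  # ECC cert
  ssl_certificate     /etc/letsencrypt/inbluemoon.com/ecc/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/inbluemoon.com/ecc/privkey.pem;
  # RSA cert — key path is rsa/privkey.pem, as installed above
  ssl_certificate     /etc/letsencrypt/inbluemoon.com/rsa/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/inbluemoon.com/rsa/privkey.pem;

  ssl_session_cache   shared:SSL:10m;
  ssl_session_timeout 30m;
  ssl_protocols       TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  # NOTE(review): after the ECDHE entries, "AES:HIGH" re-admits static-RSA
  # key exchange (no forward secrecy) and CBC suites for TLS 1.2 clients.
  # Unless such legacy clients are required, restrict the list to the ECDHE
  # AEAD suites. (TLS 1.3 suites are not affected by this directive.)
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
}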