安装acme.sh
java
curl https://get.acme.sh | sh -s email=my@example.com [记得修改邮箱]安装后的路径 /root/.acme
设置别名 alias acme.sh=~/.acme.sh/acme.sh 运行 source ~/.bashrc
或者打开~/.bashrc文件,输入要设置的alias命令,保存,然后运行 source ~/.bashrc
使用nginx
生成证书
java
acme.sh --issue -d [你的域名] --nginx [nginx的配置路径] 宝塔: /www/server/panel/vhost/nginx/xxxxx.conf
acme.sh --issue -d xxxxx.cn --nginx /www/server/panel/vhost/nginx/xxxxx.cn.conf在宝塔配置证书
存放的地址
或者将证书拷贝到该路径上
java
acme.sh --installcert -d [你的域名] --key-file /www/server/panel/vhost/cert/xxxxx.cn/privkey.pem --fullchain-file /www/server/panel/vhost/cert/xxxxx.cn/fullchain.pem --reloadcmd "service nginx force-reload"
acme.sh --installcert -d xxxxx.cn --key-file /www/server/panel/vhost/cert/xxxxx.cn/privkey.pem --fullchain-file /www/server/panel/vhost/cert/xxxxx.cn/fullchain.pem --reloadcmd "service nginx reload"如果报错Usage: /etc/init.d/nginx {start|stop|restart|reload|status|configtest}
Thu Apr 18 11:16:03 CST 2024\] Reload error for : 则删除force- ### 自动续签 证书的有效期为 90 天,acme.sh 会 60 天更新(Renew)一次。 在安装 acme.sh 的时候就自动配置了一条 cron 任务了,会每天检查证书的情况。当然可以到 crontab 里看一下。 ```java # crontab -l 24 22 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null ``` ```java server { listen 80; listen 443 ssl http2 ; server_name xxxxx.cn; #index index.html; #root /home/www/wwwroot/gcoder5.xyz/; #CERT-APPLY-CHECK--START # 用于SSL证书申请时的文件验证相关配置 -- 请勿删除 include /www/server/panel/vhost/nginx/well-known/xxxxx.cn.conf; #CERT-APPLY-CHECK--END #SSL-START SSL相关配置,请勿删除或修改下一行带注释的404规则 #error_page 404/404.html; #HTTP_TO_HTTPS_START if ($server_port !~ 443){ rewrite ^(/.*)$ https://$host$1 permanent; } #HTTP_TO_HTTPS_END ssl_certificate /www/server/panel/vhost/cert/xxxxx.cn/fullchain.pem; ssl_certificate_key /www/server/panel/vhost/cert/xxxxx.cn/privkey.pem; ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; add_header Strict-Transport-Security "max-age=31536000"; error_page 497 https://$host$request_uri; #SSL-END #ERROR-PAGE-START 错误页配置,可以注释、删除或修改 #error_page 404 /404.html; #error_page 502 /502.html; #ERROR-PAGE-END #PHP-INFO-START PHP引用配置,可以注释或修改 #引用反向代理规则,注释后配置的反向代理将无效 include /www/server/panel/vhost/nginx/proxy/xxxxx.cn/*.conf; include enable-php-00.conf; #PHP-INFO-END #REWRITE-START URL重写规则引用,修改后将导致面板设置的伪静态规则失效 include /www/server/panel/vhost/rewrite/xxxxx.cn.conf; #REWRITE-END #禁止访问的文件或目录 location ~ ^/(\.user.ini|\.htaccess|\.git|\.env|\.svn|\.project|LICENSE|README.md) { return 404; } #一键申请SSL证书验证目录相关设置 location ~ \.well-known{ allow all; } #禁止在证书验证目录放入敏感文件 if ( $uri ~ "^/\.well-known/.*\.(php|jsp|py|js|css|lua|ts|go|zip|tar\.gz|rar|7z|sql|bak)$" ) { return 403; } location / { proxy_pass http://localhost:10080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /fx { proxy_pass http://127.0.0.1:18080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } access_log /dev/null; error_log /www/wwwlogs/xxxxx.cn.error.log; } ```