安装 acme.sh 并申请 ECC、RSA 双证书,设置定时任务实现证书自动续期,并设置 nginx 双证书配置文件

1. 配置阿里云用户密钥

# Aliyun AccessKey pair consumed by acme.sh's dns_ali hook for the DNS-01
# challenge. Prefer a RAM sub-account limited to DNS record management over
# the main account's key. acme.sh saves these values in its account.conf for
# later renewals, so keep that file readable by its owner only.
Ali_Key="<key>"
Ali_Secret="<secret>"
export Ali_Key Ali_Secret

2. 创建rsa证书存储目录

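# Directory for the RSA private key and certificate files. mkdir honours the
# current umask (commonly leaving the directory world-readable), so restrict
# it to the owner explicitly.
# NOTE(review): assumes nginx loads the key as root (master process); confirm
# before tightening if another account must read these files.
mkdir -p /etc/letsencrypt/inbluemoon.com/rsa/
chmod 700 /etc/letsencrypt/inbluemoon.com/rsa/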

3. 申请rsa证书

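# Request the RSA certificate (apex + wildcard) through the Aliyun DNS-01 hook.
# The key type is pinned explicitly: newer acme.sh releases default to ec-256,
# so without --keylength this step may issue a second ECC certificate instead
# of the RSA one the nginx configuration expects.
./acme.sh --issue --keylength 2048 --dns dns_ali -d inbluemoon.com -d '*.inbluemoon.com'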

4. 将rsa证书安装到指定目录

# Copy the issued RSA key and certificates out of acme.sh's working directory
# into the path nginx reads. acme.sh records these targets and the reload
# command and reuses them on every renewal.
rsa_dir=/etc/letsencrypt/inbluemoon.com/rsa
./acme.sh --install-cert -d inbluemoon.com \
  --key-file "${rsa_dir}/privkey.pem" \
  --fullchain-file "${rsa_dir}/fullchain.pem" \
  --cert-file "${rsa_dir}/cert.pem" \
  --ca-file "${rsa_dir}/chain.pem" \
  --reloadcmd "nginx -s reload"

5. 创建ecc证书存储目录

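# Directory for the ECC private key and certificate files. mkdir honours the
# current umask (commonly leaving the directory world-readable), so restrict
# it to the owner explicitly.
# NOTE(review): assumes nginx loads the key as root (master process); confirm
# before tightening if another account must read these files.
mkdir -p /etc/letsencrypt/inbluemoon.com/ecc/
chmod 700 /etc/letsencrypt/inbluemoon.com/ecc/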

6. 申请ecc证书

# Request the ECC (P-256) certificate for the apex and wildcard names, using
# the same Aliyun DNS-01 hook as the RSA request.
./acme.sh --issue \
  --dns dns_ali \
  --keylength ec-256 \
  -d inbluemoon.com \
  -d '*.inbluemoon.com'

7. 将ecc证书安装到指定目录

# Copy the issued ECC key and certificates into the path nginx reads; --ecc
# selects the ECC certificate for this domain rather than the RSA one.
# acme.sh records these targets and the reload command for later renewals.
ecc_dir=/etc/letsencrypt/inbluemoon.com/ecc
./acme.sh --install-cert --ecc -d inbluemoon.com \
  --key-file "${ecc_dir}/privkey.pem" \
  --fullchain-file "${ecc_dir}/fullchain.pem" \
  --cert-file "${ecc_dir}/cert.pem" \
  --ca-file "${ecc_dir}/chain.pem" \
  --reloadcmd "nginx -s reload"

8. 自动续期

# Register acme.sh's cron entry so certificate renewal runs unattended.
# Confirm the entry exists afterwards with `crontab -l`.
./acme.sh --install-cronjob

9. Nginx 配置示例

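# HTTPS virtual host serving both an ECC and an RSA certificate; nginx picks
# the one matching the key type the client negotiates.
server {

    listen      443 ssl http2;
    server_name www.inbluemoon.com;

    # ECC Cert
    ssl_certificate             /etc/letsencrypt/inbluemoon.com/ecc/fullchain.pem;
    ssl_certificate_key         /etc/letsencrypt/inbluemoon.com/ecc/privkey.pem;

    # RSA Cert
    # The key path must match the --key-file target used when installing the
    # RSA certificate (.../rsa/privkey.pem). The previous ".../rsa/rsa/" path
    # does not exist, and nginx refuses to load a config with a missing key.
    ssl_certificate             /etc/letsencrypt/inbluemoon.com/rsa/fullchain.pem;
    ssl_certificate_key         /etc/letsencrypt/inbluemoon.com/rsa/privkey.pem;

    ssl_session_cache           shared:SSL:10m;
    ssl_session_timeout         30m;
    # Only TLS 1.2 and 1.3 are accepted.
    ssl_protocols               TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers   on;
    # NOTE(review): after the two preferred ECDHE AES-GCM suites, the broad
    # ECDHE:ECDH:AES:HIGH aliases also admit CBC suites and RSA key exchange
    # (no forward secrecy) for TLS 1.2. Consider trimming the list to ECDHE
    # AEAD suites if no legacy clients depend on the fallbacks.
    ssl_ciphers                 ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;

}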