{"id":199,"date":"2018-03-27T14:06:03","date_gmt":"2018-03-27T14:06:03","guid":{"rendered":"https:\/\/oimi.me\/?p=199"},"modified":"2018-03-27T14:06:03","modified_gmt":"2018-03-27T14:06:03","slug":"linux-%e4%b8%8b%e4%bd%bf%e7%94%a8-acme-sh-%e9%85%8d%e7%bd%ae-lets-encrypt-%e5%85%8d%e8%b4%b9-ssl-%e8%af%81%e4%b9%a6-%e9%80%9a%e9%85%8d%e7%ac%a6%e8%af%81%e4%b9%a6","status":"publish","type":"post","link":"https:\/\/myya.net\/index.php\/2018\/03\/27\/linux-%e4%b8%8b%e4%bd%bf%e7%94%a8-acme-sh-%e9%85%8d%e7%bd%ae-lets-encrypt-%e5%85%8d%e8%b4%b9-ssl-%e8%af%81%e4%b9%a6-%e9%80%9a%e9%85%8d%e7%ac%a6%e8%af%81%e4%b9%a6\/","title":{"rendered":"Linux \u4e0b\u4f7f\u7528 acme.sh \u914d\u7f6e Let’s Encrypt \u514d\u8d39 SSL \u8bc1\u4e66 + \u901a\u914d\u7b26\u8bc1\u4e66"},"content":{"rendered":"

\"\"<\/h2>\n

1\u3001\u4ec0\u4e48\u662f SSL \u8bc1\u4e66\uff1f<\/h2>\n

<\/p>\n

SSL \u662f\u4fdd\u62a4\u7528\u6237\u6570\u636e\u548c\u9632\u6b62\u8eab\u4efd\u88ab\u76d7\u7528\u7684\u6700\u4f73\u65b9\u5f0f\u3002\u62e5\u6709 SSL \u8bc1\u4e66\u7684\u7f51\u7ad9\u53ef\u4ee5\u544a\u8bc9\u7528\u6237\uff0c\u4ed6\u4eec\u53ef\u4ee5\u653e\u5fc3\u7684\u6d4f\u89c8\uff0cSSL \u53ef\u4ee5\u4fdd\u62a4\u4ed6\u4eec\u7684\u6570\u636e\u5b89\u5168\u3002\u4e0d\u540c\u7684 SSL \u8bc1\u4e66\u63d0\u4f9b\u4e0d\u540c\u7ea7\u522b\u7684\u9a8c\u8bc1\u3002\u4e86\u89e3\u66f4\u591a ><\/p>\n

\u76ee\u524d\u6bd4\u8f83\u706b\u7684\u9002\u5408\u4e2a\u4eba\u7528\u6237\u7684\u8bc1\u4e66\u5c31\u662f Let\u2019s Encrypt<\/a>\uff0c\u8fd9\u8d27\u662f\u514d\u8d39\u7684\uff0c\u4e0b\u9762\u6211\u4eec\u5c31\u4ecb\u7ecd\u4e00\u4e0b\u5982\u4f55\u5728 Linux \u670d\u52a1\u5668\u4e0a\u914d\u7f6e SSL \u8bc1\u4e66<\/p>\n

2\u3001\u4f7f\u7528 acme.sh \u5b89\u88c5 Let\u2019s Encrypt \u8bc1\u4e66<\/h2>\n

Let\u2019s Encrypt \u63d0\u4f9b\u5f88\u591a\u65b9\u5f0f\uff0c\u7f51\u4e0a\u4e5f\u6709\u4e0d\u5c11\u6559\u7a0b\uff0c\u4f46\u662f\u90fd\u4e0d\u65b9\u4fbf\u64cd\u4f5c\uff0c\u4e0b\u9762\u6211\u4eec\u5c31\u4ecb\u7ecd\u4e00\u6b3e\u56fd\u4eba\u5199\u7684\u5f00\u6e90\u811a\u672c acme.sh<\/a><\/p>\n

\u9996\u5148\uff0c\u8fdb\u5165\u670d\u52a1\u5668\u540e\u83b7\u53d6 acme.sh \u811a\u672c\uff0c\u6b64\u64cd\u4f5c\u4e0d\u4e00\u5b9a\u9700\u8981 root<\/code> \u7528\u6237\u767b\u9646<\/p>\n

\u4f7f\u7528 curl<\/code> \u65b9\u5f0f\u83b7\u53d6\uff0c\u7cfb\u7edf\u9700\u8981\u5b89\u88c5 curl<\/code> \u8f6f\u4ef6<\/p>\n

\n
curl https:\/\/get.acme.sh |<\/span> sh<\/code><\/pre>\n<\/div>\n
\u4f60\u4e5f\u53ef\u4ee5\u4f7f\u7528 wget<\/code> \u65b9\u5f0f<\/p>\n
\n
wget -O - https:\/\/get.acme.sh |<\/span> sh<\/code><\/pre>\n<\/div>\n
\u66f4\u591a\u5b89\u88c5\u65b9\u5f0f\u8bf7\u6478<\/a>\u8fd9\u513f<\/p>\n
\u56e0\u4e3a\u8fd9\u8d27\u7684\u811a\u672c\u670d\u52a1\u5668\u653e\u5728\u4e86 Google Cloud Platform<\/a>\uff0c\u56fd\u5185\u670d\u52a1\u5668\u64cd\u4f5c\u5076\u5c14\u4f1a\u62bd\u98ce\uff0c\u89e3\u51b3\u65b9\u6cd5\u7684\u8bdd\uff0c\u8981\u4e48\u6302\u4ee3\u7406\uff0c\u8981\u4e48\u9009\u62e9\u5927\u534a\u591c\u7f51\u7edc\u597d\u7684\u65f6\u5019<\/p>\n
\u63a5\u7740\u91cd\u65b0\u52a0\u8f7d Bash<\/p>\n
\n
source<\/span> ~\/.bashrc<\/code><\/pre>\n<\/div>\n
\u8f93\u5165 acme.sh --help<\/code> \u5373\u53ef\u67e5\u770b acme.sh \u7684\u5e2e\u52a9\u547d\u4ee4<\/p>\n
\n
root@sb-blog ~ # acme.sh --help\n<\/span>https:\/\/github.com\/Neilpang\/acme.sh\nv2.7.8\nUsage: acme.sh  command<\/span> ...[<\/span>parameters]<\/span>....\nCommands:\n  --help, -h               Show this help<\/span> message.\n  --version, -v            Show version info.\n  --install                Install acme.sh to your system.\n  --uninstall              Uninstall acme.sh, and uninstall the cron job.\n  --upgrade                Upgrade acme.sh to the latest code from https:\/\/github.com\/Neilpang\/acme.sh.\n  --issue                  Issue a cert.\n  --signcsr                Issue a cert from an existing csr.\n  --deploy                 Deploy the cert to your server.\n  --install-cert           Install the issued cert to apache\/nginx or any other server.\n  --renew, -r              Renew a cert.\n  --renew-all              Renew all the certs.\n  --revoke                 Revoke a cert.\n  --remove                 Remove the cert from list of certs known to acme.sh.\n  --list                   List all the certs.\n  --showcsr                Show the content of a csr.\n  --install-cronjob        Install the cron job to renew certs, you don't need to call this. The '<\/span>install' command can automatically install the cron job.\n<\/span>  --uninstall-cronjob      Uninstall the cron job. The '<\/span>uninstall' command can do this automatically.\n<\/span>  --cron                   Run cron job to renew all the certs.\n<\/span>  --toPkcs                 Export the certificate and key to a pfx file.\n<\/span>  --toPkcs8                Convert to pkcs8 format.\n<\/span>  --update-account         Update account info.\n<\/span>  --register-account       Register account key.\n<\/span>  --deactivate-account     Deactivate the account.\n<\/span>  --create-account-key     Create an account private key, professional use.\n<\/span>  --create-domain-key      Create an domain private key, professional use.\n<\/span>  --createCSR, -ccsr       Create CSR , professional use.\n<\/span>  --deactivate             Deactivate the domain authz, professional use.\n<\/span>\nParameters:\n<\/span>  --domain, -d   domain.tld         Specifies a domain, used to issue, renew or revoke etc.\n<\/span>  --challenge-alias domain.tld      The challenge domain alias for DNS alias mode: https:\/\/github.com\/Neilpang\/acme.sh\/wiki\/DNS-alias-mode\n<\/span>  --domain-alias domain.tld         The domain alias for DNS alias mode: https:\/\/github.com\/Neilpang\/acme.sh\/wiki\/DNS-alias-mode\n<\/span>  --force, -f                       Used to force to install or force to renew a cert immediately.\n<\/span>  --staging, --test                 Use staging server, just for test.\n<\/span>  --debug                           Output debug info.\n<\/span>  --output-insecure                 Output all the sensitive messages. By default all the credentials\/sensitive messages are hidden from the output\/debug\/log for secure.\n<\/span>  --webroot, -w  \/path\/to\/webroot   Specifies the web root folder for web root mode.\n<\/span>  --standalone                      Use standalone mode.\n<\/span>  --stateless                       Use stateless mode, see: https:\/\/github.com\/Neilpang\/acme.sh\/wiki\/Stateless-Mode\n<\/span>  --apache                          Use apache mode.\n<\/span>  --dns [dns_cf|dns_dp|dns_cx|\/path\/to\/api\/file]   Use dns mode or dns api.\n<\/span>  --dnssleep  [120]                  The time in seconds to wait for all the txt records to take effect in dns api mode. Default 120 seconds.\n<\/span>\n  --keylength, -k [2048]            Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.\n<\/span>  --accountkeylength, -ak [2048]    Specifies the account key length.\n<\/span>  --log    [\/path\/to\/logfile]       Specifies the log file. The default is: \"\/root\/.acme.sh\/acme.sh.log\" if you don'<\/span>t give a file path here.\n  --log-level 1<\/span>|<\/span>2<\/span>                   Specifies the log level, default is 1<\/span>.\n  --syslog [<\/span>0<\/span>|<\/span>3<\/span>|<\/span>6<\/span>|<\/span>7<\/span>]<\/span>                Syslog level, 0<\/span>: disable syslog, 3<\/span>: error, 6<\/span>: info, 7<\/span>: debug.\n\n  These parameters are to install the cert to nginx\/apache or anyother server after issue\/renew a cert:\n\n  --cert-file                       After issue\/renew, the cert will be copied to this path.\n  --key-file                        After issue\/renew, the key will be copied to this path.\n  --ca-file                         After issue\/renew, the intermediate cert will be copied to this path.\n  --fullchain-file                  After issue\/renew, the fullchain cert will be copied to this path.\n\n  --reloadcmd \"service nginx reload\"<\/span> After issue\/renew, it's used to reload the server.\n<\/span>\n  --server SERVER                   ACME Directory Resource URI. (default: https:\/\/acme-v01.api.letsencrypt.org\/directory)\n<\/span>  --accountconf                     Specifies a customized account config file.\n<\/span>  --home                            Specifies the home dir for acme.sh .\n<\/span>  --cert-home                       Specifies the home dir to save all the certs, only valid for '<\/span>--install' command.\n<\/span>  --config-home                     Specifies the home dir to save all the configurations.\n<\/span>  --useragent                       Specifies the user agent string. it will be saved for future use too.\n<\/span>  --accountemail                    Specifies the account email, only valid for the '<\/span>--install' and '<\/span>--update-account' command.\n<\/span>  --accountkey                      Specifies the account key path, only valid for the '<\/span>--install' command.\n<\/span>  --days                            Specifies the days to renew the cert when using '<\/span>--issue' command. The max value is 60 days.\n<\/span>  --httpport                        Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.\n<\/span>  --local-address                   Specifies the standalone\/tls server listening address, in case you have multiple ip addresses.\n<\/span>  --listraw                         Only used for '<\/span>--list' command, list the certs in raw format.\n<\/span>  --stopRenewOnError, -se           Only valid for '<\/span>--renew-all' command. Stop if one cert has error in renewal.\n<\/span>  --insecure                        Do not check the server certificate, in some devices, the api server'<\/span>s certificate may not be trusted.\n  --ca-bundle                       Specifies the path to the CA certificate bundle to verify api server's certificate.\n<\/span>  --ca-path                         Specifies directory containing CA certificates in PEM format, used by wget or curl.\n<\/span>  --nocron                          Only valid for '<\/span>--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.\n<\/span>  --no-color                        Do not output color text.\n<\/span>  --ecc                             Specifies to use the ECC cert. Valid for '<\/span>--install-cert', '<\/span>--renew', '<\/span>--revoke', '<\/span>--toPkcs' and '<\/span>--createCSR'\n<\/span>  --csr                             Specifies the input csr.\n<\/span>  --pre-hook                        Command to be run before obtaining any certificates.\n<\/span>  --post-hook                       Command to be run after attempting to obtain\/renew certificates. No matter the obtain\/renew is success or failed.\n<\/span>  --renew-hook                      Command to be run once for each successfully renewed certificate.\n<\/span>  --deploy-hook                     The hook file to deploy cert\n<\/span>  --ocsp-must-staple, --ocsp        Generate ocsp must Staple extension.\n<\/span>  --always-force-new-domain-key     Generate new domain key when renewal. Otherwise, the domain key is not changed by default.\n<\/span>  --auto-upgrade   [0|1]            Valid for '<\/span>--upgrade'<\/span> command, indicating whether to upgrade automatically in future.\n  --listen-v4                       Force standalone\/tls server to listen at ipv4.\n  --listen-v6                       Force standalone\/tls server to listen at ipv6.\n  --openssl-bin                     Specifies a custom openssl bin location.\n  --use-wget                        Force to use wget, if<\/span> you have both curl and wget installed.<\/code><\/pre>\n<\/div>\n
\u7136\u540e\u53ef\u4ee5\u6267\u884c acme.sh --upgrade --auto-upgrade<\/code> \u83b7\u53d6 acme.sh \u66f4\u65b0\uff0c\u5e76\u8bbe\u7f6e\u4e4b\u540e\u90fd\u81ea\u52a8\u66f4\u65b0 acme.sh \u811a\u672c<\/p>\n
3\u3001\u83b7\u53d6 Let\u2019s Encrypt \u8bc1\u4e66<\/h2>\n
\u5982\u679c\u4f60\u672c\u5730\u6ca1\u6709\u88c5\u4efb\u4f55 Web \u670d\u52a1\u5668\u8f6f\u4ef6\uff0c\u6216\u8005\u4f60\u7684 Web \u670d\u52a1\u5668\u8f6f\u4ef6\u5e76\u6ca1\u6709\u76d1\u542c TCP 80 \u7aef\u53e3\uff0c\u90a3\u4e48\u53ef\u4ee5\u7528 Standalone \u65b9\u5f0f\u76f4\u63a5\u83b7\u53d6\u591a\u57df\u540d\u8bc1\u4e66\uff0c\u6ce8\u610f\u4ee5\u4e0b\u64cd\u4f5c\u5fc5\u987b\u4f7f\u7528 root \u6216 sudo \u5207\u6362<\/p>\n
\u6211\u4eec\u4ee5 example.com<\/code> \/ www.example.com<\/code> \/ subdomain.example.com<\/code> \u8fd9\u4e09\u4e2a\u57df\u540d\u4e3a\u4f8b<\/p>\n
\u9996\u5148\uff0c\u4f60\u9700\u8981\u628a\u8fd9\u4e09\u4e2a\u57df\u540d\u90fd\u89e3\u6790\u5230\u4f60\u7684\u670d\u52a1\u5668 IPv4 \u4e0a\uff0c\u5e76\u4e14\u786e\u4fdd\u4f60\u7684\u670d\u52a1\u5668\u53ef\u4ee5\u8bbf\u95ee\u516c\u7f51\uff0c\u65e0\u6cd5\u8bbf\u95ee\u516c\u7f51\u7684\u5185\u7f51\u670d\u52a1\u5668\u662f\u4e0d\u884c\u7684<\/p>\n
\u53e6\u5916\uff0c\u4f60\u4e5f\u53ef\u4ee5\u7ed9 example.com<\/code> \u589e\u52a0\u4e00\u4e2a CAA \u8bb0\u5f55\u4e3a 0 issue \"letsencrypt.org\"<\/code> \u8fd9\u6837\u53ef\u4ee5\u544a\u8bc9 Let\u2019s Encrypt \u7684 CA \uff0c\u4f60\u6388\u6743\u7ed9\u4ed6\u4eec\u7b7e\u53d1 SSL \u8bc1\u4e66<\/p>\n
\n
acme.sh --issue --standalone -d example.com -d www.example.com -d subdomain.example.com<\/code><\/pre>\n<\/div>\n
\u901a\u8fc7\u8fd9\u4e2a\u65b9\u5f0f\uff0c\u5373\u53ef\u4e3a example.com<\/code> www.example.com<\/code> \u548c subdomain.example.com<\/code> \u4e09\u4e2a\u57df\u540d\u7b7e\u53d1\u4e00\u5f20\u591a\u57df\u540d\u8bc1\u4e66<\/p>\n
\u4f46\u662f\u4e00\u822c\u60c5\u51b5\u4e0b\uff0c\u6211\u4eec\u90fd\u88c5\u4e86 Web \u670d\u52a1\u5668\uff0c\u5e76\u4e14\u5b89\u88c5\u4e86 SSL \u4ee5\u540e\u5f88\u591a\u7528\u6237\u9009\u62e9 http \u8df3\u8f6c\u5230 https\uff0c\u6240\u4ee5\u4f60\u9700\u8981\u786e\u4fdd Let\u2019s Encrypt \u80fd\u8bbf\u95ee 80 \u7aef\u53e3\u4e0b\u7684 \/.well-known\/acme-challenge<\/code> \u76ee\u5f55\uff0c\u6211\u4eec\u4ee5 Nginx \u4e3a\u4f8b<\/p>\n
\u4ee5\u4e0b\u64cd\u4f5c\u4e4b\u524d\u53ef\u4ee5\u901a\u8fc7\u672c\u7ad9\u7684\u6559\u7a0b\u5b89\u88c5 LEMP<\/p>\n
Debian 9 \/ Debian 8 \u4f7f\u7528\u6e90\u5b89\u88c5 LEMP \u6559\u7a0b<\/a><\/p>\n
Ubuntu 16.04 \/ Ubuntu 14.04 \u4f7f\u7528\u6e90\u5b89\u88c5 LEMP \u6559\u7a0b<\/a><\/p>\n
CentOS \/ RHEL 7 \u4f7f\u7528 EPEL \u5b89\u88c5 LEMP \u6559\u7a0b<\/a><\/p>\n
Linux \u4e0b\u7f16\u8bd1\u5b89\u88c5\u6700\u65b0\u7248\u672c Nginx<\/a><\/p>\n
\u9996\u5148\u5efa\u7acb\u4e00\u4e2a \/var\/www\/letsencrypt<\/code> \u76ee\u5f55<\/p>\n
\n
mkdir -p \/var\/www\/letsencrypt<\/code><\/pre>\n<\/div>\n
\u7136\u540e\u4fee\u6539 \/etc\/nginx\/sites-enabled\/default<\/code> \u6587\u4ef6<\/p>\n
\n
server<\/span> {<\/span>\n\tlisten<\/span> 80<\/span> default_server<\/span>;<\/span>\n\tlisten<\/span> [::]:80<\/span> default_server<\/span>;<\/span>\n\tserver_name<\/span> _<\/span>;<\/span>\n\n\tlocation<\/span> \/.well-known\/acme-challenge<\/span> {<\/span>\n\t\troot<\/span> \/var\/www\/letsencrypt<\/span>;<\/span>\n\t}<\/span>\n\n\tlocation<\/span> \/<\/span> {<\/span>\n\t\treturn<\/span> 301<\/span> https:\/\/<\/span>$host$request_uri<\/span>;<\/span>\n\t}<\/span>\n}<\/span><\/code><\/pre>\n<\/div>\n
\u8fd9\u6bb5\u8bdd\u7684\u610f\u601d\u662f\uff0c\u6240\u6709\u8bbf\u95ee 80 \u7aef\u53e3\u7684\u8bf7\u6c42\uff0c\u90fd\u81ea\u52a8\u8df3\u8f6c\u5230 https \uff0c\u4f46\u662f \/.well-known\/acme-challenge<\/code> \u8fd9\u4e2a\u76ee\u5f55\u4ecd\u7136\u53ef\u4ee5\u901a\u8fc7 80 \u7aef\u53e3\u8fdb\u884c\u8bbf\u95ee<\/p>\n
\u7136\u540e\u91cd\u542f Nginx<\/p>\n
\n
nginx -t &&<\/span> nginx -s reload<\/code><\/pre>\n<\/div>\n
\u63a5\u4e0b\u6765\u7ed9 example.com<\/code> www.example.com<\/code> \u548c subdomain.example.com<\/code> \u4e09\u4e2a\u57df\u540d\u7b7e\u53d1\u4e00\u5f20\u591a\u57df\u540d\u8bc1\u4e66<\/p>\n
\n
acme.sh --issue -d example.com -d www.example.com -d subdomain.example.com -w \/var\/www\/letsencrypt<\/code><\/pre>\n<\/div>\n
\u5982\u679c\u6ca1\u6709\u95ee\u9898\uff0c\u5c31\u4f1a\u770b\u5230\u5982\u4e0b\u7ed3\u679c<\/p>\n
\n
root@example ~ # acme.sh --issue -d example.com -d www.example.com -w \/var\/www\/letsencrypt\n<\/span>[<\/span>Tue Mar 20<\/span> 15<\/span>:50:37 HKT 2018<\/span>]<\/span> Domains have changed.\n[<\/span>Tue Mar 20<\/span> 15<\/span>:50:37 HKT 2018<\/span>]<\/span> Multi domain<\/span>=<\/span>'DNS:example.com,DNS:www.example.com'<\/span>\n[<\/span>Tue Mar 20<\/span> 15<\/span>:50:37 HKT 2018<\/span>]<\/span> Getting domain auth token for<\/span> each domain\n[<\/span>Tue Mar 20<\/span> 15<\/span>:50:37 HKT 2018<\/span>]<\/span> Getting webroot for<\/span> domain<\/span>=<\/span>'example.com'<\/span>\n[<\/span>Tue Mar 20<\/span> 15<\/span>:50:37 HKT 2018<\/span>]<\/span> Getting new-authz for<\/span> domain<\/span>=<\/span>'example.com'<\/span>\n[<\/span>Tue Mar 20<\/span> 15<\/span>:50:38 HKT 2018<\/span>]<\/span> The new-authz request is ok.\n[<\/span>Tue Mar 20<\/span> 15<\/span>:50:38 HKT 2018<\/span>]<\/span> Getting webroot for<\/span> domain<\/span>=<\/span>'www.example.com'<\/span>\n[<\/span>Tue Mar 20<\/span> 15<\/span>:50:38 HKT 2018<\/span>]<\/span> Getting new-authz for<\/span> domain<\/span>=<\/span>'www.example.com'<\/span>\n[<\/span>Tue Mar 20<\/span> 15<\/span>:50:39 HKT 2018<\/span>]<\/span> The new-authz request is ok.\n[<\/span>Tue Mar 20<\/span> 15<\/span>:50:39 HKT 2018<\/span>]<\/span> example.com is already verified, skip http-01.\n[<\/span>Tue Mar 20<\/span> 15<\/span>:50:39 HKT 2018<\/span>]<\/span> Verifying:www.example.com\n[<\/span>Tue Mar 20<\/span> 15<\/span>:50:43 HKT 2018<\/span>]<\/span> Success\n[<\/span>Tue Mar 20<\/span> 15<\/span>:50:43 HKT 2018<\/span>]<\/span> Verify finished, start to sign.\n[<\/span>Tue Mar 20<\/span> 15<\/span>:50:44 HKT 2018<\/span>]<\/span> Cert success.\n-----BEGIN CERTIFICATE-----\n\u8fd9\u91cc\u4e00\u957f\u4e32\u5c31\u662f\u8bc1\u4e66\u6587\u4ef6\u8f93\u51fa\n-----END CERTIFICATE-----\n[<\/span>Tue Mar 20<\/span> 15<\/span>:50:44 HKT 2018<\/span>]<\/span> Your cert is in  \/root\/.acme.sh\/example.com\/example.com.cer \n[<\/span>Tue Mar 20<\/span> 15<\/span>:50:44 HKT 2018<\/span>]<\/span> Your cert key is in  \/root\/.acme.sh\/example.com\/example.com.key \n[<\/span>Tue Mar 20<\/span> 15<\/span>:50:45 HKT 2018<\/span>]<\/span> The intermediate CA cert is in  \/root\/.acme.sh\/example.com\/ca.cer \n[<\/span>Tue Mar 20<\/span> 15<\/span>:50:45 HKT 2018<\/span>]<\/span> And the full chain certs is there:  \/root\/.acme.sh\/example.com\/fullchain.cer<\/code><\/pre>\n<\/div>\n
\u7b7e\u53d1\u5b8c\u6210\u540e\uff0c\u6211\u4eec\u53ef\u4ee5\u5b89\u88c5\u5230 Nginx<\/p>\n
\u4e3a\u4e86\u8fdb\u540e\u65b9\u4fbf\u7ef4\u62a4\uff0c\u6211\u4eec\u5efa\u7acb\u4e00\u4e2a \/etc\/nginx\/ssl<\/code> \u76ee\u5f55\u7528\u6765\u653e\u8bc1\u4e66<\/p>\n
\n
mkdir -p \/etc\/nginx\/ssl<\/code><\/pre>\n<\/div>\n
\n
acme.sh --install-cert -d example.com \\\n<\/span>--key-file       \/etc\/nginx\/ssl\/example.com.key  \\\n<\/span>--fullchain-file \/etc\/nginx\/ssl\/example.com.crt \\\n<\/span>--reloadcmd     \"service nginx force-reload\"<\/span><\/code><\/pre>\n<\/div>\n
\u4e0d\u7ba1\u591a\u57df\u540d\u8bc1\u4e66\u91cc\u6709\u51e0\u4e2a\u57df\u540d\uff0c\u8fd9\u91cc\u7684 -d<\/code> \u53c2\u6570\u53ea\u9700\u8981\u5e26\u7b2c\u4e00\u4e2a\u57df\u540d\u5373\u53ef<\/p>\n
\u5982\u679c\u662f Apache 2.4.8 \u4ee5\u4e0a\u7248\u672c\u7684\u8bdd\uff0c\u53ef\u4ee5\u4f7f\u7528\u8fd9\u4e2a\u547d\u4ee4<\/p>\n
\n
acme.sh --install-cert -d example.com \\\n<\/span>--key-file       \/etc\/apache2\/ssl\/example.com.key  \\\n<\/span>--fullchain-file \/etc\/apache2\/ssl\/example.com.crt \\\n<\/span>--reloadcmd     \"service apache2 force-reload\"<\/span><\/code><\/pre>\n<\/div>\n
\u8fd9\u6837 SSL \u8bc1\u4e66\u5c31\u5df2\u7ecf\u83b7\u53d6\u5b8c\u6bd5\u5e76\u4e14\u52a0\u5165\u4e86\u81ea\u52a8\u66f4\u65b0<\/p>\n
4\u3001\u914d\u7f6e Nginx \u6216 Apache<\/h2>\n
\u8fd9\u90e8\u5206\u6559\u7a0b\u7f51\u7ad9\u5b9e\u5728\u592a\u591a\uff0c\u672c\u6587\u4e0d\u505a\u4e00\u4e00\u63cf\u8ff0\uff0c\u76f4\u63a5\u8d34\u4e0a\u6211\u4eec\u63a8\u8350\u7684\u914d\u7f6e\u6587\u4ef6<\/p>\n
4.1\u3001Nginx \u914d\u7f6e<\/h3>\n
\u4ee5\u4e0b\u7248\u672c\u9002\u7528\u4e8e Nginx 1.10+ \u9ed8\u8ba4\u5f00\u542f\u4e86 HTTP\/2.0<\/code> \u548c HSTS Preload<\/code> \u652f\u6301<\/p>\n
\u9996\u5148\u6211\u4eec\u751f\u6210 DHE \u53c2\u6570\u6587\u4ef6\uff0c\u8fd9\u8d27\u662f\u8fea\u83f2-\u8d6b\u5c14\u66fc\u5bc6\u94a5\u4ea4\u6362<\/a>\uff0c\u4e00\u79cd\u7070\u5e38\u5f3a\u5927\u7684\u5b89\u5168\u534f\u8bae<\/p>\n
\n
openssl dhparam -out \/etc\/nginx\/ssl\/dhparam.pem 2048<\/span><\/code><\/pre>\n<\/div>\n
\u7136\u540e\u7f16\u8f91 \/etc\/nginx\/sites-enable\/example.com.conf<\/code><\/p>\n
\n
server {<\/span>\n\tlisten 443<\/span> ssl http2 default_server;<\/span>\n\tlisten [<\/span>::]<\/span>:443 ssl http2 default_server;<\/span>\n\n\tserver_name example.com;<\/span>\n\n\troot \/var\/www\/example.com;<\/span>\n\tindex index.html index.htm index.php;<\/span>\n\n# \u6211\u4eec\u91c7\u7528\u5f3a\u5927\u7684\u8fea\u83f2-\u8d6b\u5c14\u66fc\u5bc6\u94a5\u4ea4\u6362\uff0c\u751f\u6210\u547d\u4ee4 openssl dhparam -out \/etc\/nginx\/ssl\/dhparam.pem 2048\n<\/span>\tssl_dhparam \/etc\/nginx\/ssl\/dhparam.pem;<\/span>\n\n\tssl_protocols TLSv1 TLSv1.1 TLSv1.2;<\/span>\n\tssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'<\/span>;<\/span>\n\tssl_prefer_server_ciphers on;<\/span>\n\n\tssl_session_cache shared:SSL:50m;<\/span>\n\tssl_session_timeout 1d;<\/span>\n\n# \u5982\u679c\u4f60 Nginx \u914d\u7f6e\u4e86 SNI \u5373\u591a\u4e2a\u7ad9\u70b9\uff0c\u591a\u4e2a\u8bc1\u4e66\uff0c\u5219\u9700\u8981\u7528\u5230\u5982\u4e0b\u914d\u7f6e\uff0c\u5148\u751f\u6210\u6587\u4ef6 openssl rand 48 > \/etc\/nginx\/ssl\/session_ticket.key\n<\/span>#\tssl_session_ticket_key     \/etc\/nginx\/ssl\/session_ticket.key;\n<\/span>#\tssl_session_tickets        off;\n<\/span>\n# \u5982\u679c\u9700\u8981\u5f00\u542f OSCP \u529f\u80fd\uff0c\u5219\u9700\u8981\u52a0\u5165\n<\/span>#\tssl_stapling               on;\n<\/span>#\tssl_stapling_verify        on;\n<\/span># ssl_trusted_certificate \/path\/to\/root_CA_cert_plus_intermediates;\n<\/span>#\tresolver                   8.8.8.8 8.8.4.4 valid=300s;\n<\/span>#\tresolver_timeout           10s;\n<\/span>\n# \u6b64\u5904\u662f\u8bc1\u4e66\u6587\u4ef6\n<\/span>\n\tssl_certificate \/etc\/nginx\/ssl\/example.com.crt;<\/span>\n\tssl_certificate_key \/etc\/nginx\/ssl\/example.com.key;<\/span>\n\n# \u5f00\u542f HSTS Preload \u652f\u6301\n<\/span>\n\tadd_header Strict-Transport-Security \"max-age=63072000; includeSubDomains; preload\"<\/span>;<\/span> \n\tadd_header X-Frame-Options SAMEORIGIN;<\/span>\n\tadd_header X-Content-Type-Options nosniff;<\/span>\n\tadd_header X-XSS-Protection \"1; mode=block\"<\/span>;<\/span>\n\n# \u5f00\u542f PHP7.2-fpm \u6a21\u5f0f\uff0c\u5982\u9700\u8981\u5b89\u88c5 PHP 7.1.x \u8bf7\u4fee\u6539\u4e3a fastcgi_pass unix:\/run\/php\/php7.1-fpm.sock;\n<\/span>#\tlocation ~ \\.php$ {\n<\/span>#\t  include snippets\/fastcgi-php.conf;\n<\/span>#    fastcgi_pass unix:\/run\/php\/php7.2-fpm.sock;\n<\/span>#  }\n<\/span>\n\taccess_log \/var\/log\/nginx\/example.com.access.log;<\/span>\n\terror_log \/var\/log\/nginx\/example.com.error.log;<\/span>\n}<\/span><\/code><\/pre>\n<\/div>\n
\u6ce8\u610f ssl_ciphers \u7684\u914d\u7f6e\uff0c\u8fd9\u91cc\u8d34\u7684\u914d\u7f6e\u9002\u5408\u5927\u591a\u6570\u7684\u6d4f\u89c8\u5668\uff0c\u6700\u4f4e\u6d4f\u89c8\u5668\u652f\u6301\u662f Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7<\/p>\n
\u5982\u679c\u9700\u8981\u66f4\u8001\u7684\u6d4f\u89c8\u5668\u652f\u6301\uff0c\u53ef\u4ee5\u6539\u6210<\/p>\n
\n
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;<\/span>\nssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP'<\/span>;<\/span>\nssl_prefer_server_ciphers on;<\/span><\/code><\/pre>\n<\/div>\n
\u5f53\u7136\u5982\u679c\u9700\u8981\u6fc0\u8fdb\u4e00\u70b9\uff0c\u53ef\u4ee5\u6539\u6210<\/p>\n
\n
ssl_protocols TLSv1.2;<\/span>\nssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'<\/span>;<\/span>\nssl_prefer_server_ciphers on;<\/span><\/code><\/pre>\n<\/div>\n
\u6b64\u65b9\u6848\u6700\u4f4e\u6d4f\u89c8\u5668\u652f\u6301\u662f Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8<\/p>\n
\u518d\u6fc0\u8fdb\u4e00\u70b9\u7684\uff0c\u5c31\u8981\u7528 TLSv1.3 \u4e86\uff0c\u5750\u7b49\u5404\u79cd\u6d4f\u89c8\u5668\u90fd\u652f\u6301\u5427<\/p>\n
\u7136\u540e\u68c0\u67e5\u914d\u7f6e\u5e76\u91cd\u542f Nginx<\/p>\n
\n
nginx -t &&<\/span> nginx -s reload<\/code><\/pre>\n<\/div>\n
4.2\u3001Apache 2.4 \u914d\u7f6e<\/h3>\n
\n
<VirtualHost *:80>\n\n  ServerName example.com\n  Redirect permanent \/ https:\/\/example.com\/\n<\/VirtualHost>\n\nLoadModule headers_module modules\/mod_headers.so\n\n<VirtualHost *:443>\n\n    SSLEngine on\n    SSLCertificateFile      \/etc\/apache2\/ssl\/example.com.crt\n    SSLCertificateKeyFile   \/etc\/apache2\/ssl\/example.com.key\n\n    # Uncomment the following directive when using client certificate authentication\n<\/span>    #SSLCACertificateFile    \/path\/to\/ca_certs_for_client_authentication\n<\/span>\n\n    # HSTS (mod_headers is required) (15768000 seconds = 6 months)\n<\/span>    Header always set<\/span> Strict-Transport-Security \"max-age=63072000; includeSubdomains;\"<\/span>\n    Header always set<\/span> X-Frame-Options SAMEORIGIN\n    Header always set<\/span> X-Content-Type-Options nosniff\n    Header set<\/span> X-XSS-Protection \"1; mode=block\"<\/span>\n<\/VirtualHost>\n\n# intermediate configuration, tweak to your needs\n<\/span>SSLProtocol             all -SSLv3\nSSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS\nSSLHonorCipherOrder     on\nSSLCompression          off\nSSLSessionTickets       off\n\n# OCSP Stapling, only in httpd 2.3.3 and later\n<\/span># SSLUseStapling          on\n<\/span># SSLStaplingResponderTimeout 5\n<\/span># SSLStaplingReturnResponderErrors off\n<\/span># SSLStaplingCache        shmcb:\/var\/run\/ocsp(<\/span>128000<\/span>)<\/span><\/code><\/pre>\n<\/div>\n
\u914d\u7f6e\u5b8c\u6210\u540e\u91cd\u542f Apache 2.4<\/p>\n
\n
service apache2 reload<\/code><\/pre>\n<\/div>\n
\u53e6\u5916\uff0c\u5f00\u542f\u4e86 HSTS Preload \u540e\uff0c\u53ef\u4ee5\u53bb HSTS Preload List Submission<\/a> \u68c0\u67e5\u5e76\u4e14\u63d0\u4ea4\u4f60\u7684\u7f51\u7ad9\uff0c\u8fd9\u6837\u4ee5\u540e\u7684\u5404\u79cd\u6d4f\u89c8\u5668\u5c31\u4f1a\u628a\u4f60\u7684\u7f51\u5740\u52a0\u5165\u5230 HSTS Preload List \u8bbf\u95ee example.com \u7684\u65f6\u5019\u5c31\u4e0d\u9700\u8981\u989d\u5916\u53bb\u8bf7\u6c42 80 \u7aef\u53e3\u4e86<\/p>\n
5\u3001\u83b7\u53d6 Let\u2019s Encrypt \u901a\u914d\u7b26\u8bc1\u4e66<\/h2>\n
\u901a\u914d\u7b26\u8bc1\u4e66\uff0c\u82f1\u6587 Wildcard Certificate \u56fd\u5185\u9ed1\u8bdd\u53eb\u505a\u91ce\u5361\uff0c\u7ecf\u8fc7\u4e00\u4e2a\u6708\u7684\u8df3\u7968\u540e\uff0cLet\u2019s Encrypt \u76ee\u524d\u5df2\u7ecf\u652f\u6301\u901a\u914d\u7b26\u7684\u8bc1\u4e66\uff0c\u540c\u6837 acme.sh \u4e5f\u662f\u652f\u6301\u7684\uff0c\u548c\u591a\u57df\u540d\u8bc1\u4e66\u4e0d\u540c\uff0c\u901a\u914d\u7b26\u8bc1\u4e66\u5fc5\u987b\u4f7f\u7528 DNS TXT \u8bb0\u5f55\u9a8c\u8bc1\u65b9\u5f0f\uff0c\u6211\u4eec\u4ee5 example.com<\/code> \u548c *.example.com<\/code> \u4e3a\u4f8b<\/p>\n
\n
acme.sh --issue -d example.com -d '*.example.com'<\/span> --dns<\/code><\/pre>\n<\/div>\n
\u5982\u679c\u4f60\u7684 DNS \u63d0\u4f9b\u5546\u652f\u6301 API\uff0c\u4f60\u4e5f\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528 API \u800c\u4e0d\u9700\u8981\u624b\u5de5\u4fee\u6539 TXT \u8bb0\u5f55\uff0c\u8be6\u7ec6\u7528\u6cd5\u8bf7\u89c1\u8fd9\u91cc<\/a><\/p>\n
\u7136\u540e\u4f1a\u770b\u5230\u5982\u4e0b\u7684\u8f93\u51fa<\/p>\n
\n
root@example ~ # acme.sh --issue -d example.com -d '*.example.com' --dns\n<\/span>[<\/span>Tue Mar 20<\/span> 16<\/span>:34:35 HKT 2018<\/span>]<\/span> Domains have changed.\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:35 HKT 2018<\/span>]<\/span> Registering account\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:36 HKT 2018<\/span>]<\/span> Registered\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:36 HKT 2018<\/span>]<\/span> ACCOUNT_THUMBPRINT<\/span>=<\/span>'blablablabla'<\/span>\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:36 HKT 2018<\/span>]<\/span> Multi domain<\/span>=<\/span>'DNS:example.com,DNS:*.example.com'<\/span>\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:36 HKT 2018<\/span>]<\/span> Getting domain auth token for<\/span> each domain\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:38 HKT 2018<\/span>]<\/span> Getting webroot for<\/span> domain<\/span>=<\/span>'example.com'<\/span>\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:38 HKT 2018<\/span>]<\/span> Getting webroot for<\/span> domain<\/span>=<\/span>'*.example.com'<\/span>\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:38 HKT 2018<\/span>]<\/span> Add the following TXT record:\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:38 HKT 2018<\/span>]<\/span> Domain: '_acme-challenge.example.com'<\/span>\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:38 HKT 2018<\/span>]<\/span> TXT value: 'blablablabla1'<\/span>\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:38 HKT 2018<\/span>]<\/span> Please be aware that you prepend _acme-challenge. before your domain\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:38 HKT 2018<\/span>]<\/span> so the resulting subdomain will be: _acme-challenge.example.com\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:38 HKT 2018<\/span>]<\/span> Add the following TXT record:\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:38 HKT 2018<\/span>]<\/span> Domain: '_acme-challenge.example.com'<\/span>\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:38 HKT 2018<\/span>]<\/span> TXT value: 'blablablabla2'<\/span>\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:38 HKT 2018<\/span>]<\/span> Please be aware that you prepend _acme-challenge. before your domain\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:38 HKT 2018<\/span>]<\/span> so the resulting subdomain will be: _acme-challenge.example.com\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:38 HKT 2018<\/span>]<\/span> Please add the TXT records to the domains, and re-run with --renew.\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:38 HKT 2018<\/span>]<\/span> Please add '--debug'<\/span> or '--log'<\/span> to check more details.\n[<\/span>Tue Mar 20<\/span> 16<\/span>:34:38 HKT 2018<\/span>]<\/span> See: https:\/\/github.com\/Neilpang\/acme.sh\/wiki\/How-to-debug-acme.sh<\/code><\/pre>\n<\/div>\n
\u63a5\u7740\u4f60\u9700\u8981\u7ed9 _acme-challenge.example.com<\/code> \u589e\u52a0\u4e24\u4e2a TXT \u8bb0\u5f55 \"blablablabla1\"<\/code> \u548c \"blablablabla2\"<\/code>\uff0c\u7136\u540e\u6162\u6162\u7b49 DNS \u751f\u6548<\/p>\n
\n
root@example ~ # dig TXT _acme-challenge.example.com @9.9.9.9 +short\n<\/span>\"blablablabla1\"<\/span>\n\"blablablabla2\"<\/span><\/code><\/pre>\n<\/div>\n
\u751f\u6548\u540e\u7ed9\u8bc1\u4e66\u7eed\u4e00\u79d2<\/p>\n
\n
acme.sh --renew -d example.com -d '*.example.com'<\/span><\/code><\/pre>\n<\/div>\n
\u8f93\u51fa\u5982\u4e0b<\/p>\n
\n
root@example ~ # acme.sh --renew -d example.com -d '*.example.com' --force\n<\/span>[<\/span>Tue Mar 20<\/span> 16<\/span>:41:25 HKT 2018<\/span>]<\/span> Renew: 'example.com'<\/span>\n[<\/span>Tue Mar 20<\/span> 16<\/span>:41:26 HKT 2018<\/span>]<\/span> Multi domain<\/span>=<\/span>'DNS:example.com,DNS:*.example.com'<\/span>\n[<\/span>Tue Mar 20<\/span> 16<\/span>:41:26 HKT 2018<\/span>]<\/span> Getting domain auth token for<\/span> each domain\n[<\/span>Tue Mar 20<\/span> 16<\/span>:41:26 HKT 2018<\/span>]<\/span> Verifying:example.com\n[<\/span>Tue Mar 20<\/span> 16<\/span>:41:29 HKT 2018<\/span>]<\/span> Success\n[<\/span>Tue Mar 20<\/span> 16<\/span>:41:29 HKT 2018<\/span>]<\/span> Verifying:*.example.com\n[<\/span>Tue Mar 20<\/span> 16<\/span>:41:32 HKT 2018<\/span>]<\/span> Success\n[<\/span>Tue Mar 20<\/span> 16<\/span>:41:32 HKT 2018<\/span>]<\/span> Verify finished, start to sign.\n[<\/span>Tue Mar 20<\/span> 16<\/span>:41:33 HKT 2018<\/span>]<\/span> Cert success.\n-----BEGIN CERTIFICATE-----\n\u8fd9\u91cc\u662f\u8bc1\u4e66\u6587\u4ef6\n-----END CERTIFICATE-----\n[<\/span>Tue Mar 20<\/span> 16<\/span>:41:33 HKT 2018<\/span>]<\/span> Your cert is in  \/root\/.acme.sh\/example.com\/example.com.cer \n[<\/span>Tue Mar 20<\/span> 16<\/span>:41:33 HKT 2018<\/span>]<\/span> Your cert key is in  \/root\/.acme.sh\/example.com\/example.com.key \n[<\/span>Tue Mar 20<\/span> 16<\/span>:41:33 HKT 2018<\/span>]<\/span> The intermediate CA cert is in  \/root\/.acme.sh\/example.com\/ca.cer \n[<\/span>Tue Mar 20<\/span> 16<\/span>:41:33 HKT 2018<\/span>]<\/span> And the full chain certs is there:  \/root\/.acme.sh\/example.com\/fullchain.cer \n[<\/span>Tue Mar 20<\/span> 16<\/span>:41:33 HKT 2018<\/span>]<\/span> It seems that you are using dns manual mode. please take care: The dns manual mode can not renew automatically, you must issue it again manually. You'<\/span>d better use the other modes instead.\n[<\/span>Tue Mar 20<\/span> 16<\/span>:41:33 HKT 2018<\/span>]<\/span> Call hook error.<\/code><\/pre>\n<\/div>\n
\u7136\u540e\u5c31\u53ef\u4ee5\u53c2\u8003\u4e0a\u9762\u7684 Nginx \u6216 Apache 2.4 \u7684\u914d\u7f6e\uff0c\u8fd9\u91cc\u4e0d\u518d\u91cd\u590d<\/p>\n
1\u3001\u4ec0\u4e48\u662f SSL \u8bc1\u4e66\uff1f<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"status","meta":{"footnotes":""},"categories":[5,9],"tags":[22,166],"class_list":["post-199","post","type-post","status-publish","format-status","hentry","category-lab","category-lifestyle","tag-acme-sh","tag-lets-encrypt","post_format-post-format-status"],"_links":{"self":[{"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/posts\/199","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/comments?post=199"}],"version-history":[{"count":0,"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/posts\/199\/revisions"}],"wp:attachment":[{"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/media?parent=199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/categories?post=199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/tags?post=199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u7406\u8bba\u4e0a\u6309\u7167\u672c\u7ad9\u7684 Nginx \u914d\u7f6e\u6559\u7a0b\u914d\u7f6e\u5b8c\u6210\u540e\uff0c SSL Lab \u5f97\u5206\u90fd\u4f1a\u5728 A+\uff0c\u53c2\u8003\u672c\u7ad9\u7684\u5f97\u5206<\/a>\uff0c\u9650\u4e8e\u7bc7\u5e45\uff0c\u6211\u4eec\u4e4b\u540e\u4f1a\u518d\u4ecb\u7ecd Nginx \u4e0b SSL \u914d\u7f6e\u7684\u66f4\u8be6\u7ec6\u6559\u7a0b\uff0c\u5982\u6709\u7591\u95ee\u8bf7\u968f\u65f6\u8fdb\u7fa4\u8ba8\u8bba<\/p>\n","protected":false},"excerpt":{"rendered":"
\u4ee5\u4e0a Apache 2.4 \u7684\u914d\u7f6e\u5e76\u4e0d\u5b8c\u6574\uff0c\u9700\u8981\u4f60\u6839\u636e\u5b9e\u9645\u60c5\u51b5\u8c03\u6574\uff0c\u66f4\u591a\u670d\u52a1\u5668\u8f6f\u4ef6\u7684 SSL \u914d\u7f6e\u53ef\u4ee5\u53c2\u8003 Mozilla SSL Configuration Generator<\/a><\/p>\n
\u6b64\u65b9\u6848\u9002\u5408\u6700\u4f4e IE6, Java 6 \u4f46\u662f\u6211\u4eec\u5f3a\u70c8\u4e0d\u63a8\u8350\uff0c\u56e0\u4e3a\u6f0f\u6d1e\u592a\u591a\uff0c SSLv3 \u76ee\u524d\u5df2\u7ecf\u57fa\u672c\u88ab\u6dd8\u6c70\uff0c\u53c2\u8003 #1<\/a> #2<\/a><\/p>\n