1. Background

    Apple requires that apps submitted for review after 2017-01-01 use HTTPS, so HTTPS is about to become standard for the backend services of internet companies. Making a backend service support both HTTPS and HTTP takes only a few minutes. HTTPS, however, needs an SSL certificate, and certificates are tied to domain names, so if the site's domains are planned well the configuration is still simple. In this post the domains to be configured are *.domain.com, which a single *.domain.com wildcard certificate would cover. But there are also multiple levels of subdomains, e.g. third-level names such as test.api.domain.com, test.www.domain.com and test.m.domain.com, which a wildcard certificate cannot cover; for this case certificate vendors generally offer multi-domain certificates.
Assume the following six domains need an SSL certificate: www.domain.com, m.domain.com, api.domain.com, test.www.domain.com, test.m.domain.com, test.api.domain.com.
    This post uses a free Let's Encrypt certificate. Its advantages: 1. it is free; 2. although a certificate is only valid for three months, renewal can be automated with a script; 3. no account needs to be registered on any website, the whole process is done on the local machine.

2. Environment

1. This post uses CentOS 7.2.1511, kernel version 3.10.0;
2. nginx is already installed, version: nginx/1.10.2;
3. the nginx working directory is /opt/service/nginx/, laid out as follows


    # tree /opt/service/nginx/
    /opt/service/nginx/
    |-- conf
    |   `-- domain.com.conf
    |-- log -> /opt/logs/nginx
    |-- nginx -> /usr/sbin/nginx
    |-- nginx.pid
    |-- nginx.sh
    `-- ssl          (directory holding the SSL certificate files)
A spoiler first: these are the files the program directory will contain once the installation is done.

    # tree /opt/service/nginx/
    /opt/service/nginx/
    |-- conf
    |   `-- domain.com.conf
    |-- log -> /opt/logs/nginx
    |-- nginx -> /usr/sbin/nginx
    |-- nginx.pid
    |-- nginx.sh
    `-- ssl
        |-- account.key
        |-- acme_tiny.py
        |-- intermediate.pem
        |-- signed.crt
        |-- domain.com.crt
        |-- domain.com.csr
        |-- domain.com.key
        `-- update_crt.sh


3. Installing the certificate

Installing the certificate needs four files in total.
1. Generate the private key file
    # openssl genrsa -out domain.com.key 2048

Generating RSA private key, 2048 bit long modulus
................+++
..........................................................................................................+++
e is 65537 (0x10001)

2. Generate the CSR from the key file
Note: a. include every domain; b. the path of openssl.cnf is not necessarily the same as mine, so check where that file lives on your system first.
    # the openssl.cnf path below is the CentOS 7 default; adjust it to your system
    # openssl req -new -sha256 -key domain.com.key -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:test.www.domain.com,DNS:test.m.domain.com,DNS:test.api.domain.com,DNS:www.domain.com,DNS:m.domain.com,DNS:api.domain.com")) > domain.com.csr

3. Configure domain validation
Before submitting the certificate request you must prove to the certificate issuer that the site belongs to you. First make sure DNS resolves these domains to your machine and that they can be reached normally from the internet.

    server {
        listen 80 default backlog=2048;
        server_name www.domain.com m.domain.com api.domain.com test.www.domain.com test.api.domain.com test.m.domain.com;
        charset utf8;
        access_log /opt/service/nginx/log/domain.com.access.log main;
        error_log /opt/service/nginx/log/domain.com.error.log error;

        location ^~ /.well-known/acme-challenge/ {
            alias /opt/service/www/challenges/;
            try_files $uri =404;
        }

        location / {
            root /opt/service/www/;
        }
    }

Note: a. this configuration is only needed while requesting/renewing the certificate; once the certificate has been issued, the deployment machine does not need it. b. restart nginx after changing it.

4. Create/renew the certificate
    # cd /opt/service/nginx/ssl
    # openssl genrsa 4096 > account.key
    # wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
    # chmod a+rwx acme_tiny.py

Note: a. check whether python is installed on the machine and install it if it is not.

Edit the certificate renewal script update_crt.sh (the same script also creates the certificate the first time; it is generic).

    #!/bin/bash
    cd /opt/service/nginx/ssl
    # ask Let's Encrypt to sign the CSR; stop here if validation or signing fails
    python acme_tiny.py --account-key account.key --csr domain.com.csr --acme-dir /opt/service/www/challenges/ > signed.crt || exit
    # fetch the intermediate and build the full chain nginx serves
    wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
    cat signed.crt intermediate.pem > domain.com.crt
    /opt/service/nginx/nginx.sh restart


Run the renewal command

    # ./update_crt.sh
    Parsing account key...
    Parsing CSR...
    Registering account...
    Already registered!
    Verifying m.domain.com...
    m.domain.com verified!
    Verifying www.domain.com...
    www.domain.com verified!
    Verifying test.m.domain.com...
    test.m.domain.com verified!
    Verifying test.api.domain.com...
    test.api.domain.com verified!
    Verifying test.www.domain.com...
    test.www.domain.com verified!
    Verifying api.domain.com...
    api.domain.com verified!
    Signing certificate...
    Certificate signed!
    --2016-12-23 12:36:33--  https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
    Resolving letsencrypt.org (letsencrypt.org)... 96.7.106.59, 2600:1417:8000:389::2a1f, 2600:1417:8000:3aa::2a1f
    Connecting to letsencrypt.org (letsencrypt.org)|96.7.106.59|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1647 (1.6K) [application/x-x509-ca-cert]
    Saving to: 'STDOUT'

    100%[==================================================================================================================================>] 1,647       --.-K/s   in 0s

    2016-12-23 12:36:33 (404 MB/s) - written to stdout [1647/1647]
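An added example (not from the original post) covering step 2 and step 4 together: it builds the CSR with every domain as a SAN, detecting the openssl.cnf path instead of hard-coding it, and checks the issued certificate against the nginx key and its remaining lifetime before update_crt.sh restarts nginx. The directory layout follows the post; the 30-day renewal threshold and the two openssl.cnf candidate paths are assumptions.

```shell
#!/bin/bash
set -u
SSL_DIR=/opt/service/nginx/ssl
RENEW_WITHIN_DAYS=30   # assumed renewal threshold; Let's Encrypt certs live 90 days
DOMAINS="www.domain.com m.domain.com api.domain.com test.www.domain.com test.m.domain.com test.api.domain.com"

# "a b c" -> "DNS:a,DNS:b,DNS:c", the value of the subjectAltName extension.
san_list() {
    local out="" d
    for d in $1; do out="${out:+$out,}DNS:$d"; done
    printf '%s' "$out"
}

# openssl.cnf lives in different places per distro (CentOS 7: /etc/pki/tls); assumed candidates.
find_openssl_cnf() {
    local p
    for p in /etc/pki/tls/openssl.cnf /etc/ssl/openssl.cnf; do
        [ -f "$p" ] && { printf '%s' "$p"; return 0; }
    done
    return 1
}

# make_csr KEY CSR "DOMAINS": step 2's openssl req, with the SAN section appended
# to a temporary copy of openssl.cnf so every domain ends up in the CSR.
make_csr() {
    local cnf tmp
    cnf=$(find_openssl_cnf) || { echo "openssl.cnf not found" >&2; return 1; }
    tmp=$(mktemp)
    { cat "$cnf"; printf '\n[SAN]\nsubjectAltName=%s\n' "$(san_list "$3")"; } > "$tmp"
    openssl req -new -sha256 -key "$1" -subj "/" -reqexts SAN -config "$tmp" > "$2"
    rm -f "$tmp"
}

# cert_matches_key CRT KEY: the issued cert must carry the public half of the key
# nginx loads, otherwise every TLS handshake fails after the restart in step 4.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# expires_within CRT DAYS: true when the cert expires within DAYS, i.e. renew now.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

case "${1:-}" in
    csr)   make_csr "$SSL_DIR/domain.com.key" "$SSL_DIR/domain.com.csr" "$DOMAINS" ;;
    check) cert_matches_key "$SSL_DIR/domain.com.crt" "$SSL_DIR/domain.com.key" || exit 1
           expires_within "$SSL_DIR/domain.com.crt" "$RENEW_WITHIN_DAYS" && echo "renew now" ;;
esac
```

Saved as, say, ssl_check.sh, `./ssl_check.sh csr` produces domain.com.csr once, and `./ssl_check.sh check` can run from cron to decide whether update_crt.sh should be invoked.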

5. Configure SSL in nginx

    # vim ../conf/domain.com.conf
    server {
        listen 80 default backlog=2048;
        server_name domain.com;
        charset utf8;
        access_log /opt/service/nginx/log/domain.com.access.log main;
        error_log /opt/service/nginx/log/domain.com.error.log error;
        listen 443 ssl;
        ssl_certificate /opt/service/nginx/ssl/domain.com.crt;
        ssl_certificate_key /opt/service/nginx/ssl/domain.com.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 60m;
        ssl_session_tickets on;
        ssl_prefer_server_ciphers on;
        ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        location ^~ /.well-known/acme-challenge/ {
            alias /opt/service/www/challenges/;
            try_files $uri =404;
        }
        location / {
            root /opt/service/www/;
        }
    }

Start nginx, then check the result with https://www.ssllabs.com/ssltest/analyze.html?

10-07 17:41