
# TLS front end for gpt.wdzs.cn, reverse-proxying to an upstream on the LAN (192.168.101.42:8501)
# with WebSocket upgrade headers passed through.
server
{
  listen  443 ssl;
  server_name    gpt.wdzs.cn;
  # certificate, key and the remaining TLS settings live in this shared include (not shown on this page)
  include  /data/nginx/wdzs.cn.ssl;
  location / {
    # NOTE(review): root / points at the filesystem root. With proxy_pass handling the location it is
    #   presumably never used for static files, but it is an unsafe default if proxy_pass is ever
    #   removed or a try_files is added — point it at a dedicated, empty docroot instead.
    root    /;
    index index.html index.htm;
    proxy_set_header Host      $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme  $scheme;
    proxy_redirect   off;
    # HTTP/1.1 to the backend is required for the Upgrade/Connection pair below (WebSocket support);
    # Connection is forced to "Upgrade" for every request, not only those carrying an Upgrade header.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    # plain HTTP on the internal network; unlike domain.com.conf below, X-Forwarded-For is not set here
    proxy_pass    http://192.168.101.42:8501;
  }
}

参考地址

https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E

https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
https://juejin.cn/post/7136001093720342542

https://github.com/Neilpang/acme.sh/wiki/dnsapi

操作记录

# One-shot acme.sh bootstrap: fetch the installer and pipe it straight into sh, link the install
# directory to /data/acme and upgrade to the latest release.
# NOTE(review): piping a remote script into sh executes unreviewed code as the current user — save it
#   first (e.g. curl -o get.acme.sh ...), read it, then run it. Each && stops the chain on failure.
curl https://get.acme.sh | sh -s email=admin@qq.com && ln -s ~/.acme.sh/ /data/acme && cd /data/acme && ./acme.sh --upgrade

# GoDaddy API key/secret consumed by the dns_gd hook.
# NOTE(review): these look like live credentials pasted into the notes rather than placeholders —
#   treat them as exposed (rotate them) and load them from a mode-0600 file or a secret store instead
#   of keeping literals in a document. Typed at a prompt, the export line also lands in shell history.
export GD_Key="9jNKkbv5CWc_W2eNpeo8EpPuzentQE84ea"
export GD_Secret="9CgpFtEs54gBYndYBnnVFb"

a、使用letsencrypt

# Make Let's Encrypt the default CA for later --issue calls. Recent acme.sh releases presumably default
# to ZeroSSL, which requires External Account Binding — that is the "[External Account Binding] The JWS
# Signature MUST be present" error recorded in the FAQ below; this setting avoids it.
acme.sh --set-default-ca --server letsencrypt

证书申请

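# Issue a wildcard certificate for xxx.com through the Cloudflare DNS-01 hook and write the key and
# full chain where nginx reads them, restarting the nginx container afterwards.
# Environment: CF_Token/CF_Account_ID/CF_Zone_ID (or CF_Key/CF_Email) exported for dns_cf — see the
#   Cloudflare section further down this page.
# Fixes against the original note: `---force` (three dashes) is not a recognised acme.sh option and
#   is rejected; the wildcard is quoted so the shell cannot glob-expand `*.xxx.com` against the cwd.
# NOTE(review): --force bypasses the renewal-interval check, so every invocation re-issues; the CA's
#   duplicate-certificate rate limit applies, so drop it for scheduled runs.
./acme.sh --force --issue --dns dns_cf -d '*.xxx.com' \
  --key-file        /data/nginx/ssl/xxx.com.key \
  --fullchain-file  /data/nginx/ssl/xxx.com.cer \
  --reloadcmd       "docker restart nginx"
  # --reloadcmd     "service nginx force-reload"   # alternative when nginx runs on the host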

http2https.conf

vi /data/nginx/conf/http2https.conf
# Redirect every plain-HTTP request for *.domain.com to HTTPS on port 20443.
server {
        listen 80;
        server_name *.domain.com;
        # 301 is cached by browsers, so the target port must be stable; 20443 differs from the 443
        # listeners used elsewhere on this page — presumably a port-forward in front of nginx, confirm.
        return 301 https://$host:20443$request_uri;
}

自动同步脚本-泛域名证书

vi syn_ssl.sh

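#!/usr/bin/env bash
# syn_ssl.sh — issue (or re-issue) the wildcard certificate for the zone given as $1 through the
# DNSPod (dns_dp) hook and install it under /data/nginx/ssl, reloading nginx afterwards.
#
# Arguments:   $1 - apex domain, e.g. example.com (the certificate covers *.example.com)
# Environment: DP_Id / DP_Key exported for the dns_dp hook (see the DNSPod section below)
# Returns:     exit status of the first failing acme.sh step
#
# Fixes against the original note: $1 was unquoted (an empty argument would issue for "*." and a
# value with spaces would split), and the unquoted "*.$1" could be glob-expanded by the shell.
set -euo pipefail

domain=${1:?usage: syn_ssl.sh <domain>}   # abort with a message instead of issuing for "*."
readonly ssl_dir=/data/nginx/ssl

# NOTE(review): --force skips the renewal-interval check, so every run re-issues and counts against
#   the CA's duplicate-certificate rate limit; schedule this no more often than the cert lifetime.
./acme.sh --force --issue --dns dns_dp -d "*.${domain}"
./acme.sh --install-cert -d "*.${domain}" \
   --key-file        "${ssl_dir}/${domain}.key" \
   --fullchain-file  "${ssl_dir}/${domain}.cer" \
   --reloadcmd       "service nginx force-reload"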

domain.com.conf

# TLS vhost for test.domain.com: /wmswebapi/ goes to an API backend, everything else to a second
# backend on the same internal host.
server
{
  server_name test.domain.com;
  # NOTE(review): these paths differ from the /data/nginx/ssl/ used by the acme.sh commands above —
  #   presumably a container volume mount; confirm the install-cert target matches.
  ssl_certificate     "/ssl/test.domain.com.cer";
  ssl_certificate_key "/ssl/test.domain.com.key";
  listen       443 ssl http2;
  listen       [::]:443 ssl http2;
  ssl_session_cache shared:SSL:1m;
  ssl_session_timeout  10m;
  # NOTE(review): no ssl_protocols directive, so the build's default applies (may include TLS 1.0/1.1
  #   on older nginx); pin `ssl_protocols TLSv1.2 TLSv1.3;`. HIGH:!aNULL:!MD5 still admits legacy
  #   suites — a modern cipher list is preferable.
  ssl_ciphers HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;
  sendfile        on;
  location /wmswebapi/
  {
      # root / is unused while proxy_pass handles this location, but exposing the filesystem root is
      # an unsafe default — see the same note on the gpt.wdzs.cn vhost above.
      root /;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      # API responses must never be cached by browsers or intermediaries (this header is only set here)
       add_header Cache-Control 'no-store,no-cache,must-revalidate, proxy-revalidate, max-age=0';
      proxy_pass http://192.168.100.1:8025/;
  }
  location /
  {
      root /;     
      # the frontend backend receives no X-Forwarded-* headers, unlike /wmswebapi/ above
      proxy_pass http://192.168.100.1:9025/;
      index  index.html index.htm;
  }
}

FAQ

DNSpod CN key申请地址

https://console.dnspod.cn/account/token/token

CentOS release 6.8 (Final)

Register account Error: {"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"[External Account Binding] The JWS Signature MUST be present"}

1 系统环境

系统:CentOS release 6.8 (Final)
OpenSSL版本:OpenSSL 1.0.1e-fips 11 Feb 2013

2 下载最新版本OpenSSL

打开OpenSSL官网,发现最新版本为openssl-1.1.1k

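# Fetch and unpack the OpenSSL 1.1.1k source (it can also be downloaded locally and uploaded to the
# server). The `//` note markers of the original are not shell comments and would fail when pasted.
# NOTE(review): nothing here checks the tarball's integrity — compare it against the SHA256 published
#   on openssl.org (<published SHA256>) before unpacking. OpenSSL 1.1.1 is also end-of-life upstream;
#   choose a maintained release if this upgrade only needs to give the ACME client a modern TLS stack.
wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz

# unpack; abort if the source directory is not where expected so later steps never run in the wrong tree
tar -zvxf openssl-1.1.1k.tar.gz
cd openssl-1.1.1k || exit 1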

3 安装依赖

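# Build prerequisites: zlib (library and headers) and the C compiler, in a single yum transaction.
# (The original used `//` as a comment marker, which is not valid shell.)
yum install -y zlib zlib-devel gcc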

4 编译安装

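# Configure with a dedicated prefix/openssldir so the distro OpenSSL stays untouched, build with two
# parallel jobs, then install. The steps are chained so a failed configure or build never reaches
# `make install`. (The original used `//` as a comment marker, which is not valid shell.)
./config --prefix=/usr/local/openssl --openssldir=/usr/local/ssl \
  && make -j 2 \
  && make install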

5 软连接到新版本

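# Swap the system openssl CLI and headers for the freshly built ones.
# Only the binary and the headers are replaced; programs linked against the distro libssl presumably
# keep using it (the new lib dir is merely added to the linker path). yum will no longer update the
# replaced binary, so the build must be maintained by hand.
# Fixes against the original note: `//` markers are not shell comments (the trailing `//...` on the
# second mv was even passed as a third argument), and the ld.so.conf append was not idempotent.

# back up the current binary and headers (the header directory does not exist on every system)
mv /usr/bin/openssl /usr/bin/openssl.bak
if [ -d /usr/include/openssl ]; then
  mv /usr/include/openssl /usr/include/openssl.bak
fi
# symlink the new build into place (-f: tolerate a re-run, -n: do not descend into an existing link)
ln -sfn /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -sfn /usr/local/openssl/include/openssl /usr/include/openssl
# register the new library dir with the dynamic linker, once — re-runs must not append duplicates
grep -qxF "/usr/local/openssl/lib" /etc/ld.so.conf || echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig -v
# verify with: openssl version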
//查看是否升级成功
[root@salve openssl-1.1.1k]# openssl version
OpenSSL 1.1.1k  25 Mar 2021
1. Cloudflare Option:
# Cloudflare, option A: the account-wide Global API key plus login e-mail (placeholder values).
# NOTE(review): this key grants full account access; the scoped-token form below, limited to DNS
#   edits on the one zone, is the least-privilege choice.
export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Email="xxxx@sss.com"

或者
# Cloudflare, option B: a scoped API token plus the account and zone ids it is restricted to (placeholders).
# NOTE(review): acme.sh appears to persist DNS API credentials in ~/.acme.sh/account.conf after the first
#   issue — confirm on the installed version and keep that file mode 0600.
export CF_Token="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Account_ID="xxxxxxxxxxxxx"
export CF_Zone_ID="xxxxxxxxxxxxx"
# issue for the apex and www names; the exports above must be made in the same shell session
./acme.sh --issue --dns dns_cf -d example.com -d www.example.com

2. DNSPod.cn
# DNSPod.cn: numeric token id and its key (placeholders); tokens are created at the console link given in
# the FAQ above. This is the hook syn_ssl.sh relies on.
export DP_Id="1234"
export DP_Key="sADDsdasdgdsf"
./acme.sh --issue --dns dns_dp -d example.com -d www.example.com

4. GoDaddy.com
# GoDaddy: production API key/secret pair (placeholders here — the pair near the top of these notes
# looks real and should not be kept in a document).
export GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export GD_Secret="asdfsdafdsfdsfdsfdsfdsafd"
./acme.sh --issue --dns dns_gd -d example.com -d www.example.com

5. Use PowerDNS
https://doc.powerdns.com/md/httpapi/README/

# PowerDNS HTTP API: endpoint, server id, API key and the TTL for the challenge record (placeholders).
# NOTE(review): with an http:// endpoint the API key is sent in the clear on every call — put the API
#   behind TLS or restrict it to localhost/a trusted network.
export PDNS_Url="http://ns.example.com:8081"
export PDNS_ServerId="localhost"
export PDNS_Token="0123456789ABCDEF"
export PDNS_Ttl=60
./acme.sh --issue --dns dns_pdns -d example.com -d www.example.com

8. Use LuaDNS domain API
Get your API token at https://api.luadns.com/settings

# LuaDNS: API key plus account e-mail (placeholders); the key comes from the settings page linked above.
export LUA_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export LUA_Email="xxxx@sss.com"
To issue a cert:

# issue for the apex and www names with the LuaDNS hook; LUA_Key/LUA_Email must be exported in this shell
./acme.sh --issue --dns dns_lua -d example.com -d www.example.com

9. Use DNSMadeEasy domain API
Get your API credentials at https://cp.dnsmadeeasy.com/account/info

# DNSMadeEasy: API key and secret (placeholders) from the account-info page linked above.
export ME_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export ME_Secret="qdfqsdfkjdskfj"
To issue a cert:

# issue for the apex and www names with the DNSMadeEasy hook; ME_Key/ME_Secret must be exported in this shell
./acme.sh --issue --dns dns_me -d example.com -d www.example.com


10. Use Amazon Route53 domain API
https://github.com/Neilpang/acme.sh/wiki/How-to-use-Amazon-Route53-API

# Amazon Route53: static IAM access key pair (placeholders).
# NOTE(review): long-lived user keys — attach a least-privilege policy limited to record changes on the
#   hosted zone, and prefer an instance/role credential where the host runs in AWS.
export  AWS_ACCESS_KEY_ID=XXXXXXXXXX
export  AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXX
To issue a cert:

# issue for the apex and www names with the Route53 hook; the AWS_* variables must be exported in this shell
./acme.sh --issue --dns dns_aws -d example.com -d www.example.com


11. Use Aliyun domain API to automatically issue cert
First you need to login to your Aliyun account to get your RAM API key. https://ram.console.aliyun.com/users

# Aliyun: RAM user access key and secret (placeholders); create a dedicated RAM user for this rather than
# using the root account's keys, and grant it only DNS record permissions.
export Ali_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export Ali_Secret="jlsdflanljkljlfdsaklkjflsa"
Ok, let's issue a cert now:

# issue for the apex and www names with the Aliyun hook; Ali_Key/Ali_Secret must be exported in this shell
./acme.sh --issue --dns dns_ali -d example.com -d www.example.com

13. Use Alwaysdata domain API
First you need to login to your Alwaysdata account to get your API Key.

# Alwaysdata: account API key (placeholder)
export AD_API_KEY="myalwaysdataapikey"
Ok, let's issue a cert now:

# issue for the apex and www names with the Alwaysdata hook; AD_API_KEY must be exported in this shell
./acme.sh --issue --dns dns_ad -d example.com -d www.example.com

15. Use FreeDNS

# FreeDNS: this hook authenticates with the full account login and password (placeholders), not a scoped
# token — the exported password is the account credential, so protect the shell/history accordingly.
export FREEDNS_User="..."
export FREEDNS_Password="..."
./acme.sh --issue --dns dns_freedns -d example.com

21. Use ClouDNS.net 
# ClouDNS.net: authenticate either as a sub auth user (active here) or as the regular auth id
# (commented out); the sub-user form presumably limits what the credential can touch — prefer it.
# Use this for a sub auth ID
export CLOUDNS_SUB_AUTH_ID=XXXXX
# Use this for a regular auth ID
#export CLOUDNS_AUTH_ID=XXXXX
export CLOUDNS_AUTH_PASSWORD="YYYYYYYYY"

./acme.sh --issue --dns dns_cloudns -d example.com -d www.example.com

28. Use Name.com API
Create your API token here: https://www.name.com/account/settings/api
# Name.com: account username and an API token created at the settings page linked above (placeholders).
export Namecom_Username="testuser"
export Namecom_Token="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
And now you can issue certs with:

# issue for the apex and www names with the Name.com hook; the Namecom_* variables must be exported in this shell
./acme.sh --issue --dns dns_namecom -d example.com -d www.example.com

37. Use Azure DNS
# Azure DNS: subscription/tenant ids plus a service-principal app id and client secret (placeholder values).
# NOTE(review): scope the service principal's role assignment to the DNS zone only (e.g. a DNS zone
#   contributor role on that resource), not to the subscription.
export AZUREDNS_SUBSCRIPTIONID="12345678-9abc-def0-1234-567890abcdef"
export AZUREDNS_TENANTID="11111111-2222-3333-4444-555555555555"
export AZUREDNS_APPID="3b5033b5-7a66-43a5-b3b9-a36b9e7c25ed"
export AZUREDNS_CLIENTSECRET="1b0224ef-34d4-5af9-110f-77f527d561bd"
./acme.sh --issue --dns dns_azure -d example.com -d www.example.com