保姆级配置xxxxxx.com的泛域名,使用acme的DNS方式配置证书
2020年写过一篇通过acme的http方式生成证书,热度很高,但是Nginx 网站使用 acme配置 https证书访问步骤主要是单域名证书申请,今天追加另一种DNS方式配置证书申请泛域名方式。
第1步:安装
安装 acme.sh
这里不再赘述安装,直接参考:https://github.com/acmesh-official/acme.sh/wiki/How-to-install
第2步:配置DNS,配置阿里云的秘钥:
申请阿里云子账户(需要该域名的所有者开通子账户用户解析dns能力)
export Ali_Key='xxx'
export Ali_Secret='xxx'
第3步:生成泛域名证书:(会自动在域名所属服务器添加解析记录:_acme-challenge)
acme.sh --issue --dns dns_ali -d xxxxxx.com -d *.xxxxxx.com
第4步:生成证书结果
acme.sh --issue --dns dns_ali -d xxxxxx.com -d *.xxxxxx.com
[Thu Jun 30 11:59:14 CST 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Thu Jun 30 11:59:14 CST 2022] Multi domain='DNS:xxxxxx.com,DNS:*.xxxxxx.com'
[Thu Jun 30 11:59:14 CST 2022] Getting domain auth token for each domain
[Thu Jun 30 11:59:39 CST 2022] Getting webroot for domain='xxxxxx.com'
[Thu Jun 30 11:59:39 CST 2022] Getting webroot for domain='*.xxxxxx.com'
[Thu Jun 30 11:59:40 CST 2022] Adding txt value: dBPlieXpeM764LnzPvvmD6rQ6LvvNvPKyGH1fLBeeI0 for domain: _acme-challenge.xxxxxx.com
[Thu Jun 30 11:59:42 CST 2022] The txt record is added: Success.
[Thu Jun 30 11:59:42 CST 2022] Adding txt value: cV5eImBksoK2c6_v9h75bPKz72YM_S3HkATpAvmSuYg for domain: _acme-challenge.xxxxxx.com
[Thu Jun 30 11:59:45 CST 2022] The txt record is added: Success.
[Thu Jun 30 11:59:45 CST 2022] Let's check each DNS record now. Sleep 20 seconds first.
[Thu Jun 30 12:00:06 CST 2022] You can use '--dnssleep' to disable public dns checks.
[Thu Jun 30 12:00:06 CST 2022] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Thu Jun 30 12:00:06 CST 2022] Checking xxxxxx.com for _acme-challenge.xxxxxx.com
[Thu Jun 30 12:00:08 CST 2022] Domain xxxxxx.com '_acme-challenge.xxxxxx.com' success.
[Thu Jun 30 12:00:08 CST 2022] Checking xxxxxx.com for _acme-challenge.xxxxxx.com
[Thu Jun 30 12:00:10 CST 2022] Domain xxxxxx.com '_acme-challenge.xxxxxx.com' success.
[Thu Jun 30 12:00:10 CST 2022] All success, let's return
[Thu Jun 30 12:00:10 CST 2022] Verifying: xxxxxx.com
[Thu Jun 30 12:00:21 CST 2022] Processing, The CA is processing your order, please just wait. (1/30)
[Thu Jun 30 12:00:32 CST 2022] Success
[Thu Jun 30 12:00:32 CST 2022] Verifying: *.xxxxxx.com
[Thu Jun 30 12:00:43 CST 2022] Processing, The CA is processing your order, please just wait. (1/30)
[Thu Jun 30 12:00:52 CST 2022] Success
[Thu Jun 30 12:00:52 CST 2022] Removing DNS records.
[Thu Jun 30 12:00:52 CST 2022] Removing txt: dBPlieXpeM764LnzPvvmD6rQ6LvvNvPKyGH1fLBeeI0 for domain: _acme-challenge.xxxxxx.com
[Thu Jun 30 12:00:55 CST 2022] Removed: Success
[Thu Jun 30 12:00:55 CST 2022] Removing txt: cV5eImBksoK2c6_v9h75bPKz72YM_S3HkATpAvmSuYg for domain: _acme-challenge.xxxxxx.com
[Thu Jun 30 12:00:58 CST 2022] Removed: Success
[Thu Jun 30 12:00:58 CST 2022] Verify finished, start to sign.
[Thu Jun 30 12:00:58 CST 2022] Lets finalize the order.
[Thu Jun 30 12:00:58 CST 2022] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/Ao8bsza8PLOjGEmnBOQPfw/finalize'
[Thu Jun 30 12:01:06 CST 2022] Order status is processing, lets sleep and retry.
[Thu Jun 30 12:01:06 CST 2022] Retry after: 15
[Thu Jun 30 12:01:22 CST 2022] Polling order status: https://acme.zerossl.com/v2/DV90/order/Ao8bsza8PLOjGEmnBOQPfw
[Thu Jun 30 12:01:30 CST 2022] Downloading cert.
[Thu Jun 30 12:01:30 CST 2022] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/QVWDvtfbC9TjKPx9ql69UQ'
[Thu Jun 30 12:01:37 CST 2022] Cert success.
-----BEGIN CERTIFICATE-----
MIIGfjCCBGagAwIBAgIRAJMJcZ0fFYqe6UmkMEkUxbgwDQYJKoZIhvcNAQEMBQAw
SzELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9T
U0wgUlNBIERvbWFpbiBTZWN1cmUgU2l0ZSBDQTAeFw0yMjA2MzAwMDAwMDBaFw0y
MjA5MjgyMzU5NTlaMBkxFzAVBgNVBAMTDnlpbWFpaml5aW4uY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuR9YOJyC/UObMZqzGeKGMaJ1oA7/fnjJ
HieThmY+CwAkF76dVTLDIZ5AkcF9470+xyLt0T0CroqC5ySQizI4xXnvMxAf1ZDS
QDWXCo94yb4zcVoROaWRwq92KGJ9zNU6cIy8h/varIW/RTXehYNjuBwsYj9EE0XX
SDM2Y+I92jNDeqawMXarcDUkcx0YLN5cx7SNFbHisvl5t925Bhl/BI5NhO6979D7
aESyEk2JQYbzkzBmalot/SF/e4A6fbrQjhDQy/N9cn8ztk6UWUrQAdKEQSksODKN
vHkxHLDFeW+WU3Q0Rl3KkTAJeAd2KAQku7iLlMMGv+5LVBz7vWC2IQIDAQABo4IC
jTCCAokwHwYDVR0jBBgwFoAUyNl4aKLZGWjVPXLeXwo+3LWGhqYwHQYDVR0OBBYE
FPL7sGbM5X+PIbMeQ5DJZI8UCXEyMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8E
AjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQG
CysGAQQBsjEBAgJOMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20v
Q1BTMAgGBmeBDAECATCBiAYIKwYBBQUHAQEEfDB6MEsGCCsGAQUFBzAChj9odHRw
Oi8vemVyb3NzbC5jcnQuc2VjdGlnby5jb20vWmVyb1NTTFJTQURvbWFpblNlY3Vy
ZVNpdGVDQS5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly96ZXJvc3NsLm9jc3Auc2Vj
dGlnby5jb20wggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdgBGpVXrdfqRIDC1oolp
9PN9ESxBdL79SbiFq/L8cP5tRwAAAYGyyHtqAAAEAwBHMEUCIQDrktk/Sr/3TYni
pogkCRlb3LwV7qS7jIMlNLmEvIXPQAIgWV+tCb/SMv8PcAbnYm9cOIR0TArs8Ndj
8+buRJy3Fk4AdwBByMqx3yJGShDGoToJQodeTjGLGwPr60vHaPCQYpYG9gAAAYGy
yHssAAAEAwBIMEYCIQDDLKwgO6GPBlV658POKxP1rsg34y6aQCsBCYdoKc/XRAIh
ANm1oKLGsGGuTuURwxLHzk2216WGQYW+sQfVD4cwFoKWMCsGA1UdEQQkMCKCDnlp
bWFpaml5aW4uY29tghAqLnlpbWFpaml5aW4uY29tMA0GCSqGSIb3DQEBDAUAA4IC
AQBHUTt/y98tr7rh3qrjwW7D2WE9W38F2qSmr6JIA3388XyLah/rFFDk1+9G1lmo
L2OKcGEbWTO3UjZ+bh/dN63Akc9nWDg3XLpymug66SXYDLosjLMOqfiFrbqv4gKt
QDR0L3wWx+ldSMzsfhUtPtuJEYPzzaxZrNVliFyZUxRNmsNnu+NQHS8zQWvQBdnL
ntGSkjrcXiiPzfrBpOWU0dJmTF+hQaeHAVcBe+RWLgAntr2MpHSUaitGYTq2UnsR
W6MArACXlNURVAXX2nv1x8/lo2z1yfpNRaC9pjVTYRVFHNto2QjN+igK5wV2WEhi
AAmlmqrbc1gy2lK/2QKxv6xHOQhNGrb+iDY90MvPNeABe6WgvLUSA8Ty2euZ3ew3
2uveIRuuDo6neCCxFKQqnZLlhKWVAc5QrRZ+kqxwG4JCGBQGCSIhaoytZq3cmxIs
IV2z0R7jKEzOxc56y0l4WsGxY7s0iwfbP9y53Hvu3GmST4Rjz8rJEyxWh53bwaqj
ts2/jXounNYUNd7UuGsZMNjmLA777iua1plhWhnjiUbTvvGfABUXRIikpwiF3hDk
dtLjt3I8RwdpfXwzbq9xw12E+eeuuWLP276O9hmZnueRH6rnv66H1HHDP6hSN5/9
x+pRIhmFdnkkVlx7E7pXJU+lZQZf/e5vTZq8LU3sysJblA==
-----END CERTIFICATE-----
[Thu Jun 30 12:01:37 CST 2022] Your cert is in: /root/.acme.sh/xxxxxx.com/xxxxxx.com.cer
[Thu Jun 30 12:01:37 CST 2022] Your cert key is in: /root/.acme.sh/xxxxxx.com/xxxxxx.com.key
[Thu Jun 30 12:01:37 CST 2022] The intermediate CA cert is in: /root/.acme.sh/xxxxxx.com/ca.cer
[Thu Jun 30 12:01:37 CST 2022] And the full chain certs is there: /root/.acme.sh/xxxxxx.com/fullchain.cer
第5步:拷贝到配置文件中并配置证书
acme.sh --installcert -d xxxxxx.com \
--key-file /usr/local/nginx/conf/ssl/xxxxxx.com/xxxxxx.com.key \
--fullchain-file /usr/local/nginx/conf/ssl/xxxxxx.com/fullchain.cer \
--reloadcmd "service nginx force-reload"
第6步:配置nginx.conf
基础配置如下:
server {
listen 443 ssl;
server_name test.xxxxxx.com;
ssl_certificate /usr/local/nginx/conf/ssl/xxxxxx.com/fullchain.cer;
ssl_certificate_key /usr/local/nginx/conf/ssl/xxxxxx.com/xxxxxx.com.key;
ssl_session_timeout 5m;
# 指定SSL服务器端支持的协议版本
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
# ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; 指定加密算法
ssl_ciphers HIGH:!aNULL:!MD5;
# 在使用SSLv3和TLS协议时指定服务器的加密算法要优先于客户端的加密算法
ssl_prefer_server_ciphers on;
root /var/www/html/test/;
# ssl on;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9001;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
set $real_script_name $fastcgi_script_name;
if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
set $real_script_name $1;
set $path_info $2;
}
fastcgi_connect_timeout 1200;
fastcgi_send_timeout 1200;
fastcgi_read_timeout 1200;
fastcgi_param SCRIPT_FILENAME $document_root$real_script_name;
fastcgi_param SCRIPT_NAME $real_script_name;
fastcgi_param PATH_INFO $path_info;
}
# 配置转发
server {
listen 80;
server_name test.xxxxxx.com;
return 301 https://$server_name$request_uri;
}
- 发现nginx 版本1.14,并且缺少组件:
- 报错:nginx: [emerg] the “ssl” parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/conf.d/test.conf:2
第7步: Nginx 平滑升级操作(当前版本1.14)
处理前先备份
1、查看现有的 nginx 编译参数
cd /usr/local/nginx/sbin/nginx -V
2、按照原来的编译参数安装 nginx 的方法进行安装,只需要到 make,千万不要 make install 。如果make install 会将原来的配置文件覆盖
下载地址:wget https://nginx.org/download/nginx-1.16.1.tar.gz
cd /usr/local/nginx-1.16.0/
./configure --prefix=/usr/local/nginx --group=www --user=www --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/usr/local/nginx/logs/error.log --http-log-path=/usr/local/nginx/logs/access.log --pid-path=/usr/local/nginx/logs/nginx.pid --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-pcre --with-http_realip_module --with-stream --with-http_image_filter_module
make
3、备份原 nginx 二进制文件
备份二进制文件和 nginx 的配置文件(期间nginx不会停止服务)
mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx_$(date +%F)
4、复制新的nginx二进制文件,进入新的nginx源码包
cp /home/humx/nginx-1.16.1/objs/nginx /usr/local/nginx/sbin/
5、测试新版本的nginx是否正常
/usr/local/nginx/sbin/nginx -t
6、重启nginx服务
如果是正式服务器,请平滑重启,严格执行:7-12步骤;否则如下强行操作下边命令重启,直接跳到13即可;
- 杀掉所有nginx服务,即:killall nginx ,因为我是测试服务器,直接就杀掉就行
- 然后 : nginx ,重启即可;
7、给nginx发送平滑迁移信号(若不清楚pid路径,请查看nginx配置文件)
kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`
8、查看nginx pid,会出现一个nginx.pid.oldbin
ll /usr/local/nginx/logs/nginx.pid*
-rw-r--r-- 1 root root 5 Jul 1 11:29 /usr/local/nginx/logs/nginx.pid
-rw-r--r-- 1 root root 5 Jul 1 09:54 /usr/local/nginx/logs/nginx.pid.oldbin
9、从容关闭旧的Nginx进程
kill -WINCH `cat /usr/local/nginx/logs/nginx.pid.oldbin`
10、此时不重载配置启动旧的工作进程
kill -HUP `cat /usr/local/nginx/logs/nginx.pid.oldbin`
11、结束工作进程,完成此次升级
kill -QUIT `cat /usr/local/nginx/logs/nginx.pid.oldbin`
12、验证Nginx是否升级成功
/usr/local/nginx/sbin/nginx -V
# 从1.14升级1.16.1完成
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --group=www --user=www --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/usr/local/nginx/logs/error.log --http-log-path=/usr/local/nginx/logs/access.log --pid-path=/usr/local/nginx/logs/nginx.pid --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-pcre --with-http_realip_module --with-stream --with-http_image_filter_module
13、测试访问:https://test.xxxxxx.com/
成功返回:欢迎来到test地址,只用测试https
错误记录
1 、./configure: error: the HTTP image filter module requires the GD library.
yum install gd gd-devel
重新执行第7步第2小步:./configure … 命令
成功结果:
......
creating objs/Makefile
Configuration summary
+ using system PCRE library
+ using system OpenSSL library
+ using system zlib library
nginx path prefix: "/usr/local/nginx"
nginx binary file: "/usr/local/nginx/sbin/nginx"
nginx modules path: "/usr/local/nginx/modules"
nginx configuration prefix: "/usr/local/nginx/conf"
nginx configuration file: "/usr/local/nginx/conf/nginx.conf"
nginx pid file: "/usr/local/nginx/logs/nginx.pid"
nginx error log file: "/usr/local/nginx/logs/error.log"
nginx http access log file: "/usr/local/nginx/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"