A hand-holding guide to configuring a wildcard certificate for xxxxxx.com: issuing the certificate with acme.sh's DNS mode

Back in 2020 I wrote a post on generating certificates with acme.sh's HTTP mode, which has been very popular, but that post (Nginx 网站使用 acme配置 https证书访问步骤) mainly covered requesting a single-domain certificate. Today I am adding the other method: DNS-mode validation, which can issue a wildcard certificate.

Step 1: Installation

Install acme.sh

Installation is not repeated here; refer directly to: https://github.com/acmesh-official/acme.sh/wiki/How-to-install

Step 2: Configure DNS and set the Alibaba Cloud API credentials:

Create an Alibaba Cloud sub-account (the domain's owner must grant this sub-account the ability to manage DNS records for the domain)

export Ali_Key='xxx'
export Ali_Secret='xxx'

Step 3: Issue the wildcard certificate (acme.sh automatically adds the _acme-challenge validation record at the domain's DNS provider)

acme.sh --issue --dns dns_ali  -d xxxxxx.com -d *.xxxxxx.com

Step 4: Issuance output

acme.sh --issue --dns dns_ali  -d xxxxxx.com -d *.xxxxxx.com
[Thu Jun 30 11:59:14 CST 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Thu Jun 30 11:59:14 CST 2022] Multi domain='DNS:xxxxxx.com,DNS:*.xxxxxx.com'
[Thu Jun 30 11:59:14 CST 2022] Getting domain auth token for each domain
[Thu Jun 30 11:59:39 CST 2022] Getting webroot for domain='xxxxxx.com'
[Thu Jun 30 11:59:39 CST 2022] Getting webroot for domain='*.xxxxxx.com'
[Thu Jun 30 11:59:40 CST 2022] Adding txt value: dBPlieXpeM764LnzPvvmD6rQ6LvvNvPKyGH1fLBeeI0 for domain:  _acme-challenge.xxxxxx.com
[Thu Jun 30 11:59:42 CST 2022] The txt record is added: Success.
[Thu Jun 30 11:59:42 CST 2022] Adding txt value: cV5eImBksoK2c6_v9h75bPKz72YM_S3HkATpAvmSuYg for domain:  _acme-challenge.xxxxxx.com
[Thu Jun 30 11:59:45 CST 2022] The txt record is added: Success.
[Thu Jun 30 11:59:45 CST 2022] Let's check each DNS record now. Sleep 20 seconds first.
[Thu Jun 30 12:00:06 CST 2022] You can use '--dnssleep' to disable public dns checks.
[Thu Jun 30 12:00:06 CST 2022] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Thu Jun 30 12:00:06 CST 2022] Checking xxxxxx.com for _acme-challenge.xxxxxx.com
[Thu Jun 30 12:00:08 CST 2022] Domain xxxxxx.com '_acme-challenge.xxxxxx.com' success.
[Thu Jun 30 12:00:08 CST 2022] Checking xxxxxx.com for _acme-challenge.xxxxxx.com
[Thu Jun 30 12:00:10 CST 2022] Domain xxxxxx.com '_acme-challenge.xxxxxx.com' success.
[Thu Jun 30 12:00:10 CST 2022] All success, let's return
[Thu Jun 30 12:00:10 CST 2022] Verifying: xxxxxx.com
[Thu Jun 30 12:00:21 CST 2022] Processing, The CA is processing your order, please just wait. (1/30)
[Thu Jun 30 12:00:32 CST 2022] Success
[Thu Jun 30 12:00:32 CST 2022] Verifying: *.xxxxxx.com
[Thu Jun 30 12:00:43 CST 2022] Processing, The CA is processing your order, please just wait. (1/30)
[Thu Jun 30 12:00:52 CST 2022] Success
[Thu Jun 30 12:00:52 CST 2022] Removing DNS records.
[Thu Jun 30 12:00:52 CST 2022] Removing txt: dBPlieXpeM764LnzPvvmD6rQ6LvvNvPKyGH1fLBeeI0 for domain: _acme-challenge.xxxxxx.com
[Thu Jun 30 12:00:55 CST 2022] Removed: Success
[Thu Jun 30 12:00:55 CST 2022] Removing txt: cV5eImBksoK2c6_v9h75bPKz72YM_S3HkATpAvmSuYg for domain: _acme-challenge.xxxxxx.com
[Thu Jun 30 12:00:58 CST 2022] Removed: Success
[Thu Jun 30 12:00:58 CST 2022] Verify finished, start to sign.
[Thu Jun 30 12:00:58 CST 2022] Lets finalize the order.
[Thu Jun 30 12:00:58 CST 2022] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/Ao8bsza8PLOjGEmnBOQPfw/finalize'
[Thu Jun 30 12:01:06 CST 2022] Order status is processing, lets sleep and retry.
[Thu Jun 30 12:01:06 CST 2022] Retry after: 15
[Thu Jun 30 12:01:22 CST 2022] Polling order status: https://acme.zerossl.com/v2/DV90/order/Ao8bsza8PLOjGEmnBOQPfw
[Thu Jun 30 12:01:30 CST 2022] Downloading cert.
[Thu Jun 30 12:01:30 CST 2022] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/QVWDvtfbC9TjKPx9ql69UQ'
[Thu Jun 30 12:01:37 CST 2022] Cert success.
[Thu Jun 30 12:01:37 CST 2022] Your cert is in: /root/.acme.sh/xxxxxx.com/xxxxxx.com.cer
[Thu Jun 30 12:01:37 CST 2022] Your cert key is in: /root/.acme.sh/xxxxxx.com/xxxxxx.com.key
[Thu Jun 30 12:01:37 CST 2022] The intermediate CA cert is in: /root/.acme.sh/xxxxxx.com/ca.cer
[Thu Jun 30 12:01:37 CST 2022] And the full chain certs is there: /root/.acme.sh/xxxxxx.com/fullchain.cer
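What acme.sh is doing in the log above between "Adding txt value" and "success", shown as an added illustration that is not acme.sh's own code: the TXT value is derived from the challenge token and the account key's JWK thumbprint (RFC 8555 section 8.4, RFC 7638). The account JWK and the tokens below are constructed sample values; note that the apex and the wildcard name map to the same owner name _acme-challenge.xxxxxx.com, which is why the log adds two TXT values at one name.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME (RFC 8555) requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record content: base64url(SHA-256(token '.' thumbprint)) (RFC 8555, section 8.4)."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def challenge_name(identifier: str) -> str:
    """Owner name of the TXT record; '*.' is stripped, so apex and wildcard share one name."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + host

def txt_records(tokens: dict, account_jwk: dict) -> list:
    """(owner name, TXT value) for every authorization in an order, as the log adds them."""
    return [(challenge_name(ident), dns01_txt_value(tok, account_jwk)) for ident, tok in tokens.items()]

def txt_matches(observed: str, token: str, account_jwk: dict) -> bool:
    """What the CA's validator effectively checks after querying public DNS."""
    return hmac.compare_digest(observed, dns01_txt_value(token, account_jwk))

# Constructed sample account key (not a real key) and constructed tokens for the two identifiers.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key", "alg": "RS256"}
SAMPLE_TOKENS = {"xxxxxx.com": "token-for-apex", "*.xxxxxx.com": "token-for-wildcard"}

if __name__ == "__main__":
    for name, value in txt_records(SAMPLE_TOKENS, SAMPLE_JWK):
        print(f"{name} TXT {value}")
```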

Step 5: Install the certificate into the Nginx configuration directory

acme.sh --installcert -d xxxxxx.com \
    --key-file /usr/local/nginx/conf/ssl/xxxxxx.com/xxxxxx.com.key \
    --fullchain-file /usr/local/nginx/conf/ssl/xxxxxx.com/fullchain.cer \
    --reloadcmd "service nginx force-reload"

Step 6: Configure nginx.conf

The basic configuration is as follows:

server {
    listen          443 ssl;
    server_name     test.xxxxxx.com;

    ssl_certificate       /usr/local/nginx/conf/ssl/xxxxxx.com/fullchain.cer;
    ssl_certificate_key   /usr/local/nginx/conf/ssl/xxxxxx.com/xxxxxx.com.key;
    ssl_session_timeout     5m;
    # Protocol versions the server will accept
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

    # Cipher suites
    # ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    # Prefer the server's cipher order over the client's when negotiating SSLv3/TLS
    ssl_prefer_server_ciphers   on;

    root /var/www/html/test/;

    # ssl on;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        # Split "/app.php/extra/path" into the script name and its PATH_INFO
        set $real_script_name $fastcgi_script_name;
        set $path_info "";
        if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
            set $real_script_name $1;
            set $path_info $2;
        }
        fastcgi_pass 127.0.0.1:9001;
        fastcgi_index index.php;
        fastcgi_connect_timeout 1200;
        fastcgi_send_timeout 1200;
        fastcgi_read_timeout 1200;
        include fastcgi_params;
        # Set each parameter once, after the include, so nothing in fastcgi_params overrides it
        fastcgi_param SCRIPT_FILENAME $document_root$real_script_name;
        fastcgi_param SCRIPT_NAME $real_script_name;
        fastcgi_param PATH_INFO $path_info;
    }
}

# Redirect plain HTTP to HTTPS
server {
    listen          80;
    server_name     test.xxxxxx.com;

    return 301 https://$server_name$request_uri;
}

  • nginx turned out to be version 1.14 and was missing the SSL module:
  • Error: nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/conf.d/test.conf:2
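As an added defender-side check (not from the original post or from nginx), the following flattens an nginx server block and flags two things worth reviewing in a configuration shaped like the one above: legacy protocol versions listed in ssl_protocols, and a fastcgi_param key set more than once in the same block, where the effective value then depends on the FastCGI backend rather than on the config. Both sample configs are constructed; the second is the corrected form of the first.

```python
import re

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(conf: str) -> list:
    """Flatten nginx config into (block path, directive, args); comments dropped, quoted ';' kept."""
    conf = re.sub(r"#[^\n]*", "", conf)
    stack, directives = [], []
    for stmt in re.findall(r'(?:"[^"]*"|[^{};"])+[{;]|}', conf):
        stmt = stmt.strip()
        if stmt == "}":
            stack.pop()
            continue
        parts = stmt[:-1].split()
        if stmt.endswith("{"):
            stack.append(" ".join(parts))
        else:
            directives.append(("/".join(stack), parts[0], parts[1:]))
    return directives

def audit(conf: str) -> list:
    """Report legacy TLS versions and fastcgi_param keys set more than once in one block."""
    findings, seen = [], {}
    for path, name, args in parse_directives(conf):
        if name == "ssl_protocols":
            findings += [f"{path}: ssl_protocols enables legacy {p}" for p in args if p in LEGACY_PROTOCOLS]
        elif name == "fastcgi_param" and args:
            seen[(path, args[0])] = seen.get((path, args[0]), 0) + 1
            if seen[(path, args[0])] == 2:
                findings.append(f"{path}: fastcgi_param {args[0]} is set more than once")
    return findings

# Constructed sample in the shape of the server block above; HARDENED_CONF is the corrected form.
WEAK_CONF = r"""
server {
    listen 443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    add_header X-XSS-Protection "1; mode=block";
    location ~ \.php$ {
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
"""
HARDENED_CONF = WEAK_CONF.replace("TLSv1.1 ", "").replace(
    "        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;\n", "")
```

Run audit(WEAK_CONF) on a real file's contents before `nginx -t`; an empty list is the goal.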

Step 7: Nginx hot (zero-downtime) upgrade (current version 1.14)

Back everything up before starting

1. Check the existing nginx build parameters

/usr/local/nginx/sbin/nginx -V

2. Build nginx with the original configure parameters, following the normal installation method but stopping at make; never run make install, because make install would overwrite the existing configuration files

Download: wget https://nginx.org/download/nginx-1.16.1.tar.gz

cd /usr/local/nginx-1.16.1/

./configure --prefix=/usr/local/nginx --group=www --user=www --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/usr/local/nginx/logs/error.log --http-log-path=/usr/local/nginx/logs/access.log  --pid-path=/usr/local/nginx/logs/nginx.pid --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-pcre --with-http_realip_module --with-stream --with-http_image_filter_module

make

3. Back up the original nginx binary

Back up the binary and the nginx configuration files (nginx keeps serving requests while this is done)

mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx_$(date +%F)

4. Copy the new nginx binary out of the new source tree

cp /home/humx/nginx-1.16.1/objs/nginx /usr/local/nginx/sbin/

5. Test that the new nginx binary works

/usr/local/nginx/sbin/nginx -t

6. Restart the nginx service

On a production server do a graceful restart and follow steps 7-12 exactly; otherwise, forcibly restart with the commands below and skip straight to step 13;

  • Kill all nginx processes with killall nginx; since mine is a test server, simply killing them is fine
  • Then run nginx to start it again;

7. Send nginx the hot-upgrade signal (if unsure of the pid file path, check the nginx configuration)

kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`

8. Check the nginx pid files; an nginx.pid.oldbin file appears

ll /usr/local/nginx/logs/nginx.pid*
-rw-r--r-- 1 root root 5 Jul  1 11:29 /usr/local/nginx/logs/nginx.pid
-rw-r--r-- 1 root root 5 Jul  1 09:54 /usr/local/nginx/logs/nginx.pid.oldbin

9. Gracefully shut down the old Nginx worker processes

kill -WINCH `cat /usr/local/nginx/logs/nginx.pid.oldbin`

10. At this point the old worker processes can be started again without reloading the configuration (this is the rollback path if the new binary misbehaves)

kill -HUP `cat /usr/local/nginx/logs/nginx.pid.oldbin`

11. Terminate the old master and its workers, completing the upgrade

kill -QUIT `cat /usr/local/nginx/logs/nginx.pid.oldbin`

12. Verify that Nginx was upgraded successfully

/usr/local/nginx/sbin/nginx -V

# Upgrade from 1.14 to 1.16.1 complete

nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --group=www --user=www --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/usr/local/nginx/logs/error.log --http-log-path=/usr/local/nginx/logs/access.log --pid-path=/usr/local/nginx/logs/nginx.pid --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-pcre --with-http_realip_module --with-stream --with-http_image_filter_module

13. Test access: https://test.xxxxxx.com/

Returned successfully: "欢迎来到test地址,只用测试https" (Welcome to the test address; only for testing https)

Errors encountered

1. ./configure: error: the HTTP image filter module requires the GD library.

yum install gd gd-devel

Then re-run the ./configure … command from sub-step 2 of step 7

Successful result:

......
creating objs/Makefile

Configuration summary
  + using system PCRE library
  + using system OpenSSL library
  + using system zlib library

  nginx path prefix: "/usr/local/nginx"
  nginx binary file: "/usr/local/nginx/sbin/nginx"
  nginx modules path: "/usr/local/nginx/modules"
  nginx configuration prefix: "/usr/local/nginx/conf"
  nginx configuration file: "/usr/local/nginx/conf/nginx.conf"
  nginx pid file: "/usr/local/nginx/logs/nginx.pid"
  nginx error log file: "/usr/local/nginx/logs/error.log"
  nginx http access log file: "/usr/local/nginx/logs/access.log"
  nginx http client request body temporary files: "client_body_temp"
  nginx http proxy temporary files: "proxy_temp"
  nginx http fastcgi temporary files: "fastcgi_temp"
  nginx http uwsgi temporary files: "uwsgi_temp"
  nginx http scgi temporary files: "scgi_temp"