https://www.oschina.net/news/94188/acme-v2-and-wildcard-certificate-support-is-live https://my.oschina.net/kimver/blog/1634575 https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E ## Nginxåå‘代ç†httpçš„tomcat 1,执行 curl https://get.acme.sh | sh 2,执行 source ~/.bashrc 3,执行 # 阿里云åŽå°çš„密钥 export Ali_Key="1858118" export Ali_Secret="1858118" # 填写自己的域å acme.sh --issue --dns dns_ali -d springboot.io -d *.springboot.io * acme.sh比certbotçš„æ–¹å¼æ›´åŠ 自动化,çœåŽ»äº†æ‰‹åŠ¨åŽ»åŸŸååŽå°æ”¹DNS记录的æ¥éª¤,而且ä¸ç”¨ä¾èµ–Python * 第一次æˆåŠŸä¹‹åŽ,acme.sh会记录下App_Keyè·ŸApp_Secret,并且生æˆä¸€ä¸ªå®šæ—¶ä»»åŠ¡,æ¯å¤©å‡Œæ™¨0:00自动检测过期域å并且自动ç»æœŸ * 对这ç§æ–¹å¼æœ‰é¡¾è™‘çš„,请慎é‡,ä¸è¿‡ä¹Ÿå¯ä»¥è‡ªè¡Œåˆ 掉用户级的定时任务,并且清ç†æŽ‰~/.acme.sh文件夹就行 4,在è¯ä¹¦ç”Ÿæˆç›®å½•æ‰§è¡Œ acme.sh --installcert -d springboot.io -d *.springboot.io \ --keypath /usr/local/ssl/springboot/springboot.io.key \ --fullchainpath /usr/local/ssl/springboot/springboot.io.pem * 会把keyå’Œpem生æˆåˆ°æŒ‡å®šçš„目录 5,é…ç½®nginx server { listen 443; server_name springboot.io www.springboot.io; ssl on; ssl_certificate /usr/local/ssl/springboot/springboot.io.pem; ssl_certificate_key /usr/local/ssl/springboot/springboot.io.key; access_log logs/springboot.io.log main; error_log logs/springboot.io.error.log; proxy_set_header Host $host; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Requested-For $remote_addr; proxy_set_header REMOTE-HOST $remote_addr; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; location / { proxy_pass http://127.0.0.1:1024; proxy_connect_timeout 600; proxy_read_timeout 600; } } server { listen 80; server_name springboot.io www.springboot.io; return 301 https://springboot.io$request_uri; } ## Springbootå•ç‹¬é…ç½® 1,(在è¯ä¹¦ç”Ÿæˆç›®å½•)生æˆkeystore * ç”Ÿæˆ p12 文件(会输入一次密ç ) openssl pkcs12 -export -in fullchain.cer -inkey springboot.io.key -out springboot.io.p12 * æ ¹æ®p12 æ–‡ä»¶ç”Ÿæˆ keystore 文件 keytool -importkeystore -v -srckeystore springboot.io.p12 -srcstoretype pkcs12 -srcstorepass [p12文件的密ç ] -destkeystore springboot.io.keystore -deststoretype jks -deststorepass [keytroe的密ç ] * 如果æ示è¦å‘Š,å¯ä»¥è€ƒè™‘æ ¹æ®è¦å‘Šçš„命令,å†æ‰§è¡Œä¸€æ³¢ keytool -importkeystore -srckeystore springboot.io.keystore -destkeystore springboot.io.keystore -deststoretype pkcs12 2,springbooté…ç½® #ssl server.ssl.enabled=true server.ssl.key-store=classpath:ssl/springboot.io.keystore server.ssl.key-store-type=PKCS12 server.ssl.key-store-password=[key.store的密ç ] ------------------------------------ 手动安装å•åŸŸåè¯ä¹¦ | ------------------------------------ 1,clone git clone [email protected]:certbot/certbot.git 2,生æˆè¯ä¹¦ * 在当å‰æœåŠ¡å™¨ç”Ÿæˆ(standalone)建议 ./letsencrypt-auto certonly --standalone --email [邮箱] -d [域å] -d [域å] * éžå½“å‰æœåŠ¡å™¨ä¸Šç”Ÿæˆ(manual) ./letsencrypt-auto certonly --manual --email [邮箱] -d [域å] -d [域å] * 需è¦åœ¨æœåŠ¡å™¨çš„上安装å¯è®¿é—®çš„,脚本æ供的文本 CjhdUm0L4oQU0ZHg7F7832FtFweUPlRFJs0LxJGx_qg.-ielpqOUtyZI_Q0f9xYi8-Bj57TsuD5y4mGIMxW9GwM 文本 http://[域å]/.well-known/acme-challenge/CjhdUm0L4oQU0ZHg7F7832FtFweUPlRFJs0LxJGx_qg è®¿é—®åœ°å€ * 执行期间会与控制å°æœ‰ä¸¤æ¬¡äº¤äº’,第一次输入A,表示åŒæ„åè®®,第二次输入YES,表示å…è®¸ä»–ä»¬æ”¶é›†ä½ çš„é‚®ç®± * 创建期间,å¿…é¡»ä¿è¯80端å£ä¸è¢«å 用,脚本会在80端å£å¯åŠ¨httpæœåŠ¡æ¥éªŒè¯åŸŸå所属(standalone) * 创建æˆåŠŸåŽä¼šåœ¨ /etc/letsencrypt/ 下生æˆè¯ä¹¦æ–‡ä»¶ * 如果é‡åˆ°å› 为 pip 带æ¥çš„异常,å°è¯•åˆ 除(建议é‡å‘½å处ç†) ~/.pip/pip.conf 文件 * 记得安全组/防ç«å¢™å¼€æ”¾80ç«¯å£ 3,è¯ä¹¦ç»çº¦(需è¦åœ¨ç”Ÿæˆè¯ä¹¦çš„æœåŠ¡å™¨ä¸Šè¿›è¡Œ) ./letsencrypt-auto renew Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/springcloud.io.conf(处ç†/etc/letsencrypt/renewal/springcloud.io.conf) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cert not yet due for renewal(è¯ä¹¦è¿˜æ²¡æœ‰åˆ°æœŸ) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The following certs are not due for renewal yet:(下列è¯ä¹¦å°šæœªåˆ°æœŸç»æœŸ) /etc/letsencrypt/live/springcloud.io/fullchain.pem expires on 2018-11-29 (skipped) No renewals were attempted.(没有å°è¯•æ›´æ–°) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # nginxé…ç½® ssl on; ssl_certificate /etc/letsencrypt/live/[域å]/fullchain.pem ssl_certificate_key /etc/letsencrypt/live/[域å]/privkey.pem # 转æ¢ä¸º tomcat çš„æ ¼å¼ 1,进入目录 /etc/letsencrypt/live/[域å]/ 执行 openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out [域å].p12 * ç”Ÿæˆ p12 文件(会输入一次密ç ) 2,æ ¹æ®p12 æ–‡ä»¶ç”Ÿæˆ keystore 文件 keytool -importkeystore -v -srckeystore [域å].p12 -srcstoretype pkcs12 -srcstorepass [p12文件的密ç ] -destkeystore [域å].keystore -deststoretype jks -deststorepass [keytroe的密ç ] * 如果æ示è¦å‘Š,å¯ä»¥è€ƒè™‘å¤åˆ¶è¦å‘Šçš„命令,å†æ‰§è¡Œä¸€æ³¢ keytool -importkeystore -srckeystore [域å].keystore -destkeystore [域å].keystore -deststoretype pkcs12 ------------------------------------ 手动安装泛域åè¯ä¹¦ | ------------------------------------ 1,下载 wget https://dl.eff.org/certbot-auto chmod 775 certbot-auto * 也å¯é‡‡ç”¨certbot官方 yumå®‰è£…æ–¹å¼ 2,执行 ./certbot-auto certonly -d *.example.com -d example.com --manual --email [邮箱] --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory * 其实就是跟上é¢çš„é‚£ç§æ–¹æ³•ä¸€æ ·,采用的是,éžå½“å‰æœåŠ¡å™¨ä¸Šç”Ÿæˆ(manual) 3,æ·»åŠ TXT解æžè®°å½•åˆ°dnsæœåŠ¡å™¨,æ·»åŠ å®ŒæˆåŽ,ç‰å¾…è¯ä¹¦ç”Ÿæˆ,生æˆåŽ * 创建æˆåŠŸåŽä¼šåœ¨ /etc/letsencrypt/ 下生æˆè¯ä¹¦æ–‡ä»¶ * 跟手动创建å•åŸŸåè¯ä¹¦ä¸€æ ·çš„ 4,æ›´æ–°è¯ä¹¦ ./certbot-auto renew ------------------------------------ 在线è¯ä¹¦è½¬æ¢å·¥å…· | ------------------------------------ https://myssl.com/