Installing an HTTPS certificate
Use the acme.sh tool to install a free certificate; the repository is at [https://github.com/acmesh-official/acme.sh]
1. Install the tool
[root@ acme]# curl https://get.acme.sh | sh -s email=163@examples.com
[Wed May 21 19:46:07 CST 2025] Installing from online archive.
[Wed May 21 19:46:07 CST 2025] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Wed May 21 19:46:08 CST 2025] Extracting master.tar.gz
[Wed May 21 19:46:08 CST 2025] It is recommended to install socat first.
[Wed May 21 19:46:08 CST 2025] We use socat for the standalone server, which is used for standalone mode.
[Wed May 21 19:46:08 CST 2025] If you don't want to use standalone mode, you may ignore this warning.
[Wed May 21 19:46:08 CST 2025] Installing to /root/.acme.sh
[Wed May 21 19:46:08 CST 2025] Installed to /root/.acme.sh/acme.sh # install path: expose it through the alias, or call it by its full path
[Wed May 21 19:46:09 CST 2025] Installing alias to '/root/.bashrc'
[Wed May 21 19:46:09 CST 2025] Close and reopen your terminal to start using acme.sh
[Wed May 21 19:46:09 CST 2025] Installing alias to '/root/.cshrc'
[Wed May 21 19:46:09 CST 2025] Installing alias to '/root/.tcshrc'
[Wed May 21 19:46:09 CST 2025] Installing cron job
no crontab for root
no crontab for root
[Wed May 21 19:46:09 CST 2025] bash has been found. Changing the shebang to use bash as preferred.
[Wed May 21 19:46:11 CST 2025] OK
[Wed May 21 19:46:11 CST 2025] Install success!
2. Request the certificate
The official documentation offers several validation methods. Here both the server and the DNS hosting are on Alibaba Cloud, so this post focuses on issuing the certificate through DNS validation.
2.1 DNS issuance
First, prepare an AccessKey pair (AK/SK) that acme.sh will use to write DNS records through Alibaba Cloud DNS. Because this key is exposed on the server, create a RAM sub-user, grant it the AliyunVODFullAccess permission, and use the sub-user's AK/SK so that the scope of the exposed permissions is reduced.
export Ali_Key="XXXXX"
export Ali_Secret="XXXXX"
2.2 Issue the certificate
Issue the certificate, listing every domain that needs validation with the -d parameter. This step uses the AK/SK to write a validation record into the DNS zone; acme.sh removes the record automatically afterwards.
/root/.acme.sh/acme.sh --issue --dns dns_ali -d beordie.cn
[Thu May 22 18:36:00 CST 2025] Your cert is in: /root/.acme.sh/beordie.cn_ecc/beordie.cn.cer
[Thu May 22 18:36:00 CST 2025] Your cert key is in: /root/.acme.sh/beordie.cn_ecc/beordie.cn.key
[Thu May 22 18:36:01 CST 2025] The intermediate CA cert is in: /root/.acme.sh/beordie.cn_ecc/ca.cer
[Thu May 22 18:36:01 CST 2025] And the full-chain cert is in: /root/.acme.sh/beordie.cn_ecc/fullchain.cer
3. Install the certificate
/root/.acme.sh/acme.sh --install-cert -d beordie.cn \
    --key-file /etc/ssl/beordie.cn.key \
    --fullchain-file /etc/ssl/beordie.cn.cer \
    --reloadcmd "systemctl force-reload nginx"
First copy the generated certificate out into a directory of its own; /etc/ssl above is where the certificate is kept, and Nginx will reference these paths later.
3.1 Nginx: configure port 443
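The files reported after --issue (section 2.2) and the --reloadcmd used by --install-cert (section 3) are where a bad deployment usually shows up: a key that does not belong to the certificate, a fullchain whose first certificate is not the leaf, or a reload that takes nginx down with a broken config. The script below is an added example for this post, not part of acme.sh or the author's setup; it assumes `openssl` and `nginx` are on PATH and that the files follow the layout printed above (leaf `.cer`, `.key`, `fullchain.cer`).

```shell
#!/bin/sh
# Sanity checks for certificate files issued by acme.sh, to run before nginx
# reloads them. Added example; not part of acme.sh. Assumes openssl and nginx
# are installed and that the file layout matches the acme.sh output shown above.
set -u

# Succeeds only when the private key in $2 belongs to the certificate in $1.
# Both sides are reduced to the same PEM public key and compared, so a wrong key
# is caught here rather than as an nginx "key values mismatch" error at reload.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate in $1 is still valid $2 days from now.
# acme.sh's cron job renews well before expiry, so a certificate inside the
# warning window usually means renewal (for example the DNS API call) has been failing.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Succeeds when the first certificate in the fullchain file $2 is the leaf in $1,
# i.e. nginx will send the server certificate first, as TLS clients expect.
# `openssl x509` reads only the first PEM block of a file, and -outform PEM
# normalises both sides before they are compared.
fullchain_starts_with_leaf() {
  leaf=$(openssl x509 -in "$1" -outform PEM 2>/dev/null) || return 1
  first=$(openssl x509 -in "$2" -outform PEM 2>/dev/null) || return 1
  [ "$leaf" = "$first" ]
}

# A reload command suited to --reloadcmd: only reload when the configuration
# parses, so a typo in a certificate path cannot take the site offline.
safe_reload_nginx() {
  nginx -t && systemctl force-reload nginx
}

# Run every check and report; returns non-zero if any check fails.
# Usage: sh check_cert.sh CERT KEY [FULLCHAIN]
#   sh check_cert.sh /root/.acme.sh/beordie.cn_ecc/beordie.cn.cer \
#                    /root/.acme.sh/beordie.cn_ecc/beordie.cn.key \
#                    /root/.acme.sh/beordie.cn_ecc/fullchain.cer
check_cert() {
  cert=$1; key=$2; chain=${3:-}
  status=0
  if cert_matches_key "$cert" "$key"; then
    echo "ok: key matches certificate"
  else
    echo "FAIL: key does not match certificate"; status=1
  fi
  if valid_for_days "$cert" 30; then
    echo "ok: valid for more than 30 days"
  else
    echo "WARN: expires within 30 days, check the acme.sh cron job"; status=1
  fi
  if [ -n "$chain" ]; then
    if fullchain_starts_with_leaf "$cert" "$chain"; then
      echo "ok: fullchain starts with the leaf certificate"
    else
      echo "FAIL: fullchain does not start with the leaf certificate"; status=1
    fi
  fi
  return $status
}

# Only run the checks when invoked with file arguments, so the functions can
# also be sourced from another script.
if [ $# -ge 2 ]; then
  check_cert "$@"
fi
```

Wiring `safe_reload_nginx` (or simply `nginx -t && systemctl force-reload nginx`) into --reloadcmd is the cheapest protection against a renewal that silently installs a broken configuration; the other checks are worth running once after the first --issue and again whenever a renewal warning appears.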
upstream www {
    server localhost:8090;
}
server {
    listen 443 ssl;
    server_name www.beordie.cn;
    ssl_certificate /etc/ssl/beordie.cn.cer;
    ssl_certificate_key /etc/ssl/beordie.cn.key;
    location / {
        proxy_pass http://www;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /a78e64986c52640ca0de30379c8c4f03.txt {
        root /home/assets/static;
        try_files $uri =404;
    }
}
3.2 Nginx: force port 80 to redirect
server {
    listen 80;
    server_name www.beordie.cn;
    return 301 https://$server_name$request_uri; # permanent redirect to https
}
This is an original article, licensed under CC BY-NC-ND 4.0; when reposting in full, please credit BeorDie.