Let's Encrypt SSL 证书


NEW Let's Encrypt SSL通配符证书

使用 DNSPod API Token 自动添加/删除 DNS TXT 记录 (DNS-01 验证; 通配符证书只能通过 DNS 验证签发)

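# --- acme.sh + DNSPod (DNS-01): one wildcard certificate for all zones -------
# Review notes (security):
#  * The original piped the installer straight from the network into sh.
#    Fetch it to a file and read it (or compare it with a known release)
#    before executing it.
#  * DP_Id / DP_Key are DNSPod API credentials that can change every record
#    in the zone. acme.sh persists them in ~/.acme.sh/account.conf for
#    renewals - keep that file 0600 - and `export` lines typed into an
#    interactive shell end up in history; prefer sourcing them from a 0600
#    file.
#  * The original copied the private key to /var/www/html/cert/1.key. If
#    /var/www/html is a served document root, that key is downloadable by
#    anyone. --install-cert below writes to /root/ssl, the paths nginx.conf
#    already references.
#  * Line continuations were written as `\\`, which is a literal backslash
#    and does not continue the line; they are plain `\` here.
curl -fsSL https://get.acme.sh -o get-acme.sh
# inspect get-acme.sh here before running it
sh get-acme.sh

export DP_Id="xxxxx"
export DP_Key="xxxxxxxxxxxxxxxxxxxxxxxxxxx"

# A wildcard does not cover the zone apex, and the CSRs further down include
# blizzmi.cn / blizzmi.net themselves, so both apexes are added explicitly.
# '*.blizzmi.cn' stays first: it names the directory under ~/.acme.sh.
# The names are quoted so the shell cannot glob-expand the leading '*'.
acme.sh --issue --dns dns_dp \
  -d '*.blizzmi.cn' \
  -d blizzmi.cn \
  -d blizzmi.net \
  -d '*.dev.blizzmi.cn' \
  -d '*.sit.blizzmi.cn' \
  -d '*.msupporting-sit.blizzmi.cn' \
  -d '*.msupporting-dev.blizzmi.cn' \
  -d '*.dev.app.blizzmi.cn' \
  -d '*.sit.app.blizzmi.cn' \
  -d '*.pt.blizzmi.cn' \
  -d '*.fg.blizzmi.cn' \
  -d '*.blizzmi.net' \
  -d '*.pdev.blizzmi.net' \
  -d '*.psit.blizzmi.net' \
  -d '*.os.blizzmi.net' \
  -d '*.osit.blizzmi.net' \
  -d '*.odev.blizzmi.net' \
  -d '*.sit.wl.blizzmi.cn' \
  --debug

# acme.sh writes leaf + intermediate as fullchain.cer itself, so the
# hand-downloaded lets-encrypt-x3-cross-signed.pem is not needed: pinning one
# intermediate generation silently breaks the chain once the CA rotates it.
# --install-cert also records these paths so renewals refresh them.
install -d -m 0700 /root/ssl
acme.sh --install-cert -d '*.blizzmi.cn' \
  --key-file       /root/ssl/domain.key \
  --fullchain-file /root/ssl/chained.pem \
  --reloadcmd      "nginx -s reload"   # drop/adjust if nginx is not running yet
chmod 0600 /root/ssl/domain.key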

lets-encrypt-x3-cross-signed.pem

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

account.key

acme_tiny.py

chained.pem

domain.csr

domain.key

intermediate.pem

https://github.com/diafygi/acme-tiny (acme_tiny.py 使用 account.key 签名 ACME 请求; 请固定到具体 release/commit 并核对内容后再运行, 不要直接拉取 master)

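# Keys for the acme-tiny flow. `openssl genrsa` creates the output file with
# the current umask, so with the usual 022 both private keys would be
# world-readable; the subshell umask keeps them 0600 without changing the
# caller's umask. account.key identifies the ACME account, domain.key is the
# TLS private key nginx loads (the original note lists 2048 bits as an
# alternative size for domain.key).
(umask 077; openssl genrsa 4096 > account.key)
(umask 077; openssl genrsa 4096 > domain.key)
# Intermediate that completes the served chain. Use the X3 cross-signed
# certificate, not X1: with X1 many mobile browsers report the certificate
# as invalid. This pins a single intermediate generation - after signing,
# confirm it really issued the leaf
# (openssl verify -untrusted intermediate.pem signed.crt) rather than
# assuming it, because a CA intermediate rotation silently breaks the chain.
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem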

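# A chain without the intermediate makes Android apps fail with
# javax.net.ssl.SSLHandshakeException, so every leaf below is concatenated
# with intermediate.pem.
#
# issue_cert SAN_LIST
#   Build a CSR for domain.key that carries only a subjectAltName extension
#   (empty subject, as Let's Encrypt only looks at the SANs), have acme-tiny
#   sign it via HTTP-01 (/var/www/challenges is what nginx serves at
#   /.well-known/acme-challenge/), verify the intermediate matches, and
#   write leaf + intermediate to chained.pem.
#   NOTE: each call overwrites domain.csr, signed.crt and chained.pem. The
#   four environments below therefore cannot be run back to back - copy
#   chained.pem away (e.g. /root/ssl/<env>-chained.pem) between calls.
#   /etc/pki/tls/openssl.cnf is the RHEL/CentOS path; adjust elsewhere.
#   `python` is kept from the original; acme-tiny runs on python3 as well.
issue_cert() {
  local san_list=$1
  # The SAN list goes through %s, never into the printf format string.
  openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN \
    -config <(cat /etc/pki/tls/openssl.cnf \
                  <(printf '[SAN]\nsubjectAltName=%s\n' "$san_list")) > domain.csr || return 1
  # acme-tiny prints the signed leaf on stdout and its log on stderr.
  python acme_tiny.py --account-key ./account.key --csr ./domain.csr \
    --acme-dir /var/www/challenges/ > ./signed.crt || return 1
  # Refuse to build a chain whose intermediate did not issue this leaf
  # (needs the CA root in the system trust store; remove on minimal images).
  openssl verify -untrusted intermediate.pem signed.crt || return 1
  cat signed.crt intermediate.pem > chained.pem
}

# HK
issue_cert "DNS:fungaming.com,DNS:www.fungaming.com,DNS:static.fungaming.com,DNS:web.fungaming.com"

# dev/sit (DNS:blizzmi.cn appears twice in the original list; kept as-is)
issue_cert "DNS:blizzmi.cn,DNS:crm.sit.blizzmi.cn,DNS:msupporting.blizzmi.cn,DNS:msupporting.dev.blizzmi.cn,DNS:msupporting.sit.blizzmi.cn,DNS:msupporting-dev.blizzmi.cn,DNS:msupporting-sit.blizzmi.cn,DNS:bm.msupporting-sit.blizzmi.cn,DNS:agent.fg.blizzmi.cn,DNS:agent.pt.blizzmi.cn,DNS:api.fg.blizzmi.cn,DNS:api.pt.blizzmi.cn,DNS:by.blizzmi.cn,DNS:cattle.blizzmi.cn,DNS:fruit.blizzmi.cn,DNS:lobby.fg.blizzmi.cn,DNS:lobby.pt.blizzmi.cn,DNS:m.fg.blizzmi.cn,DNS:m.pt.blizzmi.cn,DNS:pt.blizzmi.cn,DNS:royal.blizzmi.cn,DNS:slot.blizzmi.cn,DNS:static.fg.blizzmi.cn,DNS:static.pt.blizzmi.cn,DNS:texas.blizzmi.cn,DNS:blizzmi.cn,DNS:crm.blizzmi.cn,DNS:agent.dev.blizzmi.cn,DNS:api.dev.blizzmi.cn,DNS:crm.dev.blizzmi.cn,DNS:fg-agent.dev.blizzmi.cn,DNS:fg-lobby.dev.blizzmi.cn,DNS:fg-m.dev.blizzmi.cn,DNS:fgslot.dev.blizzmi.cn,DNS:fg-static.dev.blizzmi.cn,DNS:im.dev.blizzmi.cn,DNS:lobby.dev.blizzmi.cn,DNS:lobby2.fg.blizzmi.cn,DNS:m.dev.blizzmi.cn,DNS:pt.dev.blizzmi.cn,DNS:static.dev.blizzmi.cn,DNS:logs.blizzmi.cn,DNS:record.blizzmi.cn,DNS:record.dev.blizzmi.cn,DNS:texas.dev.blizzmi.cn,DNS:h5.pt.blizzmi.cn,DNS:fish.dev.blizzmi.cn,DNS:h5.fg.blizzmi.cn,DNS:pc28.dev.blizzmi.cn,DNS:pc28.sit.blizzmi.cn,DNS:swf.blizzmi.cn,DNS:swf.dev.blizzmi.cn,DNS:fg-lobby2.dev.blizzmi.cn,DNS:wlcasino.blizzmi.cn,DNS:wlcasino.dev.blizzmi.cn,DNS:by-111.blizzmi.cn,DNS:by-222.blizzmi.cn,DNS:by-333.blizzmi.cn,DNS:texas-111.blizzmi.cn,DNS:texas-222.blizzmi.cn,DNS:texas-333.blizzmi.cn,DNS:swf-111.blizzmi.cn,DNS:swf-222.blizzmi.cn,DNS:swf-333.blizzmi.cn"

# pdev/psit
issue_cert "DNS:blizzmi.net,DNS:www.blizzmi.net,DNS:static.pdev.blizzmi.net,DNS:h5.pdev.blizzmi.net,DNS:lobby.pdev.blizzmi.net,DNS:m.pdev.blizzmi.net,DNS:agent.pdev.blizzmi.net,DNS:api.pdev.blizzmi.net,DNS:fruit.pdev.blizzmi.net,DNS:slot.pdev.blizzmi.net,DNS:chess.pdev.blizzmi.net,DNS:hunter.pdev.blizzmi.net,DNS:static.psit.blizzmi.net,DNS:h5.psit.blizzmi.net,DNS:lobby.psit.blizzmi.net,DNS:m.psit.blizzmi.net,DNS:agent.psit.blizzmi.net,DNS:api.psit.blizzmi.net,DNS:fruit.psit.blizzmi.net,DNS:slot.psit.blizzmi.net,DNS:chess.psit.blizzmi.net,DNS:hunter.psit.blizzmi.net,DNS:swf.psit.blizzmi.net,DNS:swf.pdev.blizzmi.net,DNS:record.psit.blizzmi.net,DNS:record.pdev.blizzmi.net"

# os.blizzmi.net (os / osit / odev)
issue_cert "DNS:agent.os.blizzmi.net,DNS:api.os.blizzmi.net,DNS:chess.os.blizzmi.net,DNS:swf.os.blizzmi.net,DNS:hunter.os.blizzmi.net,DNS:h5.os.blizzmi.net,DNS:lobby.os.blizzmi.net,DNS:lobby2.os.blizzmi.net,DNS:logs.os.blizzmi.net,DNS:m.os.blizzmi.net,DNS:record.os.blizzmi.net,DNS:static.os.blizzmi.net,DNS:wlcasino.os.blizzmi.net,DNS:agent.osit.blizzmi.net,DNS:api.osit.blizzmi.net,DNS:chess.osit.blizzmi.net,DNS:swf.osit.blizzmi.net,DNS:hunter.osit.blizzmi.net,DNS:h5.osit.blizzmi.net,DNS:lobby.osit.blizzmi.net,DNS:lobby2.osit.blizzmi.net,DNS:logs.osit.blizzmi.net,DNS:m.osit.blizzmi.net,DNS:record.osit.blizzmi.net,DNS:static.osit.blizzmi.net,DNS:wlcasino.osit.blizzmi.net,DNS:agent.odev.blizzmi.net,DNS:api.odev.blizzmi.net,DNS:chess.odev.blizzmi.net,DNS:swf.odev.blizzmi.net,DNS:hunter.odev.blizzmi.net,DNS:h5.odev.blizzmi.net,DNS:lobby.odev.blizzmi.net,DNS:lobby2.odev.blizzmi.net,DNS:logs.odev.blizzmi.net,DNS:m.odev.blizzmi.net,DNS:record.odev.blizzmi.net,DNS:static.odev.blizzmi.net,DNS:wlcasino.odev.blizzmi.net"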

需要的文件: domain.key (私钥, 保持 0600 且不要放到 web 根目录下) 和 chained.pem (叶子证书 + 中间证书)

vi nginx.conf
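# TLS terminator for the Let's Encrypt chain built above.
# Review changes against the original:
#  - error/access logs re-enabled: they were commented out, which leaves
#    nothing to look at after an incident (pair with logrotate).
#  - `listen 443 ssl;` replaces the deprecated `ssl on;` (removed in newer
#    nginx releases).
#  - TLSv1/TLSv1.1 (deprecated, RFC 8996) and the CBC/SHA-1 and DHE suites
#    removed; DHE without `ssl_dhparam` is weak or disabled depending on the
#    nginx version, and ECDHE is preferred anyway.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    # NOTE(review): source-build prefix, while pid/modules use the package
    # layout (/run, /usr/share/nginx) - confirm this path exists on the host.
    include             /usr/local/nginx/conf/mime.types;
    default_type        application/octet-stream;
    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    #include /etc/nginx/conf.d/*.conf;

    # Plain HTTP: only answers the HTTP-01 challenges acme-tiny writes to
    # /var/www/challenges; everything else falls through to nginx defaults.
    server {
        listen 80 default_server;
        server_name  _;
        location ^~ /.well-known/acme-challenge/ {
            alias /var/www/challenges/;
            try_files $uri =404;
        }
    }

    server {
        listen 443 ssl;
        server_name _;
        # chained.pem = leaf + intermediate (clients fail the handshake
        # without the intermediate); domain.key must stay 0600, root-owned.
        ssl_certificate /root/ssl/chained.pem;
        ssl_certificate_key /root/ssl/domain.key;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        # TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL 1.1.1; drop the
        # token if `nginx -t` rejects it on this build.
        ssl_protocols TLSv1.2 TLSv1.3;
        # AEAD-only, ECDHE-only. ECDHE-RSA-CHACHA20-POLY1305 can be appended
        # when the OpenSSL build is >= 1.1.0.
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
        ssl_prefer_server_ciphers on;
        # Consider `add_header Strict-Transport-Security "max-age=..."` once
        # every hostname behind this vhost is confirmed to be HTTPS-only.
    }
}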