Let's Encrypt SSL 证书 (Let's Encrypt TLS certificates)


NEW Let's Encrypt SSL通配符证书

通过 DNSPod API Token 自动修改 DNS 记录完成 dns-01 验证 (通配符证书只能用 DNS 验证; 该 Token 视同可改写整个账号 DNS 的凭据, 须妥善保管)

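#!/usr/bin/env bash
# Issue ONE Let's Encrypt certificate covering every wildcard name listed below,
# using acme.sh with the DNSPod dns-01 hook (wildcards can only be validated via
# DNS), then install the result where nginx reads it.
#
# Required environment (DNSPod API token):
#   DP_Id   token ID
#   DP_Key  token secret
# Export them from a 0600 file (e.g. `set -a; . /root/.dnspod.env; set +a`)
# instead of typing the secret on the command line: it would land in shell
# history, and `ps` shows argv to every local user. acme.sh copies both values
# into ~/.acme.sh/account.conf for renewals, so that file must stay 0600 too.
# Whoever holds the token can rewrite the account's DNS records — and therefore
# obtain certificates for these names — so scope it as narrowly as DNSPod allows.
set -euo pipefail

: "${DP_Id:?DNSPod token id (DP_Id) is not set}"
: "${DP_Key:?DNSPod token secret (DP_Key) is not set}"
export DP_Id DP_Key

# Where nginx reads the cert/key pair. The original copied them into
# /var/www/html/cert/, i.e. the web root: anything under there is one
# misconfigured `location` away from serving the PRIVATE KEY over HTTP.
# Keep key material out of every document root; if the web path was meant for
# distributing the files to other hosts, use scp/rsync over SSH instead.
cert_dir=${CERT_DIR:-/root/ssl}
acme=${ACME_SH:-$HOME/.acme.sh/acme.sh}

# SECURITY (supply chain): `curl … | sh` executes whatever the server, a proxy
# or a compromised CDN returns, with no chance to look at it first. Fetch to a
# file, read it, then run it — and skip this entirely once acme.sh is installed.
if [[ ! -x "$acme" ]]; then
  installer=$(mktemp)
  trap 'rm -f -- "$installer"' EXIT
  curl -fsSL https://get.acme.sh -o "$installer"
  less "$installer"   # review before executing
  sh "$installer"
fi

# All names go on a single certificate, as in the original procedure. The first
# entry is the "main" domain acme.sh files everything under. Note that the
# environment labels (dev, sit, msu-*, …) become public via Certificate
# Transparency; put internal environments on their own certificate if that matters.
domains=(
  '*.bxxxxx.cn'
  '*.dev.bxxxxx.cn'
  '*.sit.bxxxxx.cn'
  '*.msu-sit.bxxxxx.cn'
  '*.msu-dev.bxxxxx.cn'
  '*.dev.app.bxxxxx.cn'
  '*.sit.app.bxxxxx.cn'
  '*.pt.bxxxxx.cn'
  '*.fx.bxxxxx.cn'
  '*.bxxxxx.net'
  '*.pdev.bxxxxx.net'
  '*.psit.bxxxxx.net'
  '*.os.bxxxxx.net'
  '*.osit.bxxxxx.net'
  '*.odev.bxxxxx.net'
  '*.sit.wl.bxxxxx.cn'
)
args=()
for d in "${domains[@]}"; do
  args+=(-d "$d")
done
# --debug prints the whole ACME/API exchange; enable it only while diagnosing
# (ACME_DEBUG=1) and keep the output out of shared logs.
if [[ -n "${ACME_DEBUG:-}" ]]; then
  args+=(--debug)
fi

# No hand-fetched intermediate any more: the original downloaded
# lets-encrypt-x3-cross-signed.pem, an intermediate Let's Encrypt has long since
# rotated away from, so the chain it built would eventually be rejected by
# clients. acme.sh already writes fullchain.cer with the chain the CA returns.
# --server letsencrypt: recent acme.sh releases default to ZeroSSL otherwise.
"$acme" --issue --server letsencrypt --dns dns_dp "${args[@]}"

# --install-cert copies the files to fixed paths and records them, so the
# renewal cron job acme.sh installed redeploys and reloads nginx by itself.
# Adjust --reloadcmd to `systemctl reload nginx` where that is the convention.
install -d -m 0700 -- "$cert_dir"
"$acme" --install-cert -d "${domains[0]}" \
  --key-file       "$cert_dir/1.key" \
  --fullchain-file "$cert_dir/1.pem" \
  --reloadcmd      "nginx -s reload"
chmod 0600 -- "$cert_dir/1.key"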
lets-encrypt-x3-cross-signed.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

account.key

acme_tiny.py

chained.pem

domain.csr

domain.key

intermediate.pem

https://github.com/diafygi/acme-tiny

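#!/usr/bin/env bash
# Issue Let's Encrypt certificates with acme-tiny
# (https://github.com/diafygi/acme-tiny) via the http-01 challenge: the CA
# fetches http://<name>/.well-known/acme-challenge/<token>, which nginx serves
# from /var/www/challenges/ (see the port-80 server block in nginx.conf).
#
# Outputs per environment NAME, in the current directory:
#   NAME.csr            certificate request
#   NAME.crt            what acme-tiny returned
#   NAME.chained.pem    leaf + intermediate — this is what ssl_certificate needs
# Copy the chosen NAME.chained.pem to the server as chained.pem next to domain.key.
# The original ran all four environments into the same domain.csr/signed.crt/
# chained.pem, so each run silently overwrote the previous one; the per-NAME
# files fix that.
set -euo pipefail

# Private keys must never be group/world readable; `openssl genrsa` honours the
# umask, so set it before any key is written.
umask 077

acme_tiny=${ACME_TINY:-./acme_tiny.py}
python=${PYTHON:-python}
challenge_dir=/var/www/challenges/
# RHEL/CentOS path; Debian/Ubuntu ship it as /etc/ssl/openssl.cnf.
openssl_cnf=${OPENSSL_CNF:-/etc/pki/tls/openssl.cnf}

# One key for the ACME account, one for the certificates. Existing keys are kept:
# regenerating account.key registers a new ACME account every run. 4096-bit RSA
# works everywhere; 2048 is the usual choice when handshake CPU matters.
[[ -f account.key ]] || openssl genrsa 4096 > account.key
[[ -f domain.key  ]] || openssl genrsa 4096 > domain.key
# NOTE(review): every environment below signs with the same domain.key, as in
# the original procedure. A key leaked from dev/sit then also breaks prod;
# prefer one key per environment.

# Intermediate certificate. Use the one Let's Encrypt currently publishes
# (https://letsencrypt.org/certificates/) — the original pinned
# lets-encrypt-x3-cross-signed.pem, which has since been retired, and X1 before
# it; a stale intermediate is why mobile browsers flag the site as invalid.
# Serving the leaf without its intermediate is what produces
# javax.net.ssl.SSLHandshakeException in mobile apps.
: "${INTERMEDIATE_URL:?set INTERMEDIATE_URL to the current Let's Encrypt intermediate PEM}"
wget -O intermediate.pem -- "$INTERMEDIATE_URL"

# issue_cert NAME SANS
#   NAME  short environment label, used for the output file names
#   SANS  comma-separated "DNS:host,DNS:host,…" list for subjectAltName
# Writes NAME.csr, NAME.crt and NAME.chained.pem; fails if the chain does not
# verify, so a wrong intermediate is caught here rather than by the first
# mobile client that connects.
issue_cert() {
  local name=$1 sans=$2
  # Empty subject: every name lives in subjectAltName, which is what clients
  # actually check. The SAN section is appended to the system openssl.cnf.
  openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN \
    -config <(cat "$openssl_cnf" <(printf '[SAN]\nsubjectAltName=%s\n' "$sans")) \
    > "$name.csr"
  "$python" "$acme_tiny" --account-key ./account.key --csr "./$name.csr" \
    --acme-dir "$challenge_dir" > "$name.crt"
  # Older acme-tiny prints only the leaf; newer releases print the full chain.
  # Append the intermediate only when it is missing, so it is never doubled.
  if (( $(grep -c 'BEGIN CERTIFICATE' "$name.crt") < 2 )); then
    cat "$name.crt" intermediate.pem > "$name.chained.pem"
  else
    cp -- "$name.crt" "$name.chained.pem"
  fi
  openssl verify -untrusted intermediate.pem "$name.crt" >/dev/null
}

# HK
issue_cert hk 'DNS:fungaming.com,DNS:www.fungaming.com,DNS:static.fungaming.com,DNS:web.fungaming.com'

# dev/sit (bxxxxx.cn is listed twice in the SAN list; harmless, but tidy it up
# next time the list changes)
issue_cert devsit 'DNS:bxxxxx.cn,DNS:crm.sit.bxxxxx.cn,DNS:msupporting.bxxxxx.cn,DNS:msupporting.dev.bxxxxx.cn,DNS:msupporting.sit.bxxxxx.cn,DNS:msu-dev.bxxxxx.cn,DNS:msu-sit.bxxxxx.cn,DNS:bm.msu-sit.bxxxxx.cn,DNS:agent.fx.bxxxxx.cn,DNS:agent.pt.bxxxxx.cn,DNS:api.fx.bxxxxx.cn,DNS:api.pt.bxxxxx.cn,DNS:by.bxxxxx.cn,DNS:cattle.bxxxxx.cn,DNS:fruit.bxxxxx.cn,DNS:lobby.fx.bxxxxx.cn,DNS:lobby.pt.bxxxxx.cn,DNS:m.fx.bxxxxx.cn,DNS:m.pt.bxxxxx.cn,DNS:pt.bxxxxx.cn,DNS:royal.bxxxxx.cn,DNS:slot.bxxxxx.cn,DNS:static.fx.bxxxxx.cn,DNS:static.pt.bxxxxx.cn,DNS:texas.bxxxxx.cn,DNS:bxxxxx.cn,DNS:crm.bxxxxx.cn,DNS:agent.dev.bxxxxx.cn,DNS:api.dev.bxxxxx.cn,DNS:crm.dev.bxxxxx.cn,DNS:fg-agent.dev.bxxxxx.cn,DNS:fg-lobby.dev.bxxxxx.cn,DNS:fg-m.dev.bxxxxx.cn,DNS:fgslot.dev.bxxxxx.cn,DNS:fg-static.dev.bxxxxx.cn,DNS:im.dev.bxxxxx.cn,DNS:lobby.dev.bxxxxx.cn,DNS:loxxx2.fx.bxxxxx.cn,DNS:m.dev.bxxxxx.cn,DNS:pt.dev.bxxxxx.cn,DNS:static.dev.bxxxxx.cn,DNS:logs.bxxxxx.cn,DNS:record.bxxxxx.cn,DNS:record.dev.bxxxxx.cn,DNS:texas.dev.bxxxxx.cn,DNS:h5.pt.bxxxxx.cn,DNS:fish.dev.bxxxxx.cn,DNS:h5.fx.bxxxxx.cn,DNS:pc28.dev.bxxxxx.cn,DNS:pc28.sit.bxxxxx.cn,DNS:swf.bxxxxx.cn,DNS:swf.dev.bxxxxx.cn,DNS:fg-loxxx2.dev.bxxxxx.cn,DNS:wlcasino.bxxxxx.cn,DNS:wlcasino.dev.bxxxxx.cn,DNS:by-111.bxxxxx.cn,DNS:by-222.bxxxxx.cn,DNS:by-333.bxxxxx.cn,DNS:texas-111.bxxxxx.cn,DNS:texas-222.bxxxxx.cn,DNS:texas-333.bxxxxx.cn,DNS:swf-111.bxxxxx.cn,DNS:swf-222.bxxxxx.cn,DNS:swf-333.bxxxxx.cn'

# pdev/psit
issue_cert pdevpsit 'DNS:bxxxxx.net,DNS:www.bxxxxx.net,DNS:static.pdev.bxxxxx.net,DNS:h5.pdev.bxxxxx.net,DNS:lobby.pdev.bxxxxx.net,DNS:m.pdev.bxxxxx.net,DNS:agent.pdev.bxxxxx.net,DNS:api.pdev.bxxxxx.net,DNS:fruit.pdev.bxxxxx.net,DNS:slot.pdev.bxxxxx.net,DNS:chess.pdev.bxxxxx.net,DNS:hunter.pdev.bxxxxx.net,DNS:static.psit.bxxxxx.net,DNS:h5.psit.bxxxxx.net,DNS:lobby.psit.bxxxxx.net,DNS:m.psit.bxxxxx.net,DNS:agent.psit.bxxxxx.net,DNS:api.psit.bxxxxx.net,DNS:fruit.psit.bxxxxx.net,DNS:slot.psit.bxxxxx.net,DNS:chess.psit.bxxxxx.net,DNS:hunter.psit.bxxxxx.net,DNS:swf.psit.bxxxxx.net,DNS:swf.pdev.bxxxxx.net,DNS:record.psit.bxxxxx.net,DNS:record.pdev.bxxxxx.net'

# os.bxxxxx.net (os / osit / odev)
issue_cert os 'DNS:agent.os.bxxxxx.net,DNS:api.os.bxxxxx.net,DNS:chess.os.bxxxxx.net,DNS:swf.os.bxxxxx.net,DNS:hunter.os.bxxxxx.net,DNS:h5.os.bxxxxx.net,DNS:lobby.os.bxxxxx.net,DNS:loxxx2.os.bxxxxx.net,DNS:logs.os.bxxxxx.net,DNS:m.os.bxxxxx.net,DNS:record.os.bxxxxx.net,DNS:static.os.bxxxxx.net,DNS:wlcasino.os.bxxxxx.net,DNS:agent.osit.bxxxxx.net,DNS:api.osit.bxxxxx.net,DNS:chess.osit.bxxxxx.net,DNS:swf.osit.bxxxxx.net,DNS:hunter.osit.bxxxxx.net,DNS:h5.osit.bxxxxx.net,DNS:lobby.osit.bxxxxx.net,DNS:loxxx2.osit.bxxxxx.net,DNS:logs.osit.bxxxxx.net,DNS:m.osit.bxxxxx.net,DNS:record.osit.bxxxxx.net,DNS:static.osit.bxxxxx.net,DNS:wlcasino.osit.bxxxxx.net,DNS:agent.odev.bxxxxx.net,DNS:api.odev.bxxxxx.net,DNS:chess.odev.bxxxxx.net,DNS:swf.odev.bxxxxx.net,DNS:hunter.odev.bxxxxx.net,DNS:h5.odev.bxxxxx.net,DNS:lobby.odev.bxxxxx.net,DNS:loxxx2.odev.bxxxxx.net,DNS:logs.odev.bxxxxx.net,DNS:m.odev.bxxxxx.net,DNS:record.odev.bxxxxx.net,DNS:static.odev.bxxxxx.net,DNS:wlcasino.odev.bxxxxx.net'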
部署到服务器需要的文件: domain.key (私钥, 只能 root 可读, 权限 0600) 和 chained.pem (叶证书 + 中间证书, 缺少中间证书会导致手机端报证书无效)

vi nginx.conf
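# nginx front end for the certificates above: port 80 only answers ACME
# http-01 challenges (everything else is sent to https); port 443 terminates
# TLS with the chained.pem / domain.key pair produced by the acme-tiny steps.
user nginx;
worker_processes auto;
# Keep error and access logs enabled: without them there is nothing to look
# at after an incident and no way to notice probing of the challenge path.
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    # NOTE(review): modules come from /usr/share/nginx but mime.types from
    # /usr/local/nginx — two install layouts; confirm the path matches this host.
    include             /usr/local/nginx/conf/mime.types;
    default_type        application/octet-stream;
    # Do not advertise the nginx version in headers and error pages.
    server_tokens       off;
    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    #include /etc/nginx/conf.d/*.conf;

    server {
        listen 80 default_server;
        server_name  _;
        # http-01 validation: the CA fetches /.well-known/acme-challenge/<token>
        # over plain HTTP, so this prefix must stay reachable without TLS and
        # must never be redirected. acme_tiny.py writes the token files here
        # (--acme-dir). A missing file already returns 404, so the former
        # `try_files $uri =404` is not needed — and try_files together with
        # alias is a long-standing nginx gotcha worth avoiding.
        location ^~ /.well-known/acme-challenge/ {
            alias /var/www/challenges/;
        }
        # Everything else goes to https. Previously plain-HTTP requests fell
        # through to the default root; if any name still needs plain HTTP,
        # give it its own server block instead of weakening this one.
        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        # `ssl on;` is deprecated; the ssl parameter on listen replaces it.
        listen 443 ssl;
        server_name _;
        # Read as root at startup, before workers drop to the nginx user, so
        # /root/ssl with domain.key at 0600 is fine — never place these under
        # a document root.
        ssl_certificate     /root/ssl/chained.pem;
        ssl_certificate_key /root/ssl/domain.key;
        ssl_session_timeout 5m;
        ssl_session_cache   shared:SSL:50m;
        # TLS 1.0/1.1 are deprecated (RFC 8996) and fail compliance scans;
        # 1.2 + 1.3 covers current browsers and mobile apps. If one legacy
        # client genuinely needs 1.0, enable it deliberately and document why.
        ssl_protocols TLSv1.2 TLSv1.3;
        # Forward-secret AEAD suites only. The CBC suites from the old list
        # (…-AES256-SHA, …-AES128-SHA256, …-AES256-SHA384 and friends) are
        # dropped; add one back only for a named client that cannot do GCM.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers on;
        # Worth enabling once every name behind this catch-all is https-only
        # (a catch-all server_name makes HSTS apply to all of them at once):
        # add_header Strict-Transport-Security "max-age=63072000" always;
    }
}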