LNMP 集成环境下 SSL 续期优化
其他

LNMP 集成环境下 SSL 续期优化

lnmp 集成环境: https://lnmp.org

通过 Nginx 日志我们可以看到 Let’s Encrypt 的验证是通过项目根目录下的 .well-known 文件夹,所以我们需要把该目录排除即可。

/home/wwwlogs/sls.hongfs.cn.log

1
2
3
4
34.209.232.166 - - [02/Apr/2020:20:27:58 +0800] "GET /.well-known/acme-challenge/MXS_Z0y5XognhDh9U7ib-jf9yyRpKSvrK5kDT5V3lC8 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [02/Apr/2020:20:27:59 +0800] "GET /.well-known/acme-challenge/MXS_Z0y5XognhDh9U7ib-jf9yyRpKSvrK5kDT5V3lC8 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
3.14.255.131 - - [02/Apr/2020:20:28:00 +0800] "GET /.well-known/acme-challenge/MXS_Z0y5XognhDh9U7ib-jf9yyRpKSvrK5kDT5V3lC8 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.194.58.132 - - [02/Apr/2020:20:28:01 +0800] "GET /.well-known/acme-challenge/MXS_Z0y5XognhDh9U7ib-jf9yyRpKSvrK5kDT5V3lC8 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

/usr/local/nginx/conf/vhost/ssl.hongfs.cn.conf

项目的 Nginx 配置文件,这里只需修改监听 80 端口的配置。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
server
    {
        listen 80;
        #listen [::]:80;
        server_name ssl.hongfs.cn ;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/ssl.hongfs.cn;

        # 非 /.well-known 目录进行跳转到 HTTPS
        if ($request_uri !~ /.well-known) {
            rewrite ^(.*)$  https://$host$1 permanent;
        }

        access_log  /home/wwwlogs/ssl.hongfs.cn.log;
    }

修改完配置后记得 重启 相关服务。

测试

强制重新生成

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$ "/usr/local/acme.sh"/acme.sh --cron --home "/usr/local/acme.sh" --force
[Thu Apr  2 20:35:39 CST 2020] ===Starting cron===
[Thu Apr  2 20:35:39 CST 2020] Renew: 'ssl.hongfs.cn'
[Thu Apr  2 20:35:41 CST 2020] Single domain='ssl.hongfs.cn'
[Thu Apr  2 20:35:41 CST 2020] Getting domain auth token for each domain
[Thu Apr  2 20:35:44 CST 2020] Getting webroot for domain='ssl.hongfs.cn'
[Thu Apr  2 20:35:44 CST 2020] ssl.hongfs.cn is already verified, skip http-01.
[Thu Apr  2 20:35:44 CST 2020] Verify finished, start to sign.
[Thu Apr  2 20:35:44 CST 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/82290940/2865693058
[Thu Apr  2 20:35:45 CST 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/03687f02361c1e714f1968819473f65bfd6d
[Thu Apr  2 20:35:46 CST 2020] Cert success.
[Thu Apr  2 20:35:46 CST 2020] Your cert is in  /usr/local/nginx/conf/ssl/ssl.hongfs.cn/ssl.hongfs.cn.cer
[Thu Apr  2 20:35:46 CST 2020] Your cert key is in  /usr/local/nginx/conf/ssl/ssl.hongfs.cn/ssl.hongfs.cn.key
[Thu Apr  2 20:35:46 CST 2020] The intermediate CA cert is in  /usr/local/nginx/conf/ssl/ssl.hongfs.cn/ca.cer
[Thu Apr  2 20:35:46 CST 2020] And the full chain certs is there:  /usr/local/nginx/conf/ssl/ssl.hongfs.cn/fullchain.cer
[Thu Apr  2 20:35:46 CST 2020] Run reload cmd: /etc/init.d/nginx reload
Reload nginx...  done
[Thu Apr  2 20:35:46 CST 2020] Reload success
[Thu Apr  2 20:35:46 CST 2020] ===End cron===

通过浏览器我们可以看到证书的时间更新了,说明成功生成了。

网站灰度
CentOS 配置多个 GitHub 项目 SSH
往上