Batch-issuing Nginx SSL certificates with acme.sh


0. Download and install

# my@example.com is a placeholder; use your own address
curl https://get.acme.sh | sh -s email=my@example.com
ln -s /root/.acme.sh/acme.sh /usr/bin/

1. Nginx configuration: be sure to add the following lines to the configuration file of the server_name you are requesting a certificate for

# ACME HTTP-01 validation requests /.well-known/acme-challenge/<token>
location ~ \.well-known{
    allow all;
}



2. Make sure every domain resolves to the IP of the server that requests the certificate, and that the nginx service is running.

The -w option takes the web root directory of the domains; that directory must contain a .well-known directory.

mkdir -p /usr/share/nginx/html/.well-known
acme.sh --issue -d a.com -d b.com -d n.com -w /usr/share/nginx/html
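
A preflight for step 2, as an added example that is not part of the original post: it writes a probe file under the web root, fetches it through each domain over HTTP, and calls acme.sh --issue only if every domain serves it. The names fetch, preflight, issue_batch and the ACME variable are made up for this sketch; the web root and domains are the page's sample values.

```shell
#!/bin/sh
# Added example (not from the original post): preflight + batch issue.
# WEBROOT and the domains are the page's sample values; fetch(), preflight(),
# issue_batch() and the ACME variable are names made up for this sketch.
WEBROOT="${WEBROOT:-/usr/share/nginx/html}"
ACME="${ACME:-acme.sh}"

# fetch URL: print the response body. Plain HTTP, because HTTP-01
# validation first connects to port 80 of each domain.
fetch() { curl -fsS --max-time 10 "$1"; }

# preflight WEBROOT DOMAIN...: print each domain that serves a probe file
# written into WEBROOT; exit status 1 if any domain does not.
preflight() (
    webroot=$1; shift
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$$-$(date +%s)"
    mkdir -p "$dir" || exit 2
    printf '%s' "$token" > "$dir/$token"
    rc=0
    for d in "$@"; do
        body=$(fetch "http://$d/.well-known/acme-challenge/$token" 2>/dev/null) || body=
        if [ "$body" = "$token" ]; then
            echo "$d"
        else
            echo "FAIL: $d does not serve files from $webroot" >&2
            rc=1
        fi
    done
    rm -f "$dir/$token"      # never leave probe files in the web root
    exit "$rc"
)

# issue_batch WEBROOT DOMAIN...: request one certificate for all domains,
# but only when every domain passed the preflight.
issue_batch() (
    webroot=$1; shift
    preflight "$webroot" "$@" >/dev/null || exit 1
    # Rewrite "a.com b.com" into "-d a.com -d b.com" without bash arrays.
    for d in "$@"; do set -- "$@" -d "$d"; shift; done
    $ACME --issue "$@" -w "$webroot"
)

if [ "$#" -gt 0 ]; then issue_batch "$WEBROOT" "$@"; fi
```

Run it as `sh preflight.sh a.com b.com n.com`; a domain that points at another server or lacks the location block is reported before any validation request is sent.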

3. When the command finishes, the certificate for the domains has been generated

The files are: /root/.acme.sh/domain/fullchain.cer and domain.key

4. Configure the certificate in nginx

ssl_certificate        conf/key/domain/fullchain.cer;
ssl_certificate_key conf/key/domain/domain.com.key;
# TLSv1.1 dropped: TLS 1.0 and 1.1 are deprecated (RFC 8996)
ssl_protocols TLSv1.2 TLSv1.3;

5. Forward certificate validation requests to a central certificate-issuing server

Nginx forwarding configuration

server_name aaa.hello.com;
......
location ~ \.well-known{
    proxy_pass http://your-cert-server;
    allow all;
}

Apache forwarding configuration

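# The [P] flag needs mod_rewrite, mod_proxy and mod_proxy_http loaded
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/\.well-known/
    # In VirtualHost context the path starts with "/"; match it outside the group to avoid "//"
    RewriteRule ^/(.*)$ http://your-cert-server/$1 [P]
</VirtualHost>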