以我 youcute.cn 为例,首先安装 acme 脚本 https://github.com/Neilpang/acme.sh。然后生成证书,将证书拷贝到相应的目录。

  • 因为我的 nginx 的配置只有 root 有权限,所以为图方便,acme.sh 也是安装在 root 的用户目录下
  • nginx 是从一个普通用户目录里读取 ssl 证书文件

生成多个证书

1
acme.sh --issue  -d youcute.cn -d liulidun.youcute.cn -d blog.youcute.cn -d jenkins.youcute.cn   --nginx

将证书拷到对应目录

1
acme.sh --installcert  -d  youcute.cn --key-file /home/jy/ssl/youcute.cn.key --fullchain-file /home/jy/ssl/fullchain.cer --reloadcmd  "service nginx force-reload"

Nginx 配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
gzip on;

include /etc/nginx/mime.types;
default_type application/octet-stream;

# 导入其他反向代理域名 server 配置
include /etc/nginx/conf.d/*.conf;

server {
listen 80 default_server;
listen [::]:80 default_server;
server_name youcute.cn www.youcute.cn;
root /home/jy/static_web/index/;
rewrite ^(.*) https://$server_name$1 permanent;

# 导入配置,例如 ssl.conf
include /etc/nginx/default.d/*.conf;

location / {
}

error_page 404 /404.html;
location = /40x.html {
}

error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}

server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name youcute.cn www.youcute.cn;
root /home/jy/static_web/index/;

include /etc/nginx/default.d/*.conf;

location / {
}

error_page 404 /404.html;
location = /40x.html {
}

error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}

}

SSL 配置放在了 default.d/ssl.conf

1
2
3
4
5
6
ssl_certificate "/home/jy/ssl/fullchain.cer";
ssl_certificate_key "/home/jy/ssl/youcute.cn.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

每个子域名的配置

例如 blog.youcute.cn

每个子域名也会去读取上面的 ssl 配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
server {
listen 80;
listen [::]:80;
server_name blog.youcute.cn;
root /home/jy/static_web/blog/;
#rewrite ^(.*) https://$server_name$1 permanent;

location / {
}
}

server {
listen 443;
listen [::]:443;
server_name blog.youcute.cn;
root /home/jy/static_web/blog/;
include /etc/nginx/default.d/*.conf;
}