Get Let's Encrypt Cert In Five Minutes

Background

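I wanted to walk through SSO login in PHP to deepen my understanding. After configuring the client and the server, I clicked login on the client and found
that the server it redirects to uses the https protocol, so I needed to set up a free CA certificate. There is already a solution (link) in the community,
and I had previously configured it successfully with that method. But the configuration process was unpleasant for me (my own fault), so I looked for a more elegant method (found on GitHub).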

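1 Clone the repository (for ease of description, I downloaded it under /var/www)

git clone https://github.com/kaienkira/acme-client-quick.git /var/www/acme-client-quick

2 Configure the domains you want to validate

cd /var/www/acme-client-quick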

echo "example.com" >> domain.txt
echo "www.example.com" >> domain.txt

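3 Modify your site's configuration file (so the challenge files can be reached and your domain validated)

Add this to your configuration file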

location /.well-known/acme-challenge/ {
    default_type text/plain;
    alias /var/www/acme-client-quick/work/acme-challenge/;
    try_files $uri $uri/ =404;
}

My configuration file (using the site owner's server configuration)

server {
    listen 80;

    server_name sso.jc91715.top;

    root /var/www/html/sso.jc91715.top/public;

    index index.html index.htm index.php;
    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location /.well-known/acme-challenge/ {
        default_type text/plain;
        alias /var/www/acme-client-quick/work/acme-challenge/;
        try_files $uri $uri/ =404;
    }
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log /var/log/nginx/sso.jc91715.top-access.log;
    error_log  /var/log/nginx/sso.jc91715.top-error.log error;

    sendfile off;

    client_max_body_size 100m;

    include fastcgi.conf;
    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }   
}

4 Validate your site and generate the certificate

Port 80 is required

sudo service nginx stop

sudo ./quick-start.sh

5 Add the certificate to the configuration file

The following is added on top of the existing configuration

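# TLS is enabled on port 443 only; the existing "listen 80;" stays plain HTTP
# so the redirect below can answer (a server-wide "ssl on;" would break it).
listen 443 ssl;
ssl_certificate /var/www/acme-client-quick/cert/ssl.crt;
ssl_certificate_key /var/www/acme-client-quick/cert/ssl.key;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         HIGH:!aNULL:!MD5;
# Redirect any plain-HTTP request to HTTPS
if ($scheme != "https") {
    return 301 https://$host$request_uri;
}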

My configuration file

server {
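    listen 80;

    # TLS is enabled on port 443 only; port 80 stays plain HTTP so the
    # redirect below can answer (a server-wide "ssl on;" would break it).
    listen 443 ssl;
    ssl_certificate /var/www/acme-client-quick/cert/ssl.crt;
    ssl_certificate_key /var/www/acme-client-quick/cert/ssl.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    # Redirect any plain-HTTP request to HTTPS
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }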

    server_name sso.jc91715.top;
    root /var/www/html/sso.jc91715.top/public;

    index index.html index.htm index.php;
    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location /.well-known/acme-challenge/ {
        default_type text/plain;
        alias /var/www/acme-client-quick/work/acme-challenge/;
        try_files $uri $uri/ =404;
    }
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log /var/log/nginx/sso.jc91715.top-access.log;
    error_log  /var/log/nginx/sso.jc91715.top-error.log error;

    sendfile off;

    client_max_body_size 100m;

    include fastcgi.conf;
    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }   
}
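
A hardened variant of the configuration above, as an added example that is not the author's own configuration: ports 80 and 443 are split into separate server blocks, so the challenge path is served over plain HTTP while everything else is redirected, and only TLS 1.2 and 1.3 are offered. It assumes nginx 1.13.0 or later built against OpenSSL 1.1.1 or later (needed for TLSv1.3); the server name and paths are the ones used above.

```nginx
# Added example, not the author's configuration. server_name and paths are
# the ones used above; TLSv1.3 assumes nginx >= 1.13.0 with OpenSSL >= 1.1.1.

# Port 80: plain HTTP. Serves the ACME challenge files, redirects the rest.
server {
    listen 80;
    server_name sso.jc91715.top;

    location /.well-known/acme-challenge/ {
        default_type text/plain;
        alias /var/www/acme-client-quick/work/acme-challenge/;
        try_files $uri $uri/ =404;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS only.
server {
    listen 443 ssl;
    server_name sso.jc91715.top;

    ssl_certificate     /var/www/acme-client-quick/cert/ssl.crt;
    ssl_certificate_key /var/www/acme-client-quick/cert/ssl.key;
    # Weak setting from the page: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only 1.2 and 1.3 are offered.
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    root /var/www/html/sso.jc91715.top/public;
    index index.html index.htm index.php;
    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }
    # Logging, sendfile and client_max_body_size from the page's config go here unchanged.

    include fastcgi.conf;
    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
```

Run `sudo nginx -t` before reloading to confirm the installed nginx accepts the TLSv1.3 parameter.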

DONE

DEMO