FILE TREE

[screenshot of the resulting file tree: Screen-Shot-2019-05-08-at-18.35.48]

IN SSL DIR

Create an RSA private key that identifies your account to Let's Encrypt (the account key; keep it separate from the domain key, since it authorises every future issuance and revocation for the account):

openssl genrsa 4096 > account.key

Create the CSR file

  1. Create the RSA private key for the domain (RSA rather than ECDSA for the widest client compatibility)
    openssl genrsa 4096 > domain.key

  2. Generate the CSR file (the subject is left empty; the host names go into the subjectAltName extension, which is what Let's Encrypt validates. The <(...) process substitution needs bash, and /etc/ssl/openssl.cnf is the Debian/Ubuntu location of the default config)
    openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:skylan.wang,DNS:www.skylan.wang")) > domain.csr

Both .key files are secrets: redirecting the genrsa output creates them with the default umask, so restrict them to their owner (mode 600) before going any further.

IN CHALLENGE DIR

Create the directory that will hold the ACME challenge files, for example:

mkdir ~/Workon/Site/www/challenges

Nginx Config

    # Plain-HTTP server: serves the ACME challenge files and redirects everything else to HTTPS.
    server {
        listen 80;
        server_name skylan.wang www.skylan.wang;
        # Let's Encrypt fetches http://<host>/.well-known/acme-challenge/<token>;
        # the alias must be the same directory passed to acme-tiny as --acme-dir.
        location /.well-known/acme-challenge/ {
            alias /home/ubuntu/Workon/Site/www/challenges/;
            try_files $uri =404;
        }
        # The longer prefix above wins, so challenge requests stay on HTTP and are never redirected.
        location / {
            rewrite ^/(.*)$ https://skylan.wang/$1 permanent;
        }
    }

acme-tiny in SSL DIR

acme-tiny is a single, short Python script, and it is fetched here from the master branch: read it (or pin a release tag and check it) before running it, and run it as an unprivileged user that can read account.key and write to the challenge directory, not as root.

wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/ubuntu/Workon/Site/www/challenges/ > ./signed.crt

The intermediate must be the certificate that actually issued signed.crt. Let's Encrypt Authority X3 was current when this was written, but the intermediates are rotated (the current ones are listed at https://letsencrypt.org/certificates/), so check the Issuer of signed.crt rather than assuming X3. Recent acme-tiny releases already write the leaf followed by the intermediate; if signed.crt contains two certificates, skip the concatenation below.

wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem

Leaf first, then intermediate: that is the order nginx expects in ssl_certificate.

cat signed.crt intermediate.pem > chained.pem
wget -O - https://letsencrypt.org/certs/isrgrootx1.pem > root.pem

full_chained.pem (intermediate plus root, no leaf) is not used by the final config below; it is the file to give nginx as ssl_trusted_certificate if OCSP stapling is enabled later.

cat intermediate.pem root.pem > full_chained.pem
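The CSR step and the chain-assembly step above are easy to get subtly wrong (SAN missing from the request, wrong intermediate, bundle in the wrong order, key that does not match the certificate), and the mistake only shows up once nginx is reloaded. The script below is an added example, not code from the page or from the acme-tiny project: it rehearses both steps offline against a constructed two-level test CA and then runs the three checks worth doing on the real files before they go into nginx. It assumes openssl (1.1.1 or newer) is on PATH; the host names are the page's, while "Test Root" and "Test Intermediate" are made-up stand-ins for ISRG Root X1 and the Let's Encrypt intermediate.

```shell
#!/bin/sh
# Added example, not part of the original page: rehearse the CSR and
# chain-assembly steps against a throwaway local CA so the result can be
# checked offline before anything touches Let's Encrypt or nginx.
# Assumptions: openssl (1.1.1 or newer) is on PATH; "Test Root" and
# "Test Intermediate" are constructed stand-ins for the real CA certificates.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config carrying the same [SAN] section the page appends to
# /etc/ssl/openssl.cnf, plus a CA extension section for the test hierarchy.
cat > test.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[SAN]
subjectAltName = DNS:skylan.wang,DNS:www.skylan.wang
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# 1. Domain key + CSR exactly as on the page: empty subject, names only in the SAN.
openssl genrsa -out domain.key 2048 2>/dev/null
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN \
    -config test.cnf -out domain.csr

# 2. Constructed two-level CA standing in for Let's Encrypt (root -> intermediate).
openssl req -x509 -new -sha256 -nodes -newkey rsa:2048 -keyout root.key \
    -out root.pem -subj "/CN=Test Root" -days 2 \
    -config test.cnf -extensions v3_ca 2>/dev/null
openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout intermediate.key \
    -out intermediate.csr -subj "/CN=Test Intermediate" -config test.cnf 2>/dev/null
openssl x509 -req -sha256 -in intermediate.csr -CA root.pem -CAkey root.key \
    -set_serial 1 -days 2 -extfile test.cnf -extensions v3_ca \
    -out intermediate.pem 2>/dev/null
# "openssl x509 -req" does not copy the SAN out of the CSR, so the same SAN
# section is passed again at signing time (a real CA takes it from the CSR).
openssl x509 -req -sha256 -in domain.csr -CA intermediate.pem \
    -CAkey intermediate.key -set_serial 2 -days 2 \
    -extfile test.cnf -extensions SAN -out signed.crt 2>/dev/null

# 3. Assemble the bundles in the page's order, plus a deliberately wrong one.
cat signed.crt intermediate.pem > chained.pem
cat intermediate.pem root.pem > full_chained.pem
cat intermediate.pem signed.crt > wrong_order.pem

# Check 1: the leaf chains to the root through the intermediate (what a client verifies).
chain_ok() { # $1 root, $2 intermediate, $3 leaf
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Check 2: the private key and the certificate carry the same public key.
key_matches() { # $1 key, $2 cert
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 3: nginx uses the first certificate in ssl_certificate as the server
# certificate, so the first PEM block of the bundle must carry the SAN.
leaf_first() { # $1 bundle, $2 expected DNS name
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

if chain_ok root.pem intermediate.pem signed.crt \
   && key_matches domain.key signed.crt \
   && leaf_first chained.pem www.skylan.wang \
   && ! leaf_first wrong_order.pem www.skylan.wang; then
    echo "chain, key and bundle order are consistent"
fi
```

On the real files the three functions apply unchanged: chain_ok root.pem intermediate.pem signed.crt tells you whether the downloaded intermediate is the one that issued the certificate, key_matches domain.key signed.crt catches a CSR made from a different key, and leaf_first chained.pem www.skylan.wang catches a bundle concatenated in the wrong order.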

FINALLY

nginx config

server {
    listen 443 ssl;
    server_name skylan.wang www.skylan.wang;

    # "ssl on;" is not needed with "listen 443 ssl" (deprecated in nginx 1.15.0 and later removed), so it is omitted.
    # Leaf certificate followed by the intermediate. When nginx is started as root the
    # master process reads the key, so domain.key can stay root-owned with mode 600.
    ssl_certificate /home/ubuntu/Workon/Site/www/ssl/chained.pem;
    ssl_certificate_key /home/ubuntu/Workon/Site/www/ssl/domain.key;
    ssl_session_timeout 5m;

    location / {
        proxy_pass http://127.0.0.1:3001;
    }
}

No ssl_protocols or ssl_ciphers are set, so the defaults of the installed nginx build apply, and no HSTS header is sent; review both before exposing the site. Run nginx -t and reload after editing, and remember the certificate is valid for 90 days, so the acme-tiny step needs to be repeated (typically from cron) well before expiry.