Request a free Let's Encrypt wildcard certificate with acme.sh and configure nginx to use it.

1. Install acme.sh

curl https://get.acme.sh | sh
# or
wget -O - https://get.acme.sh | sh

2. Choose the certificate authority

# ZeroSSL (requires registering an e-mail address)
acme.sh --register-account -m your@email.com

# Let's Encrypt (no e-mail address needed)
# acme.sh --set-default-ca --server letsencrypt

3. Configure the DNS API (Alibaba Cloud shown here)

export Ali_Key="your_key"
export Ali_Secret="your_secret"

4. Issue the certificate

# Quote the wildcard so the shell does not glob-expand "*.example.com"
acme.sh --issue --dns dns_ali -d example.com -d '*.example.com'

5. Install the certificate for nginx

acme.sh --install-cert -d example.com \
  --key-file /etc/nginx/cert/example.com.key.pem \
  --fullchain-file /etc/nginx/cert/example.com.fullchain.pem \
  --reloadcmd "service nginx reload"

6. Configure nginx

vim /etc/nginx/conf.d/example.com.conf

# HTTP → HTTPS redirect
server {
    listen 80;
    server_name example.com www.example.com;
    root /home/www/example.com/html;

    location /.well-known/acme-challenge/ {
        allow all;
        default_type "text/plain";
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS main site
server {
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/cert/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/cert/example.com.key.pem;

    root /home/www/example.com/html;
}

Test the configuration and reload:

nginx -t && nginx -s reload
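Once --install-cert has written the files, it is worth confirming that what nginx will serve is actually right: that the chain covers both example.com and *.example.com, that the key belongs to that certificate, and that the certificate is not close to expiry. The script below is an added example and not part of the original how-to or of acme.sh; it assumes the key and full-chain paths from step 5 under CERT_DIR (/etc/nginx/cert on a real host) and, when CERT_DIR is unset, builds a constructed self-signed stand-in with the same two SANs so it runs offline. The wildcard check follows the usual single-label rule: *.example.com covers www.example.com but neither example.com nor a.b.example.com.

```shell
#!/bin/sh
# Added example: post-install checks for the certificate acme.sh wrote for nginx.
# Assumption: CERT_DIR=/etc/nginx/cert on a real host; unset, a constructed
# self-signed fixture with the same SANs as the page (example.com, *.example.com)
# is generated in a temp dir so the checks can be exercised offline.

CERT_DIR=${CERT_DIR:-$(mktemp -d)}
KEY="$CERT_DIR/example.com.key.pem"
CERT="$CERT_DIR/example.com.fullchain.pem"

if [ ! -f "$CERT" ]; then
    # Constructed fixture: 90-day self-signed certificate, not a real issued one.
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -keyout "$KEY" -out "$CERT" -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:*.example.com" >/dev/null 2>&1
fi

cert_sans() {
    # Print one DNS SAN per line, e.g. "example.com" and "*.example.com".
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^, ]*\).*/\1/p'
}

cert_covers() {
    # Return 0 if host $2 is covered by a SAN of cert $1: exact match, or a
    # wildcard SAN whose "*" stands for exactly one leftmost label.
    host=$2
    parent=${host#*.}
    cert_sans "$1" | {
        while read -r san; do
            [ "$san" = "$host" ] && exit 0
            case $san in
                '*.'*) [ "${san#\*.}" = "$parent" ] && [ "$parent" != "$host" ] && exit 0 ;;
            esac
        done
        exit 1
    }
}

key_matches_cert() {
    # Return 0 if private key $1 and certificate $2 carry the same public key.
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

cert_expires_within() {
    # Return 0 if certificate $1 expires within $2 days
    # (openssl -checkend succeeds only when the cert is still valid after that time).
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

check_install() {
    # Run every check for the names the certificate was issued for; non-zero on any failure.
    status=0
    for name in example.com www.example.com; do
        if cert_covers "$CERT" "$name"; then
            echo "ok    $name is covered by a SAN"
        else
            echo "FAIL  $name is not covered by any SAN"; status=1
        fi
    done
    if key_matches_cert "$KEY" "$CERT"; then
        echo "ok    key matches certificate"
    else
        echo "FAIL  key does not match certificate"; status=1
    fi
    if cert_expires_within "$CERT" 30; then
        echo "WARN  certificate expires within 30 days"; status=1
    else
        echo "ok    more than 30 days of validity left"
    fi
    return $status
}

check_install
```

Run it as `CERT_DIR=/etc/nginx/cert sh check-cert.sh` after step 5; a non-zero exit means nginx should not be reloaded with those files. Pairing it with the --reloadcmd (for example as a wrapper that runs the checks first) keeps a bad renewal from being served.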
