mkdir /home/wordpress/challenges
Then configure an HTTP server, using Nginx as the example:
server {
    server_name www.nomansky.xyz nomansky.xyz;
    location ^~ /.well-known/acme-challenge/ {
        alias /home/wordpress/challenges/;
        try_files $uri =404;
    }
    location / {
        rewrite ^/(.*)$ https://nomansky.xyz/$1 permanent;
    }
}
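The configuration above serves files from /home/wordpress/challenges/ for requests under /.well-known/acme-challenge/ and redirects every other request to the HTTPS address. Keep this validation service in place permanently, because later certificate renewals need it too.
Next, save acme-tiny into the ssl directory:
wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
Then run the script, passing the account private key, the CSR and the challenge directory:
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/wordpress/challenges/ > ./signed.crt
If the output looks like the figure below, the certificate was generated successfully.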

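Finally, download the Let's Encrypt intermediate certificate. When configuring an HTTPS certificate, do not leave out the intermediate certificate, and do not include the root certificate. In the Nginx configuration, the intermediate certificate and the site certificate have to be combined into one file:
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
So that OCSP Stapling can be enabled without trouble later, we also combine the root certificate and the intermediate certificate (this step can be skipped):
wget -O - https://letsencrypt.org/certs/isrgrootx1.pem > root.pem
cat intermediate.pem root.pem > full_chained.pem
Certificates issued by Let's Encrypt are valid for only 90 days, so renewing them periodically with a script is recommended. Create a renew_cert.sh and make it executable with chmod a+x renew_cert.sh. The file contents are as follows:
#!/bin/bash
cd /etc/nginx/ssl/ || exit
# Request a fresh certificate; stop here if issuance fails
python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /home/wordpress/challenges/ > signed.crt || exit
# Fetch the intermediate certificate and rebuild the chain
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
# Restart Nginx so it loads the new certificate
systemctl restart nginx
Then add a scheduled job to crontab:
0 0 1 * * /etc/nginx/ssl/renew_cert.sh >/dev/null 2>&1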
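The renewal script above redirects acme_tiny.py straight into signed.crt, so a failed run leaves that file empty. The following is an added example, not code from the original post or from acme-tiny: it builds the chain in a temporary file and renames it into place only when the output consists of complete PEM blocks. The names build_chain, is_pem_cert_file, fake_issue and fake_fail are hypothetical, and the demo data is constructed.

```shell
#!/bin/bash
# Added example. Usage: build_chain OUT INTERMEDIATE CMD [ARGS...]
# CMD is a stand-in for the acme_tiny.py call; it must print the signed cert.

is_pem_cert_file() {
    # True when the file has at least one PEM block and none is cut short.
    local b e
    b=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || b=0
    e=$(grep -c -e '-----END CERTIFICATE-----' "$1" 2>/dev/null) || e=0
    [ "$b" -ge 1 ] && [ "$b" -eq "$e" ]
}

build_chain() {
    local out intermediate tmp
    out=$1; intermediate=$2; shift 2
    is_pem_cert_file "$intermediate" || return 1
    tmp=$(mktemp "$out.XXXXXX") || return 1
    # Output goes to a temp file, so a failed run cannot truncate $out.
    if "$@" > "$tmp" && is_pem_cert_file "$tmp"; then
        cat "$intermediate" >> "$tmp"   # site certificate first, then intermediate
        chmod 644 "$tmp"
        mv -f "$tmp" "$out"             # rename within one directory is atomic
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Demo on constructed data: dummy PEM bodies, not real certificates.
demo_dir=$(mktemp -d)
fake_issue() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'U0lURQ==' '-----END CERTIFICATE-----'
}
fake_fail() { echo '-----BEGIN CERTIFICATE-----'; return 1; }
fake_issue | sed 's/U0lURQ==/SU5URVI=/' > "$demo_dir/intermediate.pem"

build_chain "$demo_dir/chained.pem" "$demo_dir/intermediate.pem" fake_issue \
    && echo "chain written"
build_chain "$demo_dir/chained.pem" "$demo_dir/intermediate.pem" fake_fail \
    || echo "renewal failed, previous chain kept"
```

In a real renew_cert.sh the restart of Nginx would run only when build_chain returns 0.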
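0x07 Download WordPress and configure Nginx
Download WordPress into the /home/wordpress/ directory:
wget https://wordpress.org/latest.tar.gz
Extract the WordPress files:
tar zxvf latest.tar.gz
Change the owner of the wordpress directory to the wordpress user:
chown -R wordpress:wordpress wordpress
Next, open the main configuration with vim /etc/nginx/nginx.conf and change the user Nginx runs as to wordpress:
···
user wordpress;
worker_processes auto;
···
Then, for the sake of decoupling, I comment out the server block in the main configuration file nginx.conf.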








