ACME on Rickyhttps://linzeyan.github.io/zh-tw/categories/acme/Recent content in ACME on RickyHugo -- gohugo.iozh-twMon, 20 Oct 2025 16:31:00 +0800NGINX 原生 ACME 支持:从根本上重塑 TLS 自动化部署https://linzeyan.github.io/zh-tw/posts/2025/20251020-nginx-acme-module/Mon, 20 Oct 2025 16:31:00 +0800https://linzeyan.github.io/zh-tw/posts/2025/20251020-nginx-acme-module/<ul> <li><a href="https://sconts.com/post/nginx-native-acme-support/" target="_blank" rel="noopener">NGINX 原生 ACME 支持:从根本上重塑 TLS 自动化部署</a></li> </ul> <h2 id="ngx_http_acme_module"><code>ngx_http_acme_module</code></h2> <ul> <li>NGINX 1.25.1</li> </ul> <h2 id="pre-install">pre-install</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 在 Debian/Ubuntu 系统上安装基础编译工具和 NGINX 依赖</span> </span></span><span style="display:flex;"><span>sudo apt update </span></span><span style="display:flex;"><span>sudo apt install build-essential libpcre3-dev zlib1g-dev libssl-dev pkg-config libclang-dev git -y </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 安装 Rust 工具链 (cargo 和 rustc)</span> </span></span><span style="display:flex;"><span>curl --proto <span style="color:#e6db74">&#39;=https&#39;</span> --tlsv1.2 -sSf https://sh.rustup.rs | sh </span></span><span style="display:flex;"><span>source $HOME/.cargo/env </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>mkdir -pv /app/nginx/<span style="color:#f92672">{</span>logs,conf,cache, acme<span style="color:#f92672">}</span> /app/nginx-build </span></span><span style="display:flex;"><span>cd /app/nginx-build </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 克隆 ACME 模块的源码</span> </span></span><span style="display:flex;"><span>git clone https://github.com/nginx/nginx-acme.git /app/nginx-build/nginx-acme </span></span><span style="display:flex;"><span><span style="color:#75715e"># 或者</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># git clone git@github.com:nginx/nginx-acme.git /app/nginx-build/nginx-acme</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 下载 NGINX 源码(请替换为您需要的版本)</span> </span></span><span style="display:flex;"><span>wget https://nginx.org/download/nginx-1.28.0.tar.gz </span></span><span style="display:flex;"><span>tar -zxf nginx-1.28.0.tar.gz </span></span></code></pre></div><h2 id="compile">compile</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cd nginx-1.28.0 </span></span><span style="display:flex;"><span>./configure <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --prefix<span style="color:#f92672">=</span>/app/nginx <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --error-log-path<span style="color:#f92672">=</span>/app/nginx/error.log <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --http-log-path<span style="color:#f92672">=</span>/app/nginx/access.log <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --pid-path<span style="color:#f92672">=</span>/app/nginx/nginx.pid <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --lock-path<span style="color:#f92672">=</span>/app/nginx/nginx.lock <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --http-client-body-temp-path<span style="color:#f92672">=</span>/app/nginx/cache/client_temp <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --http-proxy-temp-path<span style="color:#f92672">=</span>/app/nginx/cache/proxy_temp <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --http-fastcgi-temp-path<span style="color:#f92672">=</span>/app/nginx/cache/fastcgi_temp <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --http-uwsgi-temp-path<span style="color:#f92672">=</span>/app/nginx/cache/uwsgi_temp <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --http-scgi-temp-path<span style="color:#f92672">=</span>/app/nginx/cache/scgi_temp <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --user<span style="color:#f92672">=</span>nginx <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --group<span style="color:#f92672">=</span>nginx <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-compat <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-file-aio <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-threads <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_addition_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_auth_request_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_dav_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_flv_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_gunzip_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_gzip_static_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_mp4_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_random_index_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_realip_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_secure_link_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_slice_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_ssl_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_stub_status_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_sub_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_v2_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_v3_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-mail <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-mail_ssl_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-stream <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-stream_realip_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-stream_ssl_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-stream_ssl_preread_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-cc-opt<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;-g -O2 -ffile-prefix-map=/home/builder/debuild/nginx-1.28.0/debian/debuild-base/nginx-1.28.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC&#39;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-ld-opt<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie&#39;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --add-dynamic-module<span style="color:#f92672">=</span>/app/nginx-build/nginx-acme </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>make <span style="color:#f92672">&amp;&amp;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> make modules <span style="color:#f92672">&amp;&amp;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> make install </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 运行配置脚本,这里的关键是 --add-dynamic-module</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 注意:您需要在这里包含您当前 NGINX 已有的所有编译参数,可以通过 nginx -V 查看</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 编译模块,注意是 make modules 而不是 make install</span> </span></span></code></pre></div><h2 id="config">config</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#75715e"># /app/nginx/conf/nginx.conf </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">user</span> <span style="color:#e6db74">nginx</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">error_log</span> <span style="color:#e6db74">error.log</span> <span style="color:#e6db74">debug</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">pid</span> <span style="color:#e6db74">nginx.pid</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">load_module</span> <span style="color:#e6db74">modules/ngx_http_acme_module.so</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">events</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">worker_connections</span> <span style="color:#ae81ff">1024</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">multi_accept</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">http</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">include</span> <span style="color:#e6db74">mime.types</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">default_type</span> <span style="color:#e6db74">application/octet-stream</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">log_format</span> <span style="color:#e6db74">main</span> <span style="color:#e6db74">&#39;</span>$remote_addr <span style="color:#e6db74">-</span> $remote_user <span style="color:#e6db74">[</span>$time_local] <span style="color:#e6db74">&#34;</span>$host&#34; <span style="color:#e6db74">&#34;</span>$request&#34; <span style="color:#e6db74">&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;</span>$status $body_bytes_sent <span style="color:#e6db74">&#34;</span>$http_referer&#34; <span style="color:#e6db74">&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;</span>$http_user_agent&#34; <span style="color:#e6db74">&#34;</span>$http_x_forwarded_for&#34;&#39;; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">access_log</span> <span style="color:#e6db74">access.log</span> <span style="color:#e6db74">main</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">sendfile</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">tcp_nopush</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">charset</span> <span style="color:#e6db74">utf-8</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">keepalive_timeout</span> <span style="color:#ae81ff">65</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">gzip</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">resolver</span> 8.8.8.8 1.1.1.1; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># 定义一个名为 letsencrypt 的 ACME 颁发机构实例 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">acme_issuer</span> <span style="color:#e6db74">letsencrypt</span> { </span></span><span style="display:flex;"><span> <span style="color:#75715e"># 指定 ACME 服务提供商的目录 URL,这里是 Let&#39;s Encrypt 的生产环境 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">uri</span> <span style="color:#e6db74">https://acme-v02.api.letsencrypt.org/directory</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># 提供一个联系邮箱,用于接收 CA 的重要通知(如证书即将过期) </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">contact</span> <span style="color:#e6db74">mailto:security-alerts@aidig.co</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># 指定状态文件的存储路径,用于保存 ACME 账户密钥,非常重要 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">state_path</span> <span style="color:#e6db74">acme/letsencrypt</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># 同意服务条款,对于 Let&#39;s Encrypt 等 CA 这是必需的步骤 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">accept_terms_of_service</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#75715e"># 可选指令 acme_shared_zone,用于存储所有配置的证书颁发者的证书、私钥和挑战数据。该区域默认大小为 256K,可根据需要增加 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">acme_shared_zone</span> <span style="color:#e6db74">zone=acme_shared:1M</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">443</span> <span style="color:#e6db74">ssl</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">ssl.aidig.co</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># 步骤一:声明此 server 块启用 ACME,并指定使用上面定义的 letsencrypt 颁发机构 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">acme_certificate</span> <span style="color:#e6db74">letsencrypt</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># 步骤二:使用动态变量加载由 ACME 模块在内存中管理的证书和私钥 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">ssl_certificate</span> $acme_certificate; </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_certificate_key</span> $acme_certificate_key; </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_certificate_cache</span> <span style="color:#e6db74">max=2</span>; <span style="color:#75715e"># required ngx 1.27.4+ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">default_type</span> <span style="color:#e6db74">text/plain</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">return</span> <span style="color:#ae81ff">200</span> <span style="color:#e6db74">&#39;OK&#39;</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">80</span> <span style="color:#e6db74">default_server</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">_</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># ACME 模块会自动处理 /.well-known/acme-challenge/ 的请求,此 location 用于处理所有其他请求 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">return</span> <span style="color:#ae81ff">301</span> <span style="color:#e6db74">https://</span>$host$request_uri; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div>