
Requesting free SSL certificates automatically with acme.sh


1. Environment

  • Operating system: Rocky Linux 9.3
  • Nginx: 1.20.1
  • acme.sh: 3.0.8

2. Installing acme.sh

acme.sh is an open-source project; the repository is at https://github.com/acmesh-official/acme.sh

Run the following to install acme.sh:

curl https://get.acme.sh | sh -s email=190045431@qq.com
Example run:
[fotianmoyin@fotianmoyin-ecs ~]$ curl https://get.acme.sh | sh -s email=190045431@qq.com
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1032    0  1032    0     0    450      0 --:--:--  0:00:02 --:--:--   450
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  217k  100  217k    0     0   327k      0 --:--:-- --:--:-- --:--:--  327k
[Sat Feb 24 03:34:22 PM CST 2024] Installing from online archive.
[Sat Feb 24 03:34:22 PM CST 2024] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Sat Feb 24 03:34:24 PM CST 2024] Extracting master.tar.gz
[Sat Feb 24 03:34:24 PM CST 2024] It is recommended to install socat first.
[Sat Feb 24 03:34:24 PM CST 2024] We use socat for standalone server if you use standalone mode.
[Sat Feb 24 03:34:24 PM CST 2024] If you don't use standalone mode, just ignore this warning.
[Sat Feb 24 03:34:24 PM CST 2024] Installing to /home/fotianmoyin/.acme.sh
[Sat Feb 24 03:34:24 PM CST 2024] Installed to /home/fotianmoyin/.acme.sh/acme.sh
[Sat Feb 24 03:34:24 PM CST 2024] Installing alias to '/home/fotianmoyin/.bashrc'
[Sat Feb 24 03:34:24 PM CST 2024] OK, Close and reopen your terminal to start using acme.sh
[Sat Feb 24 03:34:24 PM CST 2024] Installing cron job
no crontab for fotianmoyin
no crontab for fotianmoyin
[Sat Feb 24 03:34:25 PM CST 2024] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Feb 24 03:34:26 PM CST 2024] OK
[Sat Feb 24 03:34:26 PM CST 2024] Install success!

3. Creating an Aliyun RAM API user

Log in to Aliyun, open the 【RAM (访问控制)】 menu and switch to the 【Users (用户)】 page, as shown below:
(figure: ram_user)
Click 【Create User (创建用户)】, enter the login name (acme) and the display name (acme.sh账号), and tick 【OpenAPI Access (OpenAPI调用访问)】, as shown below:
(figure: ram_user_new)
Click 【OK (确定)】. After the authorization check completes, the following page appears:
(figure: ram_user_done)
On this page, copy the AccessKey ID and the AccessKey Secret and keep them; they are needed later. You can also click 【Download CSV (下载CSV)】.
Click the 【user login name (用户登录名)】 to open the following screen:
(figure: ram_user_auth)
Switch to the 【Permissions (权限管理)】 tab and click 【Grant Permission (新增授权)】; the following dialog appears:
(figure: ram_user_auth_add)
Under 【System Policy (系统策略)】, search for "dns" and tick 【AliyunDNSFullAccess】. Click 【OK (确定)】.
(figure: ram_user_auth_done)
Click 【Finish (完成)】.

4. Configuring the RAM API credentials locally

Set the Aliyun AccessKey ID:

export Ali_Key="LTA3dR5DTtdY9f37WaK7CfMLq"
Set the Aliyun AccessKey Secret:
export Ali_Secret="RjFEE2LBfzYC9Hif3ElAsqPfaohw"

5. Issuing the certificate

Run the following command to issue the certificate (the wildcard name is quoted so the shell does not expand it as a glob):

./acme.sh --issue --dns dns_ali -d fotianmoyin.com -d '*.fotianmoyin.com'
Example run:
[fotianmoyin@fotianmoyin-ecs ~]$ ./.acme.sh/acme.sh --issue --dns dns_ali -d fotianmoyin.com -d *.fotianmoyin.com
[Sat Feb 24 03:38:30 PM CST 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Sat Feb 24 03:38:31 PM CST 2024] Create account key ok.
[Sat Feb 24 03:38:31 PM CST 2024] No EAB credentials found for ZeroSSL, let's get one
[Sat Feb 24 03:38:33 PM CST 2024] Registering account: https://acme.zerossl.com/v2/DV90
[Sat Feb 24 03:38:36 PM CST 2024] Registered
[Sat Feb 24 03:38:36 PM CST 2024] ACCOUNT_THUMBPRINT='mOcEZwc2x-RGQOmZGL4jpSBXiCJdToiXFXlIjUCfAiA'
[Sat Feb 24 03:38:36 PM CST 2024] Creating domain key
[Sat Feb 24 03:38:36 PM CST 2024] The domain key is here: /home/fotianmoyin/.acme.sh/fotianmoyin.com_ecc/fotianmoyin.com.key
[Sat Feb 24 03:38:36 PM CST 2024] Multi domain='DNS:fotianmoyin.com,DNS:*.fotianmoyin.com'
[Sat Feb 24 03:38:41 PM CST 2024] Getting webroot for domain='fotianmoyin.com'
[Sat Feb 24 03:38:41 PM CST 2024] Getting webroot for domain='*.fotianmoyin.com'
[Sat Feb 24 03:38:41 PM CST 2024] Adding txt value: erwhEh7ULydNxQxF2s2iohGt8DQPw262-tEWA5--Ts8 for domain:  _acme-challenge.fotianmoyin.com
[Sat Feb 24 03:38:44 PM CST 2024] The txt record is added: Success.
[Sat Feb 24 03:38:44 PM CST 2024] Adding txt value: J54a9r04N2q2aAQt8YShIQBJ1f09vdViz2QGSIvHnKA for domain:  _acme-challenge.fotianmoyin.com
[Sat Feb 24 03:38:47 PM CST 2024] The txt record is added: Success.
[Sat Feb 24 03:38:47 PM CST 2024] Let's check each DNS record now. Sleep 20 seconds first.
[Sat Feb 24 03:39:08 PM CST 2024] You can use '--dnssleep' to disable public dns checks.
[Sat Feb 24 03:39:08 PM CST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Sat Feb 24 03:39:08 PM CST 2024] Checking fotianmoyin.com for _acme-challenge.fotianmoyin.com
[Sat Feb 24 03:39:09 PM CST 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sat Feb 24 03:39:16 PM CST 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28
[Sat Feb 24 03:39:16 PM CST 2024] Domain fotianmoyin.com '_acme-challenge.fotianmoyin.com' success.
[Sat Feb 24 03:39:16 PM CST 2024] Checking fotianmoyin.com for _acme-challenge.fotianmoyin.com
[Sat Feb 24 03:39:17 PM CST 2024] Domain fotianmoyin.com '_acme-challenge.fotianmoyin.com' success.
[Sat Feb 24 03:39:17 PM CST 2024] All success, let's return
[Sat Feb 24 03:39:17 PM CST 2024] Verifying: fotianmoyin.com
[Sat Feb 24 03:39:19 PM CST 2024] Processing, The CA is processing your order, please just wait. (1/30)
[Sat Feb 24 03:39:24 PM CST 2024] Success
[Sat Feb 24 03:39:24 PM CST 2024] Verifying: *.fotianmoyin.com
[Sat Feb 24 03:39:26 PM CST 2024] Processing, The CA is processing your order, please just wait. (1/30)
[Sat Feb 24 03:39:30 PM CST 2024] Success
[Sat Feb 24 03:39:30 PM CST 2024] Removing DNS records.
[Sat Feb 24 03:39:31 PM CST 2024] Removing txt: erwhEh7ULydNxQxF2s2iohGt8DQPw262-tEWA5--Ts8 for domain: _acme-challenge.fotianmoyin.com
[Sat Feb 24 03:39:34 PM CST 2024] Removed: Success
[Sat Feb 24 03:39:34 PM CST 2024] Removing txt: J54a9r04N2q2aAQt8YShIQBJ1f09vdViz2QGSIvHnKA for domain: _acme-challenge.fotianmoyin.com
[Sat Feb 24 03:39:38 PM CST 2024] Removed: Success
[Sat Feb 24 03:39:38 PM CST 2024] Verify finished, start to sign.
[Sat Feb 24 03:39:38 PM CST 2024] Lets finalize the order.
[Sat Feb 24 03:39:38 PM CST 2024] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/LYMUVY3mgJoXXngJ0Dx6bg/finalize'
[Sat Feb 24 03:39:39 PM CST 2024] Order status is processing, lets sleep and retry.
[Sat Feb 24 03:39:39 PM CST 2024] Retry after: 15
[Sat Feb 24 03:39:55 PM CST 2024] Polling order status: https://acme.zerossl.com/v2/DV90/order/LYMUVY3mgJoXXngJ0Dx6bg
[Sat Feb 24 03:39:57 PM CST 2024] Downloading cert.
[Sat Feb 24 03:39:57 PM CST 2024] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/nb29NHqWtzseyNSTVvHnVw'
[Sat Feb 24 03:39:59 PM CST 2024] Cert success.
[Sat Feb 24 03:39:59 PM CST 2024] Your cert is in: /home/fotianmoyin/.acme.sh/fotianmoyin.com_ecc/fotianmoyin.com.cer
[Sat Feb 24 03:39:59 PM CST 2024] Your cert key is in: /home/fotianmoyin/.acme.sh/fotianmoyin.com_ecc/fotianmoyin.com.key
[Sat Feb 24 03:39:59 PM CST 2024] The intermediate CA cert is in: /home/fotianmoyin/.acme.sh/fotianmoyin.com_ecc/ca.cer
[Sat Feb 24 03:39:59 PM CST 2024] And the full chain certs is there: /home/fotianmoyin/.acme.sh/fotianmoyin.com_ecc/fullchain.cer
Once the certificate has been issued, the files can be found in the .acme.sh/fotianmoyin.com_ecc directory:
[fotianmoyin@fotianmoyin-ecs ~]$ ll .acme.sh/fotianmoyin.com_ecc
total 32
-rw-r--r-- 1 fotianmoyin fotianmoyin 2668 Feb 24 15:39 ca.cer
-rw-r--r-- 1 fotianmoyin fotianmoyin 1476 Feb 24 15:39 fotianmoyin.com.cer
-rw-r--r-- 1 fotianmoyin fotianmoyin  575 Feb 24 15:39 fotianmoyin.com.conf
-rw-r--r-- 1 fotianmoyin fotianmoyin  497 Feb 24 15:38 fotianmoyin.com.csr
-rw-r--r-- 1 fotianmoyin fotianmoyin  210 Feb 24 15:38 fotianmoyin.com.csr.conf
-rw------- 1 fotianmoyin fotianmoyin  227 Feb 24 15:38 fotianmoyin.com.key
-rw-r--r-- 1 fotianmoyin fotianmoyin 4144 Feb 24 15:39 fullchain.cer

Note: an nginx service must be installed locally while the certificate is being generated.
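As an added example (not from the original post or from acme.sh itself), the following POSIX shell script checks the files acme.sh leaves in the certificate directory before nginx is pointed at them: that the private key is not group- or world-readable, that the leaf certificate actually belongs to that key, that it carries both the apex and the wildcard name, and that it is not close to expiry. The paths follow the layout acme.sh prints above; `check_acme_cert` and its helper names are chosen here.

```shell
#!/bin/sh
# Added example, not part of the original post or of acme.sh: sanity-check the
# files acme.sh produced. Assumed layout is the one acme.sh printed above:
#   <dir>/<domain>.key  <dir>/<domain>.cer  <dir>/fullchain.cer
# Usage: sh check_acme_cert.sh ~/.acme.sh/fotianmoyin.com_ecc fotianmoyin.com [min_days]
set -u

# 0 if the file exists and neither group nor others hold any permission bit
# (columns 5-10 of the ls -l mode string, e.g. -rw------- for the key above).
file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 if the public key inside certificate $1 equals the one derived from private key $2.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if certificate $1 lists DNS:$2 in subjectAltName (fixed-string match, so "*.x" is safe).
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qFx "DNS:$2"
}

# 0 if certificate $1 is still valid $2 days from now (-checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs every check for one acme.sh certificate directory, prints each failure,
# and returns the number of failed checks (0 means everything passed).
check_acme_cert() {
    dir=$1; domain=$2; min_days=${3:-14}; fails=0
    key="$dir/$domain.key"; leaf="$dir/$domain.cer"; chain="$dir/fullchain.cer"
    file_is_private "$key"           || { echo "FAIL: $key is readable by group/others"; fails=$((fails+1)); }
    cert_matches_key "$leaf" "$key"  || { echo "FAIL: $leaf does not belong to $key"; fails=$((fails+1)); }
    cert_has_san "$leaf" "$domain"   || { echo "FAIL: $leaf lacks DNS:$domain"; fails=$((fails+1)); }
    cert_has_san "$leaf" "*.$domain" || { echo "FAIL: $leaf lacks DNS:*.$domain"; fails=$((fails+1)); }
    cert_valid_for_days "$leaf" "$min_days" || { echo "FAIL: $leaf expires within $min_days days"; fails=$((fails+1)); }
    [ -s "$chain" ] || { echo "FAIL: $chain is missing or empty"; fails=$((fails+1)); }
    if [ "$fails" -eq 0 ]; then echo "OK: $leaf passed all checks"; fi
    return "$fails"
}

if [ "$#" -ge 2 ]; then check_acme_cert "$@"; fi
```

The same file_is_private check is worth running on ~/.acme.sh/account.conf, where acme.sh persists the Ali_Key and Ali_Secret exported above so that renewals can run unattended.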