Let’s Encrypt 免费HTTPS（getssl）

为了在您的网站上启用 HTTPS，您需要从证书颁发机构（CA）获取证书（一种文件）。Let’s Encrypt 是一个证书颁发机构（CA）。要从 Let’s Encrypt 获取您网站域名的证书，您必须证明您对域名的实际控制权。您可以在您的 Web 主机上运行使用 ACME 协议的软件来获取 Let’s Encrypt 证书。

为了找出最适合您获取证书的方法，您需要知道您是否拥有服务器的命令行访问权限（注：链接为英文）（有时也被被称为 SSH 访问权限）。如果您仅使用控制面板（例如 cPanel、Plesk 或 WordPress）管理您的网站，您很有可能没有命令行访问权限。您可以联系您的托管服务提供商确认。

 

ACME客户端getssl开启HTTPS步骤如下：

• 步骤一：

 

curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > getssl ; chmod 700 getssl

或者
git clone https://github.com/srvrco/getssl.git

• 步骤二：

./getssl -c yourdomain.com

 

• 步骤三：

vim ~/.getssl/yourdomain.com/getssl.cfg

#测试环境API
#CA="https://acme-staging-v02.api.letsencrypt.org
#正式签发API
CA="https://acme-v02.api.letsencrypt.org/directory"
SANS="www.aymar.cn"
USE_SINGLE_ACL="true"
ACL=('/var/www/html/.well-known/acme-challenge')
DOMAIN_CERT_LOCATION="/var/www/html/aymar.cn.crt"
DOMAIN_KEY_LOCATION="/var/www/html/aymar.cn.key"

 

速率限制

测试环境使用与生产环境类似的速率限制，但具体数据有所变化：

• 每个注册域名允许颁发的证书数量限制为每周 30000 张。
• 重复证书限制为每周 30000 张。
• 每小时允许 60 次验证失败。
• 每个 IP 地址注册账户数量限制为每个 IP 每 3 小时允许注册 50 个账户。
• 对于 ACME v2，新订单限制为每个帐户每 3 小时 1500 个。

• 步骤四：

创建网址站根目录/.well-known/acme-challenge

mkdir -p /var/www/html/.well-known/acme-challenge
chown -R nginx:nginx /var/www/html/.well-known/

 

• 步骤五：
  

 

getssl yourdomain.com
systemctl force-reload nginx 

done!

 

自动续签：

crontab -e

23  5 * * * /root/scripts/getssl -u -a -q

 

 

 

getssl ver. 2.02
Obtain SSL certificates from the letsencrypt.org ACME server

Usage: getssl [-h|--help] [-d|--debug] [-c|--create] [-f|--force] [-a|--all] [-q|--quiet] [-Q|--mute] [-u|--upgrade] [-k|--keep #] [-U|--nocheck] [-r|--revoke cert key] [-w working_dir] domain

Options:
  -a, --all          Check all certificates
  -d, --debug        Outputs debug information
  -c, --create       Create default config files
  -f, --force        Force renewal of cert (overrides expiry checks)
  -h, --help         Display this help message and exit
  -q, --quiet        Quiet mode (only outputs on error, success of new cert, or getssl was upgraded)
  -Q, --mute         Like -q, but mutes notification about successful upgrade
  -r, --revoke   "cert" "key" [CA_server] Revoke a certificate (the cert and key are required)
  -u, --upgrade      Upgrade getssl if a more recent version is available - can be used with or without domain(s)
  -k, --keep     "#" Maximum amount of old getssl versions to keep when upgrading
  -U, --nocheck      Do not check if a more recent version is available
  -w working_dir "Working directory"

 

 泛域名参考配置：

VALIDATE_VIA_DNS=true
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
#https://github.com/srvrco/getssl/tree/master/dns_scripts
DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_dynu
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_dynu
AUTH_DNS_SERVER=ns1.dynu.com
CHECK_ALL_AUTH_DNS="true"
SANS=""
# Certificate locations
DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"

# The command needed to reload apache / nginx or whatever you use
RELOAD_CMD="service nginx restart"

# Define the server type and confirm correct certificate is installed
SERVER_TYPE="https"
CHECK_REMOTE="true"

 

官方推荐客户端：Certbot

我们建议大多数人从 Certbot 客户端开始。 它既可以仅为您获取证书，也可以帮助您安装证书（如果您需要的话）。它易于使用，适用于许多操作系统，并且具有出色的文档。

如果 Certbot 不能满足您的需求，或者您只是想尝试其他软件，那么下面有更多的客户端可供选择，这些客户端按照编写所用的语言或是使用环境排序。

其他客户端

此列表上的所有客户端都支持ACMEv2 API (RFC 8555)。 我们将很快淘汰ACMEv1 API。

如果您使用的客户端在该列表中，请确保您将其升级到最新版本。 如果下面没有列出您正在使用的客户端，则该客户端有几率不支持ACMEv2 API，请与项目维护者联系或更换其他客户端。

Bash

• GetSSL (bash, also automates certs on remote hosts via ssh)
• acme.sh (Compatible to bash, dash and sh)
• dehydrated (Compatible to bash and zsh)
• ght-acme.sh (batch update of http-01 and dns-01 challenges is available)
• bacme (simple yet complete scripting of certificate generation)

C

• OpenBSD acme-client
• uacme
• acme-client-portable
• Apache httpd Support via the module mod_md.
• mod_md Separate, more frequent releases of the Apache module.
• CycloneACME (client implementation of ACME dedicated to microcontrollers)

C++

• acme-lw
• esp32-acme-client allows IoT devices to get certificates

Clojure

• certificaat

Configuration management tools

• Ansible acme_certificate module

D

• acme-lw-d

Domino

• CertMatica (ACME certificate installation and renewals for HCL Domino™ servers)

Docker

• ZeroSSL

Go

• Caddy
• Lego
• acmetool
• Lets-proxy2 (Reverse proxy to handle https/tls)
• autocert
• Traefik
• ACMEz
• Step CLI

HAProxy

• HAProxy client

Java

• PJAC
• ManageEngine Key Manager Plus

Lua

• Mako Server's ACME Plugin The plugin’s main objective is to provide certificates for servers on private networks.

Microsoft Azure

• Azure WebApp SSL Manager (Serverless, Compatible with any App Service, requires Azure DNS)
• App Service Acmebot (Compatible to Azure Web Apps / Functions / Web App for Containers)
• Key Vault Acmebot (Work with Azure Key Vault Certificates)

nginx

• lua-resty-auto-ssl
• Nginx ACME
• lua-resty-acme

Node.js

• Greenlock for Express.js
• acme-http-01-azure-key-vault-middleware (Express middleware for storing certificates securely on Azure Key Vault)

OpenShift

• openshift-acme

Perl

• acme (Simple json config, autogen keys, issue cert, refresh cert, apache/nginx integration)
• Crypt::LE

PHP

• Hiawatha
• FreeSSL.tech Auto
• Yet another ACME client
• itr-acme-client PHP library
• Acme PHP
• RW ACME client

Python

• ACME Tiny
• simp_le
• acmebot
• sewer
• acme-dns-tiny (Python 3)
• Automatoes ACME V2 ManuaLE replacement with new features
• acertmgr
• acme-cert-tool
• serverPKI PKI for internet server infrastructure, supporting distribution of certs, FreeBSD jails, DNS DANE support

Ruby

• unixcharles/acme-client
• acme-distributed
• Combine-acme: Generate and upload crt to CloudFlare(enterprise) and GCP.

Rust

• ACMEd
• acme-redirect

Windows / IIS

• ZeroSSL project
• win-acme (.NET)
• Posh-ACME (PowerShell)
• Certes
• ACME-PS (PowerShell)
• Certify The Web (Windows)
• WinCertes Windows client
• GetCert2 (simple GUI - .Net, C#, WPF, WCF)

库

4D

• acme component ACME Client v2 for 4D v18+

C++

• acme-lw
• esp32-acme-client allows IoT devices to get certificates

D

• acme-lw-d

Delphi

• DelphiACME (Embarcadero Delphi)

Go

• Lego
• acmetool
• eggsampler/acme
• ACMEz

Java

• ACME4J

.NET

• Certes (.NET Standard)
• PKISharp/ACMESharpCore (.NET Standard)

Node.js

• Greenlock for node.js
• publishlab/node-acme-client

Perl

• acme (Simple json config, autogen keys, issue cert, refresh cert, apache/nginx integration)
• ZeroSSL project
• Crypt::LE
• Net::ACME2

PHP

• ACMECert PHP library
• LEClient PHP library
• le-acme2-php library
• stonemax/acme2 PHP client
• Acme PHP Library

Python

• Python 模块 acme 是 Certbot 的一部分，但它也被许多其他客户端使用，并在 PyPI、Debian、Ubuntu、Fedora 和其他一些发行版中作为独立软件包提供。

Ruby

• unixcharles/acme-client