Generating free wildcard certificates with acme.sh
Environment setup
The ACME client used in this article runs as a Docker container, so a Docker runtime is required. This article uses CentOS 7.x with Docker CE 19.03.13, and Docker Compose is already installed.
Following the official GitHub documentation, I have written the Docker Compose file that acme.sh needs; the standard template is as follows:
version: "3"
services:
  acme.sh:
    image: neilpang/acme.sh:latest
    container_name: acme.sh
    command: daemon
    volumes:
      - "<directory where the ACME certificate files are generated>:/acme.sh"
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - Ali_Key=<your Alibaba Cloud Access Key>
      - Ali_Secret=<your Alibaba Cloud Access Secret>
      - DEPLOY_DOCKER_CONTAINER_LABEL=__nginx__
      - "DEPLOY_DOCKER_CONTAINER_RELOAD_CMD=nginx -s reload -c /etc/nginx/nginx.conf"
    restart: always
    networks:
      - internal-network
networks:
  internal-network:
    external: true
Parameter configuration
For ACME's default parameters we only need to supply the API access key of the DNS provider; acme.sh then validates our domain automatically. I use Alibaba Cloud as the example here; the other supported DNS providers are listed in the GitHub documentation.
Besides the parameters configured through environment variables, the directory in which acme.sh generates the certificate files also needs to be configured separately; this can be used for
Usage
Pull the image
Run the following command to pull the acme.sh Docker image.
docker pull neilpang/acme.sh:latest
Run the container
docker-compose up -d
Generate the certificate
Since the Alibaba Cloud parameters are already set in the environment variables, you now only need to specify the domain names to generate the certificate; domain validation and the remaining steps are handled automatically by acme.sh.
Enter the acme.sh container and run the issue command.
acme.sh --issue --dns dns_ali -d example.com -d www.example.com
Once validation succeeds, the corresponding certificate files are generated in the acme.sh directory.
[Tue Mar 16 07:07:44 UTC 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue Mar 16 07:07:45 UTC 2021] Create account key ok.
[Tue Mar 16 07:07:45 UTC 2021] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Tue Mar 16 07:07:46 UTC 2021] Registered
[Tue Mar 16 07:07:46 UTC 2021] ACCOUNT_THUMBPRINT='your account thumbprint'
[Tue Mar 16 07:07:46 UTC 2021] Creating domain key
[Tue Mar 16 07:07:47 UTC 2021] The domain key is here: /acme.sh/example.com/example.com.key
[Tue Mar 16 07:07:47 UTC 2021] Multi domain='DNS:example.com,DNS:www.example.com'
[Tue Mar 16 07:07:47 UTC 2021] Getting domain auth token for each domain
[Tue Mar 16 07:07:49 UTC 2021] Getting webroot for domain='example.com'
[Tue Mar 16 07:07:49 UTC 2021] Getting webroot for domain='www.example.com'
[Tue Mar 16 07:07:49 UTC 2021] Adding txt value: eJ2UJrvi_lAMmY0D-BFrM4WNvDXkICUR0BSJ3EXyBtw for domain: _acme-challenge.example.com
[Tue Mar 16 07:07:51 UTC 2021] The txt record is added: Success.
[Tue Mar 16 07:07:51 UTC 2021] Adding txt value: u_T1kks2iNU1E_1bAtE8zpz-e81uTISws8o_ZL8YE40 for domain: _acme-challenge.www.example.com
[Tue Mar 16 07:07:53 UTC 2021] The txt record is added: Success.
[Tue Mar 16 07:07:53 UTC 2021] Let's check each DNS record now. Sleep 20 seconds first.
[Tue Mar 16 07:08:14 UTC 2021] You can use '--dnssleep' to disable public dns checks.
[Tue Mar 16 07:08:14 UTC 2021] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Tue Mar 16 07:08:14 UTC 2021] Checking example.com for _acme-challenge.example.com
[Tue Mar 16 07:08:16 UTC 2021] Domain example.com '_acme-challenge.example.com' success.
[Tue Mar 16 07:08:16 UTC 2021] Checking www.example.com for _acme-challenge.www.example.com
[Tue Mar 16 07:08:17 UTC 2021] Domain www.example.com '_acme-challenge.www.example.com' success.
[Tue Mar 16 07:08:17 UTC 2021] All success, let's return
[Tue Mar 16 07:08:17 UTC 2021] Verifying: example.com
[Tue Mar 16 07:08:21 UTC 2021] Success
[Tue Mar 16 07:08:21 UTC 2021] Verifying: www.example.com
[Tue Mar 16 07:08:25 UTC 2021] Success
[Tue Mar 16 07:08:25 UTC 2021] Removing DNS records.
[Tue Mar 16 07:08:25 UTC 2021] Removing txt: eJ2UJrvi_lAMmY0D-BFrM4WNvDXkICUR0BSJ3EXyBtw for domain: _acme-challenge.example.com
[Tue Mar 16 07:08:27 UTC 2021] Removed: Success
[Tue Mar 16 07:08:27 UTC 2021] Removing txt: u_T1kks2iNU1E_1bAtE8zpz-e81uTISws8o_ZL8YE40 for domain: _acme-challenge.www.example.com
[Tue Mar 16 07:08:30 UTC 2021] Removed: Success
[Tue Mar 16 07:08:30 UTC 2021] Verify finished, start to sign.
[Tue Mar 16 07:08:30 UTC 2021] Lets finalize the order.
[Tue Mar 16 07:08:30 UTC 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/123456'
[Tue Mar 16 07:08:31 UTC 2021] Downloading cert.
[Tue Mar 16 07:08:31 UTC 2021] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/123456123456'
[Tue Mar 16 07:08:32 UTC 2021] Cert success.
-----BEGIN CERTIFICATE-----
Your certificate contents.
-----END CERTIFICATE-----
[Tue Mar 16 07:08:32 UTC 2021] Your cert is in /acme.sh/example.com/example.com.cer
[Tue Mar 16 07:08:32 UTC 2021] Your cert key is in /acme.sh/example.com/example.com.key
[Tue Mar 16 07:08:32 UTC 2021] The intermediate CA cert is in /acme.sh/example.com/ca.cer
[Tue Mar 16 07:08:32 UTC 2021] And the full chain certs is there: /acme.sh/example.com/fullchain.cer
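As an added example (not part of the original post and not acme.sh's own code), the following script audits an acme.sh --issue log of the kind shown above: it checks that every _acme-challenge TXT record the DNS API added was removed again afterwards, and that every requested name reached "Success" during verification. The sample log is constructed; it requests the apex plus a wildcard, so two TXT values land on the same _acme-challenge name, and it deliberately leaves one record behind and one name unverified.

```python
import re
from collections import Counter

# Constructed sample in the format of the acme.sh --issue output shown above. The apex and the
# wildcard share _acme-challenge.example.com, so two TXT values are added; here the second is
# never removed and the wildcard name never reaches "Success", which the audit must report.
SAMPLE_LOG = """\
[Tue Mar 16 07:07:47 UTC 2021] Multi domain='DNS:example.com,DNS:*.example.com'
[Tue Mar 16 07:07:49 UTC 2021] Adding txt value: TOKEN_A for domain: _acme-challenge.example.com
[Tue Mar 16 07:07:52 UTC 2021] Adding txt value: TOKEN_B for domain: _acme-challenge.example.com
[Tue Mar 16 07:08:17 UTC 2021] Verifying: example.com
[Tue Mar 16 07:08:21 UTC 2021] Success
[Tue Mar 16 07:08:21 UTC 2021] Verifying: *.example.com
[Tue Mar 16 07:08:25 UTC 2021] Removing txt: TOKEN_A for domain: _acme-challenge.example.com
"""

# One pattern per acme.sh message type the audit cares about (timestamp already stripped).
RULES = {
    "domains": re.compile(r"(?:Multi|Single) domain='(?P<v>[^']+)'"),
    "added": re.compile(r"Adding txt value: (?P<tok>\S+) for domain: (?P<name>\S+)"),
    "removed": re.compile(r"Removing txt: (?P<tok>\S+) for domain: (?P<name>\S+)"),
    "verify": re.compile(r"Verifying: (?P<name>\S+)"),
}

def parse_acme_log(text):
    """Collect requested names, TXT records added/removed and names that verified."""
    state = {"domains": [], "added": [], "removed": [], "verified": []}
    pending = None  # name whose verification result is expected on the next line
    for raw in text.splitlines():
        msg = raw.split("] ", 1)[-1]  # drop the "[timestamp] " prefix
        if msg == "Success" and pending:
            state["verified"].append(pending)
        pending = None
        for kind, rule in RULES.items():
            if not (hit := rule.search(msg)):
                continue
            if kind == "domains":
                state["domains"] = [d.replace("DNS:", "") for d in hit.group("v").split(",")]
            elif kind == "verify":
                pending = hit.group("name")
            else:
                state[kind].append((hit.group("name"), hit.group("tok")))
    return state

def audit_acme_log(text):
    """Return findings; an empty list means every record was removed and every name verified."""
    s = parse_acme_log(text)
    leftover = Counter(s["added"]) - Counter(s["removed"])  # multiset: same name, two values
    findings = [f"TXT record still present: {n} = {t}" for n, t in leftover.elements()]
    findings += [f"Domain not verified: {d}" for d in s["domains"] if d not in s["verified"]]
    return findings
```

Feed it the output of the issue command run inside the container (for example saved with a redirect) and treat any finding as a reason to inspect the DNS zone and re-run issuance.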