Requesting a Let's Encrypt wildcard certificate with acme.sh on CentOS
1. Install acme.sh
Note: if you need Standalone Mode, install socat first
# yum install socat
It is recommended to install socat first.
We use socat for standalone server if you use standalone mode.
If you don't use standalone mode, just ignore this warning.
[test@ssh ~]$ curl https://get.acme.sh | sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 775 0 775 0 0 67 0 --:--:-- 0:00:11 --:--:-- 194
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 193k 100 193k 0 0 234k 0 --:--:-- --:--:-- --:--:-- 234k
Installing from online archive.
Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
Extracting master.tar.gz
It is recommended to install socat first.
We use socat for standalone server if you use standalone mode.
If you don't use standalone mode, just ignore this warning.
Installing to /home/test/.acme.sh
Installed to /home/test/.acme.sh/acme.sh
Installing alias to '/home/test/.bashrc'
OK, Close and reopen your terminal to start using acme.sh
Installing cron job
no crontab for test
Good, bash is found, so change the shebang to use bash as preferred.
OK
Install success!
Installation succeeded
1.1 acme.sh is installed under your home directory:
/home/test/.acme.sh
You can create a bash alias for convenience: alias acme.sh=~/.acme.sh/acme.sh
1.2 A cron job is created for you automatically
Every day at 0:00 it checks all certificates; any that are close to expiry and need renewal are renewed automatically.
20 0 * * * "/home/test/.acme.sh"/acme.sh --cron --home "/home/test/.acme.sh" > /dev/null
2. Issue a certificate
acme.sh implements every validation method supported by the ACME protocol. There are generally two ways to validate: http and dns validation.
2.1 http
Place a file in your site's web root to prove ownership of the domain and complete validation; after that the certificate can be issued.
acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /home/wwwroot/mydomain.com/
You only need to specify the domain and the web root where the site lives. acme.sh generates the validation file, places it in the web root, completes the validation automatically, and finally cleans up the validation file. The whole process has no side effects.
If you use Apache, acme.sh can complete validation automatically from the Apache configuration; you don't need to specify the web root:
acme.sh --issue -d mydomain.com --apache
If you use nginx, or a reverse proxy, acme.sh can likewise complete validation automatically from the nginx configuration; you don't need to specify the web root:
acme.sh --issue -d mydomain.com --nginx
Note that in both apache and nginx mode, acme.sh restores the previous state after validation and never modifies your configuration on its own. The advantage is that you need not worry about the configuration being broken; the drawback is that you must write the ssl configuration yourself, otherwise the certificate is issued but your site still cannot be reached over https. For safety, edit the configuration by hand.
If you are not running any web service yet and port 80 is free, acme.sh can pretend to be a web server, listen temporarily on port 80, and complete validation:
acme.sh --issue -d mydomain.com --standalone
2.2 Manual dns mode
Manually add a txt record to the domain to prove ownership.
The advantage of this method is that you need no server and no public IP; a DNS record is all it takes to complete validation. The drawback is that unless you also configure an Automatic DNS API, acme.sh cannot renew the certificate automatically; every time, you must add the record and validate ownership again by hand.
acme.sh --issue --dns -d mydomain.com
acme.sh then generates and prints the required record; you just add that txt record in your domain's management panel.
Once the record has propagated, issue the certificate again:
acme.sh --renew -d mydomain.com
Note that the second time, --renew is used.
2.3 dns api mode
The real power of dns mode is that it can use the API provided by your DNS provider to add the txt record automatically and complete validation.
acme.sh currently integrates automatically with dozens of providers, including cloudflare, dnspod, cloudxns, godaddy and ovh.
Taking dnspod as an example, first log in to your dnspod account and generate your api id and api key (both free). Then:
export DP_Id="1234"
export DP_Key="sADDsdasdgdsf"
acme.sh --issue --dns dns_dp -d aa.com -d www.aa.com
The certificate is issued automatically. The api id and api key given here are recorded, so you won't need to specify them again when using the dnspod api in future; just issue directly:
acme.sh --issue -d mydomain2.com --dns dns_dp
https://github.com/acmesh-official/acme.sh/wiki/dnsapi
How to use DNS API
If your DNS provider doesn't provide API access, you can use our DNS alias mode: https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode
1. CloudFlare Option:
CloudFlare Domain API offers two methods to automatically issue certs.
Using the global API key
First you need to login to your CloudFlare account to get your API key.
export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Email="xxxx@sss.com"
Using the new cloudflare api token
export CF_Token="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Account_ID="xxxxxxxxxxxxx"
In order to use the new token, the token currently needs read access to Zone.Zone, and write access to Zone.DNS, across all Zones. See Issue #2398 for more info.
Alternatively, if the certificate only covers a single zone, you can restrict the API Token only for write access to Zone.DNS for a single domain, and then specify the CF_Zone_ID directly:
export CF_Token="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Account_ID="xxxxxxxxxxxxx"
export CF_Zone_ID="xxxxxxxxxxxxx"
Ok, let's issue a cert now:
acme.sh --issue --dns dns_cf -d example.com -d www.example.com
The CF_Key and CF_Email or CF_Token and CF_Account_ID will be saved in ~/.acme.sh/account.conf and will be reused when needed.
2. DNSPod.cn Option:
The DNSPod.cn Domain API option requires that you first login to your account to get a DNSPod API Key and ID.
export DP_Id="1234"
export DP_Key="sADDsdasdgdsf"
Ok, let's issue a cert now:
acme.sh --issue --dns dns_dp -d example.com -d www.example.com
The DP_Id and DP_Key will be saved in ~/.acme.sh/account.conf and will be reused when needed.
3. Use CloudXNS.com domain API to automatically issue cert
First you need to login to your CloudXNS account to get your API Key and Secret.
export CX_Key="1234"
export CX_Secret="sADDsdasdgdsf"
Ok, let's issue a cert now:
acme.sh --issue --dns dns_cx -d example.com -d www.example.com
The CX_Key and CX_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.
4. Use GoDaddy.com domain API to automatically issue cert
First you need to login to your GoDaddy account to get your API Key and Secret.
https://developer.godaddy.com/keys/
Please create a Production key, instead of a Test key.
export GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export GD_Secret="asdfsdafdsfdsfdsfdsfdsafd"
Ok, let's issue a cert now:
acme.sh --issue --dns dns_gd -d example.com -d www.example.com
The GD_Key and GD_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.
5. Use PowerDNS embedded API to automatically issue cert
First you need to login to your PowerDNS account to enable the API and set your API-Token in the configuration.
https://doc.powerdns.com/md/httpapi/README/
export PDNS_Url="http://ns.example.com:8081"
export PDNS_ServerId="localhost"
export PDNS_Token="0123456789ABCDEF"
export PDNS_Ttl=60
Ok, let's issue a cert now:
acme.sh --issue --dns dns_pdns -d example.com -d www.example.com
The PDNS_Url, PDNS_ServerId, PDNS_Token and PDNS_Ttl will be saved in ~/.acme.sh/account.conf and will be reused when needed.
First request an API key in the GoDaddy developer console
https://developer.godaddy.com/keys#
Then export the GoDaddy key and secret and issue the certificate
export GD_Key="daxaaaaaaaaaaaabbdn"
export GD_Secret="Eafsfbbbbq4"
$ acme.sh --issue --dns dns_gd -d cnblog.xyz -d '*.cnblog.xyz'
Note: the wildcard request also covers www
Issued successfully
[test@ssh .acme.sh]$ acme.sh --issue --dns dns_gd -d cnblog.xyz -d '*.cnblog.xyz'
[Sun Jul] Multi domain='DNS:cnblog.xyz,DNS:*.cnblog.xyz'
[Sun Jul] Getting domain auth token for each domain
[Sun Jul] Getting webroot for domain='cnblog.xyz'
[Sun Jul] Getting webroot for domain='*.cnblog.xyz'
[Sun Jul] Adding txt value: R2LSKSVk2h3S_YfBd7olT84Tbv-6QvfsD5DBEqar2A0 for domain: _acme-challenge.cnblog.xyz
[Sun Jul] Adding record
[Sun Jul] Added, sleeping 10 seconds
[Sun Jul] The txt record is added: Success.
[Sun Jul] Adding txt value: BWsOvaC8CSpI2Uad5lHlLp3JXVitYr5C3QpHjB29NME for domain: _acme-challenge.cnblog.xyz
[Sun Jul] Adding record
[Sun Jul] Added, sleeping 10 seconds
[Sun Jul] The txt record is added: Success.
[Sun Jul] Let's check each DNS record now. Sleep 20 seconds first.
[Sun Jul] Checking cnblog.xyz for _acme-challenge.cnblog.xyz
[Sun Jul] Domain cnblog.xyz '_acme-challenge.cnblog.xyz' success.
[Sun Jul] Checking cnblog.xyz for _acme-challenge.cnblog.xyz
[Sun Jul] Domain cnblog.xyz '_acme-challenge.cnblog.xyz' success.
[Sun Jul] All success, let's return
[Sun Jul] Verifying: cnblog.xyz
[Sun Jul] Success
[Sun Jul] Verifying: *.cnblog.xyz
[Sun Jul] Success
[Sun Jul] Removing DNS records.
[Sun Jul] Removing txt: R2LSKSVk2h3S_YfBd7olT84Tbv-6QvfsD5DBEqar2A0 for domain: _acme-challenge.cnblog.xyz
[Sun Jul] Removed: Success
[Sun Jul] Removing txt: BWsOvaC8CSpI2Uad5lHlLp3JXVitYr5C3QpHjB29NME for domain: _acme-challenge.cnblog.xyz
[Sun Jul] Removed: Success
[Sun Jul] Verify finished, start to sign.
[Sun Jul] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/90525602/4059024784
[Sun Jul] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/036a09d2a53a2deae0004c16b4ea1e4c62a9
[Sun Jul] Cert success.
-----BEGIN CERTIFICATE-----
MIIFWTCCBEGgAwIBAgISA2oJ0qU6LergAEwWtOoeTGKpMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA3MDUwMDUyMzlaFw0y
izw7hnQZSa9ghwzOsSypkXx9QO8VppwevPTU7lo=
-----END CERTIFICATE-----
[Sun Jul] Your cert is in /home/test/.acme.sh/cnblog.xyz/cnblog.xyz.cer
[Sun Jul] Your cert key is in /home/test/.acme.sh/cnblog.xyz/cnblog.xyz.key
[Sun Jul] The intermediate CA cert is in /home/test/.acme.sh/cnblog.xyz/ca.cer
[Sun Jul] And the full chain certs is there: /home/test/.acme.sh/cnblog.xyz/fullchain.cer
[test@ssh .acme.sh]$
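Before pointing nginx or apache at the files acme.sh just wrote, it is worth checking what was actually issued: that the certificate carries both cnblog.xyz and *.cnblog.xyz as SANs, that a name such as www.cnblog.xyz is covered by the wildcard even though it is not listed literally (the note above about www), that the private key really belongs to the certificate, and how far away expiry is (the condition the cron job in section 1.2 acts on). The script below is an added example, not code from the original post or from acme.sh. It builds a self-signed stand-in for fullchain.cer and cnblog.xyz.key with the same SANs so it runs offline; on a real host, point CERT and KEY at /home/test/.acme.sh/cnblog.xyz/fullchain.cer and cnblog.xyz.key instead. The wildcard matching implements the single-label rule (one label in place of `*`), which is the rule public CAs apply; it generalizes beyond the single cnblog.xyz case on the page.

```shell
#!/bin/sh
# Added example (not from the original post or from acme.sh): post-issuance checks
# for a wildcard certificate. All paths below are assumptions; the self-signed
# certificate is a constructed stand-in for the acme.sh output shown above.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT=$WORK/fullchain.cer      # stands in for /home/test/.acme.sh/cnblog.xyz/fullchain.cer
KEY=$WORK/cnblog.xyz.key      # stands in for /home/test/.acme.sh/cnblog.xyz/cnblog.xyz.key
OTHER_KEY=$WORK/unrelated.key # a key that does NOT belong to the certificate

# Constructed input: a 30-day self-signed certificate with the same SANs the
# GoDaddy dns_gd run above produced (cnblog.xyz and *.cnblog.xyz).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" -days 30 \
  -subj "/CN=cnblog.xyz" \
  -addext "subjectAltName=DNS:cnblog.xyz,DNS:*.cnblog.xyz" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$OTHER_KEY" 2>/dev/null

# Print the certificate's DNS SANs, one per line, e.g. "DNS:*.cnblog.xyz".
cert_sans() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# 0 if $2 appears literally as a DNS SAN (www.cnblog.xyz does NOT, only *.cnblog.xyz does).
cert_has_san() {
  cert_sans "$1" | grep -qxF -- "DNS:$2"
}

# 0 if the certificate covers host name $2, either by an exact SAN or by a
# wildcard SAN "*.base" where $2 is exactly one label followed by ".base".
# "*.cnblog.xyz" therefore covers www.cnblog.xyz but not cnblog.xyz itself
# and not deep.sub.cnblog.xyz. Runs in a subshell so "exit" only leaves the loop.
cert_covers_name() {
  cert_sans "$1" | {
    while read -r san; do
      san=${san#DNS:}
      [ "$san" = "$2" ] && exit 0
      case $san in
        '*.'*)
          base=${san#\*.}   # everything after the "*."
          label=${2%%.*}    # first label of the requested name
          [ -n "$label" ] && [ "$label.$base" = "$2" ] && exit 0
          ;;
      esac
    done
    exit 1
  }
}

# 0 if the public key inside the certificate equals the one derived from the private key.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 if the certificate expires within $2 days (the situation a renewal cron job must catch).
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Stand-alone run: report coverage for a few names and the key/expiry checks.
for name in cnblog.xyz www.cnblog.xyz api.cnblog.xyz deep.sub.cnblog.xyz; do
  if cert_covers_name "$CERT" "$name"; then echo "covered:     $name"; else echo "NOT covered: $name"; fi
done
cert_matches_key "$CERT" "$KEY" && echo "private key matches certificate"
cert_expires_within "$CERT" 60 && echo "expires within 60 days: renewal due"
```

On a live host the only change is the two path variables. Note that, as the wiki text quoted above says, the GD_Key/GD_Secret pair is persisted in ~/.acme.sh/account.conf after the first run, so that file deserves the same file permissions as the private key next to it.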