Obtaining free HTTPS certificates with acme


Preface

The major domestic cloud providers, e.g. Alibaba Cloud, Huawei Cloud and Tencent Cloud, all let you request free OV-level HTTPS certificates, but with a few small drawbacks.

  • The certificate is valid for one year; after it expires you have to request it again by hand
  • The free quota is 20 per year
  • Only single-domain certificates can be requested

If you have many domains, or many subdomains under one domain, the cloud providers' approach is not very convenient: renewing a pile of certificates is a chore.

This article shows how to use acme to obtain free, unlimited wildcard certificates automatically.

What is acme

🙂 Let's ask the all-knowing GPT:

(GPT's answer was pasted as a screenshot and is not reproduced here)

To add to that: acme.sh is an ACME protocol client implemented purely as a shell script; all the operations below are carried out on Ubuntu.

Link: acme.sh

acme workflow

In general, a certificate authority verifies domain ownership in one of two ways:

  1. txt file validation

    The CA provides a specific path and a token; you create a TXT file with the specified name under that path, with the token as its contents. The CA then tries to fetch that file over HTTP or HTTPS to verify that the token is present.

    If validation succeeds, the CA confirms your control of the domain and proceeds to issue the certificate.

  2. dns validation

    The CA provides a random token, which you add to the domain's DNS records. The CA then queries DNS to verify that the token is present.

    If validation succeeds, the CA confirms control of the domain and proceeds to issue the certificate.

acme supports both methods; below we show how to obtain a certificate using the dns method.
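To make the dns method concrete, here is a small shell script, added for this article and not part of acme.sh or of the original post, that does the same public-DNS check acme.sh performs in the logs further down ("Let's check each DNS record now"): it derives the `_acme-challenge` name for a domain (a wildcard is validated at the same name as its base domain, which is why one record name receives two tokens in the logs) and polls a public resolver until the expected token is visible. The function names, the resolver choice and the sample `dig` output are this example's own assumptions; the parsing function works on saved `dig +short` output, so it can be exercised without network access.

```shell
#!/bin/sh
# Added example (not from the original post or acme.sh): check that the TXT
# record of a DNS-01 challenge is visible on a public resolver before the CA
# is asked to validate it. Function names are hypothetical.

# Name of the TXT record the CA queries for DNS-01 validation of a domain.
# "*.example.com" is validated at the same name as "example.com", so the
# leading "*." is dropped.
challenge_name() {
    base=$(printf '%s' "$1" | sed 's/^\*\.//')
    printf '_acme-challenge.%s' "$base"
}

# Read the output of `dig +short TXT <name>` on stdin (one quoted string per
# line) and succeed if the expected token ($1) is one of the values.
txt_has_token() {
    token=$1
    # dig prints TXT data in double quotes; strip them and compare whole
    # lines so that a token which is a prefix of another cannot match.
    sed 's/^"//; s/"$//' | grep -qxF -- "$token"
}

# Poll a public resolver until the token is visible or attempts run out.
# $1 resolver, $2 domain, $3 token, $4 attempts (default 10), $5 delay in s.
wait_for_challenge() {
    resolver=$1; domain=$2; token=$3
    attempts=${4:-10}; delay=${5:-10}
    name=$(challenge_name "$domain")
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if dig +short TXT "$name" "@$resolver" | txt_has_token "$token"; then
            printf 'OK: %s carries the token (attempt %d)\n' "$name" "$((i + 1))"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    printf 'FAIL: %s not visible on %s after %d attempts\n' "$name" "$resolver" "$attempts" >&2
    return 1
}

# Usage: sh dnscheck.sh --check '*.bwbit.com' <token>   (resolver 1.1.1.1 assumed)
if [ "${1:-}" = "--check" ]; then
    wait_for_challenge 1.1.1.1 "$2" "$3"
fi
```

This is the check that acme.sh's `--dnssleep` option replaces with a fixed wait; doing it explicitly is useful when a provider's zone propagates slowly, because the CA's own resolvers will see the same view a public resolver does.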

Demo

Prerequisites

Since we chose dns validation to prove domain ownership, acme needs permission to add dns records for your domain at the DNS hosting provider.

cloudflare and Alibaba Cloud are used below as the example DNS hosting providers.

tips: for safety, keep the permissions of the key you create at the cloud provider tightly scoped. Grant and assign on the principle of least privilege: give the key only the permission to modify dns records.

cloudflare

  1. Log in to the cloudflare console

    Link: cloudflare console

  2. Get an API token

    (screenshots of the token creation steps omitted)

    Then just keep clicking Next; save the token you get, which looks like: JGwL_0WIiQ**********PIH5qkm3a4SpcilL

Alibaba Cloud

  1. Log in to the Alibaba Cloud console

    Link: Alibaba Cloud

  2. Create a sub-user AccessKey

    (screenshots of the AccessKey creation steps omitted)

    Save the AccessKey ID and AccessKey Secret. They look like: LTAI********sExJAjto and nmAbWiLeRB*********IjwwPe2jWC.

  3. Grant the sub-user permissions

    (screenshot of the permission grant omitted)

acme script configuration

One-click install

root@ali-gz-relay:~# curl https://get.acme.sh | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1032    0  1032    0     0    426      0 --:--:--  0:00:02 --:--:--   426
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  216k  100  216k    0     0  40381      0  0:00:05  0:00:05 --:--:-- 53559
[Sat 12 Aug 2023 11:42:55 PM CST] Installing from online archive.
[Sat 12 Aug 2023 11:42:55 PM CST] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Sat 12 Aug 2023 11:42:58 PM CST] Extracting master.tar.gz
[Sat 12 Aug 2023 11:42:58 PM CST] It is recommended to install socat first.
[Sat 12 Aug 2023 11:42:58 PM CST] We use socat for standalone server if you use standalone mode.
[Sat 12 Aug 2023 11:42:58 PM CST] If you don't use standalone mode, just ignore this warning.
[Sat 12 Aug 2023 11:42:58 PM CST] Installing to /root/.acme.sh
[Sat 12 Aug 2023 11:42:58 PM CST] Installed to /root/.acme.sh/acme.sh
[Sat 12 Aug 2023 11:42:58 PM CST] Installing alias to '/root/.bashrc'
[Sat 12 Aug 2023 11:42:58 PM CST] OK, Close and reopen your terminal to start using acme.sh
[Sat 12 Aug 2023 11:42:58 PM CST] Installing cron job
[Sat 12 Aug 2023 11:42:58 PM CST] Good, bash is found, so change the shebang to use bash as preferred.
[Sat 12 Aug 2023 11:42:59 PM CST] OK
[Sat 12 Aug 2023 11:42:59 PM CST] Install success!

cloudflare example

# cd /root/.acme.sh/

# check the version
# ./acme.sh --version
https://github.com/acmesh-official/acme.sh
v3.0.7

# register your own email address with acme
# ./acme.sh --register-account -m testaccount@gmail.com

# edit the account config file: fill in the registered email address and the API token obtained above
# (acme.sh itself reads account.conf from its home directory, /root/.acme.sh/)
# vim ../acme.sh-bak/account.conf
SAVED_CF_Key='JGwL_0WIiQW2oWaqN_2qoFY5OIH5qkm3a4SpcilL'
SAVED_CF_Email='testaccount@gmail.com'
USER_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin'

# obtain the wildcard certificate (quote the wildcard so the shell does not expand it)
# ./acme.sh --issue --dns dns_cf -d '*.bwbit.com' -d bwbit.com --force
[Sat 12 Aug 2023 11:54:41 PM CST] Using CA: https://acme.zerossl.com/v2/DV90
[Sat 12 Aug 2023 11:54:41 PM CST] Multi domain='DNS:*.bwbit.com,DNS:bwbit.com'
[Sat 12 Aug 2023 11:54:41 PM CST] Getting domain auth token for each domain
[Sat 12 Aug 2023 11:54:53 PM CST] Getting webroot for domain='*.bwbit.com'
[Sat 12 Aug 2023 11:54:53 PM CST] Getting webroot for domain='bwbit.com'
[Sat 12 Aug 2023 11:54:53 PM CST] Adding txt value: pnwUtJhuqA_Zd0Eifr2toQbbdoWaFCuVANex7DT9i3g for domain:  _acme-challenge.bwbit.com
[Sat 12 Aug 2023 11:54:58 PM CST] Adding record
[Sat 12 Aug 2023 11:55:00 PM CST] Added, OK
[Sat 12 Aug 2023 11:55:00 PM CST] The txt record is added: Success.
[Sat 12 Aug 2023 11:55:00 PM CST] Adding txt value: iS0uXFsZ5an7N99sETMTmce2mCkVCOMI7fDQ9CReEWk for domain:  _acme-challenge.bwbit.com
[Sat 12 Aug 2023 11:55:06 PM CST] Adding record
[Sat 12 Aug 2023 11:55:07 PM CST] Added, OK
[Sat 12 Aug 2023 11:55:07 PM CST] The txt record is added: Success.
[Sat 12 Aug 2023 11:55:07 PM CST] Let's check each DNS record now. Sleep 20 seconds first.
[Sat 12 Aug 2023 11:55:28 PM CST] You can use '--dnssleep' to disable public dns checks.
[Sat 12 Aug 2023 11:55:28 PM CST] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Sat 12 Aug 2023 11:55:28 PM CST] Checking bwbit.com for _acme-challenge.bwbit.com
[Sat 12 Aug 2023 11:55:30 PM CST] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sat 12 Aug 2023 11:55:40 PM CST] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28
[Sat 12 Aug 2023 11:55:41 PM CST] Domain bwbit.com '_acme-challenge.bwbit.com' success.
[Sat 12 Aug 2023 11:55:41 PM CST] Checking bwbit.com for _acme-challenge.bwbit.com
[Sat 12 Aug 2023 11:55:41 PM CST] Domain bwbit.com '_acme-challenge.bwbit.com' success.
[Sat 12 Aug 2023 11:55:41 PM CST] All success, let's return
[Sat 12 Aug 2023 11:55:41 PM CST] Verifying: *.bwbit.com
[Sat 12 Aug 2023 11:55:44 PM CST] Processing, The CA is processing your order, please just wait. (1/30)
[Sat 12 Aug 2023 11:55:52 PM CST] Success
[Sat 12 Aug 2023 11:55:52 PM CST] Verifying: bwbit.com
[Sat 12 Aug 2023 11:55:54 PM CST] Processing, The CA is processing your order, please just wait. (1/30)
[Sat 12 Aug 2023 11:55:59 PM CST] Success
[Sat 12 Aug 2023 11:55:59 PM CST] Removing DNS records.
[Sat 12 Aug 2023 11:55:59 PM CST] Removing txt: pnwUtJhuqA_Zd0Eifr2toQbbdoWaFCuVANex7DT9i3g for domain: _acme-challenge.bwbit.com
[Sat 12 Aug 2023 11:56:05 PM CST] Removed: Success
[Sat 12 Aug 2023 11:56:05 PM CST] Removing txt: iS0uXFsZ5an7N99sETMTmce2mCkVCOMI7fDQ9CReEWk for domain: _acme-challenge.bwbit.com
[Sat 12 Aug 2023 11:56:10 PM CST] Removed: Success
[Sat 12 Aug 2023 11:56:10 PM CST] Verify finished, start to sign.
[Sat 12 Aug 2023 11:56:10 PM CST] Lets finalize the order.
[Sat 12 Aug 2023 11:56:10 PM CST] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/U008F0zf9OyX2RCzyA_qpw/finalize'
[Sat 12 Aug 2023 11:56:13 PM CST] Order status is processing, lets sleep and retry.
[Sat 12 Aug 2023 11:56:13 PM CST] Retry after: 15
[Sat 12 Aug 2023 11:56:29 PM CST] Polling order status: https://acme.zerossl.com/v2/DV90/order/U008F0zf9OyX2RCzyA_qpw
[Sat 12 Aug 2023 11:56:31 PM CST] Downloading cert.
[Sat 12 Aug 2023 11:56:31 PM CST] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/clzFvKSiM6ULxtaxdx784A'
[Sat 12 Aug 2023 11:56:36 PM CST] Cert success.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[Sat 12 Aug 2023 11:56:36 PM CST] Your cert is in: /root/.acme.sh/*.bwbit.com_ecc/*.bwbit.com.cer
[Sat 12 Aug 2023 11:56:36 PM CST] Your cert key is in: /root/.acme.sh/*.bwbit.com_ecc/*.bwbit.com.key
[Sat 12 Aug 2023 11:56:36 PM CST] The intermediate CA cert is in: /root/.acme.sh/*.bwbit.com_ecc/ca.cer
[Sat 12 Aug 2023 11:56:36 PM CST] And the full chain certs is there: /root/.acme.sh/*.bwbit.com_ecc/fullchain.cer

# crontab -l
58 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
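After the session above, account.conf holds the Cloudflare credential (and, in the Alibaba Cloud example that follows, the AccessKey pair) in clear text, and the crontab line is what keeps the certificate renewed. The following helpers, added for this article and not part of acme.sh or of the original post, check that the file is readable only by its owner, print credential lines with the secret masked the way the post displays its keys, and confirm the renewal job is installed. Function names and the sample configuration are constructed for this example.

```shell
#!/bin/sh
# Added example for this article; not code from the post or from acme.sh.
# Audits the two things the acme.sh setup leaves behind: an account.conf
# containing a DNS API credential, and a cron entry that performs renewals.

# Octal permission bits of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Succeed only if the file exists and grants nothing to group or others,
# i.e. its mode ends in "00" (600 or 400 are the values to expect).
audit_account_conf() {
    conf=$1
    if [ ! -f "$conf" ]; then
        echo "audit: $conf does not exist" >&2
        return 1
    fi
    mode=$(file_mode "$conf")
    case "$mode" in
        *00) return 0 ;;
        *)
            echo "audit: $conf has mode $mode; expected 600 (chmod 600 '$conf')" >&2
            return 1 ;;
    esac
}

# Print SAVED_*_Key / _Secret / _Token lines with everything after the first
# four characters of the value masked, so the file can be shown in a ticket
# or a screenshot without leaking the credential.
show_conf_masked() {
    sed -nE "s/^(SAVED_[A-Za-z_]*(Key|Secret|Token))='(....)[^']*'/\1='\3********'/p" "$1"
}

# Succeed if the crontab text on stdin contains the acme.sh renewal job.
cron_has_renewal() {
    grep -q -- 'acme.sh --cron'
}

# Usage: sh audit.sh --audit [/path/to/account.conf]   (default: ~/.acme.sh/account.conf)
if [ "${1:-}" = "--audit" ]; then
    conf=${2:-$HOME/.acme.sh/account.conf}
    audit_account_conf "$conf" && show_conf_masked "$conf"
    if crontab -l 2>/dev/null | cron_has_renewal; then
        echo "renewal cron job present"
    else
        echo "no acme.sh renewal job in crontab" >&2
    fi
fi
```

The mode check matters because the DNS credential in account.conf can create or delete any record in the zone, which is a far wider capability than the certificate itself; the cron check is the cheap way to notice when the "Installing cron job" step of the installer did not take effect.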

Alibaba Cloud example

# cd /root/.acme.sh/

# check the version
# ./acme.sh --version
https://github.com/acmesh-official/acme.sh
v3.0.7

# register your own email address with acme
# ./acme.sh --register-account -m testaccount@gmail.com

# edit the account config file: fill in the Alibaba Cloud sub-user's `AccessKey ID` and `AccessKey Secret`
# (acme.sh itself reads account.conf from its home directory, /root/.acme.sh/)
# vim ../acme.sh-bak/account.conf
USER_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin'
SAVED_Ali_Key='LTAI5t*******ExJAjto'
SAVED_Ali_Secret='nmAbWiLeR*******CQ1IjwwPe2jWC'

# obtain the wildcard certificate (quote the wildcard so the shell does not expand it)
# ./acme.sh --issue --dns dns_ali -d aaaa.zone -d '*.aaaa.zone'
[Sun 13 Aug 2023 12:02:58 AM CST] Using CA: https://acme.zerossl.com/v2/DV90
[Sun 13 Aug 2023 12:02:58 AM CST] Creating domain key
[Sun 13 Aug 2023 12:02:58 AM CST] The domain key is here: /root/.acme.sh/aaaa.zone_ecc/aaaa.zone.key
[Sun 13 Aug 2023 12:02:58 AM CST] Multi domain='DNS:aaaa.zone,DNS:*.aaaa.zone'
[Sun 13 Aug 2023 12:02:58 AM CST] Getting domain auth token for each domain
[Sun 13 Aug 2023 12:03:11 AM CST] Getting webroot for domain='aaaa.zone'
[Sun 13 Aug 2023 12:03:11 AM CST] Getting webroot for domain='*.aaaa.zone'
[Sun 13 Aug 2023 12:03:12 AM CST] Adding txt value: YI2uGn8WOKDtjjRrgXfIBgvlfFTx25i8vlHJ0LndFTE for domain:  _acme-challenge.aaaa.zone
[Sun 13 Aug 2023 12:03:14 AM CST] The txt record is added: Success.
[Sun 13 Aug 2023 12:03:14 AM CST] Adding txt value: gV94Cb2D6ZloN3Ulj57UWaJag9Mb411sdv6akWjbOQk for domain:  _acme-challenge.aaaa.zone
[Sun 13 Aug 2023 12:03:16 AM CST] The txt record is added: Success.
[Sun 13 Aug 2023 12:03:16 AM CST] Let's check each DNS record now. Sleep 20 seconds first.
[Sun 13 Aug 2023 12:03:37 AM CST] You can use '--dnssleep' to disable public dns checks.
[Sun 13 Aug 2023 12:03:37 AM CST] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Sun 13 Aug 2023 12:03:37 AM CST] Checking aaaa.zone for _acme-challenge.aaaa.zone
[Sun 13 Aug 2023 12:03:39 AM CST] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun 13 Aug 2023 12:03:49 AM CST] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28
[Sun 13 Aug 2023 12:03:50 AM CST] Domain aaaa.zone '_acme-challenge.aaaa.zone' success.
[Sun 13 Aug 2023 12:03:50 AM CST] Checking aaaa.zone for _acme-challenge.aaaa.zone
[Sun 13 Aug 2023 12:03:50 AM CST] Domain aaaa.zone '_acme-challenge.aaaa.zone' success.
[Sun 13 Aug 2023 12:03:50 AM CST] All success, let's return
[Sun 13 Aug 2023 12:03:50 AM CST] Verifying: aaaa.zone
[Sun 13 Aug 2023 12:03:51 AM CST] Processing, The CA is processing your order, please just wait. (1/30)
[Sun 13 Aug 2023 12:03:57 AM CST] Success
[Sun 13 Aug 2023 12:03:57 AM CST] Verifying: *.aaaa.zone
[Sun 13 Aug 2023 12:03:58 AM CST] Processing, The CA is processing your order, please just wait. (1/30)
[Sun 13 Aug 2023 12:04:03 AM CST] Success
[Sun 13 Aug 2023 12:04:03 AM CST] Removing DNS records.
[Sun 13 Aug 2023 12:04:03 AM CST] Removing txt: YI2uGn8WOKDtjjRrgXfIBgvlfFTx25i8vlHJ0LndFTE for domain: _acme-challenge.aaaa.zone
[Sun 13 Aug 2023 12:04:06 AM CST] Removed: Success
[Sun 13 Aug 2023 12:04:06 AM CST] Removing txt: gV94Cb2D6ZloN3Ulj57UWaJag9Mb411sdv6akWjbOQk for domain: _acme-challenge.aaaa.zone
[Sun 13 Aug 2023 12:04:09 AM CST] Removed: Success
[Sun 13 Aug 2023 12:04:09 AM CST] Verify finished, start to sign.
[Sun 13 Aug 2023 12:04:09 AM CST] Lets finalize the order.
[Sun 13 Aug 2023 12:04:09 AM CST] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/L8o0rRbNdCsG093pLV1Gtg/finalize'
[Sun 13 Aug 2023 12:04:13 AM CST] Order status is processing, lets sleep and retry.
[Sun 13 Aug 2023 12:04:13 AM CST] Retry after: 15
[Sun 13 Aug 2023 12:04:29 AM CST] Polling order status: https://acme.zerossl.com/v2/DV90/order/L8o0rRbNdCsG093pLV1Gtg
[Sun 13 Aug 2023 12:04:33 AM CST] Downloading cert.
[Sun 13 Aug 2023 12:04:33 AM CST] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/g8jZwKG0bW_Uie-aNPdoaQ'
[Sun 13 Aug 2023 12:04:35 AM CST] Cert success.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[Sun 13 Aug 2023 12:04:35 AM CST] Your cert is in: /root/.acme.sh/aaaa.zone_ecc/aaaa.zone.cer
[Sun 13 Aug 2023 12:04:35 AM CST] Your cert key is in: /root/.acme.sh/aaaa.zone_ecc/aaaa.zone.key
[Sun 13 Aug 2023 12:04:35 AM CST] The intermediate CA cert is in: /root/.acme.sh/aaaa.zone_ecc/ca.cer
[Sun 13 Aug 2023 12:04:35 AM CST] And the full chain certs is there: /root/.acme.sh/aaaa.zone_ecc/fullchain.cer

# crontab -l
58 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

nginx example

acme did the following:

  • Called the cloudflare api to add dns records
  • Called the Let's Encrypt API (in the logs above the default CA is ZeroSSL) to validate and issue the certificate
  • Fetched the certificate
  • Removed the dns records
  • Added a scheduled task that renews the certificate periodically

As you can see, the certificate files have been placed under /root/.acme.sh/*.bwbit.com_ecc.

tips:

  • The files to configure in nginx are fullchain.cer and *.bwbit.com.key; do not use *.bwbit.com.cer (it is the leaf certificate alone, without the intermediate CA certificate that is in ca.cer).
  • By default the generated certificates are placed in the install directory ~/.acme.sh/. Do not use the files in this directory directly, e.g. do not point the nginx/apache config at them. These files are for internal use and the directory layout may change.

    The correct way is the --install-cert command with the target locations specified; the certificate files are then copied to those locations, for example:

    acme.sh --install-cert -d example.com \
    --key-file       /path/to/keyfile/in/nginx/key.pem \
    --fullchain-file /path/to/fullchain/nginx/cert.pem

Configure HTTPS in nginx:

# edit the nginx config file
# vim /etc/nginx/conf.d/bwbit.com.conf
server {
  listen 80;
  server_name img.bwbit.com;

  # redirect to HTTPS
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl http2;
  server_name img.bwbit.com;

  # per the tip above, point these at the copies made by --install-cert rather than at ~/.acme.sh
  ssl_certificate     /root/.acme.sh/*.bwbit.com_ecc/fullchain.cer;
  ssl_certificate_key /root/.acme.sh/*.bwbit.com_ecc/*.bwbit.com.key;
  ssl_session_timeout 5m;
  ssl_protocols TLSv1.2 TLSv1.3;   # TLSv1 and TLSv1.1 are deprecated; the value is case-sensitive
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  ssl_prefer_server_ciphers on;

  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    # "frps" is an upstream defined elsewhere in this nginx configuration
    proxy_pass https://frps;
  }
}

# reload nginx
nginx -s reload
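The following script, added for this article and not the post's own commands nor part of acme.sh, applies the tip above: it copies the certificate out of ~/.acme.sh with --install-cert into a directory that belongs to nginx, has acme.sh reload nginx after every renewal via --reloadcmd, and verifies the installed pair before it is relied on. The target directory /etc/nginx/ssl/<domain>, the file names key.pem and fullchain.pem, and the function names are assumptions of this example; --ecc, --key-file, --fullchain-file and --reloadcmd are real acme.sh options.

```shell
#!/bin/sh
# Added example for this article; not the post's own commands and not part of
# acme.sh. Installs an issued certificate into an nginx-owned directory and
# checks that the installed key and certificate belong together.

ACME_SH=${ACME_SH:-$HOME/.acme.sh/acme.sh}

# Directory that receives the installed files (assumed layout). The leading
# "*." of a wildcard domain is dropped so the path contains no glob character.
cert_dir() {
    printf '/etc/nginx/ssl/%s' "$(printf '%s' "$1" | sed 's/^\*\.//')"
}

# Print (do not run) the --install-cert command for a certificate acme.sh has
# already issued; $1 is the first -d value used with --issue. The logs above
# show the cert in a *_ecc directory, i.e. an ECC key, so --ecc selects it.
install_cert_cmd() {
    domain=$1
    dir=$(cert_dir "$domain")
    printf '%s --install-cert --ecc -d "%s" --key-file %s/key.pem --fullchain-file %s/fullchain.pem --reloadcmd "nginx -s reload"\n' \
        "$ACME_SH" "$domain" "$dir" "$dir"
}

# Succeed if the public key inside the certificate equals the public key
# derived from the private key: catches a stale key.pem beside a renewed
# fullchain.pem, which nginx would otherwise refuse to start with.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed if the leaf certificate (first PEM block of fullchain.pem) is still
# valid in $2 days (default 30), the margin acme.sh's cron job renews within.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( ${2:-30} * 86400 ))" -in "$1"
}

# Usage: sh install.sh --install '*.bwbit.com'   (run as the user that owns ~/.acme.sh)
if [ "${1:-}" = "--install" ] && [ -n "${2:-}" ]; then
    dir=$(cert_dir "$2")
    mkdir -p "$dir" && chmod 700 "$dir"
    cmd=$(install_cert_cmd "$2")
    echo "$cmd"
    eval "$cmd"
    if cert_matches_key "$dir/fullchain.pem" "$dir/key.pem" && cert_valid_for_days "$dir/fullchain.pem" 30; then
        echo "installed pair under $dir is consistent and valid for 30+ days"
    else
        echo "installed pair under $dir failed verification" >&2
        exit 1
    fi
fi
```

With this in place, the two ssl_ directives in the nginx config above would reference /etc/nginx/ssl/bwbit.com/fullchain.pem and /etc/nginx/ssl/bwbit.com/key.pem instead of the ~/.acme.sh paths, and acme.sh re-copies the files and reloads nginx on every renewal, so the deployed certificate never silently falls behind the renewed one.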

Summary

Free, unlimited, wildcard, auto-renewing.

Use it!

pengyinwei
Copyright notice: original article on this site, published by pengyinwei on 2023-08-14, 14006 characters in total.
Reprint notice: unless otherwise stated, articles on this site are released under the CC-4.0 licence; please credit the source when reprinting: https://www.opshub.cn