手记

acme.sh免费签发SSL证书

acme.sh 概述

  • 一个纯粹用Shell(Unix shell)语言编写的ACME协议客户端。
  • 完整的ACME协议实施。 支持ACME v1和ACME v2 支持ACME v2通配符证书
  • 简单,功能强大且易于使用。你只需要3分钟就可以学习它。
  • Let’s Encrypt免费证书客户端最简单的shell脚本。
  • 纯粹用Shell编写,不依赖于python或官方的Let’s Encrypt客户端。
  • 只需一个脚本即可自动颁发,续订和安装证书。 不需要root/sudoer访问权限。
  • 支持在Docker内使用,支持IPv6

安装 acme.sh

curl https://get.acme.sh | sh

并创建 一个 bash 的 alias, 方便你的使用: alias acme.sh=~/.acme.sh/acme.sh

生成证书

acme.sh 实现了 acme 协议支持的所有验证协议. 一般有两种方式验证: http 和 dns 验证. \

http方式

http 方式需要在你的网站根目录下放置一个文件, 来验证你的域名所有权,完成验证. 然后就可以生成证书了.

acme.sh  --issue  -d kubesre.com -d www.kubesre.com  --webroot  /application/nginx/html/

只需要指定域名, 并指定域名所在的网站根目录. acme.sh 会全自动的生成验证文件, 并放到网站的根目录, 然后自动完成验证. 最后会聪明的删除验证文件. 整个过程没有任何副作用.

如果你用的 web服务器, acme.sh 还可以智能的从 apache的配置中自动完成验证, 你不需要指定网站根目录:

acme.sh --issue  -d kubesre.com   --apache

acme.sh --issue  -d kubesre.com   --nginx

dns方式

手动 dns 方式, 手动在域名上添加一条 txt 解析记录, 验证域名所有权

这种方式的好处是, 你不需要任何服务器, 不需要任何公网 ip, 只需要 dns 的解析记录即可完成验证. 坏处是,如果不同时配置 Automatic DNS API,使用这种方式 acme.sh 将无法自动更新证书,每次都需要手动再次重新解析验证域名所有权。

acme.sh  --issue  --dns   -d kubesre.com \
 --yes-I-know-dns-manual-mode-enough-go-ahead-please

然后, acme.sh 会生成相应的解析记录显示出来, 你只需要在你的域名管理面板中添加这条 txt 记录即可.

等待解析完成之后, 重新生成证书:

acme.sh --renew -d kubesre.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Dec 21 17:21:23 CST 2021] Renew: 'kubesre.com'
[Tue Dec 21 17:21:28 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Dec 21 17:21:28 CST 2021] Multi domain='DNS:kubesre.com,DNS:www.kubesre.com'
[Tue Dec 21 17:21:28 CST 2021] Getting domain auth token for each domain
[Tue Dec 21 17:21:28 CST 2021] Verifying: kubesre.com
[Tue Dec 21 17:21:39 CST 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Dec 21 17:21:46 CST 2021] Success
[Tue Dec 21 17:21:46 CST 2021] Verifying: www.kubesre.com
[Tue Dec 21 17:21:51 CST 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Dec 21 17:21:58 CST 2021] Success
[Tue Dec 21 17:21:58 CST 2021] Verify finished, start to sign.
[Tue Dec 21 17:21:58 CST 2021] Lets finalize the order.
[Tue Dec 21 17:21:58 CST 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/5RzPnQTU0MBIaZgvOqiSkQ/finalize'
[Tue Dec 21 17:22:04 CST 2021] Order status is processing, lets sleep and retry.
[Tue Dec 21 17:22:04 CST 2021] Retry after: 15
[Tue Dec 21 17:22:20 CST 2021] Polling order status: https://acme.zerossl.com/v2/DV90/order/5RzPnQTU0MBIaZgvOqiSkQ
[Tue Dec 21 17:22:28 CST 2021] Downloading cert.
[Tue Dec 21 17:22:28 CST 2021] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/RIlS-0BCVnWMmTIzTSy69g'
[Tue Dec 21 17:22:32 CST 2021] Cert success.
-----BEGIN CERTIFICATE-----
MIIGdjCCBF6gAwIBAgIRAOXiFOW5y1AyMNreWMhPmTAwDQYJKoZIhvcNAQEMBQAw
SzELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9T
U0wgUlNBIERvbWFpbiBTZWN1cmUgU2l0ZSBDQTAeFw0yMTEyMjEwMDAwMDBaFw0y
MjAzMjEyMzU5NTlaMBYxFDASBgNVBAMTC2t1YmVzcmUuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEArkRZurTH3SNPklcWjSvXu/fsUfz3CQUJs310
cdlTTQ2z1AC2oNLiw2JWVVPe6XXopDXiboynyMuJcfu+Yyqft3zSzmK1jtGZGt4+
wP2o8uQ8ppg9zKivk6IVY2PAyw7KoP20tgvWLkB/OeRyFERO0k/BwHeLssYunOy8
CEEPH05c0aeWBaYFRy6W5aTQ5gI9F+TxHkJMwNQ9S46Ymts1vT9NGGA21yD3nC8/
qQ9yojtSHalj95no/en+o1Gwv8LSBuiD0OrgfL/UmwjYaV60Q6ZFrb1OrkRrgRn4
cb/RCMAofzUEqE3ItwsBbo41gmI6i0uECktC9SKxMlTVG0M84wIDAQABo4ICiDCC
AoQwHwYDVR0jBBgwFoAUyNl4aKLZGWjVPXLeXwo+3LWGhqYwHQYDVR0OBBYEFG5p
QAKZzOQ/Uk6L5d3Q7utQPbrfMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAA
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysG
AQQBsjEBAgJOMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BT
MAgGBmeBDAECATCBiAYIKwYBBQUHAQEEfDB6MEsGCCsGAQUFBzAChj9odHRwOi8v
emVyb3NzbC5jcnQuc2VjdGlnby5jb20vWmVyb1NTTFJTQURvbWFpblNlY3VyZVNp
dGVDQS5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly96ZXJvc3NsLm9jc3Auc2VjdGln
by5jb20wggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdQBGpVXrdfqRIDC1oolp9PN9
ESxBdL79SbiFq/L8cP5tRwAAAX3cTIkkAAAEAwBGMEQCIGaR8Z1cpbls5r76bwvW
cqhAmSxXofGdCwk4CG9to/UnAiBzb3AfHwRx/K1afFew+dUha8n5r4LdKpK2/idh
cTgNbQB3AEHIyrHfIkZKEMahOglCh15OMYsbA+vrS8do8JBilgb2AAABfdxMiOMA
AAQDAEgwRgIhAKEgFnDfhKUi9a/17W6ulKwy/JWDzW1x6GSi5wdJZUDsAiEA7jnc
2pLivTiZ189eoYQwEY+fAPLiB4Lt1MB4W3PkIk4wJwYDVR0RBCAwHoILa3ViZXNy
ZS5jb22CD3d3dy5rdWJlc3JlLmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAMU/wgqFc
m2yys2T5CRdGOl/dPNM9E5t2IMBMhzMVDr1czQRUgf6Yh/h7jkWihYqGxDVJSL8T
9KknzaRvUvDx3piGJLUyqPOQPrawI9N7bSz3ncIsv2cIzNWeDN9UVw54/Pxadl3/
2SGBay/hpV+miLcp/rr1WwoLnTU22djZRr1WjbPHxOIn3aI2CKVAzJfdYE3/N7rG
B+AOQnrmegKchxlV1EQN3lUy2hys0lNaohyWQs9GTeq7zFyrL5M4EFiG1fTO/rHw
YaY0doH8uv74W/vYCquaK033bvP7iOnm3JpfbDDez7QVLONemVf/SRRxVff2zgJx
F5m+XVZhPRoxohWm/AytUIqfDao37XnR9vBKJ4dIWNuyxWwfkuSA5d8i0wOFi5St
yvpeC0HWuuYBNJkX8yuFe3rYFh92TN6Qu3Rl19Z/QhysF9Yin1OunPia14bKxUnR
93hH827Sb5owYoC+3xx14WvzGtV6lov6siLBXhSNPbeaK9iQeWeRgxP7frLxuH3Z
0uHh1QJIoS7Gd1O6VHmqjkzOGuWuu92taDu53Bs+Xke6rXSILlPOMtI4aueTLkZL
AyyqGkcjv7Qhhj/VFmG4GZpRyBGGuFA5VbJ8PQsbjmMyn+8m5zF4Wy00Rt7xA99b
b4YhcvrzGJwehsPq6m0yjCbh3cCSd3vyGo0=
-----END CERTIFICATE-----
[Tue Dec 21 17:22:32 CST 2021] Your cert is in: /root/.acme.sh/kubesre.com/kubesre.com.cer
[Tue Dec 21 17:22:32 CST 2021] Your cert key is in: /root/.acme.sh/kubesre.com/kubesre.com.key
[Tue Dec 21 17:22:32 CST 2021] The intermediate CA cert is in: /root/.acme.sh/kubesre.com/ca.cer
[Tue Dec 21 17:22:32 CST 2021] And the full chain certs is there: /root/.acme.sh/kubesre.com/fullchain.cer

注意第二次这里用的是 --renew

dns 方式的真正强大之处在于可以使用域名解析商提供的 api 自动添加 txt 记录完成验证.

acme.sh 目前支持 cloudflare, dnspod, cloudxns, godaddy 以及 ovh 等数十种解析商的自动集成.

以 dnspod 为例, 你需要先登录到 dnspod 账号, 生成你的 api id 和 api key, 都是免费的. 然后:

export DP_Id="kube123"

export DP_Key="sADDsdasdgdsf"

acme.sh   --issue   --dns dns_dp   -d kubesre.com  -d www.kubesre.com

证书就会自动生成了. 这里给出的 api id 和 api key 会被自动记录下来, 将来你在使用 dnspod api 的时候, 就不需要再次指定了. 直接生成就好了:

acme.sh  --issue   -d  kubesre.com   --dns  dns_dp

更新证书

目前证书申请后有效期为60天

目前由于 acme 协议和 letsencrypt CA 都在频繁的更新, 因此 acme.sh 也经常更新以保持同步.

# 升级 acme.sh 到最新版
acme.sh --upgrade

# 如果你不想手动升级, 可以开启自动升级:
acme.sh  --upgrade  --auto-upgrade

#之后, acme.sh 就会自动保持更新了.

# 你也可以随时关闭自动更新:
acme.sh --upgrade  --auto-upgrade  0

修改 CA

默认 CA 将使用ZeroSSL,由于特殊需求需要更改CA,请通过下面的方式进行修改。

可以通过提供--server参数自由使用任何受支持的 CA :

acme.sh --issue -d kubesre.com --dns dns_cf --server letsencrypt

也可以通过 --set-default-ca 设置的默认 ca:

acme.sh --set-default-ca --server letsencrypt

基于CSR签发证书

通过openssl生成csr

openssl genrsa -out kubesre.com/kubesre.com.key 4096 
openssl req -new -key kubesre.com/kubesre.com.key -out kubesre.com/kubesre.com.csr -subj "/C=CN/L=Shanghai/O=kubesre/OU=shanghai/CN=kubesre.com"

基于csr签发证书

acme.sh --signcsr --csr ../intermediateca.csr --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please  --server zerossl
[Tue Dec 21 20:03:11 CST 2021] Copy csr to: /root/.acme.sh/kubesre.com/kubesre.com.csr
[Tue Dec 21 20:03:15 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Dec 21 20:03:15 CST 2021] Single domain='kubesre.com'
[Tue Dec 21 20:03:15 CST 2021] Getting domain auth token for each domain
[Tue Dec 21 20:03:27 CST 2021] Getting webroot for domain='kubesre.com'
[Tue Dec 21 20:03:27 CST 2021] Add the following TXT record:
[Tue Dec 21 20:03:27 CST 2021] Domain: '_acme-challenge.kubesre.com'
[Tue Dec 21 20:03:27 CST 2021] TXT value: 'JIuDsu6k_4xnvRZbwnkWqEIXJ17hjVHGXchrgvydC90'
[Tue Dec 21 20:03:27 CST 2021] Please be aware that you prepend _acme-challenge. before your domain
[Tue Dec 21 20:03:27 CST 2021] so the resulting subdomain will be: _acme-challenge.kubesre.com
[Tue Dec 21 20:03:27 CST 2021] Please add the TXT records to the domains, and re-run with --renew.
[Tue Dec 21 20:03:27 CST 2021] Please check log file for more details: /root/.acme.sh/acme.sh.log

配置DNS域名解析TXT记录并验证

dig @223.5.5.5 _acme-challenge.kubesre.com txt +short
"JIuDsu6k_4xnvRZbwnkWqEIXJ17hjVHGXchrgvydC90"

重试签发证书

 acme.sh --renew -d kubesre.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Dec 21 20:16:28 CST 2021] Renew: 'kubesre.com'
[Tue Dec 21 20:16:36 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Dec 21 20:16:36 CST 2021] Single domain='kubesre.com'
[Tue Dec 21 20:16:36 CST 2021] Getting domain auth token for each domain
[Tue Dec 21 20:16:36 CST 2021] Verifying: kubesre.com
[Tue Dec 21 20:16:51 CST 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Dec 21 20:17:02 CST 2021] Success
[Tue Dec 21 20:17:02 CST 2021] Verify finished, start to sign.
[Tue Dec 21 20:17:02 CST 2021] Lets finalize the order.
[Tue Dec 21 20:17:02 CST 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/OszJC-V5ka_7WYpupZ4mkQ/finalize'
[Tue Dec 21 20:17:11 CST 2021] Order status is processing, lets sleep and retry.
[Tue Dec 21 20:17:11 CST 2021] Retry after: 15
[Tue Dec 21 20:17:27 CST 2021] Polling order status: https://acme.zerossl.com/v2/DV90/order/OszJC-V5ka_7WYpupZ4mkQ
[Tue Dec 21 20:17:33 CST 2021] Downloading cert.
[Tue Dec 21 20:17:33 CST 2021] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/yeadYGbm-KLNqMWlqSzShg'
[Tue Dec 21 20:17:41 CST 2021] Cert success.
-----BEGIN CERTIFICATE-----
MIIHZDCCBUygAwIBAgIQEkvN2TAkV2mdPUF1lweQ+jANBgkqhkiG9w0BAQwFADBL
MQswCQYDVQQGEwJBVDEQMA4GA1UEChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NT
TCBSU0EgRG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTIxMTIyMTAwMDAwMFoXDTIy
MDMyMTIzNTk1OVowFjEUMBIGA1UEAxMLa3ViZXNyZS5jb20wggIiMA0GCSqGSIb3
DQEBAQUAA4ICDwAwggIKAoICAQC7gsfbCde2EVerXfzi/+1pGvePusulmh2gF+vh
IpTwdIC7tpO7cZiHVjR2BsC8XYptUqWpJtuehRLqN3PI2xdpFyGMT9EKgPcIsN3a
y619t/UlskrVbAZYqfAC4613f98WhizYL6Kb6pOuwsS2rn5XeUAXuNVDcnRJ79i4
ld8Q6H+xmOSU3XqnTNqv4Yq7F+l1nVNktpozJM0MmqI6e+saN4PlaHJZJ2Zc9dTQ
4/0tkXQizwH862c+kGHdYhEit5Kx3blgEYZ9vKPNu5mKsPdPJ0XNeXzZ7T449EcI
ONY2UwwHqxeKm13hcD0hM0OzPHS3eniHf2LX/EzIcW/uQ77ynukB45ub7xWs1ado
HKGhrY+dluxuaNUc9M8PPIYubkaeh95Ohik1ovljkUbO+AYZf28Y0c4sQYaFToqR
ogbTvl7EWdQCJQppqu4h0DZIoTHYu3yIu/KdHeqmySSE/tyyLCIyuZS7oN5ZxeEh
SojLn293qWVlj5z0ZB2Ui3vourAt7HMOy0noDusG3au6y6m69wX+jKCWYglF/b48
328GzFxPxbxWnQUD/Jf5cjUE9SN9meXivrzXS1vky0qkHJwnKTiAVNNCRGFNX5Ic
yOHAsJCteY8VUyvlngjrBnLmie4kfc5zb68qtKCnCw6fejVDzVKgwVFJK0iF2t4K
7YX3ewIDAQABo4ICdzCCAnMwHwYDVR0jBBgwFoAUyNl4aKLZGWjVPXLeXwo+3LWG
hqYwHQYDVR0OBBYEFMOIZYOY9egIBZ1T6jEPeRR3dROYMA4GA1UdDwEB/wQEAwIF
oDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJ
BgNVHSAEQjBAMDQGCysGAQQBsjEBAgJOMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8v
c2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATCBiAYIKwYBBQUHAQEEfDB6MEsGCCsG
AQUFBzAChj9odHRwOi8vemVyb3NzbC5jcnQuc2VjdGlnby5jb20vWmVyb1NTTFJT
QURvbWFpblNlY3VyZVNpdGVDQS5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly96ZXJv
c3NsLm9jc3Auc2VjdGlnby5jb20wggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgBG
pVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8cP5tRwAAAX3c7NwCAAAEAwBHMEUC
IQCiJFlodU8eOmcUXypehRIVsecs1QPROZq4GXFKn1H7yAIgWK6BZtJ5IxsYw6g6
4IFZ851k7tB6iGLKjIIBUcJNBxUAdgBByMqx3yJGShDGoToJQodeTjGLGwPr60vH
aPCQYpYG9gAAAX3c7NvUAAAEAwBHMEUCIQCdpdc7o2ZKGVkiQhBOCgFa1D28tbRd
8czfFGWEtW+cjAIgSfPwdIcMXQ3QgQ/e14L8+R33WTApmXq4RGNyhcj91n4wFgYD
VR0RBA8wDYILa3ViZXNyZS5jb20wDQYJKoZIhvcNAQEMBQADggIBABQ69j9PcoXy
WwNo+bLcxd5J1YWhvoty6AGfPQ4dFE9uHWASzQ0rfAGYahVCWrofb3utz2OQH+T4
nTwrX+vo6xS0PizF27WqjqWvfIkQ2badRoVATLg5TCkjjGz2ztIsrRsY62VwrKjF
BWmJocA3/dKqtMbPD5fiw10HGp2/armCr26P2smheqiih1ci4AJ+rcWMVQfHEhzA
u+Sr1BnJMddhhrPoJBQzBOctYrAM/C//CwmmLI2jcF8NdBTvW0QwP1bMIfaO7spO
bggaI7RJ35gHuxE07GR+JVfss1pYEOE2j9pWPqaAbeFdfW4gAatAiR6t9g6z6cdb
wV94JXRWa1GotoMXU5U8/Oq+6OD454tuPA/CwlaPR+zO94ppJ/9YhWyXy2hqGQqm
alhajJgMVE2P9kYoZTlZIgEZyICQ0XbKMzXyq8D2leEAroVdZCo5lKkR6v1ZhL6f
YlsGwOV68rVQU03euWqTIvaSUUTXBXI1ug9z19a8a3PJlMLBDpz+e/mcsw4qMIzi
557vQv/+9xR/ZSNsW+s/RBW6gTo8nrestWBRb53pfFd4LAse+WGHEA3Kgv+Fi3ra
GJWYcA4KvGRbLZ/flUmNPyyARNfLdaAMlaDtHjQUj1pEhtSnYtwnthj3Y/eiXY9H
eg0z2wcNGmZEPG19ngYf79+xLpmmZj0F
-----END CERTIFICATE-----
[Tue Dec 21 20:17:41 CST 2021] Your cert is in: /root/.acme.sh/kubesre.com/kubesre.com.cer
[Tue Dec 21 20:17:41 CST 2021] Your cert key is in: /root/.acme.sh/kubesre.com/kubesre.com.key
[Tue Dec 21 20:17:41 CST 2021] The intermediate CA cert is in: /root/.acme.sh/kubesre.com/ca.cer
[Tue Dec 21 20:17:41 CST 2021] And the full chain certs is there: /root/.acme.sh/kubesre.com/fullchain.cer
[root@ops .acme.sh]# 
0人推荐
随时随地看视频
慕课网APP