Automatic issuance, renewal and deployment of domain certificates with the acme.sh script
阿新 • Published: 2020-08-26
acme.sh install on Ubuntu: automatically requesting a domain SSL certificate
- As of 20200825, a website that does not encrypt with HTTPS is flagged by most browsers with a big "Not secure" label; it looks bad, and it really is insecure
- This article aims to fix that and give you a site that is pleasant to visit, heh
- Using the acme.sh script: automatic request, issuance and deployment of domain certificates, plus automatic renewal and redeployment
1. Install acme.sh
- Both a normal user and root can install and use it, but installing as root is recommended
- Usage notes:
https://github.com/acmesh-official/acme.sh/wiki/How-to-install
1.1. Script install
curl https://get.acme.sh | sh
# or
wget -O - https://get.acme.sh | sh
1.2. Git repository install
# Simple install
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install
# Or a customised install
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
./acme.sh --install \
  --home ~/myacme \
  --config-home ~/myacme/data \
  --cert-home ~/mycerts \
  --accountemail "[email protected]" \
  --accountkey ~/myaccount.key \
  --accountconf ~/myaccount.conf \
  --useragent "this is my client."
----------------------
--home is a customized dir to install acme.sh in. By default, it installs into ~/.acme.sh
--config-home is a writable folder, acme.sh will write all the files (including cert/keys, configs) there. By default, it's in --home
--cert-home is a customized dir to save the certs you issue. By default, it's saved in --config-home.
--accountemail is the email used to register account to Let's Encrypt, you will receive renewal notice email here. Default is empty.
--accountkey is the file saving your account private key. By default it's saved in --config-home.
--useragent is the user-agent header value used to send to Let's Encrypt.
----------------------
- Note: after the install completes, log out of the console and back in so that the acme.sh command takes effect
- Example run:
--------------------------------------
root@Controller:/opt/scripts# curl https://get.acme.sh | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   775    0   775    0     0    612      0 --:--:--  0:00:01 --:--:--   612
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  201k  100  201k    0     0  27932      0  0:00:07  0:00:07 --:--:-- 15894
[Tue Aug 25 17:53:16 CST 2020] Installing from online archive.
[Tue Aug 25 17:53:16 CST 2020] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Tue Aug 25 17:53:27 CST 2020] Extracting master.tar.gz
[Tue Aug 25 17:53:27 CST 2020] It is recommended to install socat first.
[Tue Aug 25 17:53:27 CST 2020] We use socat for standalone server if you use standalone mode.
[Tue Aug 25 17:53:27 CST 2020] If you don't use standalone mode, just ignore this warning.
[Tue Aug 25 17:53:27 CST 2020] Installing to /root/.acme.sh
[Tue Aug 25 17:53:27 CST 2020] Installed to /root/.acme.sh/acme.sh
[Tue Aug 25 17:53:27 CST 2020] Installing alias to '/root/.bashrc'
[Tue Aug 25 17:53:27 CST 2020] OK, Close and reopen your terminal to start using acme.sh
[Tue Aug 25 17:53:27 CST 2020] Installing cron job
[Tue Aug 25 17:53:27 CST 2020] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Aug 25 17:53:28 CST 2020] OK
[Tue Aug 25 17:53:28 CST 2020] Install success!
--------------------------------------
- What the install actually does:
1. Installs acme.sh into your home directory and creates a bash alias for convenience:
ll ~/.acme.sh/
alias acme.sh=~/.acme.sh/acme.sh
2. Creates a cron job that checks all certificates every day at 00:27; any certificate that is close to expiry and needs renewal is renewed automatically
For more advanced install options see: https://github.com/Neilpang/acme.sh/wiki/How-to-install
The install does not touch any existing system function or file; all changes are confined to the install directory: ~/.acme.sh/
2. Requesting a certificate
- The tool must prove that it controls the given domain (domain ownership validation)
- HTTP validation places requirements on the web service installed on the server: a web server must be present
- If the environment is not suitable for that, a certificate can be generated via the DNS API method instead, which is also more convenient
2.1. Generating a certificate with HTTP validation
2.1.1. Generating the validation file yourself
acme.sh --issue -d www.zuiyoujie.com --webroot /home/wwwroot/www.zuiyoujie.com/
# This method requires that the user can upload files to the HTTP server; the simplest setup is to run the acme.sh script on the HTTP server itself
# The command takes the domain and the web root of that domain's site; acme.sh writes the validation file into the web root, completes validation, and then removes the file automatically
2.1.2. Validating through the web server's configuration
# If the web service is Apache installed via apt or yum, acme.sh can complete validation from the Apache configuration automatically, without specifying the web root
acme.sh --issue -d www.zuiyoujie.com --apache
# If the web service is nginx installed via apt or yum, or a reverse proxy, acme.sh can complete validation from the nginx configuration automatically; you do not need to specify the web root:
acme.sh --issue -d www.zuiyoujie.com --nginx
# If no web service is running on the server and port 80 is free, acme.sh can act as a web server itself, listen on port 80 temporarily and complete validation:
acme.sh --issue -d www.zuiyoujie.com --standalone
2.2. Generating a certificate by validating through the DNS provider's API
- Characteristics: no web server and no public IP are needed, but without an AK/SK (API key id and secret) configured, automatic renewal cannot be set up
2.2.1. Manual DNS validation
# Run the following command and add the TXT record it returns to the domain's DNS zone
acme.sh --issue --dns -d www.zuiyoujie.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
# Once the record has propagated, generate the certificate with:
acme.sh --renew -d www.zuiyoujie.com
2.2.2. Automatic DNS validation
- The major DNS providers are supported (115 of them); see the address below for details:
- Detailed API usage:
https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md
- Alibaba Cloud DNS is used as the example here:
# Export the AK/SK; the API id and key are recorded automatically in account.conf, no other file needs changing
# Editing account.conf also lets you enable logging
# The exact variable names can be found in the document above or in the scripts under the dnsapi directory
export Ali_Key="AKAKAKAK"        # placeholder values, substitute your own key id and secret
export Ali_Secret="SKSKSKSK"
# Validate DNS automatically and generate the domain certificate
acme.sh --issue --dns dns_ali -d www.zuiyoujie.com # a certificate for a single domain
acme.sh --issue --dns dns_ali -d zuiyoujie.com -d *.zuiyoujie.com # a certificate for the first-level domain plus the wildcard for its second-level domains
# Note: a directory named after the first domain is created in the working directory; it holds the generated configuration and certificate files
# Several domains may be given, but they must not overlap, e.g. www.zuiyoujie.com together with *.zuiyoujie.com, since the latter already covers the former
# Force re-issuing the certificate (resets its validity period)
acme.sh --renew --dns dns_ali -d www.zuiyoujie.com
# If the certificate has not expired yet, the --force parameter is needed to force re-issuing
acme.sh --renew --dns dns_ali -d www.zuiyoujie.com --force
# List the existing certificates
acme.sh --list
# Remove the given certificate (does not delete the certificate directory and files)
acme.sh --remove -d www.zuiyoujie.com
# Or delete the certificate directory directly
rm -rf www.zuiyoujie.com
- Note: requesting a wildcard certificate requires -d zuiyoujie.com -d *.zuiyoujie.com; the explanation follows:
# Things to note about wildcard domains:
1. A wildcard domain is a domain containing a wildcard; it only stands for all second-level domains
   "com", "cn" and the like are top-level domains
   "zuiyoujie.com" is a first-level (apex) domain
   "www.zuiyoujie.com" is a second-level domain
   "blog.www.zuiyoujie.com" is a third-level domain
   "*.zuiyoujie.com" is a wildcard domain covering all second-level domains
   but it does not include the first-level domain "zuiyoujie.com" or the third-level domain "blog.www.zuiyoujie.com"
2. A single wildcard certificate therefore does not serve every site;
   you need to request the certificate for both the wildcard "*.zuiyoujie.com" and the first-level domain "zuiyoujie.com"
3. Third-level domains need their own certificate
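The coverage rule above can be checked mechanically before the request is sent. The following is an added example, not code from the original post or from acme.sh: a POSIX shell helper that decides whether a wildcard name covers a hostname exactly as stated (one label below the wildcard's base, never the apex and never a deeper name) and builds the -d argument list for a single acme.sh --issue call, keeping the first name first (acme.sh names the certificate directory after it) and dropping duplicates and any hostname that a wildcard in the same list already covers. The domain names are the post's own; the function names are this example's.

```shell
#!/bin/sh
# Added example: wildcard coverage check and -d argument builder for acme.sh.
# Not part of acme.sh; the function names are this example's own.

# wildcard_covers WILDCARD HOST
# Succeeds only if WILDCARD has the form "*.base" and HOST is exactly one
# label below base: "*.zuiyoujie.com" covers "www.zuiyoujie.com" but neither
# "zuiyoujie.com" (the first-level domain) nor "blog.www.zuiyoujie.com"
# (a third-level domain).
wildcard_covers() {
  base=${1#\*.}
  # not a wildcard name at all
  [ "$1" = "*.$base" ] || return 1
  # HOST must end in ".base"
  case "$2" in
    *."$base") ;;
    *) return 1 ;;
  esac
  # the part in front of ".base" must be one non-empty label without dots
  label=${2%."$base"}
  case "$label" in
    ''|*.*) return 1 ;;
  esac
  return 0
}

# acme_domain_args NAME...
# Prints the "-d" arguments for one acme.sh --issue call: first name stays
# first, exact duplicates are dropped, and any name covered by a wildcard in
# the same list is dropped (the post warns that such lists must not overlap).
acme_domain_args() {
  out=""
  sep=""
  for name in "$@"; do
    skip=0
    for other in "$@"; do
      if [ "$other" != "$name" ] && wildcard_covers "$other" "$name"; then
        skip=1
      fi
    done
    case " $out " in
      *" -d $name "*) skip=1 ;;
    esac
    if [ "$skip" -eq 0 ]; then
      out="$out$sep-d $name"
      sep=" "
    fi
  done
  printf '%s\n' "$out"
}

# Command-line use: ./acme_args.sh zuiyoujie.com '*.zuiyoujie.com' www.zuiyoujie.com
# prints: -d zuiyoujie.com -d *.zuiyoujie.com
if [ $# -gt 0 ]; then
  acme_domain_args "$@"
fi
```

Quote the wildcard on the command line so the shell does not expand it, and pass the printed arguments on to `acme.sh --issue --dns dns_ali`; a third-level name such as blog.www.zuiyoujie.com is kept in the output because the wildcard does not cover it, which matches rule 3 above.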
- Example run:
# Issuing a new certificate
-----------------------------------------------
root@Controller:~/.acme.sh# acme.sh --issue --dns dns_ali -d www.zuiyoujie.com
[Tue Aug 25 21:01:00 CST 2020] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue Aug 25 21:01:00 CST 2020] Creating domain key
[Tue Aug 25 21:01:00 CST 2020] The domain key is here: /root/.acme.sh/www.zuiyoujie.com/www.zuiyoujie.com.key
[Tue Aug 25 21:01:00 CST 2020] Single domain='www.zuiyoujie.com'
[Tue Aug 25 21:01:00 CST 2020] Getting domain auth token for each domain
[Tue Aug 25 21:01:12 CST 2020] Getting webroot for domain='www.zuiyoujie.com'
[Tue Aug 25 21:01:12 CST 2020] Adding txt value: TX4Rh-fS04vBqvfn3LwhtkbqOCTRaAb7OIaXIfgC_xU for domain: _acme-challenge.www.zuiyoujie.com
[Tue Aug 25 21:01:15 CST 2020] The txt record is added: Success.
[Tue Aug 25 21:01:15 CST 2020] Let's check each DNS record now. Sleep 20 seconds first.
[Tue Aug 25 21:01:37 CST 2020] Checking www.zuiyoujie.com for _acme-challenge.www.zuiyoujie.com
[Tue Aug 25 21:01:39 CST 2020] Domain www.zuiyoujie.com '_acme-challenge.www.zuiyoujie.com' success.
[Tue Aug 25 21:01:39 CST 2020] All success, let's return
[Tue Aug 25 21:01:39 CST 2020] Verifying: www.zuiyoujie.com
[Tue Aug 25 21:01:46 CST 2020] Success
[Tue Aug 25 21:01:46 CST 2020] Removing DNS records.
[Tue Aug 25 21:01:46 CST 2020] Removing txt: TX4Rh-fS04vBqvfn3LwhtkbqOCTRaAb7OIaXIfgC_xU for domain: _acme-challenge.www.zuiyoujie.com
[Tue Aug 25 21:01:51 CST 2020] Removed: Success
[Tue Aug 25 21:01:51 CST 2020] Verify finished, start to sign.
[Tue Aug 25 21:01:51 CST 2020] Lets finalize the order.
[Tue Aug 25 21:01:51 CST 2020] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/94832153/4856970603'
[Tue Aug 25 21:01:54 CST 2020] Downloading cert.
[Tue Aug 25 21:01:54 CST 2020] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/037e802113f60dd7f59c52ec4d303b680e5e'
[Tue Aug 25 21:01:56 CST 2020] Cert success.
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
[Tue Aug 25 21:01:56 CST 2020] Your cert is in /root/.acme.sh/www.zuiyoujie.com/www.zuiyoujie.com.cer
[Tue Aug 25 21:01:56 CST 2020] Your cert key is in /root/.acme.sh/www.zuiyoujie.com/www.zuiyoujie.com.key
[Tue Aug 25 21:01:56 CST 2020] The intermediate CA cert is in /root/.acme.sh/www.zuiyoujie.com/ca.cer
[Tue Aug 25 21:01:56 CST 2020] And the full chain certs is there: /root/.acme.sh/www.zuiyoujie.com/fullchain.cer
root@Controller:~/.acme.sh#
-----------------------------------------------
# Renewing the certificate
-----------------------------------------------
root@Controller:~/.acme.sh# acme.sh --renew --dns dns_ali -d www.zuiyoujie.com
[Tue Aug 25 21:05:50 CST 2020] Renew: 'www.zuiyoujie.com'
[Tue Aug 25 21:05:50 CST 2020] Skip, Next renewal time is: Sat Oct 24 13:01:56 UTC 2020
[Tue Aug 25 21:05:50 CST 2020] Add '--force' to force to renew.
-----------------------------------------------
# Force-renewing the certificate
-----------------------------------------------
root@Controller:~/.acme.sh# acme.sh --renew --dns dns_ali -d www.zuiyoujie.com --force
[Tue Aug 25 21:06:54 CST 2020] Renew: 'www.zuiyoujie.com'
[Tue Aug 25 21:06:56 CST 2020] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue Aug 25 21:06:56 CST 2020] Single domain='www.zuiyoujie.com'
[Tue Aug 25 21:06:56 CST 2020] Getting domain auth token for each domain
[Tue Aug 25 21:07:03 CST 2020] Getting webroot for domain='www.zuiyoujie.com'
[Tue Aug 25 21:07:03 CST 2020] www.zuiyoujie.com is already verified, skip dns-01.
[Tue Aug 25 21:07:03 CST 2020] Verify finished, start to sign.
[Tue Aug 25 21:07:03 CST 2020] Lets finalize the order.
[Tue Aug 25 21:07:03 CST 2020] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/94832153/4857032854'
[Tue Aug 25 21:07:54 CST 2020] Downloading cert.
[Tue Aug 25 21:07:54 CST 2020] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/0391b18a4ab17af2f18fa21da8d2b6234b89'
[Tue Aug 25 21:07:55 CST 2020] Cert success.
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
[Tue Aug 25 21:07:55 CST 2020] Your cert is in /root/.acme.sh/www.zuiyoujie.com/www.zuiyoujie.com.cer
[Tue Aug 25 21:07:55 CST 2020] Your cert key is in /root/.acme.sh/www.zuiyoujie.com/www.zuiyoujie.com.key
[Tue Aug 25 21:07:55 CST 2020] The intermediate CA cert is in /root/.acme.sh/www.zuiyoujie.com/ca.cer
[Tue Aug 25 21:07:55 CST 2020] And the full chain certs is there: /root/.acme.sh/www.zuiyoujie.com/fullchain.cer
-----------------------------------------------
# Listing the certificates that have been issued
-----------------------------------------------
root@Controller:~/.acme.sh# acme.sh --list
Main_Domain KeyLength SAN_Domains CA Created Renew
www.zuiyoujie.com "" no LetsEncrypt.org Tue Aug 25 13:07:55 UTC 2020 Sat Oct 24 13:07:55 UTC 2020
zuiyoujie.com "" *.zuiyoujie.com LetsEncrypt.org Tue Aug 25 11:34:27 UTC 2020 Sat Oct 24 11:34:27 UTC 2020
-----------------------------------------------
3. Installing the certificate (copy)
- Once the certificate has been generated, it has to be copied to the place where it is actually used.
- Note:
  By default the generated certificates live in the install directory ~/.acme.sh/; do not use the files in this directory directly
  These files are for internal use and the directory layout may change
  For example, do not point the nginx/apache configuration at the files under this directory
  The correct way is the --install-cert command with a target location; the certificate files are then copied there
- Example run:
# apache2 example:
acme.sh --install-cert -d www.zuiyoujie.com \
--cert-file /data/wwwroot/www.zuiyoujie.com/ssl/www.zuiyoujie.com.crt \
--key-file /data/wwwroot/www.zuiyoujie.com/ssl/www.zuiyoujie.com.key \
--fullchain-file /data/wwwroot/www.zuiyoujie.com/ssl/fullchain.pem \
--reloadcmd "service apache2 force-reload"
# nginx example:
acme.sh --install-cert -d zuiyoujie.com \
--fullchain-file /usr/local/openresty/nginx/conf/ssl/all.zuiyoujie.com.crt \
--key-file /usr/local/openresty/nginx/conf/ssl/all.zuiyoujie.com.key \
--reloadcmd "nginx -s reload"
- Note:
  1. The commands above do not generate a certificate; they look up the given domain's directory in the certificate store and copy from it, so the certificate must already exist
  2. The -d parameter takes the domain; for a multi-domain certificate, give the first domain of the request, i.e. the name of the certificate's folder
  3. This is a manual deployment; the settings given here are written into the configuration file inside the domain folder, so later renewals can be deployed automatically as well
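Because the --reloadcmd recorded here runs unattended on every future renewal, it is worth letting it refuse to reload when the files just copied into place are wrong. The following is an added example, not code from the original post or from acme.sh, and it assumes the openssl command-line tool is installed: it checks that the deployed key really belongs to the deployed certificate and that the certificate is not about to expire, and only then runs the reload command as a shell string, the way the --reloadcmd values above are run. The function names and the script path in the comment are this example's own.

```shell
#!/bin/sh
# Added example: sanity checks to run before the web server reloads a
# certificate that acme.sh --install-cert has copied into place. Not part of
# acme.sh; assumes the openssl CLI. Function names are this example's own.

# cert_key_match CERT KEY
# Succeeds only if KEY is the private key belonging to CERT (both PEM). The
# public key is extracted from each side and compared as text.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for CERT DAYS
# Succeeds only if CERT is still valid DAYS days from now; openssl -checkend
# exits non-zero when the certificate expires within the given window.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# safe_reload CERT KEY MIN_DAYS RELOADCMD
# Runs RELOADCMD (a shell string, like the value of --reloadcmd) only when the
# deployed files pass both checks; otherwise it refuses, and the server keeps
# serving the certificate it already has loaded.
safe_reload() {
  if ! cert_key_match "$1" "$2"; then
    echo "refusing reload: $2 is not the private key for $1" >&2
    return 1
  fi
  if ! cert_valid_for "$1" "$3"; then
    echo "refusing reload: $1 expires within $3 days" >&2
    return 1
  fi
  eval "$4"
}

# Command-line use (four arguments), e.g. saved as /usr/local/bin/safe_reload.sh
# (hypothetical path) and given to acme.sh as:
#   --reloadcmd "safe_reload.sh /etc/ssl/site/fullchain.pem /etc/ssl/site/site.key 30 'nginx -s reload'"
if [ $# -eq 4 ]; then
  safe_reload "$@"
fi
```

Point the first two arguments at the same files named in --fullchain-file and --key-file; with the 30-day window, a freshly renewed certificate always passes, while a stale copy left behind by a failed renewal is rejected before nginx or apache2 is told to reload it.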
4. Renewing the domain certificate
- A scheduled task runs shortly after midnight every day; the install script already set it up, so just check it
- The command checks the validity of the existing certificates and re-issues them automatically one month before expiry (certificates are valid for 90 days)
crontab -e
-----------------------------
27 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
-----------------------------
- Example run:
---------------------------------
root@Controller:~/.acme.sh# "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
[Tue Aug 25 19:38:43 CST 2020] ===Starting cron===
[Tue Aug 25 19:38:43 CST 2020] Already uptodate!
[Tue Aug 25 19:38:43 CST 2020] Upgrade success!
[Tue Aug 25 19:38:43 CST 2020] Auto upgraded to: 2.8.7
[Tue Aug 25 19:38:43 CST 2020] Renew: '39sky.com'
[Tue Aug 25 19:38:43 CST 2020] Skip, Next renewal time is: Sat Oct 24 11:25:42 UTC 2020
[Tue Aug 25 19:38:43 CST 2020] Add '--force' to force to renew.
[Tue Aug 25 19:38:43 CST 2020] Skipped 39sky.com
[Tue Aug 25 19:38:43 CST 2020] Renew: 'zuiyoujie.com'
[Tue Aug 25 19:38:43 CST 2020] Skip, Next renewal time is: Sat Oct 24 11:34:27 UTC 2020
[Tue Aug 25 19:38:43 CST 2020] Add '--force' to force to renew.
[Tue Aug 25 19:38:43 CST 2020] Skipped zuiyoujie.com
[Tue Aug 25 19:38:43 CST 2020] ===End cron===
------------------------------------
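The crontab line above sends the job's standard output to /dev/null, so a renewal that fails every night is easy to miss until the certificate expires. The following is an added example, not code from the original post or from acme.sh: it parses the --cron output into a per-domain status (the two "Skip" entries in the sample are taken from the run shown above; the final failed entry is a constructed line, since acme.sh reports errors on stderr and the exact wording is assumed), and a wrapper runs the real cron command with its output captured so that cron mails a status summary and a non-zero exit whenever a renewal failed. The function names, the sample log and the log file path are this example's own.

```shell
#!/bin/sh
# Added example: turn "acme.sh --cron" output into a per-domain status report
# and a non-zero exit when any renewal failed. Not part of acme.sh; the
# function names are this example's own.

# Constructed sample log, not a real run. The two skipped domains follow the
# post's own cron output; the last entry is an assumed failure (acme.sh writes
# errors to stderr, so capture real runs with 2>&1 before piping them here).
SAMPLE_LOG=$(cat <<'EOF'
[Tue Aug 25 19:38:43 CST 2020] ===Starting cron===
[Tue Aug 25 19:38:43 CST 2020] Renew: '39sky.com'
[Tue Aug 25 19:38:43 CST 2020] Skip, Next renewal time is: Sat Oct 24 11:25:42 UTC 2020
[Tue Aug 25 19:38:43 CST 2020] Add '--force' to force to renew.
[Tue Aug 25 19:38:43 CST 2020] Skipped 39sky.com
[Tue Aug 25 19:38:43 CST 2020] Renew: 'zuiyoujie.com'
[Tue Aug 25 19:38:43 CST 2020] Skip, Next renewal time is: Sat Oct 24 11:34:27 UTC 2020
[Tue Aug 25 19:38:43 CST 2020] Add '--force' to force to renew.
[Tue Aug 25 19:38:43 CST 2020] Skipped zuiyoujie.com
[Tue Aug 25 19:38:44 CST 2020] Renew: 'www.example.test'
[Tue Aug 25 19:38:50 CST 2020] Error renew www.example.test.
[Tue Aug 25 19:38:50 CST 2020] ===End cron===
EOF
)

# acme_cron_status < LOG
# Prints "<domain> <renewed|skipped|error>" per domain in log order. A
# "Renew: '<domain>'" line opens a domain; a following "Skip," line marks it
# skipped (not due yet) and any later line containing "Error" marks it failed.
acme_cron_status() {
  awk -v q="'" '
    index($0, "] Renew: " q) {
      rest = substr($0, index($0, "] Renew: " q) + 10)   # text after the opening quote
      cur = substr(rest, 1, index(rest, q) - 1)          # up to the closing quote
      if (!(cur in st)) order[++n] = cur
      st[cur] = "renewed"
      next
    }
    cur != "" && index($0, "] Skip,") { st[cur] = "skipped"; next }
    cur != "" && index($0, "Error")   { st[cur] = "error"; next }
    END { for (i = 1; i <= n; i++) print order[i], st[order[i]] }
  '
}

# acme_cron_ok < LOG
# Succeeds only if no domain ended in the "error" state.
acme_cron_ok() {
  ! acme_cron_status | grep -q ' error$'
}

# acme_cron_checked LOGFILE
# Runs the same cron command the installer put into crontab, keeps the full
# output in LOGFILE, prints the summary and exits non-zero on any failure, so
# cron mails the summary instead of nothing. Assumes the default install path.
acme_cron_checked() {
  "$HOME/.acme.sh/acme.sh" --cron --home "$HOME/.acme.sh" > "$1" 2>&1
  acme_cron_status < "$1"
  acme_cron_ok < "$1"
}

# ./acme_cron_check.sh --demo      runs the parser on the constructed sample
# ./acme_cron_check.sh LOGFILE     runs the real cron job with checking
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | acme_cron_status
elif [ $# -eq 1 ]; then
  acme_cron_checked "$1"
fi
```

To use it, replace the crontab line with something like `27 0 * * * /root/acme_cron_check.sh /var/log/acme-cron.log` (hypothetical paths); cron stays quiet on a good night and mails the status lines, with the full log on disk, on a bad one.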
5. Updating the acme.sh script
# Manual update
acme.sh --upgrade
# Enable automatic updates
acme.sh --upgrade --auto-upgrade
# Disable automatic updates
acme.sh --upgrade --auto-upgrade 0
6. What to do when something goes wrong:
If an error occurs, add a debug log:
acme.sh --issue ..... --debug
or:
acme.sh --issue ..... --debug 2
- For more, see:
https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
7. References:
# Official repository:
https://github.com/acmesh-official/acme.sh
# Chinese documentation:
https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E