当前位置：网站首页>使用acme.sh自动申请免费SSL证书

使用acme.sh自动申请免费SSL证书

2022-06-11 05:01:00 【aben_sky】

官方文档: https://github.com/acmesh-official/acme.sh#1-how-to-install

使用环境为 ubuntu 20

安装 acme.sh

cd /home
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh

#切换到root, 这是推荐的, 以免cron任务执行权限遇到问题
sudo su

#安装, 指定证书全部放到 /etc/nginx/conf.d.my/ssl_cert 下, 方便管理
./acme.sh --install --cert-home /etc/nginx/conf.d.my/ssl_cert --email [email protected]

安装命令执行过程:

[email protected]:/home/ubuntu/acme.sh# ./acme.sh --install --cert-home /etc/nginx/conf.d.my/ssl_cert --email [email protected]
[Wed 20 Apr 2022 01:39:18 PM CST] It is recommended to install socat first.
[Wed 20 Apr 2022 01:39:18 PM CST] We use socat for standalone server if you use standalone mode.
[Wed 20 Apr 2022 01:39:18 PM CST] If you don't use standalone mode, just ignore this warning.
[Wed 20 Apr 2022 01:39:18 PM CST] Installing to /root/.acme.sh
[Wed 20 Apr 2022 01:39:18 PM CST] Installed to /root/.acme.sh/acme.sh
[Wed 20 Apr 2022 01:39:18 PM CST] Installing alias to '/root/.bashrc'
[Wed 20 Apr 2022 01:39:18 PM CST] OK, Close and reopen your terminal to start using acme.sh
[Wed 20 Apr 2022 01:39:18 PM CST] Installing cron job
[Wed 20 Apr 2022 01:39:18 PM CST] Good, bash is found, so change the shebang to use bash as preferred.
[Wed 20 Apr 2022 01:39:19 PM CST] OK

安装目录是 /root/.acme.sh , 完整路径为 /root/.acme.sh/acme.sh
创建了一个别名到 /root/.bashrc
.bashrc 是存储每个用户的临时变量用的, 比如命令行的别名等.
创建了一个定时任务, 可以用 crontab -l 查看.

[email protected]:/home/ubuntu/acme.sh# crontab -l
18 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

注意: 程序自动添加的cron计划的"分钟", 不是一个固定值

指定证书全部放到 /etc/nginx/conf.d.my/ssl_cert 下, 方便管理

使用acme.sh生成证书

使用 HTTP 方式

使用api方式进行域名解析的方式, 这里不做研究

需要先确保http方式可以访问(域名解析, nginx下绑定)

给域名 a.pipiho.com 申请证书, 网站根目录为 /www/webroot/pipiho.com/ , 脚本如下:

./acme.sh --issue -d a.pipiho.com --webroot /www/webroot/pipiho.com/
#完整路径
/root/.acme.sh/acme.sh --issue -d a.pipiho.com --webroot /www/webroot/pipiho.com/

如果要申请 www.pipiho.com 的证书, 务必要填写两个域名: -d pipiho.com -d www.pipiho.com . 且文件夹&文件名是以第一个域名为准的.

执行过程:

[email protected]:/home/ubuntu/acme.sh# ./acme.sh --issue -d a.pipiho.com --webroot /www/webroot/pipiho.com/
[Wed 20 Apr 2022 02:01:10 PM CST] Using CA: https://acme.zerossl.com/v2/DV90
[Wed 20 Apr 2022 02:01:10 PM CST] Creating domain key
[Wed 20 Apr 2022 02:01:10 PM CST] The domain key is here: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/a.pipiho.com.key
[Wed 20 Apr 2022 02:01:10 PM CST] Single domain='a.pipiho.com'
[Wed 20 Apr 2022 02:01:10 PM CST] Getting domain auth token for each domain
[Wed 20 Apr 2022 02:01:26 PM CST] Getting webroot for domain='a.pipiho.com'
[Wed 20 Apr 2022 02:01:26 PM CST] Verifying: a.pipiho.com
[Wed 20 Apr 2022 02:01:33 PM CST] Processing, The CA is processing your order, please just wait. (1/30)
[Wed 20 Apr 2022 02:01:42 PM CST] Success
[Wed 20 Apr 2022 02:01:42 PM CST] Verify finished, start to sign.
[Wed 20 Apr 2022 02:01:42 PM CST] Lets finalize the order.
[Wed 20 Apr 2022 02:01:42 PM CST] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/NT-xxxxxxxxxx/finalize'
[Wed 20 Apr 2022 02:01:43 PM CST] Order status is processing, lets sleep and retry.
[Wed 20 Apr 2022 02:01:43 PM CST] Retry after: 15
[Wed 20 Apr 2022 02:01:59 PM CST] Polling order status: https://acme.zerossl.com/v2/DV90/order/NT-xxxxxxxxxxxxxx
[Wed 20 Apr 2022 02:02:06 PM CST] Downloading cert.
[Wed 20 Apr 2022 02:02:06 PM CST] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/xxxxxxxxxxxxxx'
[Wed 20 Apr 2022 02:02:18 PM CST] Cert success.
-----BEGIN CERTIFICATE-----
证书内容, 省略
-----END CERTIFICATE-----
[Wed 20 Apr 2022 02:02:18 PM CST] Your cert is in: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/a.pipiho.com.cer
[Wed 20 Apr 2022 02:02:18 PM CST] Your cert key is in: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/a.pipiho.com.key
[Wed 20 Apr 2022 02:02:18 PM CST] The intermediate CA cert is in: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/ca.cer
[Wed 20 Apr 2022 02:02:18 PM CST] And the full chain certs is there: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/fullchain.cer

申请证书的过程中, 会在网站根目录下生成 .well-known 文件夹及文件, 验证通过后就会删除.