Requesting free SSL certificates with acme.sh

Installation

Install the tool

wget https://gitee.com/neilpang/acme.sh/raw/master/acme.sh
chmod +x acme.sh
./acme.sh --install -m my@example.com

Update acme.sh

# Manual upgrade
acme.sh --upgrade

# If you do not want to upgrade manually, enable automatic upgrades
acme.sh --upgrade --auto-upgrade

# You can also turn automatic upgrades off at any time:
acme.sh --upgrade --auto-upgrade 0

Switch the default certificate authority (CA)

# Switch to Let's Encrypt
acme.sh --set-default-ca --server letsencrypt
# Switch to Buypass
acme.sh --set-default-ca --server buypass
# Switch to ZeroSSL
acme.sh --set-default-ca --server zerossl
# Switch to SSL.com
acme.sh --set-default-ca --server ssl.com
# Switch to Google Public CA
acme.sh --set-default-ca --server google

Issue a certificate

Request issuance

[root@hcss-ecs-d197 ~]# acme.sh --issue -d *.outsrkem.top --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Fri Dec 13 15:08:24 CST 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Fri Dec 13 15:08:24 CST 2024] No EAB credentials found for ZeroSSL, let's get one
[Fri Dec 13 15:08:31 CST 2024] Registering account: https://acme.zerossl.com/v2/DV90
[Fri Dec 13 15:08:39 CST 2024] Registered
[Fri Dec 13 15:08:39 CST 2024] ACCOUNT_THUMBPRINT='1wTu39ph_TLmRnGAGT0cCbKWx9Fc0K7XR33i3l04m9Y'
[Fri Dec 13 15:08:39 CST 2024] Creating domain key
[Fri Dec 13 15:08:40 CST 2024] The domain key is here: /root/.acme.sh/example.com/example.com.key
[Fri Dec 13 15:08:40 CST 2024] Single domain='example.com'
[Fri Dec 13 15:08:40 CST 2024] Getting domain auth token for each domain
[Fri Dec 13 15:08:46 CST 2024] Getting webroot for domain='example.com'
[Fri Dec 13 15:08:46 CST 2024] Add the following TXT record:
[Fri Dec 13 15:08:46 CST 2024] Domain: '_acme-challenge.example.com'
[Fri Dec 13 15:08:46 CST 2024] TXT value: 'cG_WtYAM-CK0oMtBdzl6th1nmwMITWAXZGhvJ3zI31s'
[Fri Dec 13 15:08:46 CST 2024] Please be aware that you prepend _acme-challenge. before your domain
[Fri Dec 13 15:08:46 CST 2024] so the resulting subdomain will be: _acme-challenge.example.com
[Fri Dec 13 15:08:46 CST 2024] Please add the TXT records to the domains, and re-run with --renew.
[Fri Dec 13 15:08:46 CST 2024] Please add '--debug' or '--log' to check more details.
[Fri Dec 13 15:08:46 CST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

Issue the certificate after manually adding the DNS record

[root@hcss-ecs-d197 ~]# acme.sh --renew -d *.outsrkem.top  --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Fri Dec 13 15:12:55 CST 2024] Renew: '*.outsrkem.top'
[Fri Dec 13 15:12:55 CST 2024] Renew to Le_API=https://acme.zerossl.com/v2/DV90
[Fri Dec 13 15:12:56 CST 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Fri Dec 13 15:12:56 CST 2024] Single domain='*.outsrkem.top'
[Fri Dec 13 15:12:57 CST 2024] Getting domain auth token for each domain
[Fri Dec 13 15:12:57 CST 2024] Verifying: *.outsrkem.top
[Fri Dec 13 15:13:04 CST 2024] Processing, The CA is processing your order, please just wait. (1/30)
[Fri Dec 13 15:13:12 CST 2024] Success
[Fri Dec 13 15:13:12 CST 2024] Verify finished, start to sign.
[Fri Dec 13 15:13:12 CST 2024] Lets finalize the order.
[Fri Dec 13 15:13:12 CST 2024] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/__JvIjokBOhXbTjwVwtA5Q/finalize'
[Fri Dec 13 15:13:14 CST 2024] Order status is processing, lets sleep and retry.
[Fri Dec 13 15:13:14 CST 2024] Retry after: 15
[Fri Dec 13 15:13:30 CST 2024] Polling order status: https://acme.zerossl.com/v2/DV90/order/__JvIjokBOhXbTjwVwtA5Q
[Fri Dec 13 15:13:35 CST 2024] Downloading cert.
[Fri Dec 13 15:13:35 CST 2024] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/2JxL4eShxMMkmntIDD4s5A'
[Fri Dec 13 15:13:38 CST 2024] Cert success.
[Fri Dec 13 15:13:38 CST 2024] Your cert is in: /root/.acme.sh/*.outsrkem.top/*.outsrkem.top.cer
[Fri Dec 13 15:13:38 CST 2024] Your cert key is in: /root/.acme.sh/*.outsrkem.top/*.outsrkem.top.key
[Fri Dec 13 15:13:38 CST 2024] The intermediate CA cert is in: /root/.acme.sh/*.outsrkem.top/ca.cer
[Fri Dec 13 15:13:38 CST 2024] And the full chain certs is there: /root/.acme.sh/*.outsrkem.top/fullchain.cer
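An added example, not part of the original post or of acme.sh: between the two steps above, it helps to confirm that the TXT record is actually being served before re-running with --renew. The functions below extract the challenge name and value from the acme.sh output and compare the value with resolver answers; the function names and the 1.1.1.1 resolver default are assumptions.

```bash
#!/bin/sh
# Constructed sample: the challenge lines acme.sh printed in the session above.
SAMPLE_LOG="[Fri Dec 13 15:08:46 CST 2024] Add the following TXT record:
[Fri Dec 13 15:08:46 CST 2024] Domain: '_acme-challenge.example.com'
[Fri Dec 13 15:08:46 CST 2024] TXT value: 'cG_WtYAM-CK0oMtBdzl6th1nmwMITWAXZGhvJ3zI31s'"

# Print "<record name> <expected TXT value>" for each challenge found in
# acme.sh output read from stdin.
challenge_from_log() {
    awk -F"'" '
        /\] Domain: /    { name = $2 }
        /\] TXT value: / { if (name != "") print name, $2; name = "" }
    '
}

# Succeed only if the expected value ($1) is among the TXT answers on stdin,
# one answer per line and quoted the way `dig +short TXT` prints them.
# The match is exact and literal, so a stale value from an earlier attempt fails.
txt_published() {
    sed 's/^"//; s/"$//' | grep -Fxq -- "$1"
}

# Live check (hypothetical helper; needs dig and network access).
# $1 = record name, $2 = expected value, $3 = resolver (assumed default 1.1.1.1).
check_challenge() {
    dig +short TXT "$1" @"${3:-1.1.1.1}" | txt_published "$2"
}
```

Typical use is to save the first run's output, pass the pair printed by challenge_from_log to check_challenge, and run --renew only once it succeeds.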

Automatically install the certificate and reload Nginx

acme.sh --install-cert -d uias-devops.outsrkem.top \
--key-file /etc/nginx/cert/uias-devops.outsrkem.top/server-key.pem \
--fullchain-file /etc/nginx/cert/uias-devops.outsrkem.top/server.pem \
--reloadcmd "nginx -s reload"

View information about an installed certificate

acme.sh --info -d uias-devops.outsrkem.top

Automatic DNS validation

Automatic DNS validation: https://github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_ali

set +o history
export Ali_Key="LTAI5t9KRcUYugeY6MxW7Wnp"
export Ali_Secret="gOw*************************"
set -o history
acme.sh --issue --dns dns_ali -d uias-devops.outsrkem.top --keylength 2048

# Force renewal
acme.sh --renew -d uias-devops.outsrkem.top --force

# View certificate information
acme.sh --info -d uias-devops.outsrkem.top

View the automatic renewal list

[root@hcss-ecs-d197 .acme.sh]# acme.sh cron
[Sat Dec 14 09:28:29 CST 2024] ===Starting cron===
[Sat Dec 14 09:28:30 CST 2024] Already up to date!
[Sat Dec 14 09:28:30 CST 2024] Upgrade successful!
[Sat Dec 14 09:28:30 CST 2024] Automatically upgraded to: 3.1.0
[Sat Dec 14 09:28:30 CST 2024] Renewing: 'ats-devops.endpoint.outsrkem.top'
[Sat Dec 14 09:28:30 CST 2024] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
[Sat Dec 14 09:28:30 CST 2024] Skipping. Next renewal time is: 2025-02-10T13:12:22Z
[Sat Dec 14 09:28:30 CST 2024] Add '--force' to force renewal.
[Sat Dec 14 09:28:30 CST 2024] Skipped ats-devops.endpoint.outsrkem.top
[Sat Dec 14 09:28:30 CST 2024] Renewing: 'uias-devops.endpoint.outsrkem.top'
[Sat Dec 14 09:28:30 CST 2024] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
[Sat Dec 14 09:28:30 CST 2024] Skipping. Next renewal time is: 2025-02-10T13:06:12Z
[Sat Dec 14 09:28:30 CST 2024] Add '--force' to force renewal.
[Sat Dec 14 09:28:30 CST 2024] Skipped uias-devops.endpoint.outsrkem.top
[Sat Dec 14 09:28:30 CST 2024] Renewing: 'uias-devops.outsrkem.top'
[Sat Dec 14 09:28:30 CST 2024] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
[Sat Dec 14 09:28:30 CST 2024] Skipping. Next renewal time is: 2025-02-10T09:50:06Z
[Sat Dec 14 09:28:30 CST 2024] Add '--force' to force renewal.
[Sat Dec 14 09:28:30 CST 2024] Skipped uias-devops.outsrkem.top
[Sat Dec 14 09:28:30 CST 2024] ===End cron===
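An added example, not part of the original post or of acme.sh: the cron output above can be condensed into one line per certificate to see which renewals (and therefore which reload commands) will fire before a given date, and which certificates were actually attempted in this run. The function name, state labels and cutoff parameter are assumptions.

```bash
#!/bin/sh
# Constructed sample, shortened from the `acme.sh cron` output above.
SAMPLE_CRON="[Sat Dec 14 09:28:30 CST 2024] Renewing: 'ats-devops.endpoint.outsrkem.top'
[Sat Dec 14 09:28:30 CST 2024] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
[Sat Dec 14 09:28:30 CST 2024] Skipping. Next renewal time is: 2025-02-10T13:12:22Z
[Sat Dec 14 09:28:30 CST 2024] Skipped ats-devops.endpoint.outsrkem.top
[Sat Dec 14 09:28:30 CST 2024] Renewing: 'uias-devops.outsrkem.top'
[Sat Dec 14 09:28:30 CST 2024] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
[Sat Dec 14 09:28:30 CST 2024] Skipping. Next renewal time is: 2025-02-10T09:50:06Z
[Sat Dec 14 09:28:30 CST 2024] Skipped uias-devops.outsrkem.top"

# Read cron output on stdin and print "<STATE> <domain> <next renewal>" per
# certificate. $1 is a cutoff in the same ISO-8601 UTC form the log uses, so
# plain string comparison orders the timestamps correctly.
#   DUE       next renewal is scheduled before the cutoff
#   OK        next renewal is at or after the cutoff
#   ATTEMPTED no "Skipping" line: a renewal was tried in this run, check its result
renewal_report() {
    awk -F"'" -v cutoff="$1" '
        function emit() {
            if (dom == "") return
            if (when == "") state = "ATTEMPTED"
            else state = ((when "") < (cutoff "")) ? "DUE" : "OK"
            print state, dom, (when == "" ? "-" : when)
            dom = ""; when = ""
        }
        /\] Renewing: /          { emit(); dom = $2; next }
        /Next renewal time is: / { n = split($0, w, " "); when = w[n] }
        END                      { emit() }
    '
}
```

For live use, pipe the output of `acme.sh cron` (or a saved log of it) into renewal_report with the date of interest.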

Issue a multi-domain certificate

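Issue a multi-domain certificate (all names in a single certificate). Make sure the DNS records of the domains do not conflict, otherwise automatic issuance will fail.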

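export DOMAIN='outsrkem.top,*.outsrkem.top,*.support.outsrkem.top'
# Split on commas into an array; read does not glob-expand the wildcard names
IFS=',' read -ra domains <<< "${DOMAIN}"
domain_params=()
for d in "${domains[@]}"
do
    domain_params+=(-d "${d}")
done
# Quote the array expansion so "*" reaches acme.sh literally
acme.sh --issue --dns dns_ali "${domain_params[@]}" --keylength 2048 --log
acme.sh --info "${domain_params[@]}"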

Help documentation

Help documentation: https://github.com/acmesh-official/acme.sh/wiki/说明
Guide for mainland China: https://github.com/acmesh-official/acme.sh/wiki/Install-in-China#安装步骤
Practical acme tips: https://blog.csdn.net/u010066597/article/details/137845246
Configuring multiple wildcard SSL certificates: https://hadb.me/posts/synology-letsencrypt-multiple-domain-cert-configuration?sid_for_share=99125_3

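  • Copyright notice: Unless otherwise stated, all articles on this blog are copyrighted by the author. Please credit the source when reposting!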
  • Copyrights © 2018-2024 Outsrkem