acme.sh implements the ACME protocol and can obtain free certificates from Let's Encrypt.
The reason for using it is that acme.sh supports issuing certificates through DNS APIs, which is far more convenient.
Supported DNS providers include Cloudflare, DNSPod, CloudXNS, GoDaddy, OVH and dozens of other DNS providers with automatic integration.
[root@ROOT ~]# ls .acme.sh/dnsapi/
dns_ad.sh   dns_cf.sh    dns_do.sh       dns_gd.sh         dns_linode.sh  dns_myapi.sh     dns_pdns.sh
dns_ali.sh  dns_cx.sh    dns_dp.sh       dns_ispconfig.sh  dns_lua.sh     dns_nsupdate.sh  README.md
dns_aws.sh  dns_cyon.sh  dns_freedns.sh  dns_lexicon.sh    dns_me.sh      dns_ovh.sh
- Get acme.sh
curl https://get.acme.sh | sh
This installs acme.sh into the .acme.sh directory under the home directory of your current account.
Create a bash alias so that acme.sh can be run directly:
vim ~/.bashrc
Add one line:
alias acme.sh=~/.acme.sh/acme.sh
Run:
source .bashrc
After that you can run acme.sh directly to see more usage information for this tool.
- Issue a certificate
My domain's DNS is hosted on CloudXNS; log in to its website to obtain the API parameters, then run:
export CX_Key="3739fb6938ea6ds398996b255f49dda"
export CX_Secret="77455w9e8a4c62"
CX_Key and CX_Secret here are the variable names used by the CloudXNS script; if you use another DNS provider such as Cloudflare, see https://github.com/Neilpang/acme.sh/wiki/dnsapi to find your provider.
Run the certificate issuance command:
acme.sh --issue --dns dns_cx -d xx1.ephzent.net
--issue issues the certificate.
--dns uses DNS validation, followed by the DNS provider hosting the domain: CloudXNS is dns_cx, Cloudflare is dns_cf; the exact names can be found in the directory listing shown earlier.
-d is the domain to issue for; several can be issued at once, e.g. -d a.ephzent.net -d b.ephzent.net -d c.ephzent.net. Wildcard certificates can also be requested. No DNS record needs to point at the current server, so you can issue from any machine.
[root@ROOT /]# acme.sh --issue --dns dns_cx -d a.ephzent.net -d b.ephzent.net -d c.ephzent.net
[Tue Feb 28 15:23:36 CST 2017] Multi domain='DNS:b.ephzent.net,DNS:c.ephzent.net'
[Tue Feb 28 15:23:36 CST 2017] Getting domain auth token for each domain
[Tue Feb 28 15:23:36 CST 2017] Getting webroot for domain='a.ephzent.net'
[Tue Feb 28 15:23:36 CST 2017] Getting new-authz for domain='a.ephzent.net'
[Tue Feb 28 15:23:39 CST 2017] The new-authz request is ok.
[Tue Feb 28 15:23:39 CST 2017] Getting webroot for domain='b.ephzent.net'
[Tue Feb 28 15:23:39 CST 2017] Getting new-authz for domain='b.ephzent.net'
[Tue Feb 28 15:23:40 CST 2017] The new-authz request is ok.
[Tue Feb 28 15:23:40 CST 2017] Getting webroot for domain='c.ephzent.net'
[Tue Feb 28 15:23:40 CST 2017] Getting new-authz for domain='c.ephzent.net'
[Tue Feb 28 15:23:42 CST 2017] The new-authz request is ok.
[Tue Feb 28 15:23:42 CST 2017] Found domain api file: /root/.acme.sh/dnsapi/dns_cx.sh
[Tue Feb 28 15:23:42 CST 2017] Adding record
[Tue Feb 28 15:23:43 CST 2017] Sleep 120 seconds for the txt records to take effect
[Tue Feb 28 15:25:44 CST 2017] a.ephzent.net is already verified, skip dns-01.
[Tue Feb 28 15:25:44 CST 2017] Verifying:b.ephzent.net
[Tue Feb 28 15:25:48 CST 2017] Success
[Tue Feb 28 15:25:48 CST 2017] c.ephzent.net is already verified, skip dns-01.
[Tue Feb 28 15:25:50 CST 2017] Deleted record _acme-challenge.b.ephzent.net
[Tue Feb 28 15:25:50 CST 2017] Verify finished, start to sign.
[Tue Feb 28 15:25:52 CST 2017] Cert success.
[Tue Feb 28 15:25:52 CST 2017] Your cert is in /root/.acme.sh/a.ephzent.net/a.ephzent.net.cer
[Tue Feb 28 15:25:52 CST 2017] Your cert key is in /root/.acme.sh/a.ephzent.net/a.ephzent.net.key
[Tue Feb 28 15:25:52 CST 2017] The intermediate CA cert is in /root/.acme.sh/a.ephzent.net/ca.cer
[Tue Feb 28 15:25:52 CST 2017] And the full chain certs is there: /root/.acme.sh/a.ephzent.net/fullchain.cer
Issuance complete.
Install the certificate:
acme.sh --installcert -d a.ephzent.net -d b.ephzent.net -d c.ephzent.net \
  --keypath /data/auth/server-key.pem \
  --fullchainpath /data/auth/server-cert.pem \
  --reloadcmd "service nginx restart"
Adjust the paths and domains above as needed; you can also skip this step and edit the certificate paths in nginx, Apache or other web server software by hand.
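As an added example (not from this post or the acme.sh project), a small POSIX sh wrapper around the issue and install steps above: it assembles the multi-domain --issue command, refuses to run until the provider credentials are exported, and checks that the installed key and ~/.acme.sh/account.conf (where acme.sh saves the API secret) are not group- or world-readable. The ACME_RUN switch, the CF_Key/CF_Email names for Cloudflare and the /data/auth paths are assumptions taken from the post's setup.

```shell
#!/bin/sh
# Added example, not part of acme.sh or the original post. Wraps the DNS-API
# issuance flow with the checks an operator wants around it. Assumptions:
# acme.sh is at ~/.acme.sh (override with ACME), provider is dns_cx or dns_cf,
# and the key is installed to /data/auth/server-key.pem as in the post.
ACME=${ACME:-"$HOME/.acme.sh/acme.sh"}

# Build "--issue --dns <provider> -d a -d b ..." from a list of domains.
issue_args() {
  provider=$1; shift
  args="--issue --dns $provider"
  for d in "$@"; do
    args="$args -d $d"
  done
  printf '%s' "$args"
}

# acme.sh reads the provider credentials from the environment on the first
# run (and saves them in ~/.acme.sh/account.conf); fail early if they are
# missing instead of finding out after the 120-second DNS wait.
creds_present() {
  case $1 in
    dns_cx) [ -n "${CX_Key:-}" ] && [ -n "${CX_Secret:-}" ] ;;
    dns_cf) [ -n "${CF_Key:-}" ] && [ -n "${CF_Email:-}" ] ;;
    *) return 1 ;;
  esac
}

# True only if the file exists and is not readable by group or others.
# Use it on the installed key and on account.conf, which holds the API secret.
key_is_private() {
  f=$1
  [ -f "$f" ] || return 1
  [ -z "$(find "$f" -prune \( -perm -g+r -o -perm -o+r \) -print)" ]
}

run_issue() {
  provider=$1; shift
  creds_present "$provider" || { echo "no API credentials for $provider" >&2; return 2; }
  "$ACME" $(issue_args "$provider" "$@")   # word splitting of the args is intended
}

# Example invocation, only when ACME_RUN is set so that sourcing has no side effects:
#   ACME_RUN=1 CX_Key=... CX_Secret=... sh issue.sh a.ephzent.net b.ephzent.net
if [ -n "${ACME_RUN:-}" ]; then
  run_issue dns_cx "$@"
  key_is_private /data/auth/server-key.pem || echo "server-key.pem is group/world readable" >&2
  key_is_private "$HOME/.acme.sh/account.conf" || echo "account.conf is group/world readable" >&2
fi
```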
- Renewing certificates
Currently certificates are renewed automatically after 60 days; you don't need to do anything. This interval may be shortened in the future, but it is all automatic, so you don't need to worry about it.
- Updating acme.sh
Because the ACME protocol and the Let's Encrypt CA are both updated frequently, acme.sh is also updated often to keep up. To upgrade acme.sh to the latest version:
acme.sh --upgrade
If you don't want to upgrade manually, you can enable automatic upgrades:
acme.sh --upgrade --auto-upgrade
After that, acme.sh keeps itself up to date automatically.
You can also turn off automatic upgrades at any time:
acme.sh --upgrade --auto-upgrade 0