Tutorial: Getting a Free Let's Encrypt Wildcard Certificate

acme.sh implements the ACME protocol and can obtain free certificates from Let's Encrypt.

The reason for using it is that acme.sh can issue certificates through a DNS API, which is far more convenient than file-based validation.

Supported DNS providers include cloudflare, dnspod, cloudxns, godaddy, ovh and dozens of others, all with automatic integration:

[root@ROOT ~]# ls .acme.sh/dnsapi/
dns_ad.sh         dns_cf.sh         dns_do.sh         dns_gd.sh         dns_linode.sh     dns_myapi.sh      dns_pdns.sh
dns_ali.sh        dns_cx.sh         dns_dp.sh         dns_ispconfig.sh  dns_lua.sh        dns_nsupdate.sh   README.md
dns_aws.sh        dns_cyon.sh       dns_freedns.sh    dns_lexicon.sh    dns_me.sh         dns_ovh.sh
  1. Get acme.sh
    curl  https://get.acme.sh | sh
    

    This installs acme.sh into the .acme.sh directory under the home directory of the current account.

    Create a bash alias so that acme.sh can be invoked directly:

    vim ~/.bashrc

    Add the line alias acme.sh=~/.acme.sh/acme.sh

    Run source .bashrc

    After that you can run acme.sh directly to see the tool's usage information.

  2. Issue a certificate
    My domain's DNS is hosted at CloudXNS; log in to the provider's site to obtain the API parameters, then run:
    export CX_Key="3739fb6938ea6ds398996b255f49dda"
    export CX_Secret="77455w9e8a4c62"
    

    CX_Key & CX_Secret are the variable names used by the CloudXNS script. If you use another DNS provider such as Cloudflare, look up your provider at https://github.com/Neilpang/acme.sh/wiki/dnsapi

    Run the issue command:

    acme.sh --issue --dns dns_cx -d xx1.ephzent.net
    

    --issue issues a certificate.

    --dns selects DNS validation and is followed by the DNS provider that hosts the domain: CloudXNS is dns_cx, Cloudflare is dns_cf; the exact names are listed in the dnsapi directory shown above.

    -d is the domain to issue for. Several domains can be issued at once, e.g. -d a.ephzent.net -d b.ephzent.net -d c.ephzent.net, and you can also request a wildcard certificate. No DNS record has to point at the current server, so you can issue from any computer.

    [root@ROOT /]# acme.sh --issue --dns dns_cx -d a.ephzent.net -d b.ephzent.net -d c.ephzent.net
    [Tue Feb 28 15:23:36 CST 2017] Multi domain='DNS:b.ephzent.net,DNS:c.ephzent.net'
    [Tue Feb 28 15:23:36 CST 2017] Getting domain auth token for each domain
    [Tue Feb 28 15:23:36 CST 2017] Getting webroot for domain='a.ephzent.net'
    [Tue Feb 28 15:23:36 CST 2017] Getting new-authz for domain='a.ephzent.net'
    [Tue Feb 28 15:23:39 CST 2017] The new-authz request is ok.
    [Tue Feb 28 15:23:39 CST 2017] Getting webroot for domain='b.ephzent.net'
    [Tue Feb 28 15:23:39 CST 2017] Getting new-authz for domain='b.ephzent.net'
    [Tue Feb 28 15:23:40 CST 2017] The new-authz request is ok.
    [Tue Feb 28 15:23:40 CST 2017] Getting webroot for domain='c.ephzent.net'
    [Tue Feb 28 15:23:40 CST 2017] Getting new-authz for domain='c.ephzent.net'
    [Tue Feb 28 15:23:42 CST 2017] The new-authz request is ok.
    [Tue Feb 28 15:23:42 CST 2017] Found domain api file: /root/.acme.sh/dnsapi/dns_cx.sh
    [Tue Feb 28 15:23:42 CST 2017] Adding record
    [Tue Feb 28 15:23:43 CST 2017] Sleep 120 seconds for the txt records to take effect
    [Tue Feb 28 15:25:44 CST 2017] a.ephzent.net is already verified, skip dns-01.
    [Tue Feb 28 15:25:44 CST 2017] Verifying:b.ephzent.net
    [Tue Feb 28 15:25:48 CST 2017] Success
    [Tue Feb 28 15:25:48 CST 2017] c.ephzent.net is already verified, skip dns-01.
    [Tue Feb 28 15:25:50 CST 2017] Deleted record _acme-challenge.b.ephzent.net
    [Tue Feb 28 15:25:50 CST 2017] Verify finished, start to sign.
    [Tue Feb 28 15:25:52 CST 2017] Cert success.
    -----BEGIN CERTIFICATE-----
    MIIFHDCCBASgAwIBAgISA2P67Iuu/0deP//XwhZsoihcMA0GCSqGSIb3DQEBCwUA
    MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
    ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAyMjgwNjI3MDBaFw0x
    NzA1MjkwNjI3MDBaMBgxFjAUBgNVBAMTDWEuZXBoemVudC5uZXQwggEiMA0GCSqG
    SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtmZSiVu6f27C7mxDZ2EwOszAps/e4K06A
    I9of7gkWCgT6T2Cvze9w0d8j+o9hHft+ppcgLLywmVH2XpadQ6h/+8VCJO1ZLHCH
    zEkXGn9FvqfAfs2bDvJHhIhYy7579jljEr86zwO0PsO8bqaJgPEO8lDJ+KY9Tfq2
    igsVZR79QtmTHimxI4t2liUnAt+pRn4z0mMWQvm247dlfI4h3TkqlSiyCo9Vn3dL
    ULaGBJ7zpTKsffgon79WfraE0nseMNE0vt0ASQew4TztNfswbHOF7fzTQLa2K1QT
    76thTc8FdmzkXeNqahncU0fWxK5eM+/HB0sHrFcmOFcckx97dEEBAgMBAAGjggIs
    MIICKDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
    BwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFKsqhp5nOgaAkm8tIsHe3hQOUq/S
    MB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMHAGCCsGAQUFBwEBBGQw
    r4Bc5gVW9hcTgyz8RYEGJFAuNbf6E4Iy7mMHkkTuS50E84X/CXP/cICvwA5aZszN
    W7RRqkwMeW9KbhNU0txCdA==
    -----END CERTIFICATE-----
    [Tue Feb 28 15:25:52 CST 2017] Your cert is in  /root/.acme.sh/a.ephzent.net/a.ephzent.net.cer 
    [Tue Feb 28 15:25:52 CST 2017] Your cert key is in  /root/.acme.sh/a.ephzent.net/a.ephzent.net.key 
    [Tue Feb 28 15:25:52 CST 2017] The intermediate CA cert is in  /root/.acme.sh/a.ephzent.net/ca.cer 
    [Tue Feb 28 15:25:52 CST 2017] And the full chain certs is there:  /root/.acme.sh/a.ephzent.net/fullchain.cer
    

    Issuance complete.

    Install the certificate:

    acme.sh  --installcert  -d a.ephzent.net -d b.ephzent.net -d c.ephzent.net \
    --keypath   /data/auth/server-key.pem \
    --fullchainpath /data/auth/server-cert.pem \
    --reloadcmd  "service nginx restart"
    

    Adjust the paths & domains above as needed. You can also skip this step and point nginx, apache or whatever web server you run at the certificate paths yourself.
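The following wrapper ties steps 1 and 2 together with two checks a practitioner would want. It is an added example, not code from the original post or from the acme.sh project: the CloudXNS credentials are read from a 0600 file instead of being typed after `export` (where they would land in shell history), and the issued key and full chain are compared before `--installcert` copies them into place and reloads nginx. The credentials file path, the function names, and `nginx -t` in the reload command are assumptions; the domains and install paths are the ones used in the post.

```shell
#!/bin/sh
# Added example (not from the original post or the acme.sh project).
# Assumed: the credentials file path, function names, and `nginx -t` in the
# reload command. Domains and install paths are those used in the post.

set -eu

# Source CX_Key / CX_Secret from a credentials file. Refuses files that are
# missing, readable by group/others, or that do not define both variables.
load_dns_creds() {
    creds="$1"
    if [ ! -f "$creds" ]; then
        echo "credentials file not found: $creds" >&2
        return 1
    fi
    # The first ten characters of `ls -l` are the type and permission bits;
    # anything other than -rw------- means someone else can read the secrets.
    mode=$(ls -ld "$creds" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "refusing $creds: mode is $mode, expected -rw-------" >&2
        return 1
    fi
    # shellcheck disable=SC1090
    . "$creds"
    if [ -z "${CX_Key:-}" ] || [ -z "${CX_Secret:-}" ]; then
        echo "$creds must set both CX_Key and CX_Secret" >&2
        return 1
    fi
    export CX_Key CX_Secret
}

# Confirm a PEM private key and a PEM certificate (or full chain, leaf first)
# carry the same public key. Both commands emit the SubjectPublicKeyInfo in
# PEM form, so the strings must be identical for RSA and EC keys alike.
verify_cert_files() {
    key="$1"
    cert="$2"
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || cert_pub=""
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "public key in $cert does not match $key" >&2
        return 1
    fi
    # Show when the leaf expires; acme.sh renews it on its own before then.
    openssl x509 -in "$cert" -noout -enddate
}

# Steps 1-2 of the post with the checks above spliced in.
main() {
    load_dns_creds "${ACME_DNS_CREDS:-$HOME/.acme.sh/cloudxns.env}"   # assumed path
    acme.sh --issue --dns dns_cx -d a.ephzent.net -d b.ephzent.net -d c.ephzent.net
    # acme.sh writes the key and full chain under ~/.acme.sh/<first domain>/
    verify_cert_files "$HOME/.acme.sh/a.ephzent.net/a.ephzent.net.key" \
                      "$HOME/.acme.sh/a.ephzent.net/fullchain.cer"
    # Test the nginx config before reloading so a bad config never takes the site down.
    acme.sh --installcert -d a.ephzent.net -d b.ephzent.net -d c.ephzent.net \
        --keypath /data/auth/server-key.pem \
        --fullchainpath /data/auth/server-cert.pem \
        --reloadcmd "nginx -t && service nginx reload"
}

# Only run the real issuance when explicitly asked, so the file can also be
# sourced for its functions.
if [ "${1:-}" = run ]; then
    main
fi
```

Create the credentials file with `chmod 600` first, then run `sh acme-issue.sh run` (the file name is an assumption). Note that after the first `--issue`, acme.sh copies CX_Key and CX_Secret into ~/.acme.sh/account.conf so later renewals can reuse them; that file deserves the same owner-only permissions as the credentials file.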

  3. Renew the certificate
    Currently the certificate is renewed automatically after 60 days, and you don't need to do anything. This interval may be shortened in the future, but renewal stays automatic and you don't need to worry about it.

  4. Update acme.sh
    Because both the ACME protocol and the Let's Encrypt CA change frequently, acme.sh is also updated often to keep in sync. Upgrade acme.sh to the latest version:
    acme.sh --upgrade
    

    If you don't want to upgrade by hand, you can enable automatic upgrades:

    acme.sh  --upgrade  --auto-upgrade
    

    From then on acme.sh keeps itself up to date.

    You can also turn automatic updates off at any time:

    acme.sh --upgrade  --auto-upgrade  0
    

Original article: https://painso.com/2017/02/28/acme-lets-encrypt-issue/
