Preface
Pushed by Google Chrome on one side and by ISP hijacking that disrupts the visitor experience on the other, large websites have accelerated their move to site-wide HTTPS, and the Let's Encrypt project has made configuring and maintaining HTTPS much simpler through automation. Let's Encrypt designed the ACME protocol (currently at v2) and added wildcard certificate support in 2018 (Wildcard Certificate Support is Live). The officially promoted client is Certbot, but anyone can implement a client for the ACME protocol, such as the well-known acme.sh. This article records the process of issuing a certificate with acme.sh using DNS API validation.
Introduction to acme.sh
acme.sh implements the ACME protocol and can obtain free certificates from Let's Encrypt.
- An ACME protocol client written purely in Shell (Unix shell).
- Full ACME protocol implementation: supports ACME v1 and ACME v2, including ACME v2 wildcard certificates.
- Simple, powerful and easy to use. You can learn it in 3 minutes.
- The simplest shell script for a Let's Encrypt free certificate client.
- Written purely in Shell, with no dependency on python or the official Let's Encrypt client.
- Just one script to automatically issue, renew and install certificates. No root/sudoer access required.
- Can be used inside Docker; supports IPv6.
Installing acme.sh
curl https://get.acme.sh | sh -s email=my@example.com
or
wget -O - https://get.acme.sh | sh -s email=my@example.com
Install with git
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install -m my@example.com
Set an alias
# ~/acme.sh/acme.sh is the acme.sh install directory
alias acme.sh=~/acme.sh/acme.sh
echo 'alias acme.sh=~/acme.sh/acme.sh' >>/etc/profile
Test whether the alias works
acme.sh --version
https://github.com/acmesh-official/acme.sh
v3.0.2
Requesting a certificate
acme.sh implements every validation method the ACME protocol supports. There are generally two: HTTP validation and DNS validation.
HTTP method
The HTTP method requires placing a file under your site's web root so that the CA can verify ownership of the domain. Once validation completes, the certificate can be issued.
acme.sh --issue -d html6.net --nginx
I haven't tried the HTTP validation method; to learn more, search for related tutorials.
DNS method
The advantage of this method is that you don't need any server or any public IP; a DNS record is enough to complete validation.
The real power of the DNS method is that it can use the API provided by your DNS provider to add the TXT record automatically and complete validation without manual steps.
acme.sh currently integrates automatically with dozens of DNS providers, including aliyun, cloudflare, dnspod, cloudxns, godaddy and ovh.
Taking aliyun as an example, first log in to your aliyun account and look up your AccessKey ID and AccessKey Secret, then:
export Ali_Key="your AccessKey ID"
export Ali_Secret="your AccessKey Secret"
acme.sh --issue --dns dns_ali -d xiangqin.html6.net
If all goes well, you will see output like the following:
[Sun Jan 9 17:05:24 CST 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Sun Jan 9 17:05:24 CST 2022] Single domain='xiangqin.html6.net'
[Sun Jan 9 17:05:24 CST 2022] Getting domain auth token for each domain
[Sun Jan 9 17:05:49 CST 2022] Getting webroot for domain='xiangqin.html6.net'
[Sun Jan 9 17:05:49 CST 2022] Adding txt value: jEix90F1IzCZBAnnz4VGdITDlMcJfbiNqBdJ1NRlUlk for domain: _acme-challenge.xiangqin.html6.net
[Sun Jan 9 17:05:51 CST 2022] The txt record is added: Success.
[Sun Jan 9 17:05:51 CST 2022] Let's check each DNS record now. Sleep 20 seconds first.
[Sun Jan 9 17:06:12 CST 2022] You can use '--dnssleep' to disable public dns checks.
[Sun Jan 9 17:06:12 CST 2022] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Sun Jan 9 17:06:12 CST 2022] Checking xiangqin.html6.net for _acme-challenge.xiangqin.html6.net
[Sun Jan 9 17:06:13 CST 2022] Domain xiangqin.html6.net '_acme-challenge.xiangqin.html6.net' success.
[Sun Jan 9 17:06:13 CST 2022] All success, let's return
[Sun Jan 9 17:06:13 CST 2022] Verifying: xiangqin.html6.net
[Sun Jan 9 17:06:20 CST 2022] Processing, The CA is processing your order, please just wait. (1/30)
[Sun Jan 9 17:06:29 CST 2022] Success
[Sun Jan 9 17:06:29 CST 2022] Removing DNS records.
[Sun Jan 9 17:06:29 CST 2022] Removing txt: jEix90F1IzCZBAnnz4VGdITDlMcJfbiNqBdJ1NRlUlk for domain: _acme-challenge.xiangqin.html6.net
[Sun Jan 9 17:06:31 CST 2022] Removed: Success
[Sun Jan 9 17:06:31 CST 2022] Verify finished, start to sign.
[Sun Jan 9 17:06:31 CST 2022] Lets finalize the order.
[Sun Jan 9 17:06:31 CST 2022] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/hO3piFkVmRMJloz3bPHfuQ/finalize'
[Sun Jan 9 17:06:44 CST 2022] Order status is processing, lets sleep and retry.
[Sun Jan 9 17:06:44 CST 2022] Retry after: 15
[Sun Jan 9 17:07:00 CST 2022] Polling order status: https://acme.zerossl.com/v2/DV90/order/hO3piFkVmRMJloz3bPHfuQ
[Sun Jan 9 17:07:07 CST 2022] Downloading cert.
[Sun Jan 9 17:07:07 CST 2022] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/p5fS3SOof1JXyFnrW0AJBg'
[Sun Jan 9 17:07:13 CST 2022] Cert success.
-----BEGIN CERTIFICATE-----
MIIGcjCCBFqgAwIBAgIRAJcBGn5iTUBLq/r2VobP+jgwDQYJKoZIhvcNAQEMBQAw
SzELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9T
U0wgUlNBIERvbWFpbiBTZWN1cmUgU2l0ZSBDQTAeFw0yMjAxMDkwMDAwMDBaFw0y
MjA0MDkyMzU5NTlaMB0xGzAZBgNVBAMTEnhpYW5ncWluLmh0bWw2Lm5ldDCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN/ELytk84tcAz+FQJBIOMeMilDL
gSoCinWmbg+lsUcc8D8QUJLjltOPJYxt/inyZCKqHP/DmvBwYZ73KtuWQa59sSh7
8rZrkA4bhsyvl1O8biwM/qbr8CCqtI25T34JpkV6h0op+JqtFo489Brc4tsKAZyG
6EA+xFOFGi6t1AMKMcQ6hWOfTrAO1eAxPAhICw6h/qk8+KVMD6+M4E4qyYyif1z6
cj55JCFcD4UhVMntHyklQ+ZtWWzyDJaOa7uEC9a6oUcEfLrGjgRlj31omrpCDukv
PcX3TDDaylP9F/Kh9l93Ob7KWAbUkdA+GVvuZey9C4BgXQwJWh+woAKOEjsCAwEA
AaOCAn0wggJ5MB8GA1UdIwQYMBaAFMjZeGii2Rlo1T1y3l8KPty1hoamMB0GA1Ud
DgQWBBTtNhPN3tAsA3EJl3j3V6dnDRfupzAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0T
AQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwSQYDVR0gBEIw
QDA0BgsrBgEEAbIxAQICTjAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28u
Y29tL0NQUzAIBgZngQwBAgEwgYgGCCsGAQUFBwEBBHwwejBLBggrBgEFBQcwAoY/
aHR0cDovL3plcm9zc2wuY3J0LnNlY3RpZ28uY29tL1plcm9TU0xSU0FEb21haW5T
ZWN1cmVTaXRlQ0EuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vemVyb3NzbC5vY3Nw
LnNlY3RpZ28uY29tMIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHUARqVV63X6kSAw
taKJafTzfREsQXS+/Um4havy/HD+bUcAAAF+PhcQhgAABAMARjBEAiArGc2N1ipS
S3Qv8x7lahOjGjmKzJ3oMPz23+UjvYXMFwIgNJwRb5tR3628t6HBn8tKDB+GBGEF
S7WZivERZBZ55EEAdgBByMqx3yJGShDGoToJQodeTjGLGwPr60vHaPCQYpYG9gAA
AX4+FxBKAAAEAwBHMEUCIHEZ3lVUYGLYXLQBpu/gO0el3W1dfP8idupUjskHWluI
AiEA+jvXlvDjFEw1cXx7GQ6fJNmNc4GBzCgKTbeNYm3vWZwwHQYDVR0RBBYwFIIS
eGlhbmdxaW4uaHRtbDYubmV0MA0GCSqGSIb3DQEBDAUAA4ICAQARcOmpKW1/8ur5
XAa8LVldOb2yeStxPq46sF7epPgt3RmfqHbo3g98nKP711ugk3xVmZn/2+WfPghi
PaNpk5tH8+jRxBFUmPk4vww+Vy0d1G8TnSuMQIZgqaQ/u4g3wDnvcFBgwmQtY9z+
h1dIu/xTohaBs38lbALrHeYsR+98CLzCBTY08NMOJYmpDv+md+K9YYZN6dGkLtR5
EvIelXsdD9jfCgp1k+mmfz+M1A2L5VkzGifmnME6Sj5kzxmnww4qTnMnRr5ppkQL
NJI6cRhnX04Cr6vUOBSJPw3kG1U6h209XJ3nO9brl9FIl64HLwWUN3cNZA1KKcp/
RXI5KHvLW3zsUbPBm0A44TnGnJyWfSqHmaqlcbNUyO3luxhdRfEi1KJvk/7gfVn0
qA6pu+F7rl6CpBVuJcr+XjGAz9tciWUSv7+L1ektPbiiax98hjueEwAxZQeOOUMo
XZtICFnm/850bSf4N5MX4dyvKPmXUo1FZbOrM+/eDC23E5hYJp7gkwoiUsnNkYCn
NfvQzzvPufh6jwZrlPnUMboqjAfIJGWmkVXh1WieMte35BpzBqGDAIQmsxUiQkTJ
gWahArGjAWfWqsSN4MdemgQwRJ/g3mya3OTo290LNc+d6PQnP4XC61ELTTUf2Tk7
ArI7poqNQEH+rsSP55Ad0SL3oTrGXg==
-----END CERTIFICATE-----
[Sun Jan 9 17:07:13 CST 2022] Your cert is in: /root/.acme.sh/xiangqin.html6.net/xiangqin.html6.net.cer
[Sun Jan 9 17:07:13 CST 2022] Your cert key is in: /root/.acme.sh/xiangqin.html6.net/xiangqin.html6.net.key
[Sun Jan 9 17:07:13 CST 2022] The intermediate CA cert is in: /root/.acme.sh/xiangqin.html6.net/ca.cer
[Sun Jan 9 17:07:13 CST 2022] And the full chain certs is there: /root/.acme.sh/xiangqin.html6.net/fullchain.cer
Following the hints in the output you can find the directory with the generated certificate. Note also that once the certificate has been issued successfully, the AccessKey ID and AccessKey Secret given above are recorded automatically, so the next time you use the Ali API you do not need to specify them again. Just issue directly:
acme.sh --issue --dns dns_ali -d test.html6.net
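Because the AccessKey pair is persisted by acme.sh for later runs, the file that holds it is effectively a long-lived DNS-provider credential: anyone who can read it can create arbitrary records in your zone, which is enough to pass DNS validation for the same names. The check below is an added example (not part of acme.sh or of the original post) that verifies such a file is owned by the current user and has no group/other permission bits. It assumes the default install location ~/.acme.sh and, for the stand-alone invocation, the account.conf file acme.sh keeps there; pass any other path as the first argument.

```shell
#!/bin/sh
# Added example, not acme.sh's own code: confirm that a file holding
# persisted DNS-provider credentials is private to the current user.
# ACME_HOME is an assumption (acme.sh's default install directory).
ACME_HOME="${ACME_HOME:-$HOME/.acme.sh}"

# secret_file_ok PATH
# Returns 0 when PATH exists, is owned by the current user and has no
# group/other permission bits at all; returns 1 (reason on stderr) otherwise.
secret_file_ok() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing: $f" >&2
        return 1
    fi
    # ls -ld is portable: field 1 is the mode string, field 3 the owner.
    set -- $(ls -ld "$f")
    mode="$1"
    owner="$3"
    # Mode string layout: type, then rwx for user, group, other.
    # Characters 5-10 must all be '-' (no group/other access);
    # a trailing '.' or '+' (SELinux/ACL marker) is tolerated by the '*'.
    case "$mode" in
        ????------*) ;;
        *) echo "too permissive ($mode): $f" >&2; return 1 ;;
    esac
    if [ "$owner" != "$(id -un)" ]; then
        echo "owned by $owner, not $(id -un): $f" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: check the given file, or acme.sh's account.conf by default.
if [ $# -gt 0 ]; then
    secret_file_ok "$1"
    exit $?
fi
```

Run it as `sh check-secret.sh ~/.acme.sh/account.conf` (or with no argument after sourcing it, and call `secret_file_ok` on the files you care about). If it reports a file as too permissive, `chmod 600` the file and `chmod 700` the directory, and consider rotating the AccessKey since it may already have been exposed.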
Using the certificate
Installing the certificate
After the certificate has been generated, the next step is to copy it to the place where it is actually needed.
Note that by default the generated certificates are stored in the install directory ~/.acme.sh/. Do not use the files in that directory directly;
for example, do not point the nginx/apache configuration at files under it.
Those files are for acme.sh's internal use and the directory layout may change. The correct approach is the --installcert command with explicit target locations; the certificate files are then copied there, for example:
acme.sh --installcert -d '*.html6.net' \
--key-file '/etc/nginx/ssl/*.html6.net.key' \
--fullchain-file /etc/nginx/ssl/fullchain.cer \
--reloadcmd "service nginx force-reload"
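The --reloadcmd runs every time acme.sh installs a renewed certificate, so it is the natural place to refuse a reload when the copied files are inconsistent: a fullchain that does not match the key, or a certificate that is already about to expire, would otherwise take the site down or leave it serving a bad chain. The script below is an added example (not acme.sh's or the original post's code) of such a guarded reload. It requires the openssl CLI; the `make_demo_pair` helper generates a constructed self-signed key/certificate pair only so the checks can be exercised offline, and the cert/key paths are whatever you passed to --key-file and --fullchain-file.

```shell
#!/bin/sh
# Added example, not acme.sh's own code: a guarded --reloadcmd that only
# reloads nginx when the installed certificate and key agree and the
# certificate is not about to expire. Needs the openssl CLI.

# cert_matches_key CERT KEY
# Returns 0 if the public key embedded in CERT is the one derived from KEY.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for_days CERT DAYS
# Returns 0 if CERT is still valid DAYS days from now. Uses openssl's
# -checkend so no date parsing is needed (portable across GNU/BSD date).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# make_demo_pair DIR DAYS
# Constructed sample material for offline testing only: writes a self-signed
# demo.key/demo.crt pair under DIR that is valid for DAYS days.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/CN=example.test" \
        -keyout "$1/demo.key" -out "$1/demo.crt" >/dev/null 2>&1
}

# reload_if_sane CERT KEY [RELOAD_CMD]
# Runs the checks above and only then executes RELOAD_CMD
# (default: "nginx -s reload"). Non-zero exit means nothing was reloaded.
reload_if_sane() {
    cmd="${3:-nginx -s reload}"
    cert_matches_key "$1" "$2" || { echo "cert/key mismatch, not reloading" >&2; return 1; }
    cert_valid_for_days "$1" 7 || { echo "cert expires within 7 days, not reloading" >&2; return 1; }
    $cmd
}

# Stand-alone use: reload-if-sane.sh CERT KEY [RELOAD_CMD]
if [ $# -ge 2 ]; then
    reload_if_sane "$1" "$2" "$3"
    exit $?
fi
```

Install it somewhere executable and pass it as the reload command, for example `--reloadcmd "/usr/local/bin/reload-if-sane.sh /etc/nginx/ssl/fullchain.cer '/etc/nginx/ssl/*.html6.net.key'"`. A non-zero exit from the reload command is visible in the acme.sh cron output, which is the signal to look at the installed files before the old certificate actually runs out.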
Modify the nginx configuration
ssl_certificate /etc/nginx/ssl/fullchain.cer; # managed by Certbot
ssl_certificate_key /etc/nginx/ssl/*.html6.net.key; # managed by Certbot
Reload the nginx service
nginx -s reload
Visit the site and check the certificate information in the browser.
Automatic certificate renewal
The install process automatically creates a cron job for you that checks all certificates every day at 0:55; if one is close to expiry and needs renewal, it is renewed automatically.
root@VM-0-2-ubuntu:~/acme.sh# ./acme.sh --install -m admin@ifront.net
[Sun Jan 9 17:51:20 CST 2022] It is recommended to install socat first.
[Sun Jan 9 17:51:20 CST 2022] We use socat for standalone server if you use standalone mode.
[Sun Jan 9 17:51:20 CST 2022] If you don't use standalone mode, just ignore this warning.
[Sun Jan 9 17:51:20 CST 2022] Installing to /root/.acme.sh
[Sun Jan 9 17:51:20 CST 2022] Installed to /root/.acme.sh/acme.sh
[Sun Jan 9 17:51:20 CST 2022] Installing alias to '/root/.bashrc'
[Sun Jan 9 17:51:20 CST 2022] OK, Close and reopen your terminal to start using acme.sh
[Sun Jan 9 17:51:20 CST 2022] Installing cron job
55 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null # the scheduled job added here
[Sun Jan 9 17:51:20 CST 2022] Good, bash is found, so change the shebang to use bash as preferred.
[Sun Jan 9 17:51:20 CST 2022] OK