Issuing free SSL certificates with acme.sh

  • May 27, 2021
  • Technology

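HTTPS: Hypertext Transfer Protocol Secure (abbreviated HTTPS, often called HTTP over TLS, HTTP over SSL or HTTP Secure) is a protocol for secure network communication. The protocol is encrypted, and an SSL certificate is what is used to encrypt HTTP, which gives you HTTPS. SSL certificates are usually not free and have to be purchased, but there are ways to get one at no cost: acme.sh can obtain free certificates from Let's Encrypt.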

1. First, install acme.sh with the one-line installer:
curl https://get.acme.sh | sh

Once it finishes, a .acme.sh directory has appeared in the current directory.

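2. Then enter the .acme.sh directory and use DNS mode to obtain the TXT records (the wildcard name is quoted so the shell does not try to expand it):
./acme.sh --issue -d test.com -d '*.test.com' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please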

When it finishes, it returns the following:

[Thu May 27 09:44:51 CST 2019] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu May 27 09:44:51 CST 2019] Multi domain='DNS:test.com,DNS:*.test.com'
[Thu May 27 09:44:52 CST 2019] Getting domain auth token for each domain
[Thu May 27 09:44:55 CST 2019] Getting webroot for domain='test.com'
[Thu May 27 09:44:55 CST 2019] Getting webroot for domain='*.test.com'
[Thu May 27 09:44:55 CST 2019] Add the following TXT record:
[Thu May 27 09:44:55 CST 2019] Domain: '_acme-challenge.test.com'
[Thu May 27 09:44:55 CST 2019] TXT value: 'lWoD8oroiSEDDA5FWoNUSHVdSfpUeevOZDkxasccm2k'
[Thu May 27 09:44:55 CST 2019] Please be aware that you prepend _acme-challenge. before your domain
[Thu May 27 09:44:55 CST 2019] so the resulting subdomain will be: _acme-challenge.test.com
[Thu May 27 09:44:55 CST 2019] Add the following TXT record:
[Thu May 27 09:44:55 CST 2019] Domain: '_acme-challenge.test.com'
[Thu May 27 09:44:55 CST 2019] TXT value: 'ULimML8Arfdo_ufjOfHaI-kEQgg46kshsWwaKxJ_Am14'
[Thu May 27 09:44:55 CST 2019] Please be aware that you prepend _acme-challenge. before your domain
[Thu May 27 09:44:55 CST 2019] so the resulting subdomain will be: _acme-challenge.test.com
[Thu May 27 09:44:55 CST 2019] Please add the TXT records to the domains, and re-run with --renew.
[Thu May 27 09:44:55 CST 2019] Please add '--debug' or '--log' to check more details.
[Thu May 27 09:44:55 CST 2019] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

Then, in your domain management console, add the two corresponding TXT records.

3. After the records have propagated, verify the TXT records:
./acme.sh --renew -d test.com -d '*.test.com' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

On success it returns:

[Thu May 27 09:47:16 CST 2019] Renew: 'test.com'
[Thu May 27 09:47:17 CST 2019] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu May 27 09:47:17 CST 2019] Multi domain='DNS:test.com,DNS:*.test.com'
[Thu May 27 09:47:17 CST 2019] Getting domain auth token for each domain
[Thu May 27 09:47:17 CST 2019] Verifying: test.com
[Thu May 27 09:47:22 CST 2019] Success
[Thu May 27 09:47:22 CST 2019] Verifying: *.test.com
[Thu May 27 09:47:25 CST 2019] Success
[Thu May 27 09:47:25 CST 2019] Verify finished, start to sign.
[Thu May 27 09:47:25 CST 2019] Lets finalize the order.
[Thu May 27 09:47:25 CST 2019] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1089154/99777388'
[Thu May 27 09:47:26 CST 2019] Downloading cert.
[Thu May 27 09:47:26 CST 2019] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/04ce6e59d582736b9'
[Thu May 27 09:47:27 CST 2019] Cert success.
[Thu May 27 09:47:27 CST 2019] Your cert is in  /root/.acme.sh/test.com/test.com.cer 
[Thu May 27 09:47:27 CST 2019] Your cert key is in  /root/.acme.sh/test.com/test.com.key 
[Thu May 27 09:47:27 CST 2019] The intermediate CA cert is in  /root/.acme.sh/test.com/ca.cer 
[Thu May 27 09:47:27 CST 2019] And the full chain certs is there:  /root/.acme.sh/test.com/fullchain.cer 
[Thu May 27 09:47:27 CST 2019] Installing key to:/root/ssl_key/test.com/star.test.com.key
[Thu May 27 09:47:27 CST 2019] Installing full chain to:/root/ssl_key/test.com/fullchain.cer

That completes the process: the certificate has been generated in the corresponding directory.
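
Step 3 only succeeds once both TXT values from step 2 are visible on the zone's nameservers, and both records share the same name, _acme-challenge.test.com. The shell functions below are an added example, not part of the original post or of acme.sh; they check `dig` output for every expected value before `--renew` is run. The names `missing_txt` and `challenge_ready` are hypothetical, the sample answer is constructed, and `dig` is assumed to be installed.

```shell
#!/bin/sh
# Added example: hold back the --renew step until both challenge values
# from step 2 are published. Function names here are hypothetical.

# missing_txt EXPECTED...
# Reads `dig +short TXT` output on stdin, prints every expected value that is
# absent from the answers, and returns 0 only when none is missing.
missing_txt() {
    # dig prints each TXT string in double quotes; drop quotes and whitespace.
    answers=$(tr -d '" \t\r')
    rc=0
    for want in "$@"; do
        # -x whole line, -F literal string: no prefix or regex matches.
        if ! printf '%s\n' "$answers" | grep -qxF -e "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return "$rc"
}

# challenge_ready ZONE EXPECTED...
# Queries every authoritative nameserver of ZONE directly, so a cached answer
# on a recursive resolver cannot hide a nameserver that still lacks a record.
challenge_ready() {
    zone=$1; shift
    servers=$(dig +short NS "$zone")
    [ -n "$servers" ] || { echo "no NS records for $zone" >&2; return 2; }
    for ns in $servers; do
        if ! dig +short TXT "_acme-challenge.$zone" "@$ns" | missing_txt "$@" >/dev/null; then
            echo "records not complete on $ns" >&2
            return 1
        fi
    done
}

# Constructed sample of what `dig +short TXT _acme-challenge.test.com` prints
# when only the first of the two records has been added so far.
SAMPLE_PARTIAL='"lWoD8oroiSEDDA5FWoNUSHVdSfpUeevOZDkxasccm2k"'

printf '%s\n' "$SAMPLE_PARTIAL" |
    missing_txt lWoD8oroiSEDDA5FWoNUSHVdSfpUeevOZDkxasccm2k \
                ULimML8Arfdo_ufjOfHaI-kEQgg46kshsWwaKxJ_Am14 ||
    echo "value(s) above still missing; do not run --renew yet"
```

Against a real zone, run `challenge_ready test.com` followed by the two TXT values, and start step 3 only when it returns 0.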

acme.sh also supports DNS APIs, which can add the TXT records automatically, and it works with many DNS providers. See: https://github.com/acmesh-official/acme.sh/wiki/dnsapi
