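HTTPS: Hypertext Transfer Protocol Secure (abbreviated HTTPS, often called HTTP over TLS, HTTP over SSL, or HTTP Secure) is a secure network transport protocol. The protocol is encrypted, and an SSL certificate is what is used to encrypt HTTP, which gives HTTPS. SSL certificates are usually not free and have to be purchased, but there are ways to get one for free: acme.sh can obtain free certificates from Let's Encrypt.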
1. First, install acme.sh with its one-line installer:
curl https://get.acme.sh | sh
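When it finishes, there is a new .acme.sh directory in the current directory.
2. Next, change into the .acme.sh directory and request the TXT records using DNS mode:
./acme.sh --issue -d test.com -d '*.test.com' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
When it finishes, it returns the following output: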
[Thu May 27 09:44:51 CST 2019] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu May 27 09:44:51 CST 2019] Multi domain='DNS:test.com,DNS:*.test.com'
[Thu May 27 09:44:52 CST 2019] Getting domain auth token for each domain
[Thu May 27 09:44:55 CST 2019] Getting webroot for domain='test.com'
[Thu May 27 09:44:55 CST 2019] Getting webroot for domain='*.test.com'
[Thu May 27 09:44:55 CST 2019] Add the following TXT record:
[Thu May 27 09:44:55 CST 2019] Domain: '_acme-challenge.test.com'
[Thu May 27 09:44:55 CST 2019] TXT value: 'lWoD8oroiSEDDA5FWoNUSHVdSfpUeevOZDkxasccm2k'
[Thu May 27 09:44:55 CST 2019] Please be aware that you prepend _acme-challenge. before your domain
[Thu May 27 09:44:55 CST 2019] so the resulting subdomain will be: _acme-challenge.test.com
[Thu May 27 09:44:55 CST 2019] Add the following TXT record:
[Thu May 27 09:44:55 CST 2019] Domain: '_acme-challenge.test.com'
[Thu May 27 09:44:55 CST 2019] TXT value: 'ULimML8Arfdo_ufjOfHaI-kEQgg46kshsWwaKxJ_Am14'
[Thu May 27 09:44:55 CST 2019] Please be aware that you prepend _acme-challenge. before your domain
[Thu May 27 09:44:55 CST 2019] so the resulting subdomain will be: _acme-challenge.test.com
[Thu May 27 09:44:55 CST 2019] Please add the TXT records to the domains, and re-run with --renew.
[Thu May 27 09:44:55 CST 2019] Please add '--debug' or '--log' to check more details.
[Thu May 27 09:44:55 CST 2019] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
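Then add the two corresponding TXT records in your domain management console. Both records use the name _acme-challenge.test.com, each with its own value.
3. Once the records have propagated, verify the TXT records:
./acme.sh --renew -d test.com -d '*.test.com' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
On success, it returns: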
[Thu May 27 09:47:16 CST 2019] Renew: 'test.com'
[Thu May 27 09:47:17 CST 2019] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu May 27 09:47:17 CST 2019] Multi domain='DNS:test.com,DNS:*.test.com'
[Thu May 27 09:47:17 CST 2019] Getting domain auth token for each domain
[Thu May 27 09:47:17 CST 2019] Verifying: test.com
[Thu May 27 09:47:22 CST 2019] Success
[Thu May 27 09:47:22 CST 2019] Verifying: *.test.com
[Thu May 27 09:47:25 CST 2019] Success
[Thu May 27 09:47:25 CST 2019] Verify finished, start to sign.
[Thu May 27 09:47:25 CST 2019] Lets finalize the order.
[Thu May 27 09:47:25 CST 2019] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1089154/99777388'
[Thu May 27 09:47:26 CST 2019] Downloading cert.
[Thu May 27 09:47:26 CST 2019] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/04ce6e59d582736b9'
[Thu May 27 09:47:27 CST 2019] Cert success.
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
[Thu May 27 09:47:27 CST 2019] Your cert is in /root/.acme.sh/test.com/test.com.cer
[Thu May 27 09:47:27 CST 2019] Your cert key is in /root/.acme.sh/test.com/test.com.key
[Thu May 27 09:47:27 CST 2019] The intermediate CA cert is in /root/.acme.sh/test.com/ca.cer
[Thu May 27 09:47:27 CST 2019] And the full chain certs is there: /root/.acme.sh/test.com/fullchain.cer
[Thu May 27 09:47:27 CST 2019] Installing key to:/root/ssl_key/test.com/star.test.com.key
[Thu May 27 09:47:27 CST 2019] Installing full chain to:/root/ssl_key/test.com/fullchain.cer
That completes the process; the certificate is generated in the corresponding directory.
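An added example (not from the original post or the acme.sh project): a pre-flight check for step 3 that reads the saved output of the --issue run and reports which TXT values are not yet visible, since the apex and wildcard challenges share one _acme-challenge name and both values must resolve at the same time. It assumes dig is installed; the function names, the RESOLVER variable and the issue.log file name are hypothetical.

```sh
#!/bin/sh
# Added example: check TXT visibility before `acme.sh --renew` (manual DNS mode).
# Usage (issue.log is a hypothetical file holding the --issue output):
#   ready_to_renew < issue.log && ./acme.sh --renew -d test.com -d '*.test.com' ...

# Constructed sample: the challenge lines from the --issue output shown above.
SAMPLE_LOG="[Thu May 27 09:44:55 CST 2019] Domain: '_acme-challenge.test.com'
[Thu May 27 09:44:55 CST 2019] TXT value: 'lWoD8oroiSEDDA5FWoNUSHVdSfpUeevOZDkxasccm2k'
[Thu May 27 09:44:55 CST 2019] Domain: '_acme-challenge.test.com'
[Thu May 27 09:44:55 CST 2019] TXT value: 'ULimML8Arfdo_ufjOfHaI-kEQgg46kshsWwaKxJ_Am14'"

# Read acme.sh output on stdin; print one "name value" pair per challenge.
expected_txt() {
  awk -F"'" '/\] Domain: /{name=$2} /\] TXT value: /{print name, $2}'
}

# Print the TXT strings for a name, one per line, as dig prints them (quoted).
# Assumes dig is installed; RESOLVER (hypothetical variable) selects the server,
# e.g. one of the zone's authoritative name servers.
lookup_txt() {
  dig ${RESOLVER:+@"$RESOLVER"} +short TXT "$1"
}

# Print every expected pair that the resolver does not return yet.
missing_txt() {
  expected_txt | sort -u | while read -r name value; do
    # -F -x: exact literal match; "--" because base64url values may start with "-".
    if ! lookup_txt "$name" </dev/null | tr -d '"' | grep -Fxq -- "$value"; then
      printf '%s %s\n' "$name" "$value"
    fi
  done
}

# Return 0 only when every challenge value is visible in DNS.
ready_to_renew() {
  missing=$(missing_txt)
  if [ -n "$missing" ]; then
    printf 'not yet visible in DNS:\n%s\n' "$missing" >&2
    return 1
  fi
}
```

Setting RESOLVER to one of the zone's authoritative name servers avoids reading a stale answer from a caching resolver.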
acme.sh also supports DNS APIs, which add the TXT records automatically and work with many DNS providers. Reference: https://github.com/acmesh-official/acme.sh/wiki/dnsapi