使用acme.sh、acme-dns自动申请ssl证书

使用acme、acme-dns实现自动申请ssl证书并实现自动替换

有些dns没有dnsapi,所以用这种方式申请只需要添加一条dns解析即可完成

以下为linux系统操作

1. 安装acme.sh

官方源自动安装

curl https://get.acme.sh | sh -m my@example.com              #邮箱可随意填入

手动安装(用于无法访问github的设备)

官网链接https://github.com/acmesh-official/acme.sh

上传到服务器并解压

unzip acme.sh-master.zip
cd acme.sh-master
./acme.sh install -m my@example.com                        #邮箱可随意填入

安装完成后会自动创建计划任务,图为手动安装的例子,

2. acme-dns注册用户

acme-dns是acme.sh验证域名所属的一种方式,可自建服务器,本文以官方服务器为例

export ACMEDNS_BASE_URL="https://auth.acme-dns.io"  #使用acme-dns官网地址
curl -s -X POST ${ACMEDNS_BASE_URL}/register | python3 -m json.tool > acme-dns.challenges;cat acme-dns.challenges           #服务器有python3就用python3,没有就用python

申请成功如图

3. 添加dns解析

前往域名管理控制台,添加一行dns解析用于验证dns

如:我的域名是 abc.com,我想申请abc.com或者*.abc.com的证书解析如 例1

如:我的域名是 abc.com 我想申请www.abc.com的证书解析如例2

主机记录 记录类型 记录值为2中申请的fulldomain
例1 _acme-challenge CNAME 96ef34b9-ce77-47dd-a68e-7e504bca13ae.auth.acme-dns.io
例2 _acme-challenge.www CNAME 96ef34b9-ce77-47dd-a68e-7e504bca13ae.auth.acme-dns.io

4. 申请证书

以双证书 abc.com及*.abc.com为例

先将acme-dns信息导入环境变量

export ACMEDNS_USERNAME="$(cat acme-dns.challenges | awk -F"\"" '/username/{print $4}')"
export ACMEDNS_PASSWORD="$(cat acme-dns.challenges | awk -F"\"" '/password/{print $4}')"
export ACMEDNS_SUBDOMAIN="$(cat acme-dns.challenges | awk -F"\"" '/subdomain/{print $4}')"
echo "FULLDOMAIN = $(cat acme-dns.challenges | awk -F"\"" '/fulldomain/{print $4}')"

申请证书

cd ~/.acme.sh
./acme.sh --issue --dns dns_acmedns -d abc.com -d *.abc.com

申请成功执行如下:

root@debian:~/.acme.sh# ./acme.sh --issue --dns dns_acmedns -d abc.com -d *.abc.com
[Thu Jan 18 02:18:27 UTC 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Thu Jan 18 02:18:27 UTC 2024] Creating domain key
[Thu Jan 18 02:18:27 UTC 2024] The domain key is here: /root/.acme.sh/abc.com_ecc/abc.com.key
[Thu Jan 18 02:18:27 UTC 2024] Multi domain='DNS:abc.com,DNS:*.abc.com'
[Thu Jan 18 02:18:27 UTC 2024] Getting domain auth token for each domain
[Thu Jan 18 02:18:52 UTC 2024] Getting webroot for domain='abc.com'
[Thu Jan 18 02:18:52 UTC 2024] Getting webroot for domain='*.abc.com'
[Thu Jan 18 02:18:53 UTC 2024] Adding txt value: X0B18yE-NpvdDJusOkQsAA9IO2oFjPAYzUhdl-n7etc for domain:  _acme-challenge.abc.com
[Thu Jan 18 02:18:53 UTC 2024] Using acme-dns
[Thu Jan 18 02:18:54 UTC 2024] The txt record is added: Success.
[Thu Jan 18 02:18:54 UTC 2024] Adding txt value: v8qdmvz0U7WrQfaOwniHkVPR9lMMh4XII2u-9VboF9o for domain:  _acme-challenge.abc.com
[Thu Jan 18 02:18:54 UTC 2024] Using acme-dns
[Thu Jan 18 02:18:56 UTC 2024] The txt record is added: Success.
[Thu Jan 18 02:18:56 UTC 2024] Let's check each DNS record now. Sleep 20 seconds first.
[Thu Jan 18 02:19:17 UTC 2024] You can use '--dnssleep' to disable public dns checks.
[Thu Jan 18 02:19:17 UTC 2024] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Thu Jan 18 02:19:17 UTC 2024] Checking abc.com for _acme-challenge.abc.com
[Thu Jan 18 02:19:19 UTC 2024] Domain abc.com '_acme-challenge.abc.com' success.
[Thu Jan 18 02:19:19 UTC 2024] Checking abc.com for _acme-challenge.abc.com
[Thu Jan 18 02:19:20 UTC 2024] Domain abc.com '_acme-challenge.abc.com' success.
[Thu Jan 18 02:19:20 UTC 2024] All success, let's return
[Thu Jan 18 02:19:20 UTC 2024] Verifying: abc.com
[Thu Jan 18 02:19:25 UTC 2024] Processing, The CA is processing your order, please just wait. (1/30)
[Thu Jan 18 02:19:37 UTC 2024] Success
[Thu Jan 18 02:19:37 UTC 2024] Verifying: *.abc.com
[Thu Jan 18 02:19:49 UTC 2024] Processing, The CA is processing your order, please just wait. (1/30)
[Thu Jan 18 02:19:54 UTC 2024] Success
[Thu Jan 18 02:19:54 UTC 2024] Removing DNS records.
[Thu Jan 18 02:19:54 UTC 2024] Removing txt: X0B18yE-NpvdDJusOkQsAA9IO2oFjPAYzUhdl-n7etc for domain: _acme-challenge.abc.com
[Thu Jan 18 02:19:54 UTC 2024] Using acme-dns
[Thu Jan 18 02:19:54 UTC 2024] Removed: Success
[Thu Jan 18 02:19:54 UTC 2024] Removing txt: v8qdmvz0U7WrQfaOwniHkVPR9lMMh4XII2u-9VboF9o for domain: _acme-challenge.abc.com
[Thu Jan 18 02:19:54 UTC 2024] Using acme-dns
[Thu Jan 18 02:19:54 UTC 2024] Removed: Success
[Thu Jan 18 02:19:54 UTC 2024] Verify finished, start to sign.
[Thu Jan 18 02:19:54 UTC 2024] Lets finalize the order.
[Thu Jan 18 02:19:54 UTC 2024] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/WcvC10x0rzrenbSNx6S2aw/finalize'
[Thu Jan 18 02:20:08 UTC 2024] Order status is processing, lets sleep and retry.
[Thu Jan 18 02:20:08 UTC 2024] Retry after: 15
[Thu Jan 18 02:20:24 UTC 2024] Polling order status: https://acme.zerossl.com/v2/DV90/order/WcvC10x0rzrenbSNx6S2aw
[Thu Jan 18 02:20:26 UTC 2024] Downloading cert.
[Thu Jan 18 02:20:26 UTC 2024] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/YTqK1_OGtKouAdSsVVGbng'
[Thu Jan 18 02:20:41 UTC 2024] Cert success.
-----BEGIN CERTIFICATE-----
MIIECDCCA4+gAwIBAgIQKXY8d414sHWkuKt8PkO8uzAKBggqhkjOPQQDAzBLMQsw
CQYDVQQGEwJBVDEQMA4GA1UEChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NTTCBF
Q0MgRG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTI0MDExODAwMDAwMFoXDTI0MDQx
NzIzNTk1OVowFzEVMBMGA1UEAxMMb25seWxpZmUudG9wMFkwEwYHKoZIzj0CAQYI
KoZIzj0DAQcDQgAEqeUW6hGO9gNju2DPLmhGZaN9Qv6SHWjzX08sKGYNeweKOLCw
GeQCuzxUdRkq1zeA4gecyM5Jgci+5vEenXQSqqOCAocwggKDMB8GA1UdIwQYMBaA
FA9r5kvOOUeu9n6QHnawMJGSyF+jMB0GA1UdDgQWBBQHa43rFiRx2MlexSB9e0zP
P/r3cjAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggr
BgEFBQcDAQYIKwYBBQUHAwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICTjAlMCMG
CCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgEwgYgG
CCsGAQUFBwEBBHwwejBLBggrBgEFB*****Y/aHR0cDovL3plcm9zc2wuY3J0LnNl
Y3RpZ28uY29tL1plcm9TU0xFQ0NEb21haW5TZWN1cmVTaXRlQ0EuY3J0MCsGCCsG
AQUFBzABhh9odHRwOi8vemVyb3NzbC5vY3NwLnNlY3RpZ28uY29tMIIBAwYKKwYB
BAHWeQIEAgSB9ASB8QDvAHUAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/mZ0xa
OnQAAAGNGl5aYQAABAMARjBEAiAS1LfalOV7QbaT03kEKKyrKne/3u5Cz5rSSNMk
rE3IOwIgJEAFhHnWqSqmTSzQB0nYOY9lCVovcdR9tSfOesvtEqgAdgA7U3d1Pi25
gE6LMFsG/kA7Z9hPw/THvQANLXJv4frUFwAAAY0aXlrrAAAEAwBHMEUCIFYUa/5R
2L2YBHbnhe0XRghe3rvitpIWyUOfwY0pX17BAiEA7pT+2+VoGQ1LsYpZJfTafBK4
aev0m7F9TjEIfKg2XlcwJwYDVR0RBCAwHoIMb25seWxpZmUudG9wgg4qLm9ubHls
aWZlLnRvcDAKBggqhkjOPQQDAwNnADBkAjBIC4kz6XiJv6OBkfE4dht1yTrKnaxh
drZeejnTPNq72LfX6+rsyuWMcMaVEN1cQZsCMDfGuDoH3ktNNq9uT1UD7aT6hIst
tag/roZWR+GPzHXkdIOZFbMM3EJxRCli5lKImA==
-----END CERTIFICATE-----
[Thu Jan 18 02:20:41 UTC 2024] Your cert is in: /root/.acme.sh/abc.com_ecc/abc.com.cer
[Thu Jan 18 02:20:41 UTC 2024] Your cert key is in: /root/.acme.sh/abc.com_ecc/abc.com.key
[Thu Jan 18 02:20:41 UTC 2024] The intermediate CA cert is in: /root/.acme.sh/abc.com_ecc/ca.cer
[Thu Jan 18 02:20:41 UTC 2024] And the full chain certs is there: /root/.acme.sh/abc.com_ecc/fullchain.cer
root@debian:~/.acme.sh# 

5. 安装证书

Nginx

./acme.sh --install-cert -d abc.com -d *.abc.com \           #指定要安装的证书域名
--key-file       /path/to/keyfile/in/nginx/key.pem  \        #指定私钥路径
--fullchain-file /path/to/fullchain/nginx/cert.pem \         #指定证书路径
--reloadcmd     "service nginx force-reload"                 #替换替换完成后重载nginx使证书生效

Apche

acme.sh --install-cert -d example.com \
--cert-file      /path/to/certfile/in/apache/cert.pem  \
--key-file       /path/to/keyfile/in/apache/key.pem  \
--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd     "service apache2 force-reload"

其它服务同理

6. 卸载acme.sh

rm -rf ~/.acme.sh    #删除acme.sh安装目录
crontab -e           #删除acme.sh计划任务
vim ~/.bashrc        #删除其中acme.sh的环境变量
相关推荐
坐公交也用券12 小时前
使用Python3实现Gitee码云自动化发布
运维·gitee·自动化
施努卡机器视觉14 小时前
电解车间铜业机器人剥片技术是现代铜冶炼过程中自动化和智能化的重要体现
运维·机器人·自动化
徐浪老师14 小时前
深入实践 Shell 脚本编程:高效自动化操作指南
运维·chrome·自动化
King's King14 小时前
自动化立体仓库:详解
运维·自动化
东隆科技14 小时前
晶圆测试中自动化上下料的重要性与应用
运维·自动化
懒笑翻18 小时前
Python 使用 Selenuim进行自动化点击入门,谷歌驱动,以百度为例
运维·selenium·自动化
n***859418 小时前
Github 开源 10K Stars 自动化 API、后台作业、工作流和 UI 的开发平台
运维·自动化
夜色呦18 小时前
中小企业人事管理自动化:SpringBoot实践
运维·spring boot·自动化
椰椰椰耶18 小时前
【软件测试】自动化常用函数
运维·自动化
HengCeResearch8818 小时前
中国【食品检测实验室自动化】程度相对欧美等发达国家相对落后,并且技术层面存在明显的代差,未来有比较大的发展空间
人工智能·百度·自动化