使用acme.sh、acme-dns自动申请ssl证书

使用acme、acme-dns实现自动申请ssl证书并实现自动替换

有些dns没有dnsapi,所以用这种方式申请只需要添加一条dns解析即可完成

以下为linux系统操作

1. 安装acme.sh

官方源自动安装

复制代码
curl https://get.acme.sh | sh -m my@example.com              #邮箱可随意填入

手动安装(用于无法访问github的设备)

官网链接https://github.com/acmesh-official/acme.sh

上传到服务器并解压

复制代码
unzip acme.sh-master.zip
cd acme.sh-master
./acme.sh install -m my@example.com                        #邮箱可随意填入

安装完成后会自动创建计划任务,图为手动安装的例子,

2. acme-dns注册用户

acme-dns是acme.sh验证域名所属的一种方式,可自建服务器,本文以官方服务器为例

复制代码
export ACMEDNS_BASE_URL="https://auth.acme-dns.io"  #使用acme-dns官网地址
curl -s -X POST ${ACMEDNS_BASE_URL}/register | python3 -m json.tool > acme-dns.challenges;cat acme-dns.challenges           #服务器有python3就用python3,没有就用python

申请成功如图

3. 添加dns解析

前往域名管理控制台,添加一行dns解析用于验证dns

如:我的域名是 abc.com,我想申请abc.com或者*.abc.com的证书解析如 例1

如:我的域名是 abc.com 我想申请www.abc.com的证书解析如例2

主机记录 记录类型 记录值为2中申请的fulldomain
例1 _acme-challenge CNAME 96ef34b9-ce77-47dd-a68e-7e504bca13ae.auth.acme-dns.io
例2 _acme-challenge.www CNAME 96ef34b9-ce77-47dd-a68e-7e504bca13ae.auth.acme-dns.io

4. 申请证书

以双证书 abc.com及*.abc.com为例

先将acme-dns信息导入环境变量

复制代码
export ACMEDNS_USERNAME="$(cat acme-dns.challenges | awk -F"\"" '/username/{print $4}')"
export ACMEDNS_PASSWORD="$(cat acme-dns.challenges | awk -F"\"" '/password/{print $4}')"
export ACMEDNS_SUBDOMAIN="$(cat acme-dns.challenges | awk -F"\"" '/subdomain/{print $4}')"
echo "FULLDOMAIN = $(cat acme-dns.challenges | awk -F"\"" '/fulldomain/{print $4}')"

申请证书

复制代码
cd ~/.acme.sh
./acme.sh --issue --dns dns_acmedns -d abc.com -d *.abc.com

申请成功执行如下:

复制代码
root@debian:~/.acme.sh# ./acme.sh --issue --dns dns_acmedns -d abc.com -d *.abc.com
[Thu Jan 18 02:18:27 UTC 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Thu Jan 18 02:18:27 UTC 2024] Creating domain key
[Thu Jan 18 02:18:27 UTC 2024] The domain key is here: /root/.acme.sh/abc.com_ecc/abc.com.key
[Thu Jan 18 02:18:27 UTC 2024] Multi domain='DNS:abc.com,DNS:*.abc.com'
[Thu Jan 18 02:18:27 UTC 2024] Getting domain auth token for each domain
[Thu Jan 18 02:18:52 UTC 2024] Getting webroot for domain='abc.com'
[Thu Jan 18 02:18:52 UTC 2024] Getting webroot for domain='*.abc.com'
[Thu Jan 18 02:18:53 UTC 2024] Adding txt value: X0B18yE-NpvdDJusOkQsAA9IO2oFjPAYzUhdl-n7etc for domain:  _acme-challenge.abc.com
[Thu Jan 18 02:18:53 UTC 2024] Using acme-dns
[Thu Jan 18 02:18:54 UTC 2024] The txt record is added: Success.
[Thu Jan 18 02:18:54 UTC 2024] Adding txt value: v8qdmvz0U7WrQfaOwniHkVPR9lMMh4XII2u-9VboF9o for domain:  _acme-challenge.abc.com
[Thu Jan 18 02:18:54 UTC 2024] Using acme-dns
[Thu Jan 18 02:18:56 UTC 2024] The txt record is added: Success.
[Thu Jan 18 02:18:56 UTC 2024] Let's check each DNS record now. Sleep 20 seconds first.
[Thu Jan 18 02:19:17 UTC 2024] You can use '--dnssleep' to disable public dns checks.
[Thu Jan 18 02:19:17 UTC 2024] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Thu Jan 18 02:19:17 UTC 2024] Checking abc.com for _acme-challenge.abc.com
[Thu Jan 18 02:19:19 UTC 2024] Domain abc.com '_acme-challenge.abc.com' success.
[Thu Jan 18 02:19:19 UTC 2024] Checking abc.com for _acme-challenge.abc.com
[Thu Jan 18 02:19:20 UTC 2024] Domain abc.com '_acme-challenge.abc.com' success.
[Thu Jan 18 02:19:20 UTC 2024] All success, let's return
[Thu Jan 18 02:19:20 UTC 2024] Verifying: abc.com
[Thu Jan 18 02:19:25 UTC 2024] Processing, The CA is processing your order, please just wait. (1/30)
[Thu Jan 18 02:19:37 UTC 2024] Success
[Thu Jan 18 02:19:37 UTC 2024] Verifying: *.abc.com
[Thu Jan 18 02:19:49 UTC 2024] Processing, The CA is processing your order, please just wait. (1/30)
[Thu Jan 18 02:19:54 UTC 2024] Success
[Thu Jan 18 02:19:54 UTC 2024] Removing DNS records.
[Thu Jan 18 02:19:54 UTC 2024] Removing txt: X0B18yE-NpvdDJusOkQsAA9IO2oFjPAYzUhdl-n7etc for domain: _acme-challenge.abc.com
[Thu Jan 18 02:19:54 UTC 2024] Using acme-dns
[Thu Jan 18 02:19:54 UTC 2024] Removed: Success
[Thu Jan 18 02:19:54 UTC 2024] Removing txt: v8qdmvz0U7WrQfaOwniHkVPR9lMMh4XII2u-9VboF9o for domain: _acme-challenge.abc.com
[Thu Jan 18 02:19:54 UTC 2024] Using acme-dns
[Thu Jan 18 02:19:54 UTC 2024] Removed: Success
[Thu Jan 18 02:19:54 UTC 2024] Verify finished, start to sign.
[Thu Jan 18 02:19:54 UTC 2024] Lets finalize the order.
[Thu Jan 18 02:19:54 UTC 2024] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/WcvC10x0rzrenbSNx6S2aw/finalize'
[Thu Jan 18 02:20:08 UTC 2024] Order status is processing, lets sleep and retry.
[Thu Jan 18 02:20:08 UTC 2024] Retry after: 15
[Thu Jan 18 02:20:24 UTC 2024] Polling order status: https://acme.zerossl.com/v2/DV90/order/WcvC10x0rzrenbSNx6S2aw
[Thu Jan 18 02:20:26 UTC 2024] Downloading cert.
[Thu Jan 18 02:20:26 UTC 2024] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/YTqK1_OGtKouAdSsVVGbng'
[Thu Jan 18 02:20:41 UTC 2024] Cert success.
-----BEGIN CERTIFICATE-----
MIIECDCCA4+gAwIBAgIQKXY8d414sHWkuKt8PkO8uzAKBggqhkjOPQQDAzBLMQsw
CQYDVQQGEwJBVDEQMA4GA1UEChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NTTCBF
Q0MgRG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTI0MDExODAwMDAwMFoXDTI0MDQx
NzIzNTk1OVowFzEVMBMGA1UEAxMMb25seWxpZmUudG9wMFkwEwYHKoZIzj0CAQYI
KoZIzj0DAQcDQgAEqeUW6hGO9gNju2DPLmhGZaN9Qv6SHWjzX08sKGYNeweKOLCw
GeQCuzxUdRkq1zeA4gecyM5Jgci+5vEenXQSqqOCAocwggKDMB8GA1UdIwQYMBaA
FA9r5kvOOUeu9n6QHnawMJGSyF+jMB0GA1UdDgQWBBQHa43rFiRx2MlexSB9e0zP
P/r3cjAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggr
BgEFBQcDAQYIKwYBBQUHAwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICTjAlMCMG
CCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgEwgYgG
CCsGAQUFBwEBBHwwejBLBggrBgEFB*****Y/aHR0cDovL3plcm9zc2wuY3J0LnNl
Y3RpZ28uY29tL1plcm9TU0xFQ0NEb21haW5TZWN1cmVTaXRlQ0EuY3J0MCsGCCsG
AQUFBzABhh9odHRwOi8vemVyb3NzbC5vY3NwLnNlY3RpZ28uY29tMIIBAwYKKwYB
BAHWeQIEAgSB9ASB8QDvAHUAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/mZ0xa
OnQAAAGNGl5aYQAABAMARjBEAiAS1LfalOV7QbaT03kEKKyrKne/3u5Cz5rSSNMk
rE3IOwIgJEAFhHnWqSqmTSzQB0nYOY9lCVovcdR9tSfOesvtEqgAdgA7U3d1Pi25
gE6LMFsG/kA7Z9hPw/THvQANLXJv4frUFwAAAY0aXlrrAAAEAwBHMEUCIFYUa/5R
2L2YBHbnhe0XRghe3rvitpIWyUOfwY0pX17BAiEA7pT+2+VoGQ1LsYpZJfTafBK4
aev0m7F9TjEIfKg2XlcwJwYDVR0RBCAwHoIMb25seWxpZmUudG9wgg4qLm9ubHls
aWZlLnRvcDAKBggqhkjOPQQDAwNnADBkAjBIC4kz6XiJv6OBkfE4dht1yTrKnaxh
drZeejnTPNq72LfX6+rsyuWMcMaVEN1cQZsCMDfGuDoH3ktNNq9uT1UD7aT6hIst
tag/roZWR+GPzHXkdIOZFbMM3EJxRCli5lKImA==
-----END CERTIFICATE-----
[Thu Jan 18 02:20:41 UTC 2024] Your cert is in: /root/.acme.sh/abc.com_ecc/abc.com.cer
[Thu Jan 18 02:20:41 UTC 2024] Your cert key is in: /root/.acme.sh/abc.com_ecc/abc.com.key
[Thu Jan 18 02:20:41 UTC 2024] The intermediate CA cert is in: /root/.acme.sh/abc.com_ecc/ca.cer
[Thu Jan 18 02:20:41 UTC 2024] And the full chain certs is there: /root/.acme.sh/abc.com_ecc/fullchain.cer
root@debian:~/.acme.sh# 

5. 安装证书

Nginx

复制代码
./acme.sh --install-cert -d abc.com -d *.abc.com \           #指定要安装的证书域名
--key-file       /path/to/keyfile/in/nginx/key.pem  \        #指定私钥路径
--fullchain-file /path/to/fullchain/nginx/cert.pem \         #指定证书路径
--reloadcmd     "service nginx force-reload"                 #替换替换完成后重载nginx使证书生效

Apche

复制代码
acme.sh --install-cert -d example.com \
--cert-file      /path/to/certfile/in/apache/cert.pem  \
--key-file       /path/to/keyfile/in/apache/key.pem  \
--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd     "service apache2 force-reload"

其它服务同理

6. 卸载acme.sh

复制代码
rm -rf ~/.acme.sh    #删除acme.sh安装目录
crontab -e           #删除acme.sh计划任务
vim ~/.bashrc        #删除其中acme.sh的环境变量
相关推荐
小小鱼儿小小林5 小时前
免费一键自动化申请、续期、部署、监控所有 SSL/TLS 证书,ALLinSSL开源免费的 SSL 证书自动化管理平台
开源·自动化·ssl
从零开始学习人工智能6 小时前
深入解析 OPC UA:工业自动化与物联网的关键技术
运维·物联网·自动化
真智AI8 小时前
AI智能体时代来临:数据分析的变革与自动化之路
人工智能·数据分析·自动化
程序员的世界你不懂10 天前
Appium+python自动化(三十)yaml配置数据隔离
运维·appium·自动化
东窗西篱梦10 天前
LNMP一键自动化部署
运维·自动化
Deepoch11 天前
Deepoc大模型重构核工业智能基座:混合增强架构与安全增强决策技术
人工智能·科技·学习·自动化·创业创新
忘记安全带11 天前
AWS EC2使用SSM会话管理器连接
服务器·网络·自动化·云计算·aws
你的秋裤穿反了11 天前
网络/信号/电位跟踪
自动化
小猴崽11 天前
腾讯云事件总线:构建毫秒级响应的下一代事件驱动架构
架构·自动化·腾讯云
mit6.82411 天前
[project-based-learning] 开源贡献指南 | 自动化链接验证 | Issue模板规范
开源·自动化·issue