Automatically obtaining SSL certificates with acme.sh and acme-dns

Use acme.sh and acme-dns to obtain SSL certificates automatically and have them replaced automatically on renewal.

Some DNS providers offer no DNS API; with this approach the request only needs a single DNS record to be added.

The steps below are for Linux.

1. Install acme.sh

Automatic installation from the official source

curl https://get.acme.sh | sh -s email=my@example.com        # any e-mail address will do

Manual installation (for machines that cannot reach GitHub)

Official repository: https://github.com/acmesh-official/acme.sh

Upload the archive to the server and unpack it

unzip acme.sh-master.zip
cd acme.sh-master
./acme.sh --install -m my@example.com                      # any e-mail address will do

After installation a cron job is created automatically; the figure shows an example from a manual installation.

2. Register an acme-dns user

acme-dns is one of the ways acme.sh can prove that you control a domain. You can host your own acme-dns server; this article uses the official server as the example.

export ACMEDNS_BASE_URL="https://auth.acme-dns.io"   # address of the official acme-dns server
curl -s -X POST "${ACMEDNS_BASE_URL}/register" | python3 -m json.tool > acme-dns.challenges; cat acme-dns.challenges   # use python3 if the server has it, otherwise python

A successful registration looks like the figure.

3. Add the DNS record

Go to your domain's DNS management console and add one DNS record that will be used for DNS validation.

For example: my domain is abc.com and I want a certificate for abc.com or *.abc.com; add the record as in Example 1.

For example: my domain is abc.com and I want a certificate for www.abc.com; add the record as in Example 2.

           Host record          Record type   Record value (the fulldomain obtained in step 2)
Example 1  _acme-challenge      CNAME         96ef34b9-ce77-47dd-a68e-7e504bca13ae.auth.acme-dns.io
Example 2  _acme-challenge.www  CNAME         96ef34b9-ce77-47dd-a68e-7e504bca13ae.auth.acme-dns.io

4. Issue the certificate

The example below issues one certificate covering both abc.com and *.abc.com.

First export the acme-dns credentials as environment variables

export ACMEDNS_USERNAME="$(cat acme-dns.challenges | awk -F"\"" '/username/{print $4}')"
export ACMEDNS_PASSWORD="$(cat acme-dns.challenges | awk -F"\"" '/password/{print $4}')"
export ACMEDNS_SUBDOMAIN="$(cat acme-dns.challenges | awk -F"\"" '/subdomain/{print $4}')"
echo "FULLDOMAIN = $(cat acme-dns.challenges | awk -F"\"" '/fulldomain/{print $4}')"
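As an added example (not part of the original article), a small POSIX shell script that ties steps 2 to 4 together: it reads fulldomain from the saved registration, prints the CNAME record to add for an apex, wildcard or www name, and, with dig installed, can confirm the record actually resolves before you run the issue command. The sample registration JSON and its username and password are constructed placeholders, and the resolver 1.1.1.1 is an assumption.

```shell
# Added example (not from the original article): derive the CNAME record that
# step 3 asks for from the acme-dns registration saved in step 2, and check with
# dig that it resolves before running acme.sh --issue. Assumes the JSON has the
# shape of the article's acme-dns.challenges (python json.tool output).
# Read one string field from the registration JSON (same awk idea as the article).
acmedns_field() {  # usage: acmedns_field FILE KEY
    awk -F'"' -v k="$2" '$2 == k { print $4; exit }' "$1"
}

# CNAME record name for a domain: _acme-challenge under the domain with a leading
# "*." stripped, since abc.com and *.abc.com are both validated at
# _acme-challenge.abc.com (see the acme.sh log above); www.abc.com gets its own.
challenge_name() {  # usage: challenge_name DOMAIN
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Exit 0 when a resolver's CNAME target equals the expected fulldomain,
# ignoring case and the trailing dot that dig prints.
cname_matches() {  # usage: cname_matches OBSERVED EXPECTED
    o=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    e=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "${o%.}" = "${e%.}" ]
}

# Live check (needs network and dig): query a public resolver and compare.
check_cname() {  # usage: check_cname DOMAIN FULLDOMAIN
    observed=$(dig +short CNAME "$(challenge_name "$1")" @1.1.1.1 | head -n 1)
    cname_matches "$observed" "$2"
}

# Constructed sample registration; password and username are placeholders.
SAMPLE_JSON='{
    "allowfrom": [],
    "fulldomain": "96ef34b9-ce77-47dd-a68e-7e504bca13ae.auth.acme-dns.io",
    "password": "EXAMPLE-PASSWORD-PLACEHOLDER",
    "subdomain": "96ef34b9-ce77-47dd-a68e-7e504bca13ae",
    "username": "00000000-0000-0000-0000-000000000000"
}'

main() {
    f=$(mktemp) && printf '%s\n' "$SAMPLE_JSON" > "$f"
    chmod 600 "$f"   # the file holds acme-dns credentials: owner-readable only
    full=$(acmedns_field "$f" fulldomain)
    for d in abc.com '*.abc.com' www.abc.com; do
        printf '%-28s CNAME %s\n' "$(challenge_name "$d")" "$full"
    done
    rm -f "$f"
}
main
```

Run `check_cname abc.com "$(acmedns_field acme-dns.challenges fulldomain)"` against your real registration file; a non-zero exit means the CNAME has not propagated yet and acme.sh would fail the DNS check.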

Issue the certificate

cd ~/.acme.sh
./acme.sh --issue --dns dns_acmedns -d abc.com -d '*.abc.com'   # quote the wildcard so the shell does not expand it

A successful run looks like this:

root@debian:~/.acme.sh# ./acme.sh --issue --dns dns_acmedns -d abc.com -d *.abc.com
[Thu Jan 18 02:18:27 UTC 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Thu Jan 18 02:18:27 UTC 2024] Creating domain key
[Thu Jan 18 02:18:27 UTC 2024] The domain key is here: /root/.acme.sh/abc.com_ecc/abc.com.key
[Thu Jan 18 02:18:27 UTC 2024] Multi domain='DNS:abc.com,DNS:*.abc.com'
[Thu Jan 18 02:18:27 UTC 2024] Getting domain auth token for each domain
[Thu Jan 18 02:18:52 UTC 2024] Getting webroot for domain='abc.com'
[Thu Jan 18 02:18:52 UTC 2024] Getting webroot for domain='*.abc.com'
[Thu Jan 18 02:18:53 UTC 2024] Adding txt value: X0B18yE-NpvdDJusOkQsAA9IO2oFjPAYzUhdl-n7etc for domain:  _acme-challenge.abc.com
[Thu Jan 18 02:18:53 UTC 2024] Using acme-dns
[Thu Jan 18 02:18:54 UTC 2024] The txt record is added: Success.
[Thu Jan 18 02:18:54 UTC 2024] Adding txt value: v8qdmvz0U7WrQfaOwniHkVPR9lMMh4XII2u-9VboF9o for domain:  _acme-challenge.abc.com
[Thu Jan 18 02:18:54 UTC 2024] Using acme-dns
[Thu Jan 18 02:18:56 UTC 2024] The txt record is added: Success.
[Thu Jan 18 02:18:56 UTC 2024] Let's check each DNS record now. Sleep 20 seconds first.
[Thu Jan 18 02:19:17 UTC 2024] You can use '--dnssleep' to disable public dns checks.
[Thu Jan 18 02:19:17 UTC 2024] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Thu Jan 18 02:19:17 UTC 2024] Checking abc.com for _acme-challenge.abc.com
[Thu Jan 18 02:19:19 UTC 2024] Domain abc.com '_acme-challenge.abc.com' success.
[Thu Jan 18 02:19:19 UTC 2024] Checking abc.com for _acme-challenge.abc.com
[Thu Jan 18 02:19:20 UTC 2024] Domain abc.com '_acme-challenge.abc.com' success.
[Thu Jan 18 02:19:20 UTC 2024] All success, let's return
[Thu Jan 18 02:19:20 UTC 2024] Verifying: abc.com
[Thu Jan 18 02:19:25 UTC 2024] Processing, The CA is processing your order, please just wait. (1/30)
[Thu Jan 18 02:19:37 UTC 2024] Success
[Thu Jan 18 02:19:37 UTC 2024] Verifying: *.abc.com
[Thu Jan 18 02:19:49 UTC 2024] Processing, The CA is processing your order, please just wait. (1/30)
[Thu Jan 18 02:19:54 UTC 2024] Success
[Thu Jan 18 02:19:54 UTC 2024] Removing DNS records.
[Thu Jan 18 02:19:54 UTC 2024] Removing txt: X0B18yE-NpvdDJusOkQsAA9IO2oFjPAYzUhdl-n7etc for domain: _acme-challenge.abc.com
[Thu Jan 18 02:19:54 UTC 2024] Using acme-dns
[Thu Jan 18 02:19:54 UTC 2024] Removed: Success
[Thu Jan 18 02:19:54 UTC 2024] Removing txt: v8qdmvz0U7WrQfaOwniHkVPR9lMMh4XII2u-9VboF9o for domain: _acme-challenge.abc.com
[Thu Jan 18 02:19:54 UTC 2024] Using acme-dns
[Thu Jan 18 02:19:54 UTC 2024] Removed: Success
[Thu Jan 18 02:19:54 UTC 2024] Verify finished, start to sign.
[Thu Jan 18 02:19:54 UTC 2024] Lets finalize the order.
[Thu Jan 18 02:19:54 UTC 2024] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/WcvC10x0rzrenbSNx6S2aw/finalize'
[Thu Jan 18 02:20:08 UTC 2024] Order status is processing, lets sleep and retry.
[Thu Jan 18 02:20:08 UTC 2024] Retry after: 15
[Thu Jan 18 02:20:24 UTC 2024] Polling order status: https://acme.zerossl.com/v2/DV90/order/WcvC10x0rzrenbSNx6S2aw
[Thu Jan 18 02:20:26 UTC 2024] Downloading cert.
[Thu Jan 18 02:20:26 UTC 2024] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/YTqK1_OGtKouAdSsVVGbng'
[Thu Jan 18 02:20:41 UTC 2024] Cert success.
[Thu Jan 18 02:20:41 UTC 2024] Your cert is in: /root/.acme.sh/abc.com_ecc/abc.com.cer
[Thu Jan 18 02:20:41 UTC 2024] Your cert key is in: /root/.acme.sh/abc.com_ecc/abc.com.key
[Thu Jan 18 02:20:41 UTC 2024] The intermediate CA cert is in: /root/.acme.sh/abc.com_ecc/ca.cer
[Thu Jan 18 02:20:41 UTC 2024] And the full chain certs is there: /root/.acme.sh/abc.com_ecc/fullchain.cer
root@debian:~/.acme.sh# 

5. Install the certificate

Nginx

# -d: domains of the certificate to install
# --key-file: where to copy the private key
# --fullchain-file: where to copy the full certificate chain
# --reloadcmd: command run after every replacement so nginx picks up the new certificate
# (comments must not follow a trailing backslash, or the line continuation breaks)
./acme.sh --install-cert -d abc.com -d '*.abc.com' \
  --key-file       /path/to/keyfile/in/nginx/key.pem \
  --fullchain-file /path/to/fullchain/nginx/cert.pem \
  --reloadcmd      "service nginx force-reload"

Apache

acme.sh --install-cert -d example.com \
--cert-file      /path/to/certfile/in/apache/cert.pem  \
--key-file       /path/to/keyfile/in/apache/key.pem  \
--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd     "service apache2 force-reload"

Other services work the same way.

6. Uninstall acme.sh

rm -rf ~/.acme.sh    # remove the acme.sh installation directory
crontab -e           # delete the acme.sh cron job
vim ~/.bashrc        # remove the acme.sh environment variable lines