使用acme、acme-dns实现自动申请ssl证书并实现自动替换
有些dns没有dnsapi,所以用这种方式申请只需要添加一条dns解析即可完成
以下为linux系统操作
1. 安装acme.sh
官方源自动安装
curl https://get.acme.sh | sh -m my@example.com #邮箱可随意填入
手动安装(用于无法访问github的设备)
官网链接https://github.com/acmesh-official/acme.sh
上传到服务器并解压
unzip acme.sh-master.zip
cd acme.sh-master
./acme.sh install -m my@example.com #邮箱可随意填入
安装完成后会自动创建计划任务,图为手动安装的例子,
2. acme-dns注册用户
acme-dns是acme.sh验证域名所属的一种方式,可自建服务器,本文以官方服务器为例
export ACMEDNS_BASE_URL="https://auth.acme-dns.io" #使用acme-dns官网地址
curl -s -X POST ${ACMEDNS_BASE_URL}/register | python3 -m json.tool > acme-dns.challenges;cat acme-dns.challenges #服务器有python3就用python3,没有就用python
申请成功如图
3. 添加dns解析
前往域名管理控制台,添加一行dns解析用于验证dns
如:我的域名是 abc.com,我想申请abc.com或者*.abc.com的证书解析如 例1
如:我的域名是 abc.com 我想申请www.abc.com的证书解析如例2
例 | 主机记录 | 记录类型 | 记录值为2中申请的fulldomain |
---|---|---|---|
例1 | _acme-challenge | CNAME | 96ef34b9-ce77-47dd-a68e-7e504bca13ae.auth.acme-dns.io |
例2 | _acme-challenge.www | CNAME | 96ef34b9-ce77-47dd-a68e-7e504bca13ae.auth.acme-dns.io |
4. 申请证书
以双证书 abc.com及*.abc.com为例
先将acme-dns信息导入环境变量
export ACMEDNS_USERNAME="$(cat acme-dns.challenges | awk -F"\"" '/username/{print $4}')"
export ACMEDNS_PASSWORD="$(cat acme-dns.challenges | awk -F"\"" '/password/{print $4}')"
export ACMEDNS_SUBDOMAIN="$(cat acme-dns.challenges | awk -F"\"" '/subdomain/{print $4}')"
echo "FULLDOMAIN = $(cat acme-dns.challenges | awk -F"\"" '/fulldomain/{print $4}')"
申请证书
cd ~/.acme.sh
./acme.sh --issue --dns dns_acmedns -d abc.com -d *.abc.com
申请成功执行如下:
root@debian:~/.acme.sh# ./acme.sh --issue --dns dns_acmedns -d abc.com -d *.abc.com
[Thu Jan 18 02:18:27 UTC 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Thu Jan 18 02:18:27 UTC 2024] Creating domain key
[Thu Jan 18 02:18:27 UTC 2024] The domain key is here: /root/.acme.sh/abc.com_ecc/abc.com.key
[Thu Jan 18 02:18:27 UTC 2024] Multi domain='DNS:abc.com,DNS:*.abc.com'
[Thu Jan 18 02:18:27 UTC 2024] Getting domain auth token for each domain
[Thu Jan 18 02:18:52 UTC 2024] Getting webroot for domain='abc.com'
[Thu Jan 18 02:18:52 UTC 2024] Getting webroot for domain='*.abc.com'
[Thu Jan 18 02:18:53 UTC 2024] Adding txt value: X0B18yE-NpvdDJusOkQsAA9IO2oFjPAYzUhdl-n7etc for domain: _acme-challenge.abc.com
[Thu Jan 18 02:18:53 UTC 2024] Using acme-dns
[Thu Jan 18 02:18:54 UTC 2024] The txt record is added: Success.
[Thu Jan 18 02:18:54 UTC 2024] Adding txt value: v8qdmvz0U7WrQfaOwniHkVPR9lMMh4XII2u-9VboF9o for domain: _acme-challenge.abc.com
[Thu Jan 18 02:18:54 UTC 2024] Using acme-dns
[Thu Jan 18 02:18:56 UTC 2024] The txt record is added: Success.
[Thu Jan 18 02:18:56 UTC 2024] Let's check each DNS record now. Sleep 20 seconds first.
[Thu Jan 18 02:19:17 UTC 2024] You can use '--dnssleep' to disable public dns checks.
[Thu Jan 18 02:19:17 UTC 2024] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Thu Jan 18 02:19:17 UTC 2024] Checking abc.com for _acme-challenge.abc.com
[Thu Jan 18 02:19:19 UTC 2024] Domain abc.com '_acme-challenge.abc.com' success.
[Thu Jan 18 02:19:19 UTC 2024] Checking abc.com for _acme-challenge.abc.com
[Thu Jan 18 02:19:20 UTC 2024] Domain abc.com '_acme-challenge.abc.com' success.
[Thu Jan 18 02:19:20 UTC 2024] All success, let's return
[Thu Jan 18 02:19:20 UTC 2024] Verifying: abc.com
[Thu Jan 18 02:19:25 UTC 2024] Processing, The CA is processing your order, please just wait. (1/30)
[Thu Jan 18 02:19:37 UTC 2024] Success
[Thu Jan 18 02:19:37 UTC 2024] Verifying: *.abc.com
[Thu Jan 18 02:19:49 UTC 2024] Processing, The CA is processing your order, please just wait. (1/30)
[Thu Jan 18 02:19:54 UTC 2024] Success
[Thu Jan 18 02:19:54 UTC 2024] Removing DNS records.
[Thu Jan 18 02:19:54 UTC 2024] Removing txt: X0B18yE-NpvdDJusOkQsAA9IO2oFjPAYzUhdl-n7etc for domain: _acme-challenge.abc.com
[Thu Jan 18 02:19:54 UTC 2024] Using acme-dns
[Thu Jan 18 02:19:54 UTC 2024] Removed: Success
[Thu Jan 18 02:19:54 UTC 2024] Removing txt: v8qdmvz0U7WrQfaOwniHkVPR9lMMh4XII2u-9VboF9o for domain: _acme-challenge.abc.com
[Thu Jan 18 02:19:54 UTC 2024] Using acme-dns
[Thu Jan 18 02:19:54 UTC 2024] Removed: Success
[Thu Jan 18 02:19:54 UTC 2024] Verify finished, start to sign.
[Thu Jan 18 02:19:54 UTC 2024] Lets finalize the order.
[Thu Jan 18 02:19:54 UTC 2024] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/WcvC10x0rzrenbSNx6S2aw/finalize'
[Thu Jan 18 02:20:08 UTC 2024] Order status is processing, lets sleep and retry.
[Thu Jan 18 02:20:08 UTC 2024] Retry after: 15
[Thu Jan 18 02:20:24 UTC 2024] Polling order status: https://acme.zerossl.com/v2/DV90/order/WcvC10x0rzrenbSNx6S2aw
[Thu Jan 18 02:20:26 UTC 2024] Downloading cert.
[Thu Jan 18 02:20:26 UTC 2024] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/YTqK1_OGtKouAdSsVVGbng'
[Thu Jan 18 02:20:41 UTC 2024] Cert success.
-----BEGIN CERTIFICATE-----
MIIECDCCA4+gAwIBAgIQKXY8d414sHWkuKt8PkO8uzAKBggqhkjOPQQDAzBLMQsw
CQYDVQQGEwJBVDEQMA4GA1UEChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NTTCBF
Q0MgRG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTI0MDExODAwMDAwMFoXDTI0MDQx
NzIzNTk1OVowFzEVMBMGA1UEAxMMb25seWxpZmUudG9wMFkwEwYHKoZIzj0CAQYI
KoZIzj0DAQcDQgAEqeUW6hGO9gNju2DPLmhGZaN9Qv6SHWjzX08sKGYNeweKOLCw
GeQCuzxUdRkq1zeA4gecyM5Jgci+5vEenXQSqqOCAocwggKDMB8GA1UdIwQYMBaA
FA9r5kvOOUeu9n6QHnawMJGSyF+jMB0GA1UdDgQWBBQHa43rFiRx2MlexSB9e0zP
P/r3cjAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggr
BgEFBQcDAQYIKwYBBQUHAwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICTjAlMCMG
CCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgEwgYgG
CCsGAQUFBwEBBHwwejBLBggrBgEFB*****Y/aHR0cDovL3plcm9zc2wuY3J0LnNl
Y3RpZ28uY29tL1plcm9TU0xFQ0NEb21haW5TZWN1cmVTaXRlQ0EuY3J0MCsGCCsG
AQUFBzABhh9odHRwOi8vemVyb3NzbC5vY3NwLnNlY3RpZ28uY29tMIIBAwYKKwYB
BAHWeQIEAgSB9ASB8QDvAHUAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/mZ0xa
OnQAAAGNGl5aYQAABAMARjBEAiAS1LfalOV7QbaT03kEKKyrKne/3u5Cz5rSSNMk
rE3IOwIgJEAFhHnWqSqmTSzQB0nYOY9lCVovcdR9tSfOesvtEqgAdgA7U3d1Pi25
gE6LMFsG/kA7Z9hPw/THvQANLXJv4frUFwAAAY0aXlrrAAAEAwBHMEUCIFYUa/5R
2L2YBHbnhe0XRghe3rvitpIWyUOfwY0pX17BAiEA7pT+2+VoGQ1LsYpZJfTafBK4
aev0m7F9TjEIfKg2XlcwJwYDVR0RBCAwHoIMb25seWxpZmUudG9wgg4qLm9ubHls
aWZlLnRvcDAKBggqhkjOPQQDAwNnADBkAjBIC4kz6XiJv6OBkfE4dht1yTrKnaxh
drZeejnTPNq72LfX6+rsyuWMcMaVEN1cQZsCMDfGuDoH3ktNNq9uT1UD7aT6hIst
tag/roZWR+GPzHXkdIOZFbMM3EJxRCli5lKImA==
-----END CERTIFICATE-----
[Thu Jan 18 02:20:41 UTC 2024] Your cert is in: /root/.acme.sh/abc.com_ecc/abc.com.cer
[Thu Jan 18 02:20:41 UTC 2024] Your cert key is in: /root/.acme.sh/abc.com_ecc/abc.com.key
[Thu Jan 18 02:20:41 UTC 2024] The intermediate CA cert is in: /root/.acme.sh/abc.com_ecc/ca.cer
[Thu Jan 18 02:20:41 UTC 2024] And the full chain certs is there: /root/.acme.sh/abc.com_ecc/fullchain.cer
root@debian:~/.acme.sh#
5. 安装证书
Nginx
./acme.sh --install-cert -d abc.com -d *.abc.com \ #指定要安装的证书域名
--key-file /path/to/keyfile/in/nginx/key.pem \ #指定私钥路径
--fullchain-file /path/to/fullchain/nginx/cert.pem \ #指定证书路径
--reloadcmd "service nginx force-reload" #替换替换完成后重载nginx使证书生效
Apche
acme.sh --install-cert -d example.com \
--cert-file /path/to/certfile/in/apache/cert.pem \
--key-file /path/to/keyfile/in/apache/key.pem \
--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd "service apache2 force-reload"
其它服务同理
6. 卸载acme.sh
rm -rf ~/.acme.sh #删除acme.sh安装目录
crontab -e #删除acme.sh计划任务
vim ~/.bashrc #删除其中acme.sh的环境变量