Using acme.sh to automatically obtain free SSL certificates

Official documentation: https://github.com/acmesh-official/acme.sh#1-how-to-install

Environment used: Ubuntu 20

Installing acme.sh

cd /home
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh

# Switch to root; this is recommended so the cron job does not run into permission problems
sudo su

# Install, placing all certificates under /etc/nginx/conf.d.my/ssl_cert for easier management
./acme.sh --install --cert-home /etc/nginx/conf.d.my/ssl_cert --email [email protected]

Output of the install command:

root@xxxdev:/home/ubuntu/acme.sh# ./acme.sh --install --cert-home /etc/nginx/conf.d.my/ssl_cert --email [email protected]
[Wed 20 Apr 2022 01:39:18 PM CST] It is recommended to install socat first.
[Wed 20 Apr 2022 01:39:18 PM CST] We use socat for standalone server if you use standalone mode.
[Wed 20 Apr 2022 01:39:18 PM CST] If you don't use standalone mode, just ignore this warning.
[Wed 20 Apr 2022 01:39:18 PM CST] Installing to /root/.acme.sh
[Wed 20 Apr 2022 01:39:18 PM CST] Installed to /root/.acme.sh/acme.sh
[Wed 20 Apr 2022 01:39:18 PM CST] Installing alias to '/root/.bashrc'
[Wed 20 Apr 2022 01:39:18 PM CST] OK, Close and reopen your terminal to start using acme.sh
[Wed 20 Apr 2022 01:39:18 PM CST] Installing cron job
[Wed 20 Apr 2022 01:39:18 PM CST] Good, bash is found, so change the shebang to use bash as preferred.
[Wed 20 Apr 2022 01:39:19 PM CST] OK
  1. The installation directory is /root/.acme.sh; the full path of the script is /root/.acme.sh/acme.sh

  2. An alias was added to /root/.bashrc

    .bashrc holds each user's per-session shell settings, such as command-line aliases.

  3. A cron job was created; view it with crontab -l.

root@xxxdev:/home/ubuntu/acme.sh# crontab -l
18 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Note: the "minute" field of the automatically added cron schedule is not a fixed value.

Issued certificates are valid for 90 days, and renewal is requested on day 60. Use acme.sh --list to see all certificates and their renewal times; acme.sh --cron runs the renewal schedule manually, but certificates that are not yet due are left untouched.

  1. The --cert-home parameter places all certificates under /etc/nginx/conf.d.my/ssl_cert for easier management

  2. The --email parameter: enter your own email address

Uninstalling

./acme.sh --uninstall

This removes the cron job and the acme.sh script from the installation directory (other files and the cloned source are not removed); certificates that were already issued are kept.

Configuring automatic upgrades of acme.sh

./acme.sh --upgrade --auto-upgrade

Output of the command:

root@xxxdev:/root/.acme.sh# ./acme.sh --upgrade --auto-upgrade
[Sun 24 Apr 2022 05:55:01 PM CST] Installing from online archive.
[Sun 24 Apr 2022 05:55:01 PM CST] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Sun 24 Apr 2022 05:55:03 PM CST] Extracting master.tar.gz
[Sun 24 Apr 2022 05:55:03 PM CST] It is recommended to install socat first.
[Sun 24 Apr 2022 05:55:03 PM CST] We use socat for standalone server if you use standalone mode.
[Sun 24 Apr 2022 05:55:03 PM CST] If you don't use standalone mode, just ignore this warning.
[Sun 24 Apr 2022 05:55:03 PM CST] Installing to /root/.acme.sh
[Sun 24 Apr 2022 05:55:03 PM CST] Installed to /root/.acme.sh/acme.sh
[Sun 24 Apr 2022 05:55:03 PM CST] Good, bash is found, so change the shebang to use bash as preferred.
[Sun 24 Apr 2022 05:55:03 PM CST] OK
[Sun 24 Apr 2022 05:55:03 PM CST] Install success!
[Sun 24 Apr 2022 05:55:03 PM CST] Upgrade success!

Generating certificates with acme.sh

Using HTTP validation

DNS API validation is not covered here.

First make sure the site is reachable over HTTP (DNS resolves, and the host is bound in nginx).

To request a certificate for the domain a.pipiho.com, whose web root is /www/webroot/pipiho.com/, run:

./acme.sh --issue -d a.pipiho.com --webroot /www/webroot/pipiho.com/
# with the full path
/root/.acme.sh/acme.sh --issue -d a.pipiho.com --webroot /www/webroot/pipiho.com/

To request a certificate for www.pipiho.com, be sure to specify both domains: -d pipiho.com -d www.pipiho.com. The folder and file names are taken from the first domain.

Output:

root@xxxdev:/root/.acme.sh# ./acme.sh --issue -d a.pipiho.com --webroot /www/webroot/pipiho.com/
[Wed 20 Apr 2022 02:01:10 PM CST] Using CA: https://acme.zerossl.com/v2/DV90
[Wed 20 Apr 2022 02:01:10 PM CST] Creating domain key
[Wed 20 Apr 2022 02:01:10 PM CST] The domain key is here: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/a.pipiho.com.key
[Wed 20 Apr 2022 02:01:10 PM CST] Single domain='a.pipiho.com'
[Wed 20 Apr 2022 02:01:10 PM CST] Getting domain auth token for each domain
[Wed 20 Apr 2022 02:01:26 PM CST] Getting webroot for domain='a.pipiho.com'
[Wed 20 Apr 2022 02:01:26 PM CST] Verifying: a.pipiho.com
[Wed 20 Apr 2022 02:01:33 PM CST] Processing, The CA is processing your order, please just wait. (1/30)
[Wed 20 Apr 2022 02:01:42 PM CST] Success
[Wed 20 Apr 2022 02:01:42 PM CST] Verify finished, start to sign.
[Wed 20 Apr 2022 02:01:42 PM CST] Lets finalize the order.
[Wed 20 Apr 2022 02:01:42 PM CST] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/NT-xxxxxxxxxx/finalize'
[Wed 20 Apr 2022 02:01:43 PM CST] Order status is processing, lets sleep and retry.
[Wed 20 Apr 2022 02:01:43 PM CST] Retry after: 15
[Wed 20 Apr 2022 02:01:59 PM CST] Polling order status: https://acme.zerossl.com/v2/DV90/order/NT-xxxxxxxxxxxxxx
[Wed 20 Apr 2022 02:02:06 PM CST] Downloading cert.
[Wed 20 Apr 2022 02:02:06 PM CST] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/xxxxxxxxxxxxxx'
[Wed 20 Apr 2022 02:02:18 PM CST] Cert success.
-----BEGIN CERTIFICATE-----
(certificate content omitted)
-----END CERTIFICATE-----
[Wed 20 Apr 2022 02:02:18 PM CST] Your cert is in: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/a.pipiho.com.cer
[Wed 20 Apr 2022 02:02:18 PM CST] Your cert key is in: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/a.pipiho.com.key
[Wed 20 Apr 2022 02:02:18 PM CST] The intermediate CA cert is in: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/ca.cer
[Wed 20 Apr 2022 02:02:18 PM CST] And the full chain certs is there: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/fullchain.cer

During issuance, a .well-known folder and its files are created under the web root; they are deleted once validation succeeds.

During issuance the CA server may be too busy to respond in time, so the retries fail; simply run the issue command again by hand.

Done: the certificate has been issued. Now bind it in nginx.
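The post stops at "bind it in nginx". As an added example (not part of the original post and not acme.sh's own code), the script below takes the certificate directory layout that acme.sh reported above, checks the files before nginx is pointed at them, and renders an nginx site that keeps the HTTP-01 challenge path reachable over plain HTTP while redirecting everything else to HTTPS. Assumptions not on the page: that the rendered config is saved somewhere nginx includes, that `ls -l` permission output is in the usual POSIX form, and that openssl is installed for the optional key/cert match check.

```shell
#!/usr/bin/env bash
# Added example: prepare an nginx binding for a certificate issued by acme.sh.
# Not from the original post or from acme.sh itself. Paths follow the
# --cert-home layout shown in the issuance output above.
set -eu

CERT_HOME="/etc/nginx/conf.d.my/ssl_cert"   # --cert-home from the install step

# Print an nginx config for DOMAIN whose web root is WEBROOT.
# Pure string generation, so it can be reviewed without nginx installed.
render_nginx_site() {
  domain="$1"; webroot="$2"
  cat <<EOF
server {
    listen 80;
    server_name ${domain};
    root ${webroot};

    # acme.sh writes the token under <webroot>/.well-known/acme-challenge/;
    # serve it over plain HTTP so renewals keep working after the redirect below.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        try_files \$uri =404;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name ${domain};
    root ${webroot};

    ssl_certificate     ${CERT_HOME}/${domain}/fullchain.cer;
    ssl_certificate_key ${CERT_HOME}/${domain}/${domain}.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
}

# Check that the files acme.sh reported exist and are non-empty, and that the
# private key is not readable by group/other. Returns 0 when everything is fine.
check_cert_files() {
  domain="$1"; dir="${CERT_HOME}/${domain}"
  for f in "${domain}.key" "${domain}.cer" ca.cer fullchain.cer; do
    [ -s "${dir}/${f}" ] || { echo "missing or empty: ${dir}/${f}" >&2; return 1; }
  done
  # Characters 5-10 of `ls -l` output are the group and other permission bits.
  perms=$(ls -ld -- "${dir}/${domain}.key" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "private key ${dir}/${domain}.key is readable by group/other" >&2
    return 1
  fi
  return 0
}

# Optional: confirm the key really belongs to the leaf certificate (needs openssl).
key_matches_cert() {
  domain="$1"; dir="${CERT_HOME}/${domain}"
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; return 2; }
  cert_pub=$(openssl x509 -in "${dir}/${domain}.cer" -noout -pubkey)
  key_pub=$(openssl pkey -in "${dir}/${domain}.key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Typical use on the host from the post (as root):
#   check_cert_files a.pipiho.com && key_matches_cert a.pipiho.com \
#     && render_nginx_site a.pipiho.com /www/webroot/pipiho.com/ > /etc/nginx/conf.d.my/a.pipiho.com.conf \
#     && nginx -t && systemctl reload nginx
```

The redirect exemption matters because a site that already forces HTTPS will otherwise answer the challenge request with a 301, and the webroot validation described above fails at renewal time. acme.sh's documented `--install-cert` option with `--reloadcmd "systemctl reload nginx"` is the usual way to have the copied files and the reload repeated automatically after each renewal; the checks here are what you would run once before wiring that up.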

Switching CA

Certificates issued by acme.sh no longer default to Let's Encrypt; the default is now ZeroSSL. ZeroSSL does not rate-limit requests, but as a result its service may be less stable than Let's Encrypt's.

To keep using Let's Encrypt certificates:

# Switch CA: the current default is zerossl; switch to letsencrypt
./acme.sh --issue -d l.pipiho.com --server letsencrypt --webroot /www/webroot/pipiho.com/

The values accepted by --server are listed under "CA_NAMES" in acme.sh.

Run ./acme.sh --list to see all local certificates:

root@xxxdev:/root/.acme.sh# ./acme.sh --list
Main_Domain     KeyLength  SAN_Domains  CA               Created                          Renew
a.pipiho.com    ""         no           ZeroSSL.com      Wed 20 Apr 2022 06:02:18 AM UTC  2022-06-19T06:02:18Z
b.pipiho.com    ""         no           ZeroSSL.com      Wed 20 Apr 2022 10:00:04 AM UTC  2022-06-19T10:00:04Z
c.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:45:01 AM UTC  2022-06-20T00:45:01Z
d.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:47:25 AM UTC  2022-06-20T00:47:25Z
e.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:49:48 AM UTC  2022-06-20T00:49:48Z
f.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:51:09 AM UTC  2022-06-20T00:51:09Z
g.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:52:59 AM UTC  2022-06-20T00:52:59Z
h.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:55:19 AM UTC  2022-06-20T00:55:19Z
i.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:57:26 AM UTC  2022-06-20T00:57:26Z
j.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:59:36 AM UTC  2022-06-20T00:59:36Z
k.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 01:15:39 AM UTC  2022-06-20T01:15:39Z
l.pipiho.com    ""         no           LetsEncrypt.org  Fri 22 Apr 2022 07:01:19 AM UTC  2022-06-21T07:01:19Z
www.pipiho.com  ""         pipiho.com   ZeroSSL.com      Wed 20 Apr 2022 08:14:32 AM UTC  2022-06-19T08:14:32Z

The listing shows every certificate under the --cert-home directory configured at installation.
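The 60-day renewal rule stated earlier and the --list table above are all a monitoring job needs to notice when the nightly --cron has stopped renewing. As an added example (not part of the original post and not acme.sh code), the functions below parse --list output and report rows whose Renew timestamp is at or before a cutoff. The sample table is constructed from three rows of the listing above; the cutoff is passed in as an argument so the logic itself does not depend on `date`.

```shell
#!/usr/bin/env bash
# Added example: find certificates that are past their renewal time in
# `acme.sh --list` output. Not from the original post or from acme.sh.

# Constructed sample: three rows copied from the listing in the post.
SAMPLE_LIST='Main_Domain     KeyLength  SAN_Domains  CA               Created                          Renew
a.pipiho.com    ""         no           ZeroSSL.com      Wed 20 Apr 2022 06:02:18 AM UTC  2022-06-19T06:02:18Z
l.pipiho.com    ""         no           LetsEncrypt.org  Fri 22 Apr 2022 07:01:19 AM UTC  2022-06-21T07:01:19Z
www.pipiho.com  ""         pipiho.com   ZeroSSL.com      Wed 20 Apr 2022 08:14:32 AM UTC  2022-06-19T08:14:32Z'

# due_for_renewal CUTOFF  (reads --list output on stdin)
# Prints "domain CA renew-time" for every row whose Renew column (last field,
# ISO-8601 in UTC, so plain string comparison orders it correctly) is <= CUTOFF.
# The header row is skipped; KeyLength is one field even when it is "".
due_for_renewal() {
  awk -v cutoff="$1" 'NR > 1 && $NF <= cutoff { print $1, $4, $NF }'
}

# count_due CUTOFF  (reads --list output on stdin): number of rows that are due.
count_due() {
  due_for_renewal "$1" | wc -l | tr -d ' '
}

# cron_present: true when the acme.sh renewal job from the install step is still
# in root's crontab (a common way for renewals to stop is someone wiping it).
cron_present() {
  crontab -l 2>/dev/null | grep -q -- 'acme.sh --cron'
}

# Live use on the host from the post (as root), after the nightly cron has run:
#   now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
#   "/root/.acme.sh"/acme.sh --list | due_for_renewal "$now"
#   cron_present || echo "acme.sh cron job missing" >&2
# Any row printed is a certificate whose renewal did not happen on schedule.
```

A certificate is listed with a Renew time that is already in the past only if --cron could not renew it (a failed HTTP-01 validation, a CA outage, a removed cron entry); the same check, run a day or two after the Renew time, turns the quiet failure into an alert long before the 90-day expiry.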

Changing the default CA

Use the --set-default-ca command:

root@xxxdev:/root/.acme.sh# ./acme.sh --set-default-ca --server letsencrypt
[Fri 22 Apr 2022 03:11:16 PM CST] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory

After setting it, use --info to view the local configuration:

root@xxxdev:/root/.acme.sh# ./acme.sh --info
LE_WORKING_DIR=/root/.acme.sh
LE_CONFIG_HOME=/root/.acme.sh


#LOG_FILE="/root/.acme.sh/acme.sh.log"
#LOG_LEVEL=1

#AUTO_UPGRADE="1"

#NO_TIMESTAMP=1


USER_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin'
CERT_HOME='/etc/nginx/conf.d.my/ssl_cert/'
ACCOUNT_EMAIL='[email protected]'
DEFAULT_ACME_SERVER='https://acme-v02.api.letsencrypt.org/directory'