Official documentation: https://github.com/acmesh-official/acme.sh#1-how-to-install
Environment: Ubuntu 20
Installing acme.sh
cd /home
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
# Switch to root; this is recommended so the cron job does not run into permission problems
sudo su
# Install, and put all certificates under /etc/nginx/conf.d.my/ssl_cert so they are in one place
./acme.sh --install --cert-home /etc/nginx/conf.d.my/ssl_cert --email [email protected]
Output of the install command:
root@xxxdev:/home/ubuntu/acme.sh# ./acme.sh --install --cert-home /etc/nginx/conf.d.my/ssl_cert --email [email protected]
[Wed 20 Apr 2022 01:39:18 PM CST] It is recommended to install socat first.
[Wed 20 Apr 2022 01:39:18 PM CST] We use socat for standalone server if you use standalone mode.
[Wed 20 Apr 2022 01:39:18 PM CST] If you don't use standalone mode, just ignore this warning.
[Wed 20 Apr 2022 01:39:18 PM CST] Installing to /root/.acme.sh
[Wed 20 Apr 2022 01:39:18 PM CST] Installed to /root/.acme.sh/acme.sh
[Wed 20 Apr 2022 01:39:18 PM CST] Installing alias to '/root/.bashrc'
[Wed 20 Apr 2022 01:39:18 PM CST] OK, Close and reopen your terminal to start using acme.sh
[Wed 20 Apr 2022 01:39:18 PM CST] Installing cron job
[Wed 20 Apr 2022 01:39:18 PM CST] Good, bash is found, so change the shebang to use bash as preferred.
[Wed 20 Apr 2022 01:39:19 PM CST] OK
- The install directory is /root/.acme.sh; the full path of the script is /root/.acme.sh/acme.sh.
- An alias was added to /root/.bashrc. .bashrc is the per-user bash startup script, where things such as command-line aliases are defined.
- A cron job was created; view it with crontab -l.
root@xxxdev:/home/ubuntu/acme.sh# crontab -l
18 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
Note: the minute field of the cron entry that acme.sh adds is not a fixed value; it differs from one install to another.
Issued certificates are valid for 90 days, and acme.sh will try to renew them on day 60. Use acme.sh --list to see every certificate and its renew time, and acme.sh --cron to run the renewal job by hand; certificates that have not reached their renew time are left alone. To renew one earlier anyway, use acme.sh --renew -d <domain> --force.
- --cert-home puts all certificates under /etc/nginx/conf.d.my/ssl_cert, which keeps them in one place.
- --email is your own e-mail address; acme.sh registers the CA account with it.
Uninstalling
./acme.sh --uninstall
This removes the cron job and the acme.sh script from the install directory (other files and the cloned source are left alone); certificates already issued are kept.
Enabling automatic upgrades
./acme.sh --upgrade --auto-upgrade
Output:
root@xxxdev:/root/.acme.sh# ./acme.sh --upgrade --auto-upgrade
[Sun 24 Apr 2022 05:55:01 PM CST] Installing from online archive.
[Sun 24 Apr 2022 05:55:01 PM CST] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Sun 24 Apr 2022 05:55:03 PM CST] Extracting master.tar.gz
[Sun 24 Apr 2022 05:55:03 PM CST] It is recommended to install socat first.
[Sun 24 Apr 2022 05:55:03 PM CST] We use socat for standalone server if you use standalone mode.
[Sun 24 Apr 2022 05:55:03 PM CST] If you don't use standalone mode, just ignore this warning.
[Sun 24 Apr 2022 05:55:03 PM CST] Installing to /root/.acme.sh
[Sun 24 Apr 2022 05:55:03 PM CST] Installed to /root/.acme.sh/acme.sh
[Sun 24 Apr 2022 05:55:03 PM CST] Good, bash is found, so change the shebang to use bash as preferred.
[Sun 24 Apr 2022 05:55:03 PM CST] OK
[Sun 24 Apr 2022 05:55:03 PM CST] Install success!
[Sun 24 Apr 2022 05:55:03 PM CST] Upgrade success!
Issuing certificates with acme.sh
HTTP validation
DNS validation through a DNS provider's API is not covered here.
First make sure the domain is reachable over plain HTTP (DNS points at this host and nginx serves the domain from the web root used below).
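As an added check (example script, not part of acme.sh or the original post), the following drops a random token under the web root's .well-known/acme-challenge/ directory, the same location acme.sh uses for HTTP validation, and fetches it over plain HTTP the way the CA will. The domain and web root are arguments; curl is assumed to be installed.

```shell
#!/bin/sh
# Added example: confirm that a file placed under WEBROOT/.well-known/acme-challenge/
# is reachable at http://DOMAIN/.well-known/acme-challenge/<token>, which is what the
# CA fetches during HTTP validation. Assumes curl is installed.

# Directory acme.sh writes the challenge file into for a given web root.
challenge_dir() {   # WEBROOT
  printf '%s/.well-known/acme-challenge' "${1%/}"
}

# Write TOKEN as the content of WEBROOT/.well-known/acme-challenge/TOKEN; print the path.
place_token() {     # WEBROOT TOKEN
  dir=$(challenge_dir "$1")
  mkdir -p "$dir"
  printf '%s' "$2" > "$dir/$2"
  printf '%s\n' "$dir/$2"
}

# Place a random token, fetch it over plain HTTP (following redirects, as the CA's
# validator does), compare, and clean up. Returns 1 on mismatch.
precheck_webroot() {   # DOMAIN WEBROOT
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  path=$(place_token "$2" "$token")
  got=$(curl -fsSL --max-time 15 "http://$1/.well-known/acme-challenge/$token") || got=""
  rm -f "$path"
  if [ "$got" = "$token" ]; then
    echo "OK: http://$1/.well-known/acme-challenge/ is served from $2"
    return 0
  fi
  echo "FAIL: expected '$token', got '$got'." >&2
  echo "  Check that $1 resolves to this host, that the nginx server block for $1" >&2
  echo "  uses root $2, and that no 'location ~ /\\.' deny rule blocks .well-known." >&2
  return 1
}

# usage: sh precheck.sh a.pipiho.com /www/webroot/pipiho.com/
if [ $# -eq 2 ]; then
  precheck_webroot "$1" "$2"
fi
```

A 403 on the fetch almost always comes from a generic "deny dotfiles" rule in the nginx config; a 404 usually means the server block for the domain has a different root than the one passed to --webroot.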
To issue a certificate for a.pipiho.com with web root /www/webroot/pipiho.com/, run:
./acme.sh --issue -d a.pipiho.com --webroot /www/webroot/pipiho.com/
# the same, with the full path
/root/.acme.sh/acme.sh --issue -d a.pipiho.com --webroot /www/webroot/pipiho.com/
If you want a certificate for www.pipiho.com, be sure to pass both names: -d pipiho.com -d www.pipiho.com. The certificate directory and file names are taken from the first -d domain.
Output:
root@xxxdev:/root/.acme.sh# ./acme.sh --issue -d a.pipiho.com --webroot /www/webroot/pipiho.com/
[Wed 20 Apr 2022 02:01:10 PM CST] Using CA: https://acme.zerossl.com/v2/DV90
[Wed 20 Apr 2022 02:01:10 PM CST] Creating domain key
[Wed 20 Apr 2022 02:01:10 PM CST] The domain key is here: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/a.pipiho.com.key
[Wed 20 Apr 2022 02:01:10 PM CST] Single domain='a.pipiho.com'
[Wed 20 Apr 2022 02:01:10 PM CST] Getting domain auth token for each domain
[Wed 20 Apr 2022 02:01:26 PM CST] Getting webroot for domain='a.pipiho.com'
[Wed 20 Apr 2022 02:01:26 PM CST] Verifying: a.pipiho.com
[Wed 20 Apr 2022 02:01:33 PM CST] Processing, The CA is processing your order, please just wait. (1/30)
[Wed 20 Apr 2022 02:01:42 PM CST] Success
[Wed 20 Apr 2022 02:01:42 PM CST] Verify finished, start to sign.
[Wed 20 Apr 2022 02:01:42 PM CST] Lets finalize the order.
[Wed 20 Apr 2022 02:01:42 PM CST] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/NT-xxxxxxxxxx/finalize'
[Wed 20 Apr 2022 02:01:43 PM CST] Order status is processing, lets sleep and retry.
[Wed 20 Apr 2022 02:01:43 PM CST] Retry after: 15
[Wed 20 Apr 2022 02:01:59 PM CST] Polling order status: https://acme.zerossl.com/v2/DV90/order/NT-xxxxxxxxxxxxxx
[Wed 20 Apr 2022 02:02:06 PM CST] Downloading cert.
[Wed 20 Apr 2022 02:02:06 PM CST] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/xxxxxxxxxxxxxx'
[Wed 20 Apr 2022 02:02:18 PM CST] Cert success.
-----BEGIN CERTIFICATE-----
证书内容, 省略
-----END CERTIFICATE-----
[Wed 20 Apr 2022 02:02:18 PM CST] Your cert is in: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/a.pipiho.com.cer
[Wed 20 Apr 2022 02:02:18 PM CST] Your cert key is in: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/a.pipiho.com.key
[Wed 20 Apr 2022 02:02:18 PM CST] The intermediate CA cert is in: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/ca.cer
[Wed 20 Apr 2022 02:02:18 PM CST] And the full chain certs is there: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/fullchain.cer
During issuance acme.sh creates a .well-known directory and the challenge file under the web root; they are removed once validation succeeds.
The CA may be busy and not respond in time, so the retries may fail; simply run the issue command again.
The certificate is issued; the remaining step is to bind it in nginx.
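Rather than pointing nginx straight at the files in --cert-home, the acme.sh documentation recommends `--install-cert`, which copies the key and full chain to a path you choose and records a `--reloadcmd` that acme.sh runs again after every renewal; without a reload, nginx keeps serving the old certificate after the cron job renews it. The script below is an added example, not from the page or from acme.sh; the install directory /etc/nginx/ssl and the snippet directory /etc/nginx/conf.d.my are assumptions.

```shell
#!/bin/sh
# Added example: hand an issued certificate to nginx via `acme.sh --install-cert`
# and make nginx reload after every renewal. Assumed layout (not from the page):
# installed copies live under /etc/nginx/ssl/<domain>/ and the server block is
# written to /etc/nginx/conf.d.my/<domain>.ssl.conf.
ACME=/root/.acme.sh/acme.sh
NGINX_SSL_DIR=/etc/nginx/ssl
SNIPPET_DIR=/etc/nginx/conf.d.my

# Print an nginx server block for DOMAIN that uses the installed copies.
render_nginx_ssl_server() {   # DOMAIN SSL_DIR WEBROOT
  cat <<EOF
server {
    listen 443 ssl;
    server_name $1;
    # fullchain (leaf + intermediate), never the bare $1.cer: clients need the chain
    ssl_certificate     $2/$1/fullchain.cer;
    ssl_certificate_key $2/$1/$1.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    root $3;
}
EOF
}

# Copy key + full chain out of --cert-home and register the reload command. acme.sh
# stores the reloadcmd with the domain, so the cron renewal runs it again each time.
install_for_nginx() {         # DOMAIN
  mkdir -p "$NGINX_SSL_DIR/$1"
  "$ACME" --install-cert -d "$1" \
    --key-file       "$NGINX_SSL_DIR/$1/$1.key" \
    --fullchain-file "$NGINX_SSL_DIR/$1/fullchain.cer" \
    --reloadcmd      "nginx -t && nginx -s reload"
}

# usage (as root): sh nginx-bind.sh --apply a.pipiho.com /www/webroot/pipiho.com/
if [ "${1:-}" = "--apply" ] && [ $# -eq 3 ]; then
  render_nginx_ssl_server "$2" "$NGINX_SSL_DIR" "$3" > "$SNIPPET_DIR/$2.ssl.conf"
  install_for_nginx "$2"
fi
```

Keep the installed copies in a directory that is not --cert-home: acme.sh writes the target files by overwriting them, so pointing --key-file at the key it already manages is not safe.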
Switching CA
acme.sh no longer defaults to Let's Encrypt; the default CA is now ZeroSSL. ZeroSSL does not impose Let's Encrypt's issuance rate limits, but its service may not be as stable.
To keep using Let's Encrypt certificates, pass --server:
# switch CA for this order: the default is zerossl, use letsencrypt instead
./acme.sh --issue -d l.pipiho.com --server letsencrypt --webroot /www/webroot/pipiho.com/
The accepted values for --server are the names listed under "CA_NAMES" in the acme.sh script.
Run ./acme.sh --list to see all local certificates:
root@xxxdev:/root/.acme.sh# ./acme.sh --list
Main_Domain KeyLength SAN_Domains CA Created Renew
a.pipiho.com "" no ZeroSSL.com Wed 20 Apr 2022 06:02:18 AM UTC 2022-06-19T06:02:18Z
b.pipiho.com "" no ZeroSSL.com Wed 20 Apr 2022 10:00:04 AM UTC 2022-06-19T10:00:04Z
c.pipiho.com "" no ZeroSSL.com Thu 21 Apr 2022 12:45:01 AM UTC 2022-06-20T00:45:01Z
d.pipiho.com "" no ZeroSSL.com Thu 21 Apr 2022 12:47:25 AM UTC 2022-06-20T00:47:25Z
e.pipiho.com "" no ZeroSSL.com Thu 21 Apr 2022 12:49:48 AM UTC 2022-06-20T00:49:48Z
f.pipiho.com "" no ZeroSSL.com Thu 21 Apr 2022 12:51:09 AM UTC 2022-06-20T00:51:09Z
g.pipiho.com "" no ZeroSSL.com Thu 21 Apr 2022 12:52:59 AM UTC 2022-06-20T00:52:59Z
h.pipiho.com "" no ZeroSSL.com Thu 21 Apr 2022 12:55:19 AM UTC 2022-06-20T00:55:19Z
i.pipiho.com "" no ZeroSSL.com Thu 21 Apr 2022 12:57:26 AM UTC 2022-06-20T00:57:26Z
j.pipiho.com "" no ZeroSSL.com Thu 21 Apr 2022 12:59:36 AM UTC 2022-06-20T00:59:36Z
k.pipiho.com "" no ZeroSSL.com Thu 21 Apr 2022 01:15:39 AM UTC 2022-06-20T01:15:39Z
l.pipiho.com "" no LetsEncrypt.org Fri 22 Apr 2022 07:01:19 AM UTC 2022-06-21T07:01:19Z
www.pipiho.com "" pipiho.com ZeroSSL.com Wed 20 Apr 2022 08:14:32 AM UTC 2022-06-19T08:14:32Z
This lists every certificate under the --cert-home directory set at install time.
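Because acme.sh --cron only renews what is past its Renew time, the useful operational check is whether anything in --list is already past that time (meaning the cron job is not doing its job) or is about to be. The script below is an added example, not part of acme.sh: it parses the --list output above (a subset is embedded as constructed sample data) and prints the domains due within a window, using only POSIX sh and awk so it does not depend on GNU date.

```shell
#!/bin/sh
# Added example: list certificates from `acme.sh --list` whose Renew time falls
# on or before NOW + WINDOW_DAYS. WINDOW_DAYS=0 means "already overdue".
# Only POSIX sh and awk are used, so it also works without GNU date.

# "YYYY-MM-DDTHH:MM:SSZ" -> Unix epoch seconds (days-from-civil algorithm).
iso_to_epoch() {
  y=${1%%-*};  r=${1#*-}
  m=${r%%-*};  r=${r#*-}
  d=${r%%T*};  r=${r#*T}
  H=${r%%:*};  r=${r#*:}
  M=${r%%:*};  r=${r#*:}
  S=${r%%Z*}
  # drop one leading zero so "08" and "09" are not parsed as octal
  m=${m#0}; d=${d#0}; H=${H#0}; M=${M#0}; S=${S#0}
  if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( (era * 146097 + doe - 719468) * 86400 + H * 3600 + M * 60 + S ))
}

# stdin: `acme.sh --list` output. Prints Main_Domain of every certificate whose
# Renew time (last column) is <= NOW_EPOCH + WINDOW_DAYS days.
due_renewals() {   # NOW_EPOCH WINDOW_DAYS
  cutoff=$(( $1 + $2 * 86400 ))
  awk 'NR > 1 && NF >= 2 { print $1, $NF }' |
  while read -r domain renew; do
    if [ "$(iso_to_epoch "$renew")" -le "$cutoff" ]; then
      echo "$domain"
    fi
  done
}

# Constructed sample: a subset of the --list output shown above (not live data).
acme_list_sample() {
  cat <<'EOF'
Main_Domain KeyLength SAN_Domains CA Created Renew
a.pipiho.com "" no ZeroSSL.com Wed 20 Apr 2022 06:02:18 AM UTC 2022-06-19T06:02:18Z
b.pipiho.com "" no ZeroSSL.com Wed 20 Apr 2022 10:00:04 AM UTC 2022-06-19T10:00:04Z
c.pipiho.com "" no ZeroSSL.com Thu 21 Apr 2022 12:45:01 AM UTC 2022-06-20T00:45:01Z
l.pipiho.com "" no LetsEncrypt.org Fri 22 Apr 2022 07:01:19 AM UTC 2022-06-21T07:01:19Z
www.pipiho.com "" pipiho.com ZeroSSL.com Wed 20 Apr 2022 08:14:32 AM UTC 2022-06-19T08:14:32Z
EOF
}

# On a live host:  /root/.acme.sh/acme.sh --list | due_renewals "$(date +%s)" 0
# Anything printed is overdue: check `crontab -l`, run `acme.sh --cron` by hand to
# see the error, or renew with  /root/.acme.sh/acme.sh --renew -d <domain> --force
if [ "${1:-}" = "--demo" ]; then
  # pretend it is 2022-06-19T00:00:00Z and look one day ahead: a, b and www are due
  acme_list_sample | due_renewals "$(iso_to_epoch 2022-06-19T00:00:00Z)" 1
fi
```

Run with a window of a few days from a monitoring cron entry and alert on any output; a certificate that is still listed as due after the nightly acme.sh cron run is the earliest sign that renewal is failing, well before the 90-day expiry.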
Changing the default CA
Use --set-default-ca:
root@xxxdev:/root/.acme.sh# ./acme.sh --set-default-ca --server letsencrypt
[Fri 22 Apr 2022 03:11:16 PM CST] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
Afterwards, --info shows the local configuration:
root@xxxdev:/root/.acme.sh# ./acme.sh --info
LE_WORKING_DIR=/root/.acme.sh
LE_CONFIG_HOME=/root/.acme.sh
#LOG_FILE="/root/.acme.sh/acme.sh.log"
#LOG_LEVEL=1
#AUTO_UPGRADE="1"
#NO_TIMESTAMP=1
USER_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin'
CERT_HOME='/etc/nginx/conf.d.my/ssl_cert/'
ACCOUNT_EMAIL='[email protected]'
DEFAULT_ACME_SERVER='https://acme-v02.api.letsencrypt.org/directory'