Using acme.sh to automatically obtain free SSL certificates

Official documentation: https://github.com/acmesh-official/acme.sh#1-how-to-install

Environment: Ubuntu 20

Installing acme.sh

cd /home
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh

# Switch to root; this is recommended so the cron job does not run into permission problems
sudo su

# Install, putting all certificates under /etc/nginx/conf.d.my/ssl_cert for easier management
./acme.sh --install --cert-home /etc/nginx/conf.d.my/ssl_cert --email [email protected]

Output of the install command:

root@xxxdev:/home/ubuntu/acme.sh# ./acme.sh --install --cert-home /etc/nginx/conf.d.my/ssl_cert --email [email protected]
[Wed 20 Apr 2022 01:39:18 PM CST] It is recommended to install socat first.
[Wed 20 Apr 2022 01:39:18 PM CST] We use socat for standalone server if you use standalone mode.
[Wed 20 Apr 2022 01:39:18 PM CST] If you don't use standalone mode, just ignore this warning.
[Wed 20 Apr 2022 01:39:18 PM CST] Installing to /root/.acme.sh
[Wed 20 Apr 2022 01:39:18 PM CST] Installed to /root/.acme.sh/acme.sh
[Wed 20 Apr 2022 01:39:18 PM CST] Installing alias to '/root/.bashrc'
[Wed 20 Apr 2022 01:39:18 PM CST] OK, Close and reopen your terminal to start using acme.sh
[Wed 20 Apr 2022 01:39:18 PM CST] Installing cron job
[Wed 20 Apr 2022 01:39:18 PM CST] Good, bash is found, so change the shebang to use bash as preferred.
[Wed 20 Apr 2022 01:39:19 PM CST] OK
  1. The install directory is /root/.acme.sh; the full path of the script is /root/.acme.sh/acme.sh

  2. An alias was added to /root/.bashrc

    .bashrc holds per-user shell settings, such as command-line aliases.

  3. A cron job was created; view it with crontab -l.

root@xxxdev:/home/ubuntu/acme.sh# crontab -l
18 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Note: the "minute" field of the cron schedule added by the program is not a fixed value.

Issued certificates are valid for 90 days, and renewal is requested on day 60. Use acme.sh --list to see all certificates and their renewal times, and acme.sh --cron to run the renewal job manually; certificates that are not yet due are left untouched.

  1. The --cert-home parameter puts all certificates under /etc/nginx/conf.d.my/ssl_cert for easier management

  2. The --email parameter: just enter your own email address

Uninstalling

./acme.sh --uninstall

This removes the cron job and the acme.sh script from the install directory (other files and the cloned source are not removed); certificates already issued are kept.

Configuring automatic upgrades

./acme.sh --upgrade --auto-upgrade

Output of the command:

root@xxxdev:/root/.acme.sh# ./acme.sh --upgrade --auto-upgrade
[Sun 24 Apr 2022 05:55:01 PM CST] Installing from online archive.
[Sun 24 Apr 2022 05:55:01 PM CST] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Sun 24 Apr 2022 05:55:03 PM CST] Extracting master.tar.gz
[Sun 24 Apr 2022 05:55:03 PM CST] It is recommended to install socat first.
[Sun 24 Apr 2022 05:55:03 PM CST] We use socat for standalone server if you use standalone mode.
[Sun 24 Apr 2022 05:55:03 PM CST] If you don't use standalone mode, just ignore this warning.
[Sun 24 Apr 2022 05:55:03 PM CST] Installing to /root/.acme.sh
[Sun 24 Apr 2022 05:55:03 PM CST] Installed to /root/.acme.sh/acme.sh
[Sun 24 Apr 2022 05:55:03 PM CST] Good, bash is found, so change the shebang to use bash as preferred.
[Sun 24 Apr 2022 05:55:03 PM CST] OK
[Sun 24 Apr 2022 05:55:03 PM CST] Install success!
[Sun 24 Apr 2022 05:55:03 PM CST] Upgrade success!

Issuing certificates with acme.sh

Using HTTP validation

DNS-API validation is not covered here.

First make sure the domain is reachable over HTTP (DNS resolves, and the site is bound in nginx).

To request a certificate for a.pipiho.com, whose web root is /www/webroot/pipiho.com/:

./acme.sh --issue -d a.pipiho.com --webroot /www/webroot/pipiho.com/
# full path
/root/.acme.sh/acme.sh --issue -d a.pipiho.com --webroot /www/webroot/pipiho.com/

To request a certificate for www.pipiho.com, be sure to pass both domains: -d pipiho.com -d www.pipiho.com. The folder and file names are taken from the first domain.

Output:

root@xxxdev:/root/.acme.sh# ./acme.sh --issue -d a.pipiho.com --webroot /www/webroot/pipiho.com/
[Wed 20 Apr 2022 02:01:10 PM CST] Using CA: https://acme.zerossl.com/v2/DV90
[Wed 20 Apr 2022 02:01:10 PM CST] Creating domain key
[Wed 20 Apr 2022 02:01:10 PM CST] The domain key is here: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/a.pipiho.com.key
[Wed 20 Apr 2022 02:01:10 PM CST] Single domain='a.pipiho.com'
[Wed 20 Apr 2022 02:01:10 PM CST] Getting domain auth token for each domain
[Wed 20 Apr 2022 02:01:26 PM CST] Getting webroot for domain='a.pipiho.com'
[Wed 20 Apr 2022 02:01:26 PM CST] Verifying: a.pipiho.com
[Wed 20 Apr 2022 02:01:33 PM CST] Processing, The CA is processing your order, please just wait. (1/30)
[Wed 20 Apr 2022 02:01:42 PM CST] Success
[Wed 20 Apr 2022 02:01:42 PM CST] Verify finished, start to sign.
[Wed 20 Apr 2022 02:01:42 PM CST] Lets finalize the order.
[Wed 20 Apr 2022 02:01:42 PM CST] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/NT-xxxxxxxxxx/finalize'
[Wed 20 Apr 2022 02:01:43 PM CST] Order status is processing, lets sleep and retry.
[Wed 20 Apr 2022 02:01:43 PM CST] Retry after: 15
[Wed 20 Apr 2022 02:01:59 PM CST] Polling order status: https://acme.zerossl.com/v2/DV90/order/NT-xxxxxxxxxxxxxx
[Wed 20 Apr 2022 02:02:06 PM CST] Downloading cert.
[Wed 20 Apr 2022 02:02:06 PM CST] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/xxxxxxxxxxxxxx'
[Wed 20 Apr 2022 02:02:18 PM CST] Cert success.
-----BEGIN CERTIFICATE-----
(certificate contents omitted)
-----END CERTIFICATE-----
[Wed 20 Apr 2022 02:02:18 PM CST] Your cert is in: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/a.pipiho.com.cer
[Wed 20 Apr 2022 02:02:18 PM CST] Your cert key is in: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/a.pipiho.com.key
[Wed 20 Apr 2022 02:02:18 PM CST] The intermediate CA cert is in: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/ca.cer
[Wed 20 Apr 2022 02:02:18 PM CST] And the full chain certs is there: /etc/nginx/conf.d.my/ssl_cert//a.pipiho.com/fullchain.cer

During issuance, a .well-known directory and challenge file are created under the web root; they are removed once validation succeeds.

During issuance the CA server may be too busy to respond in time, so the retries fail; simply run the issue command again.

That's it, the certificate is issued; now bind it in nginx.
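As an added example (not code from the original post or from the acme.sh project), the following shell script wires the files acme.sh wrote under --cert-home into an nginx configuration for the domain issued above. It assumes the cert-home layout shown in the issue log (<cert-home>/<domain>/fullchain.cer and <cert-home>/<domain>/<domain>.key), refuses to emit a config if the private key is readable by group or others, and keeps /.well-known/acme-challenge/ served from the web root on port 80 so later webroot renewals keep working once the site redirects to HTTPS. The function names and the demo paths are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post or of acme.sh): generate an nginx
# server block from the files acme.sh placed under --cert-home, after checking
# that the private key is not exposed to other users. Paths follow the layout in
# the issue log on this page: <cert-home>/<domain>/fullchain.cer and
# <cert-home>/<domain>/<domain>.key. Function names and demo paths are assumed.

# Return 0 only if the file exists and has no group/other permission bits.
# Parses `ls -l` rather than `stat`, whose flags differ between GNU and BSD.
key_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -l "$1" | cut -c1-10)     # e.g. -rw------- ; ACL/SELinux suffix cut off
    case "$mode" in
        ????------) return 0 ;;        # positions 5-10 (group/other) all unset
        *) return 1 ;;
    esac
}

# Print an nginx config for DOMAIN. Port 80 still serves the ACME challenge
# directory from WEBROOT (so webroot renewals work after the HTTPS redirect);
# port 443 uses the acme.sh-issued full chain and domain key.
nginx_ssl_conf() {
    domain=$1; cert_home=$2; webroot=$3
    key="$cert_home/$domain/$domain.key"
    chain="$cert_home/$domain/fullchain.cer"
    [ -f "$chain" ] || { echo "missing $chain (not issued yet?)" >&2; return 1; }
    key_is_private "$key" || { echo "refusing: $key missing or readable by others" >&2; return 1; }
    cat <<EOF
server {
    listen 80;
    server_name $domain;
    location /.well-known/acme-challenge/ {
        root $webroot;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name $domain;
    ssl_certificate     $chain;
    ssl_certificate_key $key;
    root $webroot;
}
EOF
}

# Demo with the paths used on this page; on a host where the certificate has not
# been issued the check fails and explains why instead of emitting a broken config.
nginx_ssl_conf a.pipiho.com /etc/nginx/conf.d.my/ssl_cert /www/webroot/pipiho.com \
    || echo "no config written" >&2
```

acme.sh's own --install-cert option (with --key-file, --fullchain-file and --reloadcmd) is the project's mechanism for copying the files to their final location and reloading nginx on every renewal; the script above only generates the server block and checks the key mode, it does not replace that step. Writing the output to a file under conf.d and running nginx -t before a reload is the intended use.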

Switching CA

Certificates requested by acme.sh now default to ZeroSSL instead of Let's Encrypt. ZeroSSL does not rate-limit requests, but as a result its service may be less stable than Let's Encrypt's.

To keep using Let's Encrypt certificates:

# Switch CA: the current default is zerossl, switch to letsencrypt
./acme.sh --issue -d l.pipiho.com --server letsencrypt --webroot /www/webroot/pipiho.com/

The values accepted by --server are listed under "CA_NAMES" in acme.sh.

Run ./acme.sh --list to see all local certificates:

root@xxxdev:/root/.acme.sh# ./acme.sh --list
Main_Domain     KeyLength  SAN_Domains  CA               Created                          Renew
a.pipiho.com    ""         no           ZeroSSL.com      Wed 20 Apr 2022 06:02:18 AM UTC  2022-06-19T06:02:18Z
b.pipiho.com    ""         no           ZeroSSL.com      Wed 20 Apr 2022 10:00:04 AM UTC  2022-06-19T10:00:04Z
c.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:45:01 AM UTC  2022-06-20T00:45:01Z
d.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:47:25 AM UTC  2022-06-20T00:47:25Z
e.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:49:48 AM UTC  2022-06-20T00:49:48Z
f.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:51:09 AM UTC  2022-06-20T00:51:09Z
g.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:52:59 AM UTC  2022-06-20T00:52:59Z
h.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:55:19 AM UTC  2022-06-20T00:55:19Z
i.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:57:26 AM UTC  2022-06-20T00:57:26Z
j.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:59:36 AM UTC  2022-06-20T00:59:36Z
k.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 01:15:39 AM UTC  2022-06-20T01:15:39Z
l.pipiho.com    ""         no           LetsEncrypt.org  Fri 22 Apr 2022 07:01:19 AM UTC  2022-06-21T07:01:19Z
www.pipiho.com  ""         pipiho.com   ZeroSSL.com      Wed 20 Apr 2022 08:14:32 AM UTC  2022-06-19T08:14:32Z

This lists all certificates under the --cert-home directory configured at install time.
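The Renew column is what the cron job from the install step acts on, which makes it a cheap thing to monitor: a Renew timestamp that is already in the past means the scheduled renewal did not run or failed. The script below is an added example, not from the post or from acme.sh; it parses --list output (the rows above are embedded as the sample) and reports every certificate whose Renew time is earlier than a given UTC timestamp. It assumes the column layout shown here, with Renew as the last column in ISO-8601 UTC form, which compares correctly as a plain string; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post or of acme.sh): flag certificates
# whose scheduled Renew time has already passed. Relies on the `acme.sh --list`
# layout shown on this page, where the last column is an ISO-8601 UTC timestamp
# such as 2022-06-19T06:02:18Z, so a lexical comparison is a chronological one.

# Sample input: the --list rows from this page, embedded so the script runs offline.
SAMPLE_LIST='Main_Domain     KeyLength  SAN_Domains  CA               Created                          Renew
a.pipiho.com    ""         no           ZeroSSL.com      Wed 20 Apr 2022 06:02:18 AM UTC  2022-06-19T06:02:18Z
b.pipiho.com    ""         no           ZeroSSL.com      Wed 20 Apr 2022 10:00:04 AM UTC  2022-06-19T10:00:04Z
c.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:45:01 AM UTC  2022-06-20T00:45:01Z
d.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:47:25 AM UTC  2022-06-20T00:47:25Z
e.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:49:48 AM UTC  2022-06-20T00:49:48Z
f.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:51:09 AM UTC  2022-06-20T00:51:09Z
g.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:52:59 AM UTC  2022-06-20T00:52:59Z
h.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:55:19 AM UTC  2022-06-20T00:55:19Z
i.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:57:26 AM UTC  2022-06-20T00:57:26Z
j.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 12:59:36 AM UTC  2022-06-20T00:59:36Z
k.pipiho.com    ""         no           ZeroSSL.com      Thu 21 Apr 2022 01:15:39 AM UTC  2022-06-20T01:15:39Z
l.pipiho.com    ""         no           LetsEncrypt.org  Fri 22 Apr 2022 07:01:19 AM UTC  2022-06-21T07:01:19Z
www.pipiho.com  ""         pipiho.com   ZeroSSL.com      Wed 20 Apr 2022 08:14:32 AM UTC  2022-06-19T08:14:32Z'

# Read `acme.sh --list` output on stdin; print Main_Domain of every row whose
# Renew timestamp (last column) is earlier than $1. The header row is skipped.
overdue_from_list() {
    awk -v now="$1" 'NR > 1 && NF >= 6 && $NF < now { print $1 }'
}

# Same check against the embedded sample.
overdue_certs() {
    printf '%s\n' "$SAMPLE_LIST" | overdue_from_list "$1"
}

# Exit 1 when anything is overdue, so the function can feed a monitoring job.
check_renewals() {
    found=$(overdue_certs "$1")
    if [ -n "$found" ]; then
        printf 'OVERDUE renewal (cron job did not renew):\n%s\n' "$found"
        return 1
    fi
    echo "all certificates renewed on schedule as of $1"
    return 0
}

# Demo against a point in time after several of the sample renew dates.
# Real use on the host:  acme.sh --list | overdue_from_list "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
overdue_certs "2022-06-20T00:50:00Z"
```

Because acme.sh runs the cron job at a randomized minute and silently skips certificates that are not due, a missing renewal only becomes visible when the certificate has already been replaced late or not at all; running this check daily from a separate cron entry turns that into an alert while there are still 30 days of validity left.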

Changing the default CA

Use the --set-default-ca command:

root@xxxdev:/root/.acme.sh# ./acme.sh --set-default-ca --server letsencrypt
[Fri 22 Apr 2022 03:11:16 PM CST] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory

Afterwards, use --info to view the local configuration:

root@xxxdev:/root/.acme.sh# ./acme.sh --info
LE_WORKING_DIR=/root/.acme.sh
LE_CONFIG_HOME=/root/.acme.sh


#LOG_FILE="/root/.acme.sh/acme.sh.log"
#LOG_LEVEL=1

#AUTO_UPGRADE="1"

#NO_TIMESTAMP=1


USER_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin'
CERT_HOME='/etc/nginx/conf.d.my/ssl_cert/'
ACCOUNT_EMAIL='[email protected]'
DEFAULT_ACME_SERVER='https://acme-v02.api.letsencrypt.org/directory'