curl https://get.acme.sh | sh
Then create a bash alias to make it easier to use:
alias acme.sh=~/.acme.sh/acme.sh
acme.sh implements all of the validation methods supported by the ACME protocol. There are generally two ways to validate: http validation and dns validation.
The http method places a file under your website's root directory to prove ownership of the domain and complete the validation. After that the certificate can be issued.
acme.sh --issue -d kubesre.com -d www.kubesre.com --webroot /application/nginx/html/
You only need to specify the domain and the web root directory it is served from. acme.sh automatically generates the validation file, places it in the web root, and completes the validation on its own. Finally it cleverly removes the validation file again. The whole process has no side effects.
If your web server is Apache or Nginx, acme.sh can also complete the validation automatically from the server's own configuration, so you don't need to specify the web root:
acme.sh --issue -d kubesre.com --apache
acme.sh --issue -d kubesre.com --nginx
Manual dns mode: add a TXT record for the domain by hand to prove domain ownership.
The advantage of this method is that you don't need any server or any public IP; a DNS record alone is enough to complete the validation. The downside is that, unless an automatic DNS API is configured as well, acme.sh cannot renew the certificate automatically with this method: every time, you must add the record again by hand and re-validate domain ownership.
acme.sh --issue --dns -d kubesre.com \
  --yes-I-know-dns-manual-mode-enough-go-ahead-please
acme.sh then generates the corresponding DNS record and prints it; you only need to add that TXT record in your domain management panel.
Once the record has propagated, run the issuance again:
acme.sh --renew -d kubesre.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Dec 21 17:21:23 CST 2021] Renew: 'kubesre.com'
[Tue Dec 21 17:21:28 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Dec 21 17:21:28 CST 2021] Multi domain='DNS:kubesre.com,DNS:www.kubesre.com'
[Tue Dec 21 17:21:28 CST 2021] Getting domain auth token for each domain
[Tue Dec 21 17:21:28 CST 2021] Verifying: kubesre.com
[Tue Dec 21 17:21:39 CST 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Dec 21 17:21:46 CST 2021] Success
[Tue Dec 21 17:21:46 CST 2021] Verifying: www.kubesre.com
[Tue Dec 21 17:21:51 CST 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Dec 21 17:21:58 CST 2021] Success
[Tue Dec 21 17:21:58 CST 2021] Verify finished, start to sign.
[Tue Dec 21 17:21:58 CST 2021] Lets finalize the order.
[Tue Dec 21 17:21:58 CST 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/5RzPnQTU0MBIaZgvOqiSkQ/finalize'
[Tue Dec 21 17:22:04 CST 2021] Order status is processing, lets sleep and retry.
[Tue Dec 21 17:22:04 CST 2021] Retry after: 15
[Tue Dec 21 17:22:20 CST 2021] Polling order status: https://acme.zerossl.com/v2/DV90/order/5RzPnQTU0MBIaZgvOqiSkQ
[Tue Dec 21 17:22:28 CST 2021] Downloading cert.
[Tue Dec 21 17:22:28 CST 2021] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/RIlS-0BCVnWMmTIzTSy69g'
[Tue Dec 21 17:22:32 CST 2021] Cert success.
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
[Tue Dec 21 17:22:32 CST 2021] Your cert is in: /root/.acme.sh/kubesre.com/kubesre.com.cer
[Tue Dec 21 17:22:32 CST 2021] Your cert key is in: /root/.acme.sh/kubesre.com/kubesre.com.key
[Tue Dec 21 17:22:32 CST 2021] The intermediate CA cert is in: /root/.acme.sh/kubesre.com/ca.cer
[Tue Dec 21 17:22:32 CST 2021] And the full chain certs is there: /root/.acme.sh/kubesre.com/fullchain.cer
Note that the second run uses --renew.
The real strength of dns mode is that it can use the DNS provider's API to add the TXT record automatically and complete the validation without manual steps.
acme.sh currently supports automatic integration with dozens of DNS providers, including cloudflare, dnspod, cloudxns, godaddy and ovh.
Taking dnspod as an example: first log in to your dnspod account and generate your API id and API key (both are free). Then:
export DP_Id="kube123"
export DP_Key="sADDsdasdgdsf"
acme.sh --issue --dns dns_dp -d kubesre.com -d www.kubesre.com
The certificate is then generated automatically. The API id and API key given here are saved by acme.sh, so the next time you use the dnspod API you don't need to specify them again; just issue directly:
acme.sh --issue -d kubesre.com --dns dns_dp
More detailed API usage is documented at: https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md
Currently a certificate is valid for 60 days after it is issued.
Because both the ACME protocol and the Let's Encrypt CA are updated frequently, acme.sh is also updated often to stay in sync.
# Upgrade acme.sh to the latest version
acme.sh --upgrade
# If you don't want to upgrade by hand, enable automatic upgrades:
acme.sh --upgrade --auto-upgrade
# From then on acme.sh keeps itself up to date automatically.
# You can also turn automatic upgrades off at any time:
acme.sh --upgrade --auto-upgrade 0
The default CA is ZeroSSL. If you have a specific need to use a different CA, change it as follows.
You can use any supported CA by passing the --server parameter:
acme.sh --issue -d kubesre.com --dns dns_cf --server letsencrypt
You can also change the default CA with --set-default-ca:
acme.sh --set-default-ca --server letsencrypt
Generate a CSR with openssl
openssl genrsa -out kubesre.com/kubesre.com.key 4096
openssl req -new -key kubesre.com/kubesre.com.key -out kubesre.com/kubesre.com.csr -subj "/C=CN/L=Shanghai/O=kubesre/OU=shanghai/CN=kubesre.com"
Issue a certificate from the CSR
acme.sh --signcsr --csr ../intermediateca.csr --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --server zerossl
[Tue Dec 21 20:03:11 CST 2021] Copy csr to: /root/.acme.sh/kubesre.com/kubesre.com.csr
[Tue Dec 21 20:03:15 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Dec 21 20:03:15 CST 2021] Single domain='kubesre.com'
[Tue Dec 21 20:03:15 CST 2021] Getting domain auth token for each domain
[Tue Dec 21 20:03:27 CST 2021] Getting webroot for domain='kubesre.com'
[Tue Dec 21 20:03:27 CST 2021] Add the following TXT record:
[Tue Dec 21 20:03:27 CST 2021] Domain: '_acme-challenge.kubesre.com'
[Tue Dec 21 20:03:27 CST 2021] TXT value: 'JIuDsu6k_4xnvRZbwnkWqEIXJ17hjVHGXchrgvydC90'
[Tue Dec 21 20:03:27 CST 2021] Please be aware that you prepend _acme-challenge. before your domain
[Tue Dec 21 20:03:27 CST 2021] so the resulting subdomain will be: _acme-challenge.kubesre.com
[Tue Dec 21 20:03:27 CST 2021] Please add the TXT records to the domains, and re-run with --renew.
[Tue Dec 21 20:03:27 CST 2021] Please check log file for more details: /root/.acme.sh/acme.sh.log
Configure the DNS TXT record and verify that it resolves
dig @223.5.5.5 _acme-challenge.kubesre.com txt +short
"JIuDsu6k_4xnvRZbwnkWqEIXJ17hjVHGXchrgvydC90"
Retry issuing the certificate
acme.sh --renew -d kubesre.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Dec 21 20:16:28 CST 2021] Renew: 'kubesre.com'
[Tue Dec 21 20:16:36 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Dec 21 20:16:36 CST 2021] Single domain='kubesre.com'
[Tue Dec 21 20:16:36 CST 2021] Getting domain auth token for each domain
[Tue Dec 21 20:16:36 CST 2021] Verifying: kubesre.com
[Tue Dec 21 20:16:51 CST 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Dec 21 20:17:02 CST 2021] Success
[Tue Dec 21 20:17:02 CST 2021] Verify finished, start to sign.
[Tue Dec 21 20:17:02 CST 2021] Lets finalize the order.
[Tue Dec 21 20:17:02 CST 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/OszJC-V5ka_7WYpupZ4mkQ/finalize'
[Tue Dec 21 20:17:11 CST 2021] Order status is processing, lets sleep and retry.
[Tue Dec 21 20:17:11 CST 2021] Retry after: 15
[Tue Dec 21 20:17:27 CST 2021] Polling order status: https://acme.zerossl.com/v2/DV90/order/OszJC-V5ka_7WYpupZ4mkQ
[Tue Dec 21 20:17:33 CST 2021] Downloading cert.
[Tue Dec 21 20:17:33 CST 2021] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/yeadYGbm-KLNqMWlqSzShg'
[Tue Dec 21 20:17:41 CST 2021] Cert success.
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
[Tue Dec 21 20:17:41 CST 2021] Your cert is in: /root/.acme.sh/kubesre.com/kubesre.com.cer
[Tue Dec 21 20:17:41 CST 2021] Your cert key is in: /root/.acme.sh/kubesre.com/kubesre.com.key
[Tue Dec 21 20:17:41 CST 2021] The intermediate CA cert is in: /root/.acme.sh/kubesre.com/ca.cer
[Tue Dec 21 20:17:41 CST 2021] And the full chain certs is there: /root/.acme.sh/kubesre.com/fullchain.cer
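The manual DNS flow above (both the first issue/renew pair and the --signcsr run) fails if --renew is re-run before the TXT record is visible. As an added example that is not part of the original post or of acme.sh itself, this POSIX shell script parses the "Add the following TXT record" lines acme.sh prints, polls a resolver with the same dig check the post does by hand, and only then re-runs --renew; the resolver, domain and the embedded sample log are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post or of acme.sh itself.
# Parses the TXT record that acme.sh prints in manual DNS mode, waits for it
# to be visible at a resolver, and only then re-runs --renew.

# Print "name value" parsed from acme.sh manual-mode output given as $1.
acme_txt_record() {
    name=$(printf '%s\n' "$1" | sed -n "s/.*Domain: '\([^']*\)'.*/\1/p" | head -n 1)
    value=$(printf '%s\n' "$1" | sed -n "s/.*TXT value: '\([^']*\)'.*/\1/p" | head -n 1)
    [ -n "$name" ] && [ -n "$value" ] || return 1
    printf '%s %s\n' "$name" "$value"
}

# Succeed if resolver $1 currently returns TXT value $3 for name $2
# (the same check the post does by hand with dig ... txt +short).
txt_record_visible() {
    dig @"$1" "$2" TXT +short | tr -d '"' | grep -qx "$3"
}

# Poll resolver $1 for record $2=$3 up to $5 times (30 s apart), then renew $4.
wait_then_renew() {
    attempt=1
    while [ "$attempt" -le "$5" ]; do
        if txt_record_visible "$1" "$2" "$3"; then
            echo "TXT record visible at $1, re-running with --renew"
            acme.sh --renew -d "$4" --yes-I-know-dns-manual-mode-enough-go-ahead-please
            return $?
        fi
        echo "attempt $attempt/$5: record not visible yet, sleeping 30s"
        attempt=$((attempt + 1))
        sleep 30
    done
    echo "gave up: TXT record never became visible at $1" >&2
    return 1
}

# Constructed sample of acme.sh's output (placeholder domain and token).
SAMPLE_LOG=$(cat <<'EOF'
[Tue Dec 21 20:03:27 CST 2021] Add the following TXT record:
[Tue Dec 21 20:03:27 CST 2021] Domain: '_acme-challenge.example.com'
[Tue Dec 21 20:03:27 CST 2021] TXT value: 'constructedTokenValue_0123'
EOF
)

# Live usage: sh wait_renew.sh live 223.5.5.5 example.com < acme.log
if [ "${1:-}" = live ]; then
    record=$(acme_txt_record "$(cat)") || { echo "no TXT record in log" >&2; exit 1; }
    wait_then_renew "$2" "${record% *}" "${record#* }" "$3" 20
fi
```

Pipe the output of the first manual-mode run into the script's stdin; it exits non-zero without touching acme.sh if the record never appears.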