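The steps for installing a free Let's Encrypt wildcard certificate are as follows:
1. First download acme.sh. Any one of the following four commands will do; 醒醒 used the fourth one.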
- curl https://get.acme.sh | sh
- wget -O - https://get.acme.sh | sh
- curl https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh | INSTALLONLINE=1 sh
- wget -O - https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh | INSTALLONLINE=1 sh
Here the fourth method is used:
- wget -O - https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh | INSTALLONLINE=1 sh
--2019-06-05 11:46:32-- https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.108.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 188066 (184K) [text/plain]
Saving to: ‘STDOUT’
- 100%[========================================================================================================================================>] 183.66K --.-KB/s in 0.1s
2019-06-05 11:46:32 (1.67 MB/s) - written to stdout [188066/188066]
[Wed Jun 5 11:46:33 CST 2019] Installing from online archive.
[Wed Jun 5 11:46:33 CST 2019] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Wed Jun 5 11:46:34 CST 2019] Extracting master.tar.gz
[Wed Jun 5 11:46:34 CST 2019] It is recommended to install socat first.
[Wed Jun 5 11:46:34 CST 2019] We use socat for standalone server if you use standalone mode.
[Wed Jun 5 11:46:34 CST 2019] If you don't use standalone mode, just ignore this warning.
[Wed Jun 5 11:46:34 CST 2019] Installing to /root/.acme.sh
[Wed Jun 5 11:46:34 CST 2019] Installed to /root/.acme.sh/acme.sh
[Wed Jun 5 11:46:34 CST 2019] Installing alias to '/root/.bashrc'
[Wed Jun 5 11:46:34 CST 2019] OK, Close and reopen your terminal to start using acme.sh
[Wed Jun 5 11:46:34 CST 2019] Installing cron job
no crontab for root
no crontab for root
[Wed Jun 5 11:46:34 CST 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Wed Jun 5 11:46:35 CST 2019] OK
[Wed Jun 5 11:46:35 CST 2019] Install success!
- cd /root/.acme.sh
Generate the TXT records:
- ./acme.sh --issue -d '*.world-alive.win' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Wed Jun 5 11:48:16 CST 2019] Create account key ok.
[Wed Jun 5 11:48:16 CST 2019] Registering account
[Wed Jun 5 11:48:18 CST 2019] Registered
[Wed Jun 5 11:48:18 CST 2019] ACCOUNT_THUMBPRINT='bA3LRvaapGJd_emkCspnkpvCz-FPAb1SNTNAikbclPE'
[Wed Jun 5 11:48:18 CST 2019] Creating domain key
[Wed Jun 5 11:48:18 CST 2019] The domain key is here: /root/.acme.sh/*.world-alive.win/*.world-alive.win.key
[Wed Jun 5 11:48:18 CST 2019] Multi domain='DNS:*.world-alive.win,DNS:world-alive.win'
[Wed Jun 5 11:48:18 CST 2019] Getting domain auth token for each domain
[Wed Jun 5 11:48:19 CST 2019] Getting webroot for domain='*.world-alive.win'
[Wed Jun 5 11:48:19 CST 2019] Getting webroot for domain='world-alive.win'
[Wed Jun 5 11:48:19 CST 2019] Add the following TXT record:
[Wed Jun 5 11:48:19 CST 2019] Domain: '_acme-challenge.world-alive.win'
[Wed Jun 5 11:48:19 CST 2019] TXT value: 'lS7Yf96IKzuyzgvh4CkangYC9BVmmU8VBPrN4VeAylw'
[Wed Jun 5 11:48:19 CST 2019] Please be aware that you prepend _acme-challenge. before your domain
[Wed Jun 5 11:48:19 CST 2019] so the resulting subdomain will be: _acme-challenge.world-alive.win
[Wed Jun 5 11:48:19 CST 2019] Add the following TXT record:
[Wed Jun 5 11:48:19 CST 2019] Domain: '_acme-challenge.world-alive.win'
[Wed Jun 5 11:48:19 CST 2019] TXT value: 'rl5YHaDw5BsxTD8liEwqx1G_mCyvwO-7pLdR_mGTOx8'
[Wed Jun 5 11:48:19 CST 2019] Please be aware that you prepend _acme-challenge. before your domain
[Wed Jun 5 11:48:19 CST 2019] so the resulting subdomain will be: _acme-challenge.world-alive.win
[Wed Jun 5 11:48:19 CST 2019] Please add the TXT records to the domains, and re-run with --renew.
[Wed Jun 5 11:48:19 CST 2019] Please add '--debug' or '--log' to check more details.
[Wed Jun 5 11:48:19 CST 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
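The log above asks for two TXT values on the same name because the wildcard and the base domain are authorized separately, and each value is derived from that authorization's token and the account thumbprint (RFC 8555, section 8.4). The following is an added example, not part of the original post or of acme.sh: it derives the values and reports which ones are not yet visible in DNS. The tokens and the resolver answer are constructed placeholders, since the log does not print the real tokens.

```python
import base64
import hashlib

def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 8.4: unpadded base64url(SHA-256(token + '.' + thumbprint))."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def challenge_name(identifier: str) -> str:
    """A wildcard and its base domain are validated at the same record name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".")

def missing_records(expected: dict, published: dict) -> dict:
    """Return {name: [values not yet visible]}; run --renew only when it is empty."""
    missing = {}
    for name, values in expected.items():
        seen = {v.strip('"') for v in published.get(name, [])}
        absent = sorted(set(values) - seen)
        if absent:
            missing[name] = absent
    return missing

# Thumbprint copied from the log above; the tokens are constructed placeholders.
THUMBPRINT = "bA3LRvaapGJd_emkCspnkpvCz-FPAb1SNTNAikbclPE"
TOKENS = {
    "*.world-alive.win": "constructed-token-wildcard",
    "world-alive.win": "constructed-token-apex",
}

def expected_records(tokens=TOKENS, thumbprint=THUMBPRINT) -> dict:
    """Group the derived TXT values by the record name they must be published at."""
    expected = {}
    for identifier, token in tokens.items():
        value = dns01_txt_value(token, thumbprint)
        expected.setdefault(challenge_name(identifier), []).append(value)
    return expected

if __name__ == "__main__":
    exp = expected_records()
    name = "_acme-challenge.world-alive.win"
    # Constructed resolver answer: only the first TXT value is published so far.
    published = {name: ['"' + exp[name][0] + '"']}
    print(missing_records(exp, published))
```

Both values must exist at the same time as separate TXT records on `_acme-challenge.world-alive.win`; replacing the first with the second makes one of the two authorizations fail.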
Add the TXT records in DNS, wait a few minutes, then run:
- ./acme.sh --renew -d '*.world-alive.win' --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Wed Jun 5 13:39:05 CST 2019] Renew: '*.world-alive.win'
[Wed Jun 5 13:39:08 CST 2019] Single domain='*.world-alive.win'
[Wed Jun 5 13:39:08 CST 2019] Getting domain auth token for each domain
[Wed Jun 5 13:39:08 CST 2019] Verifying: *.world-alive.win
[Wed Jun 5 13:39:11 CST 2019] Success
[Wed Jun 5 13:39:11 CST 2019] Verify finished, start to sign.
[Wed Jun 5 13:39:11 CST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/58572411/511310071
[Wed Jun 5 13:39:13 CST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/03d2b6fd7d55af17fb9068cc65c3789e0388
[Wed Jun 5 13:39:18 CST 2019] Cert success.
[Wed Jun 5 13:39:18 CST 2019] Your cert is in /root/.acme.sh/*.world-alive.win/*.world-alive.win.cer
[Wed Jun 5 13:39:18 CST 2019] Your cert key is in /root/.acme.sh/*.world-alive.win/*.world-alive.win.key
[Wed Jun 5 13:39:18 CST 2019] The intermediate CA cert is in /root/.acme.sh/*.world-alive.win/ca.cer
[Wed Jun 5 13:39:18 CST 2019] And the full chain certs is there: /root/.acme.sh/*.world-alive.win/fullchain.cer
[Wed Jun 5 13:39:18 CST 2019] It seems that you are using dns manual mode. please take care: The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
[Wed Jun 5 13:39:18 CST 2019] Call hook error.
A folder named after the domain will be created:
[root@debian .acme.sh]# ll
total 216
drwxr-xr-x 2 root root 4096 Jun 5 13:39 *.world-alive.win
-rw-r--r-- 1 root root 269 Jun 5 13:39 account.conf
-rwxr-xr-x 1 root root 188060 Jun 5 11:46 acme.sh
-rw-r--r-- 1 root root 78 Jun 5 11:46 acme.sh.env
drwxr-xr-x 3 root root 4096 Jun 5 11:48 ca
drwxr-xr-x 2 root root 4096 Jun 5 11:46 deploy
drwxr-xr-x 2 root root 4096 Jun 5 11:46 dnsapi
-rw-r--r-- 1 root root 463 Jun 5 13:39 http.header
drwxr-xr-x 2 root root 4096 Jun 5 11:46 notify
The Nginx configuration is as follows:
- ssl_certificate /root/.acme.sh/*.world-alive.win/fullchain.cer;
- ssl_certificate_key /root/.acme.sh/*.world-alive.win/*.world-alive.win.key;
- ssl_protocols TLSv1.2;
References:
https://www.xxorg.com/archives/4870
https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode