Using acme.sh (free Let's Encrypt certificates) with Cloudflare DNS

April 24, 2020

Let's Encrypt certificates are valid for 90 days. They can be renewed with certbot renew, but certbot only renews a certificate once it is within 30 days of expiry.

To avoid typing a pile of commands every time a domain is added or a certificate comes up for renewal, you can use acme.sh to issue and maintain the free certificates Let's Encrypt provides.
Project page: Neilpang/acme.sh (the repository has since moved to acmesh-official/acme.sh; the old address redirects there)

Installing acme.sh

curl https://get.acme.sh | sh


As the project README explains, it can be installed and used either as a normal user or as root. It installs acme.sh under your home directory (~/.acme.sh) and creates a bash alias for convenience. Be aware that the one-liner above executes a script fetched from the network directly through sh; if your policy does not allow that, clone the repository, review the script, and run ./acme.sh --install instead.

When I installed it, I found the alias had not been created. If that happens to you, create it by hand with alias acme.sh=~/.acme.sh/acme.sh.

Note that acme.sh relies on a scheduled job to renew certificates automatically, so cron must be installed before you install acme.sh; the installer adds a daily entry to the installing user's crontab.

Issuing a certificate

acme.sh implements every challenge type the ACME protocol defines; in practice two are used: HTTP validation and DNS validation.

The individual methods are covered in the project README. I use DNS validation through Cloudflare; acme.sh currently ships automatic integrations for dozens of DNS providers. Two points about the Cloudflare credentials are worth knowing. CF_Key is the account's Global API Key, which grants full control over every zone in the account, so prefer a scoped API token where you can (acme.sh's dns_cf also accepts CF_Token together with CF_Account_ID / CF_Zone_ID). And there is no need to persist the variables in .bashrc: after the first successful issue, acme.sh stores them in ~/.acme.sh/account.conf and reuses them for renewals, so exporting them into the current shell once is enough and keeps the secret out of your dotfiles.

    export CF_Key="your Global API Key, from the Cloudflare dashboard"
    export CF_Email="your Cloudflare account email"
    # Issue a certificate (Cloudflare DNS)
    acme.sh --issue --dns dns_cf -d domain.com -d www.domain.com
    # The same via Alibaba Cloud DNS instead (needs Ali_Key / Ali_Secret in place of the CF_* variables)
    acme.sh --issue --dns dns_ali -d domain.com -d www.domain.com
    # Install targets can be given at issue time as well
    acme.sh --issue --dns dns_ali -d domain.com -d www.domain.com --key-file /etc/nginx/ssl/www.domain.com/www.domain.com.key --fullchain-file /etc/nginx/ssl/www.domain.com/www.domain.com.pem
    # Let's Encrypt supports wildcard certificates (DNS validation only); quote the name so the shell does not glob-expand it
    acme.sh --issue --dns dns_cf -d domain.com -d '*.domain.com'

Successful output looks like this. Note the two "Error removing txt" lines: issuance succeeded, but the _acme-challenge TXT records acme.sh created were not cleaned up and should be deleted by hand in the Cloudflare dashboard.

root@186103:~/.acme.sh# acme.sh  --issue  --dns dns_cf -d magmituy.com -d *.magmituy.com
[Fri Apr 24 17:26:58 CST 2020] Multi domain='DNS:magmituy.com,DNS:*.magmituy.com'
[Fri Apr 24 17:26:59 CST 2020] Getting domain auth token for each domain
[Fri Apr 24 17:27:00 CST 2020] Getting webroot for domain='magmituy.com'
[Fri Apr 24 17:27:00 CST 2020] Getting webroot for domain='*.magmituy.com'
[Fri Apr 24 17:27:00 CST 2020] Adding txt value: wsBPVcXF0xIYkIRZsroRhz93L0qsP5qnRItACH6880E for domain:  _acme-challenge.magmituy.com
[Fri Apr 24 17:27:02 CST 2020] Adding record
[Fri Apr 24 17:27:02 CST 2020] Added, OK
[Fri Apr 24 17:27:02 CST 2020] The txt record is added: Success.
[Fri Apr 24 17:27:02 CST 2020] Adding txt value: wGgOZ8QZDEt0uKQhapDqk4WsKozUZs0dFf4b3c3qZBY for domain:  _acme-challenge.magmituy.com
[Fri Apr 24 17:27:03 CST 2020] Adding record
[Fri Apr 24 17:27:03 CST 2020] Added, OK
[Fri Apr 24 17:27:03 CST 2020] The txt record is added: Success.
[Fri Apr 24 17:27:03 CST 2020] Let's check each dns records now. Sleep 20 seconds first.
[Fri Apr 24 17:27:24 CST 2020] Checking magmituy.com for _acme-challenge.magmituy.com
[Fri Apr 24 17:27:25 CST 2020] Domain magmituy.com '_acme-challenge.magmituy.com' success.
[Fri Apr 24 17:27:25 CST 2020] Checking magmituy.com for _acme-challenge.magmituy.com
[Fri Apr 24 17:27:25 CST 2020] Domain magmituy.com '_acme-challenge.magmituy.com' success.
[Fri Apr 24 17:27:25 CST 2020] All success, let's return
[Fri Apr 24 17:27:25 CST 2020] Verifying: magmituy.com
[Fri Apr 24 17:27:28 CST 2020] Success
[Fri Apr 24 17:27:28 CST 2020] Verifying: *.magmituy.com
[Fri Apr 24 17:27:31 CST 2020] Success
[Fri Apr 24 17:27:31 CST 2020] Removing DNS records.
[Fri Apr 24 17:27:31 CST 2020] Removing txt: wsBPVcXF0xIYkIRZsroRhz93L0qsP5qnRItACH6880E for domain: _acme-challenge.magmituy.com
[Fri Apr 24 17:27:32 CST 2020] Error removing txt for domain:_acme-challenge.magmituy.com
[Fri Apr 24 17:27:32 CST 2020] Removing txt: wGgOZ8QZDEt0uKQhapDqk4WsKozUZs0dFf4b3c3qZBY for domain: _acme-challenge.magmituy.com
[Fri Apr 24 17:27:34 CST 2020] Error removing txt for domain:_acme-challenge.magmituy.com
[Fri Apr 24 17:27:34 CST 2020] Verify finished, start to sign.
[Fri Apr 24 17:27:34 CST 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/84321605/3113656758
[Fri Apr 24 17:27:34 CST 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/03e642634b2ecd90949144e830ab9d6b2d10
[Fri Apr 24 17:27:35 CST 2020] Cert success.
-----BEGIN CERTIFICATE-----
[certificate PEM body omitted]
-----END CERTIFICATE-----
[Fri Apr 24 17:27:35 CST 2020] Your cert is in  /root/.acme.sh/magmituy.com/magmituy.com.cer
[Fri Apr 24 17:27:35 CST 2020] Your cert key is in  /root/.acme.sh/magmituy.com/magmituy.com.key
[Fri Apr 24 17:27:35 CST 2020] The intermediate CA cert is in  /root/.acme.sh/magmituy.com/ca.cer
[Fri Apr 24 17:27:35 CST 2020] And the full chain certs is there:  /root/.acme.sh/magmituy.com/fullchain.cer
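The cleanup failures in the log above are easy to miss because the run still ends in "Cert success". The following is an added example, not part of acme.sh or of the original post: a POSIX sh script that reads an acme.sh --issue log, pairs each "Adding txt value" line with the corresponding "Removing txt" / "Error removing txt" lines, and reports the _acme-challenge records left behind. The sample log lines are constructed from the run shown above (same two TXT values) plus a constructed clean run; the function names are my own.

```sh
#!/bin/sh
# Added example, not part of acme.sh: audit an acme.sh --issue log for
# _acme-challenge TXT records that were added but never confirmed removed.
# Leftover challenge records do not break validation, but they accumulate in
# the zone; dns_cf logs "Error removing txt" when cleanup fails, and this
# script pairs each such failure with the value that was added.

# Constructed excerpt modelled on the run shown above (same two TXT values,
# both removals failing).
SAMPLE_LOG='[Fri Apr 24 17:27:00 CST 2020] Adding txt value: wsBPVcXF0xIYkIRZsroRhz93L0qsP5qnRItACH6880E for domain:  _acme-challenge.magmituy.com
[Fri Apr 24 17:27:02 CST 2020] Added, OK
[Fri Apr 24 17:27:02 CST 2020] Adding txt value: wGgOZ8QZDEt0uKQhapDqk4WsKozUZs0dFf4b3c3qZBY for domain:  _acme-challenge.magmituy.com
[Fri Apr 24 17:27:03 CST 2020] Added, OK
[Fri Apr 24 17:27:31 CST 2020] Removing DNS records.
[Fri Apr 24 17:27:31 CST 2020] Removing txt: wsBPVcXF0xIYkIRZsroRhz93L0qsP5qnRItACH6880E for domain: _acme-challenge.magmituy.com
[Fri Apr 24 17:27:32 CST 2020] Error removing txt for domain:_acme-challenge.magmituy.com
[Fri Apr 24 17:27:32 CST 2020] Removing txt: wGgOZ8QZDEt0uKQhapDqk4WsKozUZs0dFf4b3c3qZBY for domain: _acme-challenge.magmituy.com
[Fri Apr 24 17:27:34 CST 2020] Error removing txt for domain:_acme-challenge.magmituy.com
[Fri Apr 24 17:27:35 CST 2020] Cert success.'

# Constructed clean run: one record added and removed without an error line.
CLEAN_LOG='[Fri Apr 24 18:00:00 CST 2020] Adding txt value: AAAAexampleAAAA for domain:  _acme-challenge.example.test
[Fri Apr 24 18:00:01 CST 2020] Added, OK
[Fri Apr 24 18:00:30 CST 2020] Removing txt: AAAAexampleAAAA for domain: _acme-challenge.example.test
[Fri Apr 24 18:00:31 CST 2020] Cert success.'

# leftover_txt_records: read an acme.sh log on stdin; print "name value" for
# each TXT record whose removal was never attempted or was reported as an error.
leftover_txt_records() {
    awk '
        /Adding txt value:/ {
            for (i = 1; i <= NF; i++) if ($i == "value:") val = $(i + 1)
            key = $NF SUBSEP val              # the record name is the last field
            if (!(key in added)) order[++n] = key
            added[key] = 1
        }
        /Removing txt:/ {
            for (i = 1; i <= NF; i++) if ($i == "txt:") val = $(i + 1)
            last = $NF SUBSEP val
            removed[last] = 1                 # provisional: undone if an error follows
        }
        /Error removing txt/ { delete removed[last] }
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in removed)) { split(order[i], p, SUBSEP); print p[1], p[2] }
        }
    '
}

# audit_issue_log LOGFILE: return 1 and list the leftovers on stderr if any remain.
audit_issue_log() {
    left=$(leftover_txt_records < "$1")
    [ -z "$left" ] && return 0
    printf 'leftover _acme-challenge TXT records (delete them in the DNS console):\n%s\n' "$left" >&2
    return 1
}

# Stand-alone demo on the constructed sample: prints the two leftover records.
printf '%s\n' "$SAMPLE_LOG" | leftover_txt_records
```

In practice, capture the run with acme.sh --issue ... 2>&1 | tee issue.log and call audit_issue_log issue.log afterwards; a non-zero exit tells you the zone needs cleaning.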

Installing the certificate

Once the certificate has been issued, the next step is to copy it to where it will actually be used.

Note that by default the issued files live under the install directory ~/.acme.sh/. Do not use them from there directly; for example, do not point the nginx/apache configuration at files in this directory. They are acme.sh's internal working copies, and the directory layout may change between versions.

The correct way is the --install-cert command: give it the target locations and the certificate files are copied there.

# For example, with /etc/nginx/ssl/magmituy.com/ as the target directory

    mkdir -p /etc/nginx/ssl/magmituy.com/
    acme.sh --install-cert -d magmituy.com \
        --cert-file /etc/nginx/ssl/magmituy.com/magmituy.com.cer \
        --key-file /etc/nginx/ssl/magmituy.com/magmituy.com.key \
        --fullchain-file /etc/nginx/ssl/magmituy.com/fullchain.cer
    ## Or, skipping the ceremony, just copy the directory. This is a one-off: acme.sh records
    ## nothing about it, so the copies will NOT be refreshed on renewal. Check afterwards that
    ## the private key ended up readable only by root.
    mkdir /etc/nginx/ssl/
    cp -rp /root/.acme.sh/*.com/ /etc/nginx/ssl/

# After copying, add the certificate paths to your nginx configuration, run `nginx -t` to check it, and then run the following so acme.sh records both the install locations and the reload step

    acme.sh --install-cert -d magmituy.com \
        --cert-file /etc/nginx/ssl/magmituy.com/magmituy.com.cer \
        --key-file /etc/nginx/ssl/magmituy.com/magmituy.com.key \
        --fullchain-file /etc/nginx/ssl/magmituy.com/fullchain.cer \
        --reloadcmd "systemctl force-reload nginx.service"

 

(A small reminder: the reload command above is force-reload rather than reload. In my testing a plain reload did not pick up the renewed certificate, so force-reload is used. For what it is worth, nginx normally does re-read its certificate files on a reload (SIGHUP); force-reload is the conservative choice because systemd falls back to a full restart when a unit offers no reload action, at the cost of dropping in-flight connections.)

--install-cert accepts many parameters to specify the target files, plus a --reloadcmd that is run automatically after every renewal so the server picks up the new certificate.

Full list of parameters: https://github.com/Neilpang/acme.sh#3-install-the-issued-cert-to-apachenginx-etc

Note that every parameter given here is recorded and replayed automatically after each future renewal, so test the reload command by hand first: if it fails later, the renewed files are in place but the running server is still serving the old certificate.
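Because --reloadcmd runs unattended after every renewal, it is worth making it fail closed. The following is an added example, not acme.sh's or nginx's own code: a POSIX sh pre-reload check that confirms the installed certificate matches its private key, lists the expected hostname in its SANs, and is not about to expire, so that nginx is only reloaded onto a sane pair. It assumes the openssl command-line tool and the file paths used in this post; the script name cert-preflight.sh and the function names are my own.

```sh
#!/bin/sh
# Added example, not part of acme.sh or nginx: a pre-reload check for --reloadcmd.
# Usage: sh cert-preflight.sh CERT KEY NAME [MIN_DAYS]
# Wire it in as:
#   --reloadcmd "sh /usr/local/sbin/cert-preflight.sh \
#       /etc/nginx/ssl/magmituy.com/fullchain.cer \
#       /etc/nginx/ssl/magmituy.com/magmituy.com.key magmituy.com && systemctl reload nginx"
# Requires the openssl CLI. Paths above are the ones used in this post (assumption).

# cert_key_match CERT KEY: the cert's public key (PEM SubjectPublicKeyInfo) must be
# byte-identical to the public half derived from KEY. Returns 2 if a file is unreadable.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    k=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$c" = "$k" ]
}

# not_expiring_within CERT DAYS: succeed if CERT is still valid DAYS days from now.
# (openssl -checkend exits 1 when the certificate expires within the window.)
not_expiring_within() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))"
}

# cert_covers CERT NAME: succeed if NAME appears literally as a DNS SAN entry,
# so pass "*.magmituy.com" to check the wildcard entry itself.
cert_covers() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | grep -qxF "DNS:$2"
}

# preflight CERT KEY NAME [MIN_DAYS]: run all three checks, explain the first failure.
preflight() {
    cert=$1 key=$2 name=$3 min_days=${4:-7}
    cert_key_match "$cert" "$key" || { echo "preflight: $cert does not match $key" >&2; return 1; }
    cert_covers "$cert" "$name"   || { echo "preflight: $cert has no SAN for $name" >&2; return 1; }
    not_expiring_within "$cert" "$min_days" || { echo "preflight: $cert expires within $min_days days" >&2; return 1; }
    echo "preflight: $cert OK for $name"
}

# Stand-alone entry point: only runs when arguments are given.
if [ $# -gt 0 ]; then
    preflight "$@"
    exit $?
fi
```

Comparing the PEM-encoded public keys avoids pipelines whose failures sh would otherwise swallow; a missing or corrupt file makes openssl exit non-zero and the check returns 2 rather than comparing two empty strings as equal.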

Nginx configuration for a plain (non-reverse-proxy) site; if nginx is used as a reverse proxy, only the location blocks need adjusting.

    # Redirect plain HTTP to HTTPS. Drop this block if you still want to serve both.
    server {
        listen 80;
        server_name magmituy.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl http2;   # "ssl on;" is deprecated since nginx 1.15.0; the ssl parameter on listen replaces it
        server_name magmituy.com;
        access_log off;
        index index.html index.htm index.php;
        root /data/wwwroot/magmituy.com;

        # Use the full chain (leaf + intermediate) installed by acme.sh --install-cert, not the leaf certificate alone
        ssl_certificate /etc/nginx/ssl/magmituy.com/fullchain.cer;
        ssl_certificate_key /etc/nginx/ssl/magmituy.com/magmituy.com.key;

        # TLS settings: TLSv1.0 and TLSv1.1 are deprecated; TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1
        ssl_protocols TLSv1.2 TLSv1.3;
        # Forward-secret AEAD suites only: no static RSA key exchange, no 3DES
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 10m;
        # Session cache shared across worker processes
        ssl_session_cache shared:SSL:10m;

        # OCSP stapling: nginx fetches and caches the OCSP response so clients skip the revocation lookup
        ssl_stapling on;
        # Verify the stapled response; for this to work the issuer chain (up to the root) must be
        # trusted via ssl_trusted_certificate, otherwise nginx logs a verification warning
        ssl_stapling_verify on;
        # nginx needs a resolver to reach the OCSP responder; use your own resolvers here
        resolver 1.1.1.1 8.8.8.8 valid=300s;

        #error_page 404 /404.html;
        #error_page 502 /502.html;

        location ~ [^/]\.php(/|$) {
            #fastcgi_pass remote_php_ip:9000;
            fastcgi_pass unix:/dev/shm/php-cgi.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
            expires 30d;
            access_log off;
        }
        # No trailing "?" after the group: with it the extension became optional and the
        # pattern matched every dotted path
        location ~ .*\.(js|css)$ {
            expires 7d;
            access_log off;
        }
        location ~ /\.ht {
            deny all;
        }
    }

Renewal

    acme.sh --renew -d mydomain.com

In normal operation you should not need this: the installer registers a daily cron job that renews each certificate once it is 60 days old and then replays the recorded --install-cert and --reloadcmd steps. A manual --renew is skipped as not yet due unless the certificate has reached that age; add --force to renew regardless.

Updating acme.sh

Because both the ACME protocol and the Let's Encrypt CA change frequently, acme.sh is updated often to keep pace.

Upgrade acme.sh to the latest version:

    acme.sh --upgrade

If you would rather not upgrade by hand, enable automatic upgrades:

    acme.sh --upgrade --auto-upgrade

After that, acme.sh keeps itself up to date. Bear in mind that this pulls new code from GitHub on a schedule into a tool that holds your DNS API credentials; in a locked-down environment, review and upgrade deliberately instead.

You can turn automatic upgrades off again at any time:

    acme.sh --upgrade --auto-upgrade 0

That is essentially all there is to using acme.sh. Should you validate over HTTP or DNS? In my experience DNS validation has the fewest dependencies and is the most flexible: it works for hosts with no public web server and is the only option for wildcard certificates, so I recommend it for Let's Encrypt. The flip side is that the machine running acme.sh then holds credentials that can change your DNS records, which is why scoping the API token matters.

acme.sh also has a number of handy options for managing the certificates and domains it has already issued, for example acme.sh --list, which shows every certificate it manages along with its next renewal date.

References:

https://blog.homurax.com/2018/10/16/acme/

https://www.cnblogs.com/xiaoyige/p/12667640.html

https://www.cnblogs.com/-mrl/p/10601817.html
