
About Linux: issuing free SSL certificates with acme.sh

acme.sh overview

  • An ACME protocol client written purely in Shell (Unix shell).
  • A complete implementation of the ACME protocol. Supports ACME v1 and ACME v2, including ACME v2 wildcard certificates.
  • Simple, powerful and easy to use. You only need 3 minutes to learn it.
  • The simplest shell script for obtaining free Let's Encrypt certificates.
  • Written purely in Shell, with no dependency on python or the official Let's Encrypt client.
  • A single script automatically issues, renews and installs certificates. No root/sudoer access is required.
  • Supports running inside Docker and supports IPv6.

Installing acme.sh

curl https://get.acme.sh | sh

Then create a bash alias for convenience: alias acme.sh=~/.acme.sh/acme.sh

Generating certificates

acme.sh implements every validation method the ACME protocol supports. In general there are two ways to validate: http and dns validation.

http method

The http method requires placing a file in your website's root directory to prove ownership of the domain and complete validation. After that the certificate can be issued.

acme.sh  --issue  -d kubesre.com -d www.kubesre.com  --webroot  /application/nginx/html/

You only need to specify the domain and the web root directory that serves it. acme.sh generates the validation file automatically, places it in the web root, and completes validation on its own. Finally it removes the validation file. The whole process has no side effects.

If you are running a web server such as Apache or Nginx, acme.sh can also complete validation automatically by reading the server's configuration, so you do not need to specify the web root:

acme.sh --issue  -d kubesre.com   --apache

acme.sh --issue  -d kubesre.com   --nginx

dns method

Manual dns method: add a txt record to the domain by hand to prove ownership of the domain.

The advantage of this method is that you do not need any server or any public IP; a DNS record alone completes validation. The drawback is that unless you also configure an Automatic DNS API, acme.sh cannot renew the certificate automatically with this method, and you have to add the validation record by hand every time.

acme.sh  --issue  --dns   -d kubesre.com \
 --yes-I-know-dns-manual-mode-enough-go-ahead-please

acme.sh then generates the required DNS record and prints it; you only need to add this txt record in your domain management panel.

Once the record has propagated, generate the certificate again:

acme.sh --renew -d kubesre.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Dec 21 17:21:23 CST 2021] Renew: 'kubesre.com'
[Tue Dec 21 17:21:28 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Dec 21 17:21:28 CST 2021] Multi domain='DNS:kubesre.com,DNS:www.kubesre.com'
[Tue Dec 21 17:21:28 CST 2021] Getting domain auth token for each domain
[Tue Dec 21 17:21:28 CST 2021] Verifying: kubesre.com
[Tue Dec 21 17:21:39 CST 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Dec 21 17:21:46 CST 2021] Success
[Tue Dec 21 17:21:46 CST 2021] Verifying: www.kubesre.com
[Tue Dec 21 17:21:51 CST 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Dec 21 17:21:58 CST 2021] Success
[Tue Dec 21 17:21:58 CST 2021] Verify finished, start to sign.
[Tue Dec 21 17:21:58 CST 2021] Lets finalize the order.
[Tue Dec 21 17:21:58 CST 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/5RzPnQTU0MBIaZgvOqiSkQ/finalize'
[Tue Dec 21 17:22:04 CST 2021] Order status is processing, lets sleep and retry.
[Tue Dec 21 17:22:04 CST 2021] Retry after: 15
[Tue Dec 21 17:22:20 CST 2021] Polling order status: https://acme.zerossl.com/v2/DV90/order/5RzPnQTU0MBIaZgvOqiSkQ
[Tue Dec 21 17:22:28 CST 2021] Downloading cert.
[Tue Dec 21 17:22:28 CST 2021] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/RIlS-0BCVnWMmTIzTSy69g'
[Tue Dec 21 17:22:32 CST 2021] Cert success.
-----BEGIN CERTIFICATE-----
(PEM certificate body omitted)
-----END CERTIFICATE-----
[Tue Dec 21 17:22:32 CST 2021] Your cert is in: /root/.acme.sh/kubesre.com/kubesre.com.cer
[Tue Dec 21 17:22:32 CST 2021] Your cert key is in: /root/.acme.sh/kubesre.com/kubesre.com.key
[Tue Dec 21 17:22:32 CST 2021] The intermediate CA cert is in: /root/.acme.sh/kubesre.com/ca.cer
[Tue Dec 21 17:22:32 CST 2021] And the full chain certs is there: /root/.acme.sh/kubesre.com/fullchain.cer

Note that the second run uses --renew.

The real strength of the dns method is that it can use the api provided by your DNS provider to add the txt record automatically and complete validation.

acme.sh currently has automatic integrations for dozens of DNS providers, including cloudflare, dnspod, cloudxns, godaddy and ovh.

Taking dnspod as an example, first log in to your dnspod account and generate your api id and api key; both are free. Then:

export DP_Id="kube123"
export DP_Key="sADDsdasdgdsf"

acme.sh   --issue   --dns dns_dp   -d kubesre.com  -d www.kubesre.com

The certificate is then generated automatically. The api id and api key given here are saved automatically, so the next time you use the dnspod api you do not need to specify them again. Just issue directly:

acme.sh  --issue   -d  kubesre.com   --dns  dns_dp

More detailed api usage: https://github.com/Neilpang/a…

Renewing certificates

At present a certificate is valid for 60 days after it is requested.

Because both the acme protocol and the letsencrypt CA are updated frequently, acme.sh is also updated often to stay in sync.

# Upgrade acme.sh to the latest version
acme.sh --upgrade

# If you do not want to upgrade by hand, enable automatic upgrades:
acme.sh  --upgrade  --auto-upgrade

# After that, acme.sh keeps itself up to date automatically.

# You can also turn automatic updates off at any time:
acme.sh --upgrade  --auto-upgrade  0

Changing the CA

The default CA is ZeroSSL; if a special requirement calls for a different CA, change it as follows.

You can use any supported CA by passing the --server parameter:

acme.sh --issue -d kubesre.com --dns dns_cf --server letsencrypt

You can also set the default ca with --set-default-ca:

acme.sh --set-default-ca --server letsencrypt

Issuing a certificate from a CSR

Generate the csr with openssl

openssl genrsa -out kubesre.com/kubesre.com.key 4096
openssl req -new -key kubesre.com/kubesre.com.key -out kubesre.com/kubesre.com.csr -subj "/C=CN/L=Shanghai/O=kubesre/OU=shanghai/CN=kubesre.com"

Issue the certificate from the csr

acme.sh --signcsr --csr ../intermediateca.csr --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please  --server zerossl
[Tue Dec 21 20:03:11 CST 2021] Copy csr to: /root/.acme.sh/kubesre.com/kubesre.com.csr
[Tue Dec 21 20:03:15 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Dec 21 20:03:15 CST 2021] Single domain='kubesre.com'
[Tue Dec 21 20:03:15 CST 2021] Getting domain auth token for each domain
[Tue Dec 21 20:03:27 CST 2021] Getting webroot for domain='kubesre.com'
[Tue Dec 21 20:03:27 CST 2021] Add the following TXT record:
[Tue Dec 21 20:03:27 CST 2021] Domain: '_acme-challenge.kubesre.com'
[Tue Dec 21 20:03:27 CST 2021] TXT value: 'JIuDsu6k_4xnvRZbwnkWqEIXJ17hjVHGXchrgvydC90'
[Tue Dec 21 20:03:27 CST 2021] Please be aware that you prepend _acme-challenge. before your domain
[Tue Dec 21 20:03:27 CST 2021] so the resulting subdomain will be: _acme-challenge.kubesre.com
[Tue Dec 21 20:03:27 CST 2021] Please add the TXT records to the domains, and re-run with --renew.
[Tue Dec 21 20:03:27 CST 2021] Please check log file for more details: /root/.acme.sh/acme.sh.log

Configure the DNS TXT record and verify that it resolves

dig @223.5.5.5 _acme-challenge.kubesre.com txt +short
"JIuDsu6k_4xnvRZbwnkWqEIXJ17hjVHGXchrgvydC90"

Retry issuing the certificate

 acme.sh --renew -d kubesre.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Dec 21 20:16:28 CST 2021] Renew: 'kubesre.com'
[Tue Dec 21 20:16:36 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Dec 21 20:16:36 CST 2021] Single domain='kubesre.com'
[Tue Dec 21 20:16:36 CST 2021] Getting domain auth token for each domain
[Tue Dec 21 20:16:36 CST 2021] Verifying: kubesre.com
[Tue Dec 21 20:16:51 CST 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Dec 21 20:17:02 CST 2021] Success
[Tue Dec 21 20:17:02 CST 2021] Verify finished, start to sign.
[Tue Dec 21 20:17:02 CST 2021] Lets finalize the order.
[Tue Dec 21 20:17:02 CST 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/OszJC-V5ka_7WYpupZ4mkQ/finalize'
[Tue Dec 21 20:17:11 CST 2021] Order status is processing, lets sleep and retry.
[Tue Dec 21 20:17:11 CST 2021] Retry after: 15
[Tue Dec 21 20:17:27 CST 2021] Polling order status: https://acme.zerossl.com/v2/DV90/order/OszJC-V5ka_7WYpupZ4mkQ
[Tue Dec 21 20:17:33 CST 2021] Downloading cert.
[Tue Dec 21 20:17:33 CST 2021] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/yeadYGbm-KLNqMWlqSzShg'
[Tue Dec 21 20:17:41 CST 2021] Cert success.
-----BEGIN CERTIFICATE-----
(PEM certificate body omitted)
-----END CERTIFICATE-----
[Tue Dec 21 20:17:41 CST 2021] Your cert is in: /root/.acme.sh/kubesre.com/kubesre.com.cer
[Tue Dec 21 20:17:41 CST 2021] Your cert key is in: /root/.acme.sh/kubesre.com/kubesre.com.key
[Tue Dec 21 20:17:41 CST 2021] The intermediate CA cert is in: /root/.acme.sh/kubesre.com/ca.cer
[Tue Dec 21 20:17:41 CST 2021] And the full chain certs is there: /root/.acme.sh/kubesre.com/fullchain.cer
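As an added example (not from the original post and not acme.sh's own code) covering the manual dns flow in both the dns method section and the CSR section above: it extracts the Domain and TXT value that acme.sh prints, checks them against dig output the way the page does, and only runs --renew once the record is actually visible. The example.com names and the token are constructed placeholders; the 223.5.5.5 resolver is the one used above.

```shell
#!/bin/sh
# Constructed sample of the lines acme.sh prints in manual DNS mode (placeholder values).
SAMPLE_LOG=$(cat <<'EOF'
[Tue Dec 21 20:03:27 CST 2021] Add the following TXT record:
[Tue Dec 21 20:03:27 CST 2021] Domain: '_acme-challenge.example.com'
[Tue Dec 21 20:03:27 CST 2021] TXT value: 'AbCdEf_challenge-token'
[Tue Dec 21 20:03:27 CST 2021] Please add the TXT records to the domains, and re-run with --renew.
EOF
)

# Pull the challenge record name out of acme.sh's output (first match only).
challenge_domain() {
  printf '%s\n' "$1" | sed -n "s/.*Domain: '\([^']*\)'.*/\1/p" | head -n 1
}

# Pull the expected TXT value out of acme.sh's output (first match only).
challenge_value() {
  printf '%s\n' "$1" | sed -n "s/.*TXT value: '\([^']*\)'.*/\1/p" | head -n 1
}

# Compare the expected value with `dig ... txt +short` output, which prints one
# quoted string per line. Stale tokens from earlier attempts may still be present,
# so succeed if ANY line is exactly the expected value; grep -F avoids regex surprises.
record_matches() {
  expected=$1
  dig_out=$2
  printf '%s\n' "$dig_out" | grep -Fxq "\"$expected\""
}

# Poll the resolver until the record is visible, then run the --renew step from the
# post. Never calls --renew while the record is missing (hypothetical helper, not
# invoked here; uses the 223.5.5.5 resolver from the page).
renew_when_visible() {
  domain=$1; expected=$2; tries=${3:-10}
  while [ "$tries" -gt 0 ]; do
    if record_matches "$expected" "$(dig @223.5.5.5 "$domain" txt +short)"; then
      acme.sh --renew -d "${domain#_acme-challenge.}" \
        --yes-I-know-dns-manual-mode-enough-go-ahead-please
      return $?
    fi
    tries=$((tries - 1)); sleep 30
  done
  echo "TXT record for $domain not visible yet; not calling --renew" >&2
  return 1
}

# Usage on a real run: save acme.sh's output to a file, then
#   renew_when_visible "$(challenge_domain "$(cat out.log)")" "$(challenge_value "$(cat out.log)")"
```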

