acme.sh Overview

  • An ACME protocol client written purely in Shell (Unix shell) language.
  • A complete implementation of the ACME protocol.
  • Supports ACME v1 and ACME v2.
  • Supports ACME v2 wildcard certificates.
  • Simple, powerful and easy to use. You only need 3 minutes to learn it.
  • The simplest shell script client for Let's Encrypt free certificates.
  • Written purely in Shell, with no dependency on python or the official Let's Encrypt client.
  • Just one script to automatically issue, renew and install certificates. No root/sudoer access required.
  • Supports use inside Docker; supports IPv6.

Installing acme.sh

curl https://get.acme.sh | sh

and create a bash alias for convenience: alias acme.sh=~/.acme.sh/acme.sh

Issuing certificates

acme.sh implements all validation methods supported by the acme protocol. There are generally two ways to validate: http validation and dns validation.

HTTP method

The http method requires placing a file under your website's root directory to prove ownership of your domain and complete validation. After that the certificate can be issued.

acme.sh --issue -d kubesre.com -d www.kubesre.com --webroot /application/nginx/html/

You only need to specify the domain and the web root directory the domain is served from. acme.sh generates the validation file fully automatically, places it in the web root, and completes the validation on its own. Finally it cleanly removes the validation file. The whole process has no side effects.

If you are running a web server, acme.sh can also complete the validation automatically by reading the Apache (or Nginx) configuration, so you don't need to specify the web root:

acme.sh --issue -d kubesre.com --apache
acme.sh --issue -d kubesre.com --nginx

DNS method

Manual dns method: manually add a txt record to the domain to verify domain ownership.

The benefit of this method is that you don't need any server or any public ip; a dns record alone is enough to complete validation. The drawback is that unless you also configure an Automatic DNS API, acme.sh cannot renew the certificate automatically with this method; every time you have to manually re-verify domain ownership through DNS again.

acme.sh --issue --dns -d kubesre.com --yes-I-know-dns-manual-mode-enough-go-ahead-please

acme.sh will then generate the corresponding DNS record and display it; you only need to add this txt record in your domain management panel.

After the record has propagated, generate the certificate again:

acme.sh --renew -d kubesre.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Dec 21 17:21:23 CST 2021] Renew: 'kubesre.com'
[Tue Dec 21 17:21:28 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Dec 21 17:21:28 CST 2021] Multi domain='DNS:kubesre.com,DNS:www.kubesre.com'
[Tue Dec 21 17:21:28 CST 2021] Getting domain auth token for each domain
[Tue Dec 21 17:21:28 CST 2021] Verifying: kubesre.com
[Tue Dec 21 17:21:39 CST 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Dec 21 17:21:46 CST 2021] Success
[Tue Dec 21 17:21:46 CST 2021] Verifying: www.kubesre.com
[Tue Dec 21 17:21:51 CST 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Dec 21 17:21:58 CST 2021] Success
[Tue Dec 21 17:21:58 CST 2021] Verify finished, start to sign.
[Tue Dec 21 17:21:58 CST 2021] Lets finalize the order.
[Tue Dec 21 17:21:58 CST 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/5RzPnQTU0MBIaZgvOqiSkQ/finalize'
[Tue Dec 21 17:22:04 CST 2021] Order status is processing, lets sleep and retry.
[Tue Dec 21 17:22:04 CST 2021] Retry after: 15
[Tue Dec 21 17:22:20 CST 2021] Polling order status: https://acme.zerossl.com/v2/DV90/order/5RzPnQTU0MBIaZgvOqiSkQ
[Tue Dec 21 17:22:28 CST 2021] Downloading cert.
[Tue Dec 21 17:22:28 CST 2021] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/RIlS-0BCVnWMmTIzTSy69g'
[Tue Dec 21 17:22:32 CST 2021] Cert success.
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
[Tue Dec 21 17:22:32 CST 2021] Your cert is in: /root/.acme.sh/kubesre.com/kubesre.com.cer
[Tue Dec 21 17:22:32 CST 2021] Your cert key is in: /root/.acme.sh/kubesre.com/kubesre.com.key
[Tue Dec 21 17:22:32 CST 2021] The intermediate CA cert is in: /root/.acme.sh/kubesre.com/ca.cer
[Tue Dec 21 17:22:32 CST 2021] And the full chain certs is there: /root/.acme.sh/kubesre.com/fullchain.cer

Note that the second run uses --renew.

The real power of the dns method is that you can use the api offered by your DNS provider to add the txt record automatically and complete validation without manual steps.

acme.sh currently supports automatic integration with dozens of DNS providers, including cloudflare, dnspod, cloudxns, godaddy and ovh.

Taking dnspod as an example, you first need to log in to your dnspod account and generate your api id and api key; both are free. Then:

export DP_Id="kube123"
export DP_Key="sADDsdasdgdsf"
acme.sh --issue --dns dns_dp -d kubesre.com -d www.kubesre.com

The certificate is then issued automatically. The api id and api key given here are recorded automatically, so the next time you use the dnspod api you don't need to specify them again; just issue directly:

acme.sh --issue -d kubesre.com --dns dns_dp

More detailed api usage: https://github.com/Neilpang/a...

Renewing certificates

At present a certificate is valid for 60 days after it is requested.

Because both the acme protocol and the letsencrypt CA are updated frequently, acme.sh is also updated often to keep in sync.

# Upgrade acme.sh to the latest version
acme.sh --upgrade
# If you don't want to upgrade manually, you can enable auto-upgrade:
acme.sh --upgrade --auto-upgrade
# After that, acme.sh keeps itself up to date automatically.
# You can also turn auto-update off at any time:
acme.sh --upgrade --auto-upgrade 0

Changing the CA

The default CA is ZeroSSL. If special requirements mean you need to change the CA, do so as follows.

You can freely use any supported CA by passing the --server parameter:

acme.sh --issue -d kubesre.com --dns dns_cf --server letsencrypt

You can also set the default ca with --set-default-ca:

acme.sh --set-default-ca --server letsencrypt

Issuing a certificate from a CSR

Generate a csr with openssl

openssl genrsa -out kubesre.com/kubesre.com.key 4096
openssl req -new -key kubesre.com/kubesre.com.key -out kubesre.com/kubesre.com.csr -subj "/C=CN/L=Shanghai/O=kubesre/OU=shanghai/CN=kubesre.com"

Issue a certificate based on the csr

acme.sh --signcsr --csr ../intermediateca.csr --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --server zerossl
[Tue Dec 21 20:03:11 CST 2021] Copy csr to: /root/.acme.sh/kubesre.com/kubesre.com.csr
[Tue Dec 21 20:03:15 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Dec 21 20:03:15 CST 2021] Single domain='kubesre.com'
[Tue Dec 21 20:03:15 CST 2021] Getting domain auth token for each domain
[Tue Dec 21 20:03:27 CST 2021] Getting webroot for domain='kubesre.com'
[Tue Dec 21 20:03:27 CST 2021] Add the following TXT record:
[Tue Dec 21 20:03:27 CST 2021] Domain: '_acme-challenge.kubesre.com'
[Tue Dec 21 20:03:27 CST 2021] TXT value: 'JIuDsu6k_4xnvRZbwnkWqEIXJ17hjVHGXchrgvydC90'
[Tue Dec 21 20:03:27 CST 2021] Please be aware that you prepend _acme-challenge. before your domain
[Tue Dec 21 20:03:27 CST 2021] so the resulting subdomain will be: _acme-challenge.kubesre.com
[Tue Dec 21 20:03:27 CST 2021] Please add the TXT records to the domains, and re-run with --renew.
[Tue Dec 21 20:03:27 CST 2021] Please check log file for more details: /root/.acme.sh/acme.sh.log

Configure the DNS TXT record and verify it

dig @223.5.5.5 _acme-challenge.kubesre.com txt +short
"JIuDsu6k_4xnvRZbwnkWqEIXJ17hjVHGXchrgvydC90"

Retry issuing the certificate

acme.sh --renew -d kubesre.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Dec 21 20:16:28 CST 2021] Renew: 'kubesre.com'
[Tue Dec 21 20:16:36 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Dec 21 20:16:36 CST 2021] Single domain='kubesre.com'
[Tue Dec 21 20:16:36 CST 2021] Getting domain auth token for each domain
[Tue Dec 21 20:16:36 CST 2021] Verifying: kubesre.com
[Tue Dec 21 20:16:51 CST 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Dec 21 20:17:02 CST 2021] Success
[Tue Dec 21 20:17:02 CST 2021] Verify finished, start to sign.
[Tue Dec 21 20:17:02 CST 2021] Lets finalize the order.
[Tue Dec 21 20:17:02 CST 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/OszJC-V5ka_7WYpupZ4mkQ/finalize'
[Tue Dec 21 20:17:11 CST 2021] Order status is processing, lets sleep and retry.
[Tue Dec 21 20:17:11 CST 2021] Retry after: 15
[Tue Dec 21 20:17:27 CST 2021] Polling order status: https://acme.zerossl.com/v2/DV90/order/OszJC-V5ka_7WYpupZ4mkQ
[Tue Dec 21 20:17:33 CST 2021] Downloading cert.
[Tue Dec 21 20:17:33 CST 2021] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/yeadYGbm-KLNqMWlqSzShg'
[Tue Dec 21 20:17:41 CST 2021] Cert success.
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
[Tue Dec 21 20:17:41 CST 2021] Your cert is in: /root/.acme.sh/kubesre.com/kubesre.com.cer
[Tue Dec 21 20:17:41 CST 2021] Your cert key is in: /root/.acme.sh/kubesre.com/kubesre.com.key
[Tue Dec 21 20:17:41 CST 2021] The intermediate CA cert is in: /root/.acme.sh/kubesre.com/ca.cer
[Tue Dec 21 20:17:41 CST 2021] And the full chain certs is there: /root/.acme.sh/kubesre.com/fullchain.cer
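Both manual DNS runs above (the --issue --dns run and the --signcsr run) leave the "add the TXT record, wait for it to propagate, then --renew" step to the operator. The following is an added example, not acme.sh's own code or part of the original post: it reads the Domain / TXT value lines acme.sh printed, checks the public resolver used on this page (223.5.5.5) until the record is visible, and only then is --renew worth re-running. The function names and the second sample record are this example's own.

```shell
#!/bin/sh
# Added example, not acme.sh's own code: parse the "Add the following TXT
# record" lines acme.sh prints in manual DNS mode, then confirm the record
# is visible in public DNS before re-running `acme.sh --renew`.

# Read acme.sh output on stdin; print "<record name> <txt value>" per
# challenge. acme.sh prints both values single-quoted, so split on quotes.
acme_challenge_records() {
    awk -F"'" '
        / Domain: /    { name = $2 }
        / TXT value: / { print name, $2 }
    '
}

# Read `dig ... TXT +short` output on stdin (one quoted string per record);
# succeed only if one record equals the expected value exactly.
txt_contains() {
    expected=$1
    while IFS= read -r line; do
        line=${line#\"}
        line=${line%\"}
        [ "$line" = "$expected" ] && return 0
    done
    return 1
}

# Poll the resolver used on this page until the record is published or
# the retry budget is exhausted (default: 20 tries, 15 s apart).
wait_for_txt() {
    name=$1; expected=$2; tries=${3:-20}
    while [ "$tries" -gt 0 ]; do
        dig @223.5.5.5 "$name" TXT +short | txt_contains "$expected" && return 0
        tries=$((tries - 1))
        sleep 15
    done
    return 1
}

# Constructed sample: the two challenge lines from the --signcsr run above,
# plus a second (made-up) challenge for www.kubesre.com.
SAMPLE_LOG="[Tue Dec 21 20:03:27 CST 2021] Domain: '_acme-challenge.kubesre.com'
[Tue Dec 21 20:03:27 CST 2021] TXT value: 'JIuDsu6k_4xnvRZbwnkWqEIXJ17hjVHGXchrgvydC90'
[Tue Dec 21 20:03:27 CST 2021] Domain: '_acme-challenge.www.kubesre.com'
[Tue Dec 21 20:03:27 CST 2021] TXT value: 'EXAMPLE_second_token_value_not_from_page'"

# Typical use after `acme.sh --issue --dns ... 2>&1 | tee acme.out`:
#   acme_challenge_records < acme.out | while read -r n v; do wait_for_txt "$n" "$v" || exit 1; done \
#     && acme.sh --renew -d kubesre.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
printf '%s\n' "$SAMPLE_LOG" | acme_challenge_records
```

Because txt_contains compares the whole record, a stale token left over from an earlier run does not count as success; only the value acme.sh just asked for does.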