Automatic issuance, renewal and deployment of domain certificates on Linux with the acme.sh script


0. Preface

  • Nowadays most sites that do not encrypt with https get a big "Not secure" label from the browser; it looks bad, and it really is insecure
  • This article aims to solve that problem and give you a site that is pleasant to visit, heh
  • Based on the acme.sh script, it covers automatic application, issuance and deployment of domain certificates, plus automatic renewal and redeployment

1. Installing acme.sh

1.1. Script install

curl  https://get.acme.sh | sh
# or
wget -O -  https://get.acme.sh | sh

1.2. Install from the git repository

# Simple install
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install

# Or a customized install
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
./acme.sh --install  \
--home ~/myacme \
--config-home ~/myacme/data \
--cert-home  ~/mycerts \
--accountemail  "my@example.com" \
--accountkey  ~/myaccount.key \
--accountconf ~/myaccount.conf \
--useragent  "this is my client."

----------------------
--home is a customized dir to install acme.sh in. By default, it installs into ~/.acme.sh
--config-home is a writable folder, acme.sh will write all the files(including cert/keys, configs) there. By default, it's in --home
--cert-home is a customized dir to save the certs you issue. By default, it's saved in --config-home.
--accountemail is the email used to register account to Let's Encrypt, you will receive renewal notice email here. Default is empty.
--accountkey is the file saving your account private key. By default it's saved in --config-home.
--useragent is the user-agent header value used to send to Let's Encrypt.
----------------------
  • Note: after installation you need to log in to the console again for the script command (alias) to take effect

  • Example run:

--------------------------------------
root@zuiyoujie:/opt/scripts# curl  https://get.acme.sh | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   775    0   775    0     0    612      0 --:--:--  0:00:01 --:--:--   612
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  201k  100  201k    0     0  27932      0  0:00:07  0:00:07 --:--:-- 15894
[Tue Aug 25 17:53:16 CST 2020] Installing from online archive.
[Tue Aug 25 17:53:16 CST 2020] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Tue Aug 25 17:53:27 CST 2020] Extracting master.tar.gz
[Tue Aug 25 17:53:27 CST 2020] It is recommended to install socat first.
[Tue Aug 25 17:53:27 CST 2020] We use socat for standalone server if you use standalone mode.
[Tue Aug 25 17:53:27 CST 2020] If you don't use standalone mode, just ignore this warning.
[Tue Aug 25 17:53:27 CST 2020] Installing to /root/.acme.sh
[Tue Aug 25 17:53:27 CST 2020] Installed to /root/.acme.sh/acme.sh
[Tue Aug 25 17:53:27 CST 2020] Installing alias to '/root/.bashrc'
[Tue Aug 25 17:53:27 CST 2020] OK, Close and reopen your terminal to start using acme.sh
[Tue Aug 25 17:53:27 CST 2020] Installing cron job
[Tue Aug 25 17:53:27 CST 2020] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Aug 25 17:53:28 CST 2020] OK
[Tue Aug 25 17:53:28 CST 2020] Install success!
--------------------------------------
  • What the installation does:
1. Installs acme.sh into your home directory and creates a bash alias for convenient use:
ll ~/.acme.sh/
alias acme.sh=~/.acme.sh/acme.sh

2. Creates a cron job that checks all certificates daily at 0:27; any certificate close to expiry that needs renewing is renewed automatically
For more advanced install options see: https://github.com/Neilpang/acme.sh/wiki/How-to-install
The installation does not touch any existing system functionality or files; all changes are confined to the install directory ~/.acme.sh/

2. Requesting certificates

  • Prove that the tool is authorized to act for the given domain (domain ownership)
  • The HTTP validation method has requirements on the web service installed on the server: a web server must be present
  • If the environment is not suitable, the DNS API method can be used to issue certificates instead, which is also more convenient

2.1. Issuing certificates with HTTP validation

2.1.1. Generating the validation file yourself

acme.sh  --issue -d www.zuiyoujie.com  --webroot  /home/wwwroot/www.zuiyoujie.com/

# This method requires that the user can write files to the HTTP server's document root; the simplest setup is to deploy acme.sh on the HTTP server itself
# The command takes the domain and the site's document root; acme.sh writes the validation file there, completes the validation, then removes the file automatically

2.1.2. Validating via the web server's configuration

# If the web service is apache installed via apt or yum, acme.sh can complete validation from the apache config automatically; no document root needed
acme.sh --issue  -d www.zuiyoujie.com   --apache

# If the web service is nginx installed via apt or yum, or a reverse proxy, acme.sh can complete validation from the nginx config; no document root needed:
acme.sh --issue  -d www.zuiyoujie.com  --nginx

# If no web service is running and port 80 is free, acme.sh can act as a web server itself, listening temporarily on port 80 to complete validation:
acme.sh  --issue -d www.zuiyoujie.com  --standalone

2.2. Issuing certificates via the DNS provider's API

  • Characteristics: no web server or public IP is needed, but without the AK/SK (API key and secret) configured, automatic renewal cannot be set up

2.2.1. Manual DNS validation

# Run the following command and add the returned TXT record to the domain's DNS zone
acme.sh  --issue  --dns  -d www.zuiyoujie.com --yes-I-know-dns-manual-mode-enough-go-ahead-please

# Once the record resolves, issue the certificate with (manual mode needs the same flag again):
acme.sh  --renew   -d www.zuiyoujie.com --yes-I-know-dns-manual-mode-enough-go-ahead-please

2.2.2. Automatic DNS validation

  • Mainstream DNS providers are supported (115 of them); see:

https://github.com/acmesh-official/acme.sh/wiki/dnsapi

  • More detailed API usage:

https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md

  • Here Alibaba Cloud (Aliyun) DNS is used as the example:
# Export the AK/SK. The API id and key are recorded automatically in account.conf; no other files need changing
# Editing account.conf also lets you turn on logging
# The exact variable names are listed in the documentation above or in the scripts under the dnsapi directory
# ("AKAKAKAK" / "SKSKSKSK" are placeholders for your real key and secret)
export Ali_Key="AKAKAKAK"
export Ali_Secret="SKSKSKSK"

# Validate via DNS automatically and issue the domain certificate
acme.sh --issue --dns dns_ali -d www.zuiyoujie.com      # a certificate for a single domain
acme.sh --issue --dns dns_ali -d zuiyoujie.com -d '*.zuiyoujie.com'       # apex domain plus a wildcard for its subdomains (quote the wildcard so the shell does not expand it)

# Note: a directory named after the first domain is created in the working directory; it holds the generated config and certificate files
# Several domains can be given, but they must not overlap, e.g. www.zuiyoujie.com and *.zuiyoujie.com, since the latter already covers the former

# Renew the certificate (refreshes its validity period)
acme.sh --renew --dns dns_ali -d www.zuiyoujie.com

# If the certificate is not yet due, add --force to renew anyway
acme.sh --renew --dns dns_ali -d www.zuiyoujie.com --force

# List existing certificates
acme.sh --list

# Remove the given certificate from acme.sh (does not delete the certificate directory or files)
acme.sh --remove -d www.zuiyoujie.com

# Or delete the certificate directory directly (from inside ~/.acme.sh)
rm -rf www.zuiyoujie.com
  • Note: a wildcard certificate needs -d zuiyoujie.com -d '*.zuiyoujie.com' (quote the wildcard so the shell does not expand it); explanation follows:
# What to know about wildcard domains:

1. A wildcard domain contains a wildcard and stands for all second-level names only
"com" and "cn" are top-level domains
"zuiyoujie.com" is a first-level domain
"www.zuiyoujie.com" is a second-level domain
"blog.www.zuiyoujie.com" is a third-level domain
"*.zuiyoujie.com" is a wildcard domain covering all second-level names
but it does not cover the first-level domain "zuiyoujie.com" or the third-level domain "blog.www.zuiyoujie.com"

2. A wildcard certificate alone does not cover every site,
the certificate must include both the wildcard "*.zuiyoujie.com" and the first-level domain "zuiyoujie.com"

3. Third-level domains need their own certificate
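Added example, not code from the original post or from acme.sh: a small POSIX sh check for the overlap rule above (a wildcard covers exactly one extra label, not the apex and not deeper names), so a -d list can be checked before it is handed to acme.sh. The domain names are the post's own; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not acme.sh code): check a -d domain list for names that a
# wildcard in the same list already covers. *.zuiyoujie.com covers
# www.zuiyoujie.com, but not the apex zuiyoujie.com and not
# blog.www.zuiyoujie.com (one label deeper).

# wildcard_covers WILDCARD NAME -> exit 0 if WILDCARD covers NAME
wildcard_covers() {
    w=$1
    n=$2
    case "$w" in
        '*.'*) base=${w#"*."} ;;   # strip the leading "*."
        *) return 1 ;;             # not a wildcard at all
    esac
    label=${n%".$base"}            # part of NAME before ".$base"
    [ "$label" != "$n" ] || return 1   # NAME does not end in ".$base"
    [ -n "$label" ] || return 1        # nothing before the base
    case "$label" in
        *.* | '*') return 1 ;;         # deeper name, or the wildcard itself
    esac
    return 0
}

# redundant_domains NAME... -> prints every name that another entry in the
# list already covers, one per line; empty output means the list is fine
redundant_domains() {
    for name in "$@"; do
        for wc in "$@"; do
            [ "$wc" != "$name" ] || continue
            if wildcard_covers "$wc" "$name"; then
                printf '%s\n' "$name"
                break
            fi
        done
    done
}

# Constructed input: the overlapping list mentioned in the note above
redundant_domains zuiyoujie.com '*.zuiyoujie.com' www.zuiyoujie.com
```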
  • Example run:
# Issuing a new certificate
-----------------------------------------------
root@zuiyoujie:~/.acme.sh# acme.sh --issue --dns dns_ali -d www.zuiyoujie.com
[Tue Aug 25 21:01:00 CST 2020] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue Aug 25 21:01:00 CST 2020] Creating domain key
[Tue Aug 25 21:01:00 CST 2020] The domain key is here: /root/.acme.sh/www.zuiyoujie.com/www.zuiyoujie.com.key
[Tue Aug 25 21:01:00 CST 2020] Single domain='www.zuiyoujie.com'
[Tue Aug 25 21:01:00 CST 2020] Getting domain auth token for each domain
[Tue Aug 25 21:01:12 CST 2020] Getting webroot for domain='www.zuiyoujie.com'
[Tue Aug 25 21:01:12 CST 2020] Adding txt value: TX4Rh-fS04vBqvfn3LwhtkbqOCTRaAb7OIaXIfgC_xU for domain:  _acme-challenge.www.zuiyoujie.com
[Tue Aug 25 21:01:15 CST 2020] The txt record is added: Success.
[Tue Aug 25 21:01:15 CST 2020] Let's check each DNS record now. Sleep 20 seconds first.
[Tue Aug 25 21:01:37 CST 2020] Checking www.zuiyoujie.com for _acme-challenge.www.zuiyoujie.com
[Tue Aug 25 21:01:39 CST 2020] Domain www.zuiyoujie.com '_acme-challenge.www.zuiyoujie.com' success.
[Tue Aug 25 21:01:39 CST 2020] All success, let's return
[Tue Aug 25 21:01:39 CST 2020] Verifying: www.zuiyoujie.com
[Tue Aug 25 21:01:46 CST 2020] Success
[Tue Aug 25 21:01:46 CST 2020] Removing DNS records.
[Tue Aug 25 21:01:46 CST 2020] Removing txt: TX4Rh-fS04vBqvfn3LwhtkbqOCTRaAb7OIaXIfgC_xU for domain: _acme-challenge.www.zuiyoujie.com
[Tue Aug 25 21:01:51 CST 2020] Removed: Success
[Tue Aug 25 21:01:51 CST 2020] Verify finished, start to sign.
[Tue Aug 25 21:01:51 CST 2020] Lets finalize the order.
[Tue Aug 25 21:01:51 CST 2020] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/94832153/4856970603'
[Tue Aug 25 21:01:54 CST 2020] Downloading cert.
[Tue Aug 25 21:01:54 CST 2020] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/037e802113f60dd7f59c52ec4d303b680e5e'
[Tue Aug 25 21:01:56 CST 2020] Cert success.
[Tue Aug 25 21:01:56 CST 2020] Your cert is in  /root/.acme.sh/www.zuiyoujie.com/www.zuiyoujie.com.cer 
[Tue Aug 25 21:01:56 CST 2020] Your cert key is in  /root/.acme.sh/www.zuiyoujie.com/www.zuiyoujie.com.key 
[Tue Aug 25 21:01:56 CST 2020] The intermediate CA cert is in  /root/.acme.sh/www.zuiyoujie.com/ca.cer 
[Tue Aug 25 21:01:56 CST 2020] And the full chain certs is there:  /root/.acme.sh/www.zuiyoujie.com/fullchain.cer 
root@zuiyoujie:~/.acme.sh# 
-----------------------------------------------

# Renewing the certificate
-----------------------------------------------
root@zuiyoujie:~/.acme.sh# acme.sh --renew --dns dns_ali -d www.zuiyoujie.com       
[Tue Aug 25 21:05:50 CST 2020] Renew: 'www.zuiyoujie.com'
[Tue Aug 25 21:05:50 CST 2020] Skip, Next renewal time is: Sat Oct 24 13:01:56 UTC 2020
[Tue Aug 25 21:05:50 CST 2020] Add '--force' to force to renew.
-----------------------------------------------

# Forcing renewal of the certificate
-----------------------------------------------
root@zuiyoujie:~/.acme.sh# acme.sh --renew --dns dns_ali -d www.zuiyoujie.com --force
[Tue Aug 25 21:06:54 CST 2020] Renew: 'www.zuiyoujie.com'
[Tue Aug 25 21:06:56 CST 2020] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue Aug 25 21:06:56 CST 2020] Single domain='www.zuiyoujie.com'
[Tue Aug 25 21:06:56 CST 2020] Getting domain auth token for each domain
[Tue Aug 25 21:07:03 CST 2020] Getting webroot for domain='www.zuiyoujie.com'
[Tue Aug 25 21:07:03 CST 2020] www.zuiyoujie.com is already verified, skip dns-01.
[Tue Aug 25 21:07:03 CST 2020] Verify finished, start to sign.
[Tue Aug 25 21:07:03 CST 2020] Lets finalize the order.
[Tue Aug 25 21:07:03 CST 2020] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/94832153/4857032854'
[Tue Aug 25 21:07:54 CST 2020] Downloading cert.
[Tue Aug 25 21:07:54 CST 2020] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/0391b18a4ab17af2f18fa21da8d2b6234b89'
[Tue Aug 25 21:07:55 CST 2020] Cert success.
[Tue Aug 25 21:07:55 CST 2020] Your cert is in  /root/.acme.sh/www.zuiyoujie.com/www.zuiyoujie.com.cer 
[Tue Aug 25 21:07:55 CST 2020] Your cert key is in  /root/.acme.sh/www.zuiyoujie.com/www.zuiyoujie.com.key 
[Tue Aug 25 21:07:55 CST 2020] The intermediate CA cert is in  /root/.acme.sh/www.zuiyoujie.com/ca.cer 
[Tue Aug 25 21:07:55 CST 2020] And the full chain certs is there:  /root/.acme.sh/www.zuiyoujie.com/fullchain.cer 
-----------------------------------------------

# Listing the certificates already issued
-----------------------------------------------
root@zuiyoujie:~/.acme.sh# acme.sh --list
Main_Domain        KeyLength  SAN_Domains      CA               Created                       Renew
www.zuiyoujie.com  ""         no               LetsEncrypt.org  Tue Aug 25 13:07:55 UTC 2020  Sat Oct 24 13:07:55 UTC 2020
zuiyoujie.com      ""         *.zuiyoujie.com  LetsEncrypt.org  Tue Aug 25 11:34:27 UTC 2020  Sat Oct 24 11:34:27 UTC 2020
-----------------------------------------------

3. Installing (copying) the certificate

  • Once the certificate has been generated, it has to be copied to where it is actually used.
  • Note:
By default the generated certificates live in the install directory ~/.acme.sh/; do not use the files there directly
Those files are for internal use, and the directory layout may change
For example, do not point the nginx/apache configuration at files under that directory
The correct way is the --install-cert command with a target location; the certificate files are then copied there
  • Example:
# apache2 example: plain single domain
acme.sh --install-cert -d www.zuiyoujie.com \
--cert-file      /data/wwwroot/www.zuiyoujie.com/ssl/www.zuiyoujie.com.crt  \
--key-file       /data/wwwroot/www.zuiyoujie.com/ssl/www.zuiyoujie.com.key  \
--fullchain-file /data/wwwroot/www.zuiyoujie.com/ssl/fullchain.pem \
--reloadcmd     "service apache2 force-reload"

# nginx example: wildcard domain
acme.sh --install-cert -d zuiyoujie.com \
--fullchain-file  /usr/local/openresty/nginx/conf/ssl/all.zuiyoujie.com.crt  \
--key-file       /usr/local/openresty/nginx/conf/ssl/all.zuiyoujie.com.key  \
--reloadcmd     "nginx -s reload"
  • Note:
1. The commands above do not generate a certificate; they look up the given domain's directory in the certificate store and copy from it, so the certificate must already exist
2. The -d parameter takes the domain; for a multi-domain certificate give the first domain that was requested, i.e. the name of the certificate's directory
3. This is a manual deployment; the settings given here are saved in the config file inside the domain directory, so later renewals can redeploy automatically
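Because account.conf now holds the DNS API key and secret (2.2.2) and --install-cert copies the private key into the web server's directory (above), here is an added audit script, not part of acme.sh or the original post, that lists any of those files readable by group or others. The default home ~/.acme.sh and the ACME_HOME override are assumptions.

```shell
#!/bin/sh
# Added example (not acme.sh code): list secret-bearing files that are
# readable by group or others. account.conf holds the DNS API key/secret,
# *.key files are private keys, both under the acme.sh home and wherever
# --install-cert copied them. Empty output means everything is owner-only.

# insecure_secret_files DIR... -> prints each offending file, one per line
insecure_secret_files() {
    for dir in "$@"; do
        # only account.conf and private keys matter; certificates are public
        find "$dir" -type f \( -name account.conf -o -name '*.key' \) |
        while IFS= read -r f; do
            # ls -ld prints e.g. "-rw-r--r--"; columns 5-10 are the group+other bits
            go=$(ls -ld "$f" | cut -c5-10)
            case "$go" in
                ------) ;;                    # owner-only (0600 or tighter)
                *) printf '%s\n' "$f" ;;
            esac
        done
    done
}

# Check the default acme.sh home (override with ACME_HOME) plus any extra
# directories given as arguments, e.g. the nginx ssl directory used above.
for d in "${ACME_HOME:-$HOME/.acme.sh}" "$@"; do
    if [ -d "$d" ]; then
        insecure_secret_files "$d"
    fi
done
```

Run it as the user that owns the acme.sh home, and fix any listed file with chmod 600.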

4. Renewing domain certificates

  • A cron job runs daily shortly after midnight; it was set up by the install script, and you can check it
  • The command checks the validity of existing certificates and renews them automatically one month before expiry (certificates are valid for 90 days)
crontab -e
-----------------------------
27 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
-----------------------------
  • Example run:
---------------------------------
root@zuiyoujie:~/.acme.sh# "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
[Tue Aug 25 19:38:43 CST 2020] ===Starting cron===
[Tue Aug 25 19:38:43 CST 2020] Already uptodate!
[Tue Aug 25 19:38:43 CST 2020] Upgrade success!
[Tue Aug 25 19:38:43 CST 2020] Auto upgraded to: 2.8.7
[Tue Aug 25 19:38:43 CST 2020] Renew: '39sky.com'
[Tue Aug 25 19:38:43 CST 2020] Skip, Next renewal time is: Sat Oct 24 11:25:42 UTC 2020
[Tue Aug 25 19:38:43 CST 2020] Add '--force' to force to renew.
[Tue Aug 25 19:38:43 CST 2020] Skipped 39sky.com
[Tue Aug 25 19:38:43 CST 2020] Renew: 'zuiyoujie.com'
[Tue Aug 25 19:38:43 CST 2020] Skip, Next renewal time is: Sat Oct 24 11:34:27 UTC 2020
[Tue Aug 25 19:38:43 CST 2020] Add '--force' to force to renew.
[Tue Aug 25 19:38:43 CST 2020] Skipped zuiyoujie.com
[Tue Aug 25 19:38:43 CST 2020] ===End cron===
------------------------------------

5. Updating the acme.sh script

# Manual update
acme.sh --upgrade

# Enable automatic updates
acme.sh  --upgrade  --auto-upgrade

# Disable automatic updates
acme.sh --upgrade  --auto-upgrade  0

6. Troubleshooting

If something goes wrong, add debug logging:
acme.sh  --issue  .....  --debug 

or:
acme.sh  --issue  .....  --debug  2

7. References:

# Official repository
https://github.com/acmesh-official/acme.sh

# Official documentation (Chinese)
https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E

# Other links
https://www.ioiox.com/archives/87.html
https://developer.aliyun.com/article/758133

