使⽤acme.sh⾃动申请、续期、部署免费的SSL证书
参考⽂档:
⼀个使⽤纯shell操作的免费SSL证书申请部署⼯具。
免费的SSL证书由以下CA机构提供:
ZeroSSL CA(default)
< CA
BuyPass CA
SSL CA
Pebble strict Mode
Any other RFC8555-compliant CA
安装与初次使⽤
1、从Git安装
安装时需要指定要创建账号的邮箱,初次运⾏需要⽤邮箱在CA上创建⼀个账户!
root@localhost:~# mkdir /usr/local/acme
root@localhost:~# cd /usr/local/acme/
root@localhost:/usr/local/acme# git clone github/acmesh-official/acme.sh.git
root@localhost:/usr/local/acme# cd acme.sh/
root@localhost:/usr/local/acme/acme.sh# ./acme.sh --install -m xxx@xxx
[Wed Jan 19 09:53:09 CST 2022] It is recommended to install socat first.
[Wed Jan 19 09:53:09 CST 2022] We use socat for standalone server if you use standalone mode.
[Wed Jan 19 09:53:09 CST 2022] If you don't use standalone mode, just ignore this warning.
[Wed Jan 19 09:53:09 CST 2022] Installing to /root/.acme.sh
[Wed Jan 19 09:53:09 CST 2022] Installed to /root/.acme.sh/acme.sh
[Wed Jan 19 09:53:09 CST 2022] Installing alias to '/root/.bashrc'
[Wed Jan 19 09:53:09 CST 2022] OK, Close and reopen your terminal to start using acme.sh
[Wed Jan 19 09:53:09 CST 2022] Installing cron job
41 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Wed Jan 19 09:53:09 CST 2022] Good, bash is found, so change the shebang to use bash as preferred.
[Wed Jan 19 09:53:10 CST 2022] OK
root@localhost:/usr/local/acme/acme.sh# vim /etc/profile
### acme ###
export PATH=/usr/local/acme/acme.sh:$PATH
root@localhost:/usr/local/acme/acme.sh# source /etc/profile
root@localhost:/usr/local/acme/acme.sh# crontab -l
41 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
2、申请颁发单个域名证书(Nginx类型)
⾸次使⽤的时候,会在对应的⽹站注册⼀个账号!
申请证书需要等待⼀段时间,等待CA处理订单,等待30次后超时!
-d表⽰申请的指定域名,
-w表⽰⽹站根⽬录,⽤于校验,这将会指定的⽬录下⽣成相关DNS校验⽂件
颁发的证书通常为3个⽉!
root@localhost:~# acme.sh --issue -d example -w /var/www/html/v3html
[Wed Jan 19 11:45:38 CST 2022] Using CA: ssl/v2/DV90
[Wed Jan 19 11:45:38 CST 2022] Create account key ok.
nginx ssl证书配置
[Wed Jan 19 11:45:38 CST 2022] No EAB credentials found for ZeroSSL, let's get one
[Wed Jan 19 11:45:40 CST 2022] Registering account: ssl/v2/DV90
[Wed Jan 19 11:46:00 CST 2022] Registered
[Wed Jan 19 11:46:00 CST 2022] ACCOUNT_THUMBPRINT='pDK-DHSyN3bTcjqa_Bkr9zvXv4cFA4mVbOMNvLxePdU'
[Wed Jan 19 11:46:00 CST 2022] Creating domain key
[Wed Jan 19 11:46:00 CST 2022] The domain key is here: /root/.acme.sh/example/example.key
[Wed Jan 19 11:46:00 CST 2022] Single domain='example'
[Wed Jan 19 11:46:00 CST 2022] Getting domain auth token for each domain
[Wed Jan 19 11:46:08 CST 2022] Getting webroot for domain='example'
[Wed Jan 19 11:46:08 CST 2022] Verifying: example
[Wed Jan 19 11:46:14 CST 2022] Processing, The CA is processing your order, please just wait. (1/30)
[Wed Jan 19 11:46:27 CST 2022] Success
[Wed Jan 19 11:46:27 CST 2022] Verify finished, start to sign.
[Wed Jan 19 11:46:27 CST 2022] Lets finalize the order.
[Wed Jan 19 11:46:27 CST 2022] Le_OrderFinalize='ssl/v2/DV90/order/moQ9G2k4tjnsw-nB7J356A/finalize'
[Wed Jan 19 11:46:38 CST 2022] Order status is processing, lets sleep and retry.
[Wed Jan 19 11:46:38 CST 2022] Retry after: 15
[Wed Jan 19 11:46:54 CST 2022] Polling order status: ssl/v2/DV90/order/moQ9G2k4tjnsw-nB7J356A
[Wed Jan 19 11:46:57 CST 2022] Downloading cert.
[Wed Jan 19 11:46:57 CST 2022] Le_LinkCert='ssl/v2/DV90/cert/aWSl8r_uVs8r69U0z0BI5A'
[Wed Jan 19 11:47:03 CST 2022] Cert success.
-----BEGIN CERTIFICATE-----
MIIGfjCCBGagAwIBAgIQd0i5RwdkytvFacUjqhElyDANBgkqhkiG9w0BAQwFADBL
MQswCQYDVQQGEwJBVDEQMA4GA1UEChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NT
TCBSU0EgRG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTIyMDExOTAwMDAwMFoXDTIy
MDQxOTIzNTk1OVowIzEhMB8GA1UEAxMYdGVzdC13d3cudGlhbmhhbmdib3gubmV0 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwOCw6PSzDjZeFmsRvODb
JxRqHp4H5FkWr6Y8cS5ak2UByWxItyaPK4Awj/PUc2SYLNnUcK01gAdHH8mDnHiS
0LBdFdY2JAt1ahLXPubouqBHSmxwo7u9z6NyD1EY9kN/I+ysLNoPGJvszhVX8JgU
jlg3TzbJbdpwmZjV0XNdLIClY5iHnlVVPbzusRz59eGbK7xhoeMnJMwq+MPZQFtD
UNbMHhlQIE97DcaJmvQRuzFju51yX2pP0JJaSY18CSBwUxRocHDOs1TGg0JcW/pb
7rfdYH+56kA51fLHeYJ1skhqAYj+nu9PHO0KC8tikTyIi18ozH1UlIVs4utLKwqe
WQIDAQABo4IChDCCAoAwHwYDVR0jBBgwFoAUyNl4aKLZGWjVPXLeXwo+3LWGhqYw
HQYDVR0OBBYEFIHyg3ZEjeQ662K0aVmZA6M03E1TMA4GA1UdDwEB/wQEAwIFoDAM BgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNV HSAEQjBAMDQGCysGAQQBsjEBAgJOMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2Vj
dGlnby5jb20vQ1BTMAgGBmeBDAECATCBiAYIKwYBBQUHAQEEfDB6MEsGCCsGAQUF
BzAChj9odHRwOi8vemVyb3NzbC5jcnQuc2VjdGlnby5jb20vWmVyb1NTTFJTQURv
bWFpblNlY3VyZVNpdGVDQS5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly96ZXJvc3Ns
Lm9jc3Auc2VjdGlnby5jb20wggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgBGpVXr
dfqRIDC1oolp9PN9ESxBdL79SbiFq/L8cP5tRwAAAX5wdiITAAAEAwBHMEUCIHYe
HeZAZwh3b05LhrBYo+alvjcZlqzOLD8xwBGahimCAiEAplJKol6LIMtMMzzEGboG
VjyyQuTc4reBN0A4sgAI+pcAdgBByMqx3yJGShDGoToJQodeTjGLGwPr60vHaPCQ
YpYG9gAAAX5wdiHMAAAEAwBHMEUCIHXEIovXPw5onEzWPCrUaq2WdpTfrxAhwB3k
JjjY12O6AiEAk+94sjZbNF6jwPGMupMZeLmRs7YsRCF/2W9Ndpqa0hAwIwYDVR0R BBwwGoIYdGVzdC13d3cudGlhbmhhbmdib3gubmV0MA0GCSqGSIb3DQEBDAUAA4IC
AQBGfyKQYUu/Sx4U/HpcB54+rCM9/BnrpPWhY4D0nYVqxhAZi/At+fK5vLg/PC8M
ehLGnBsGFXVbT0v+opDmgjQyeHAU/0JC+APmRHsNsOiMTzO1B/X8VxxAaXq/aTA9
PN3i5BjBIm2AkYX6SCZwEa3WBX0E8wkXqAbLRP/7/A93OOBKTcSHWQV4utuwky71
R+ENXvshoEKLmY74EP9slJdxeABwq5XSPyZsKzMtA3p5g+RhiZATc2AcqgXcf+7p VryCiynsmDAnRdIPtqCNziJecB9DFk2Are8+xdnzSR9JMB+NZUKrSpgBl2PMn/n2
Q4OoEmEKwD4thrPRIVz2c9dPlc4EjjI5sRYB7GhyxNBTvREIxikTRdimteIfTldb
yFLX4VjcQ7ClMuevBlwSjQdW52j6CyH5y+fPxptidrXHvuu1GQvIETSK1kNxrKZ3
wppnKR31SeGlyu7UdgeOytQz21XMWx3ievMg77vN5WLjQkh1Tlhgic+rmctAvz4D
KiEoerQQm/J1e8a6+5FJ+cfSd4A9UnFv/Cni7UltGrryHFaMfkrcvmvDhwkaBiJw
V9a4A4AU6DQqGQIdw20CEGC2Wvm4qIz1j9WlQeX+w0MASPX7wh815bXUWqrcgWhf
3NkPEztbWUm1okeSO81nLNUQ0vWUUf4WlwZ5Nz1mc424FQ==
-----END CERTIFICATE-----
[Wed Jan 19 11:47:03 CST 2022] Your cert is in: /root/.acme.sh/
[Wed Jan 19 11:47:03 CST 2022] Your cert key is in: /root/.acme.sh/example/example.key [Wed Jan 19 11:47:03 CST 2022] The intermediate CA cert is in: /root/.acme.sh/ [Wed Jan 19 11:47:03 CST 2022] And the full chain certs is there: /root/.acme.sh/
3、配置Nginx
root@localhost:~# vim /etc/nginx/f
server {
listen 443 ssl;
server_name example;
root html;
ssl_certificate /etc/nginx/;
ssl_certificate_key /etc/nginx/ssl/example.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
4、安装域名证书到指定Nginx位置
root@localhost:~# acme.sh --install-cert -d example \
--key-file /etc/nginx/ssl/example.key \
--fullchain-file /etc/nginx/ \
--reloadcmd "nginx -s reload"
附录-查看已管理的域名
acme.sh --list
附录-删除托管的域名
⽰例:
acme.sh --remove -d example [--ecc]
附录-申请颁发多个域名证书
⽰例:
acme.sh --issue -d example -ample -ample -w /home/wwwroot/example
附录-将证书⾃动安装到Nginx或Apache
Apache⽰例:
acme.sh --install-cert -d example \
--cert-file /path/to/certfile/in/apache/cert.pem \
--key-file /path/to/keyfile/in/apache/key.pem \
--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd "service apache2 force-reload"
Nginx⽰例:
acme.sh --install-cert -d example \
--key-file /path/to/keyfile/in/nginx/key.key \
--fullchain-file /path/to/fullchain/ \
--reloadcmd "service nginx force-reload"
附录-强制更新证书
我们通常不需要⼿动更新证书,所有证书每60天会⾃动更新⼀次。
但是也可以⼿动强制更新证书。
⽰例:
acme.sh --renew -d example --force
附录-设置默认使⽤的CA
参考⽂档:
letsencrypt
buypass
zerossl
sslcom ,
root@localhost:~# acme.sh --set-default-ca --server letsencrypt
附录-查看证书有效期
root@localhost:/etc/nginx/ssl# openssl x509 - -noout -dates
notBefore=Jan 19 00:00:00 2022 GMT
notAfter=Apr 19 23:59:59 2022 GMT
附录-⾃动续期+钉钉报警
⾃⼰写的脚本,结合计划任务每天执⾏⼀次!
#!/bin/bash
# @author: rby
# @description: 使⽤acme.sh⾃动申请、部署并续期(提前⼀周)免费的ssl证书,并通知到钉钉告知运维⼯程师!
set -x
DOMAIN_LIST="
"
SSL_DIR="/etc/nginx/ssl"
WEBROOT="/var/nginx/html"
ACMESH="/usr/local/acme/acme.sh/acme.sh"
NOTICE_DINGDING_TOBOT="oapi.dingtalk/robot/send?access_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" noticeDingding(){
msg="{\"msgtype\": \"text\",\"text\": {\"content\": "\'"${1}"\'"},\"at\": {\"isAtAll\": true}}"
curl "$NOTICE_DINGDING_TOBOT" -H 'Content-Type: application/json' -d "$msg"
}
applyFreeSSLCertificate(){
status=0
# 1、强制申请免费ssl证书
$ACMESH --issue -d $domain -w $WEBROOT --force
[ $? -eq 0 ] && status=`expr $status + 1`
# 2、安装ssl证书到nginx
$ACMESH --install-cert -d ${domain} --key-file "${SSL_DIR}/${domain}.key" --fullchain-file "${SSL_DIR}/${domain}.cer" --reloadcmd "nginx -s reload" # ⾃动部署到nginx [ $? -eq 0 ] && status=`expr $status + 1`
if [ $status -eq 2 ];then
noticeDingding "申请并部署、续期(提前⼀周)免费ssl证书"${domain}"成功!"
else
noticeDingding "申请并部署、续期(提前⼀周)免费ssl证书"${domain}"失败!请⼿动执⾏本脚本程序再次申请、续期以观测失败原因!"
fi
}
for domain in $DOMAIN_LIST;do
echo "⾃动申请部署并续期ssl证书,域名=$domain"
# 申请部署免费SSL证书
# 如果证书⽂件不存在则⾃动申请并部署免费的SSL证书
if [ ! -e ${SSL_DIR}/${domain}.cer ];then
applyFreeSSLCertificate
fi
# ⾃动续期
# 检查ssl证书到期时间,提前⼀周⾃动续期并部署新的ssl证书
expirationTimeGMT=`openssl x509 -in ${SSL_DIR}/${domain}.cer -noout -dates|grep notAfter|awk -F '=' '{print $2}'` # 证书到期GMT时间
expirationTime=`date -d "$expirationTimeGMT" +%s` # 证书到期时间,转换为以秒为单位的时间戳
currTime=`date +%s` # 当前时间戳
echo "当前证书到期时间还有$(expr $(expr $expirationTime - $currTime) / 60 / 60 / 24)天"
if [ $(expr $(expr $expirationTime - $currTime) / 60 / 60 / 24) -lt 7 ];then
applyFreeSSLCertificate
fi
done
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。
发表评论