Generating a wildcard certificate with acme.sh and renewing it automatically

Overview

GitHub repository: https://github.com/acmesh-official/acme.sh

GitLab mirror repository: https://jihulab.com/qiqi-lpb/Acme.sh.git

Installing acme.sh

Install from the mirror repository

$ git clone https://jihulab.com/qiqi-lpb/Acme.sh.git
$ cd Acme.sh/
$ ./acme.sh --install -m my@example.com
[Thu 04 Jan 2024 04:47:56 PM CST] Installing to /root/.acme.sh
[Thu 04 Jan 2024 04:47:56 PM CST] Installed to /root/.acme.sh/acme.sh
[Thu 04 Jan 2024 04:47:56 PM CST] Installing alias to '/root/.bashrc'
[Thu 04 Jan 2024 04:47:56 PM CST] OK, Close and reopen your terminal to start using acme.sh
[Thu 04 Jan 2024 04:47:56 PM CST] Installing cron job
no crontab for root
no crontab for root
[Thu 04 Jan 2024 04:47:56 PM CST] Good, bash is found, so change the shebang to use bash as preferred.
[Thu 04 Jan 2024 04:47:59 PM CST] OK

Configuring automatic DNS validation with the DNSPod API

acme.sh currently supports automatic integration with dozens of DNS providers, including Cloudflare, DNSPod, CloudXNS, GoDaddy and OVH.

First log in to your DNSPod account and generate your API ID and API key (both are free). Then:

export DP_Id="1234"
export DP_Key="sADDsdasdgdsf"

acme.sh --issue --dns dns_dp -d aa.com -d www.aa.com

# Issuance log from the actual run (quote the wildcard, e.g. '*.qiqios.com',
# so the shell cannot glob-expand it if a matching file exists in the current directory)
./acme.sh --issue --dns dns_dp -d *.qiqios.com
[Thu 04 Jan 2024 05:13:59 PM CST] Using CA: https://acme.zerossl.com/v2/DV90
[Thu 04 Jan 2024 05:13:59 PM CST] Create account key ok.
[Thu 04 Jan 2024 05:13:59 PM CST] No EAB credentials found for ZeroSSL, let's get one
[Thu 04 Jan 2024 05:14:01 PM CST] Registering account: https://acme.zerossl.com/v2/DV90
[Thu 04 Jan 2024 05:14:05 PM CST] Registered
[Thu 04 Jan 2024 05:14:05 PM CST] ACCOUNT_THUMBPRINT='fO3aKdyWedCUjoMIEJqYDHppU_7JKVnvCeYOFeQkB1U'
[Thu 04 Jan 2024 05:14:05 PM CST] Creating domain key
[Thu 04 Jan 2024 05:14:05 PM CST] The domain key is here: /root/.acme.sh/*.qiqios.com_ecc/*.qiqios.com.key
[Thu 04 Jan 2024 05:14:05 PM CST] Single domain='*.qiqios.com'
[Thu 04 Jan 2024 05:14:05 PM CST] Getting domain auth token for each domain
[Thu 04 Jan 2024 05:14:24 PM CST] Getting webroot for domain='*.qiqios.com'
[Thu 04 Jan 2024 05:14:24 PM CST] Adding txt value: lV1F4KAw8wYQ-pq9NKU1QiEUA8OT8YEaH6Qig2XrRbM for domain:  _acme-challenge.qiqios.com
[Thu 04 Jan 2024 05:14:24 PM CST] Adding record
[Thu 04 Jan 2024 05:14:25 PM CST] The txt record is added: Success.
[Thu 04 Jan 2024 05:14:25 PM CST] Let's check each DNS record now. Sleep 20 seconds first.
[Thu 04 Jan 2024 05:14:46 PM CST] You can use '--dnssleep' to disable public dns checks.
[Thu 04 Jan 2024 05:14:46 PM CST] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Thu 04 Jan 2024 05:14:46 PM CST] Checking qiqios.com for _acme-challenge.qiqios.com
[Thu 04 Jan 2024 05:14:47 PM CST] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Thu 04 Jan 2024 05:14:55 PM CST] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28
[Thu 04 Jan 2024 05:14:56 PM CST] Domain qiqios.com '_acme-challenge.qiqios.com' success.
[Thu 04 Jan 2024 05:14:56 PM CST] All success, let's return
[Thu 04 Jan 2024 05:14:56 PM CST] Verifying: *.qiqios.com
[Thu 04 Jan 2024 05:14:57 PM CST] Processing, The CA is processing your order, please just wait. (1/30)
[Thu 04 Jan 2024 05:15:14 PM CST] Success
[Thu 04 Jan 2024 05:15:14 PM CST] Removing DNS records.
[Thu 04 Jan 2024 05:15:14 PM CST] Removing txt: lV1F4KAw8wYQ-pq9NKU1QiEUA8OT8YEaH6Qig2XrRbM for domain: _acme-challenge.qiqios.com
[Thu 04 Jan 2024 05:15:16 PM CST] Removed: Success
[Thu 04 Jan 2024 05:15:16 PM CST] Verify finished, start to sign.
[Thu 04 Jan 2024 05:15:16 PM CST] Lets finalize the order.
[Thu 04 Jan 2024 05:15:16 PM CST] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/NNLM7QatJdG3SzQNC8xpHQ/finalize'
[Thu 04 Jan 2024 05:15:31 PM CST] Order status is processing, lets sleep and retry.
[Thu 04 Jan 2024 05:15:31 PM CST] Retry after: 15
[Thu 04 Jan 2024 05:15:47 PM CST] Polling order status: https://acme.zerossl.com/v2/DV90/order/NNLM7QatJdG3SzQNC8xpHQ
[Thu 04 Jan 2024 05:16:05 PM CST] Downloading cert.
[Thu 04 Jan 2024 05:16:05 PM CST] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/nTOJ7enHYSLJlOAB1sKoKg'
[Thu 04 Jan 2024 05:16:19 PM CST] Cert success.
[Thu 04 Jan 2024 05:16:19 PM CST] Your cert is in: /root/.acme.sh/*.qiqios.com_ecc/*.qiqios.com.cer
[Thu 04 Jan 2024 05:16:19 PM CST] Your cert key is in: /root/.acme.sh/*.qiqios.com_ecc/*.qiqios.com.key
[Thu 04 Jan 2024 05:16:19 PM CST] The intermediate CA cert is in: /root/.acme.sh/*.qiqios.com_ecc/ca.cer
[Thu 04 Jan 2024 05:16:19 PM CST] And the full chain certs is there: /root/.acme.sh/*.qiqios.com_ecc/fullchain.cer

More detailed API usage: https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md

Viewing the installed certificate's information

./acme.sh --info -d *.qiqios.com

[Thu 04 Jan 2024 05:19:04 PM CST] The domain '*.qiqios.com' seems to have a ECC cert already, lets use ecc cert.
DOMAIN_CONF=/root/.acme.sh/*.qiqios.com_ecc/*.qiqios.com.conf
Le_Domain=*.qiqios.com
Le_Alt=no
Le_Webroot=dns_dp
Le_PreHook=
Le_PostHook=
Le_RenewHook=
Le_API=https://acme.zerossl.com/v2/DV90
Le_Keylength=ec-256
Le_OrderFinalize=https://acme.zerossl.com/v2/DV90/order/NNLM7QatJdG3SzQNC8xpHQ/finalize
Le_LinkOrder=https://acme.zerossl.com/v2/DV90/order/NNLM7QatJdG3SzQNC8xpHQ
Le_LinkCert=https://acme.zerossl.com/v2/DV90/cert/nTOJ7enHYSLJlOAB1sKoKg
Le_CertCreateTime=1704359779
Le_CertCreateTimeStr=2024-01-04T09:16:19Z
Le_NextRenewTimeStr=2024-03-03T09:16:19Z
Le_NextRenewTime=1709457379

Renewing the certificate

Currently the certificate is renewed automatically after 60 days, with no action required. This interval may be shortened in the future, but renewal stays automatic, so you do not need to worry about it.

Make sure the cron job is installed correctly; it should look something like this:

crontab  -l

56 23 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
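As an added example (not from acme.sh or the original post), this POSIX shell script parses the key=value output that `acme.sh --info` printed above and uses `Le_NextRenewTime` to tell whether the scheduled renewal is overdue, which is the first thing to check when you doubt that the cron job above is running. The sample conf text and the fixed "now" epoch are constructed from the values in the post.

```shell
#!/bin/sh
# Added example, not acme.sh's own code: read the key=value domain config that
# `acme.sh --info` prints and decide whether renewal is overdue (cron not running).

# Constructed sample, copied from the --info output in the post.
SAMPLE_CONF='Le_Domain=*.qiqios.com
Le_Webroot=dns_dp
Le_API=https://acme.zerossl.com/v2/DV90
Le_Keylength=ec-256
Le_CertCreateTime=1704359779
Le_NextRenewTime=1709457379'

# conf_get <key> <conf-text>: print the value of one key, empty if the key is absent.
conf_get() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# days_until_renew <conf-text> <now-epoch>: whole days until Le_NextRenewTime
# (truncated toward zero; negative once the renewal date has passed).
days_until_renew() {
    next=$(conf_get Le_NextRenewTime "$1")
    [ -n "$next" ] || return 2
    echo $(( (next - $2) / 86400 ))
}

# renewal_overdue <conf-text> <now-epoch> <grace-days>: succeed (exit 0) when the
# cert is past its renewal date by more than <grace-days>, i.e. the --cron job failed.
renewal_overdue() {
    d=$(days_until_renew "$1" "$2") || return 2
    [ "$d" -lt "-$3" ]
}

# Stand-alone demo against a fixed "now" of 2024-03-10T00:00:00Z (constructed).
if [ "${1:-}" = "--demo" ]; then
    now=1710028800
    printf 'domain=%s api=%s key=%s\n' "$(conf_get Le_Domain "$SAMPLE_CONF")" \
        "$(conf_get Le_API "$SAMPLE_CONF")" "$(conf_get Le_Keylength "$SAMPLE_CONF")"
    printf 'days until renewal: %s\n' "$(days_until_renew "$SAMPLE_CONF" "$now")"
    if renewal_overdue "$SAMPLE_CONF" "$now" 3; then
        echo 'overdue: check "crontab -l" and run acme.sh --cron by hand'
    else
        echo 'on schedule'
    fi
fi
```

On a real host, feed it the contents of `~/.acme.sh/<domain>_ecc/<domain>.conf` and `$(date +%s)` instead of the sample values.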

Updating acme.sh

Because both the ACME protocol and the Let's Encrypt CA change frequently, acme.sh is also updated often to keep in step with them.

Upgrade acme.sh to the latest version:

acme.sh --upgrade

If you do not want to upgrade manually, you can enable automatic upgrades:

$ acme.sh --upgrade --auto-upgrade
[Thu 04 Jan 2024 05:24:20 PM CST] Already uptodate!
[Thu 04 Jan 2024 05:24:20 PM CST] Upgrade success!

From then on, acme.sh keeps itself up to date.

Automatic upgrades can also be turned off at any time:

acme.sh --upgrade --auto-upgrade 0

http://www.qiqios.cn/2024/01/04/使用acme.sh生成泛域名证书并自动续期/
Author: 一亩三分地
Published: 4 January 2024