Requesting a wildcard SSL (HTTPS) certificate with acme.sh


Introduction to acme.sh

acme.sh is an ACME client implemented as a Unix shell script. Its GitHub address is github.com/acmesh-offi… ; with it you can obtain free domain certificates. It currently supports requesting certificates from the following CAs:

Install acme.sh

Installing acme.sh is very simple: run the command below, remembering to replace the email address (it does not need to be a real mailbox).

curl https://get.acme.sh | sh -s email=my@example.com

Both a normal user and root can install and use it. The installation performs the following steps:

  1. Installs acme.sh into your home directory
  2. Automatically creates the alias: acme.sh=~/.acme.sh/acme.sh
  3. Creates a cron job for the current user to check and renew certificates


Requesting a Let's Encrypt certificate

If no email was specified when acme.sh was installed (via the -s email=my@example.com argument), run the following command to register the account key and set the email address:

acme.sh --register-account -m zzwade@163.com


The default CA is ZeroSSL; --set-default-ca --server letsencrypt switches it to Let's Encrypt. Manual DNS mode is used here:

acme.sh --set-default-ca --server letsencrypt --issue --dns -d "*.zwade.top" -d "zwade.top" --yes-I-know-dns-manual-mode-enough-go-ahead-please

Running it still reports an error.

Checking the file, ACCOUNT_EMAIL is still my@example.com. Edit the value of ACCOUNT_EMAIL:

vim ~/.acme.sh/account.conf

Run it again; it now asks you to add two TXT DNS records.

Add the records in the DNS provider's console.

Check whether the TXT records have taken effect.

Once the records have propagated, generate the certificate again; note that this second run uses --renew:

root@devops:/data/compose# acme.sh --renew  -d "*.zwade.top" -d "zwade.top" --yes-I-know-dns-manual-mode-enough-go-ahead-please 
[Sun Aug 18 23:43:42 CST 2024] The domain '*.zwade.top' seems to already have an ECC cert, let's use it.
[Sun Aug 18 23:43:42 CST 2024] Renewing: '*.zwade.top'
[Sun Aug 18 23:43:42 CST 2024] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
[Sun Aug 18 23:43:43 CST 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun Aug 18 23:43:43 CST 2024] Multi domain='DNS:*.zwade.top,DNS:zwade.top'
[Sun Aug 18 23:43:43 CST 2024] Verifying: *.zwade.top
[Sun Aug 18 23:43:44 CST 2024] Pending. The CA is processing your order, please wait. (1/30)
[Sun Aug 18 23:43:48 CST 2024] Success
[Sun Aug 18 23:43:48 CST 2024] Verifying: zwade.top
[Sun Aug 18 23:43:48 CST 2024] Pending. The CA is processing your order, please wait. (1/30)
[Sun Aug 18 23:43:52 CST 2024] Success
[Sun Aug 18 23:43:52 CST 2024] Verification finished, beginning signing.
[Sun Aug 18 23:43:52 CST 2024] Let's finalize the order.
[Sun Aug 18 23:43:52 CST 2024] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1897682456/297359455456'
[Sun Aug 18 23:43:53 CST 2024] Downloading cert.
[Sun Aug 18 23:43:53 CST 2024] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/0372e45a153daff649f272e9b3b197020ff5'
[Sun Aug 18 23:43:53 CST 2024] Cert success.
[Sun Aug 18 23:43:53 CST 2024] Your cert is in: /root/.acme.sh/*.zwade.top_ecc/*.zwade.top.cer
[Sun Aug 18 23:43:53 CST 2024] Your cert key is in: /root/.acme.sh/*.zwade.top_ecc/*.zwade.top.key
[Sun Aug 18 23:43:53 CST 2024] The intermediate CA cert is in: /root/.acme.sh/*.zwade.top_ecc/ca.cer
[Sun Aug 18 23:43:53 CST 2024] And the full-chain cert is in: /root/.acme.sh/*.zwade.top_ecc/fullchain.cer

Viewing certificate information with openssl

The issued certificate and private key are stored in the /root/.acme.sh/*.zwade.top_ecc/ directory; the certificate contents can be inspected with the openssl command.
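The checks worth running on the cert and key files before copying them to the web server, as an added example that is not part of the original post. It uses a constructed self-signed wildcard certificate for *.example.com instead of the page's *.zwade.top files so it runs offline; the file names and function names are this example's own.

```shell
#!/bin/sh
# Added example: inspect a certificate/key pair as acme.sh stores it and
# run the checks a practitioner wants before deploying it to nginx.

# Print the fields that matter for a wildcard cert: subject, issuer,
# validity window and the SAN list (which is what clients actually match).
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -ext subjectAltName
}

# Return 0 when the private key's public half matches the certificate's.
# Catches the classic "copied the wrong .key next to the .cer" mistake,
# which nginx only reports at reload time.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate is still valid for at least $2 seconds.
# Useful in a cron check so a failed --renew is noticed before expiry.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Return 0 when hostname $2 is covered by the certificate's SANs.
# -checkhost applies the real wildcard rules: "*.example.com" covers
# test.example.com but not a.b.example.com or example.com itself.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Constructed input (not the page's cert): a self-signed P-256 wildcard
# certificate with the same SAN shape acme.sh issued above.
make_test_cert() {
    dir=$1
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/wild.key" -out "$dir/wild.cer" -days 90 \
        -subj "/CN=*.example.com" \
        -addext "subjectAltName=DNS:*.example.com,DNS:example.com" 2>/dev/null
}
```

For the real files, call the functions with /root/.acme.sh/*.zwade.top_ecc/*.zwade.top.cer and the matching .key.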

Configuring the domain certificate in Nginx

Copy the issued certificate into the corresponding nginx directory and configure HTTPS access for the domain:

# test.zwade.top.conf
# generated 2024-08-18, Mozilla Guideline v5.7, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.7

server {
    listen 80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name *.zwade.top;

    ssl_certificate /etc/nginx/conf.d/ssl/zwade.top/zwade.top.cer;
    ssl_certificate_key /etc/nginx/conf.d/ssl/zwade.top/zwade.top.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    ssl_dhparam /etc/nginx/conf.d/dhparam;

    # intermediate configuration
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    location / {
        default_type text/plain;
        echo "Can you see me?";

    }

}

Testing access

root@devops:/data/compose/openresty/conf.d# curl -sv https://test.zwade.top/
* Host test.zwade.top:443 was resolved.
* IPv6: (none)
* IPv4: 3.76.222.255
*   Trying 3.76.222.255:443...
* Connected to test.zwade.top (3.76.222.255) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384 / X25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=*.zwade.top
*  start date: Aug 18 14:45:22 2024 GMT
*  expire date: Nov 16 14:45:21 2024 GMT
*  subjectAltName: host "test.zwade.top" matched cert's "*.zwade.top"
*  issuer: C=US; O=Let's Encrypt; CN=E5
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://test.zwade.top/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: test.zwade.top]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.5.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: test.zwade.top
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/2 200 
< server: openresty
< date: Mon, 19 Aug 2024 06:34:25 GMT
< content-type: text/plain
< strict-transport-security: max-age=63072000
< 
Can you see me?
* Connection #0 to host test.zwade.top left intact