Installing a certificate with acme.sh using Alibaba Cloud DNS validation

jimmy  26 December 2020  297 views

Download acme.sh

curl https://get.acme.sh | sh

The download failed:

[root@ysl01 ~]# curl  https://get.acme.sh | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   775    0   775    0     0    620      0 --:--:--  0:00:01 --:--:--   620
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (7) Failed connect to raw.githubusercontent.com:443; Connection refused

Edit /etc/hosts and append the following line at the end of the file:
199.232.96.133 raw.githubusercontent.com

The site's IP address was obtained by looking it up at https://www.ipaddress.com/
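The hosts-file workaround above pins raw.githubusercontent.com to one address copied from a third-party lookup site. curl still validates the server certificate against the hostname, so a wrong or hijacked pin fails the TLS handshake rather than silently serving a different installer; the real risk is that the address goes stale and a forgotten override quietly breaks later downloads. The following is an added example, not code from the post: two POSIX sh functions that add or replace the entry without leaving duplicates and remove it again once the install is done, plus a small lookup helper. The file path is a parameter so they can be tried on a copy before touching /etc/hosts; the function names (pin_host, unpin_host, resolve_pinned) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): maintain a temporary hosts-file
# override idempotently and remove it afterwards. HOSTS_FILE is passed in so
# the functions can be exercised on a copy; the IP and hostname used in the
# sample run at the bottom are the ones from the post.
set -eu

# pin_host HOSTS_FILE IP HOSTNAME: drop any existing non-comment line that
# names HOSTNAME, then append "IP HOSTNAME". The file is rewritten through a
# temp file and moved into place, so a failure half-way never leaves a
# truncated hosts file behind.
pin_host() {
    file="$1"; ip="$2"; name="$3"
    tmp="$file.tmp.$$"
    # keep comment lines; drop lines where HOSTNAME appears as a whole field
    grep -vE "^[^#]*[[:space:]]$name([[:space:]]|\$)" "$file" > "$tmp" || true
    printf '%s %s\n' "$ip" "$name" >> "$tmp"
    mv "$tmp" "$file"
}

# unpin_host HOSTS_FILE HOSTNAME: remove the override again so normal DNS
# resolution is used for future downloads.
unpin_host() {
    file="$1"; name="$2"
    tmp="$file.tmp.$$"
    grep -vE "^[^#]*[[:space:]]$name([[:space:]]|\$)" "$file" > "$tmp" || true
    mv "$tmp" "$file"
}

# resolve_pinned HOSTS_FILE HOSTNAME: print the address(es) the file currently
# maps HOSTNAME to (empty output means no override is in place).
resolve_pinned() {
    awk -v n="$2" '!/^#/ { for (i = 2; i <= NF; i++) if ($i == n) print $1 }' "$1"
}

# Sample run against a scratch copy (constructed input, not a real hosts file):
# cp /etc/hosts /tmp/hosts.copy
# pin_host /tmp/hosts.copy 199.232.96.133 raw.githubusercontent.com
# resolve_pinned /tmp/hosts.copy raw.githubusercontent.com
# unpin_host /tmp/hosts.copy raw.githubusercontent.com
```

After the installer has run, call unpin_host on the real /etc/hosts; the pinned address is only needed for that one download.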

Reinstalling then succeeded:

[root@ysl01 ~]# curl  https://get.acme.sh | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   775    0   775    0     0    983      0 --:--:-- --:--:-- --:--:--   983
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  202k  100  202k    0     0  40893      0  0:00:05  0:00:05 --:--:-- 57446
[Sat Dec 26 17:40:02 CST 2020] Installing from online archive.
[Sat Dec 26 17:40:02 CST 2020] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Sat Dec 26 17:40:08 CST 2020] Extracting master.tar.gz
[Sat Dec 26 17:40:08 CST 2020] It is recommended to install socat first.
[Sat Dec 26 17:40:08 CST 2020] We use socat for standalone server if you use standalone mode.
[Sat Dec 26 17:40:08 CST 2020] If you don't use standalone mode, just ignore this warning.
[Sat Dec 26 17:40:08 CST 2020] Installing to /root/.acme.sh
[Sat Dec 26 17:40:08 CST 2020] Installed to /root/.acme.sh/acme.sh
[Sat Dec 26 17:40:08 CST 2020] Installing alias to '/root/.bashrc'
[Sat Dec 26 17:40:08 CST 2020] OK, Close and reopen your terminal to start using acme.sh
[Sat Dec 26 17:40:08 CST 2020] Installing alias to '/root/.cshrc'
[Sat Dec 26 17:40:08 CST 2020] Installing alias to '/root/.tcshrc'
[Sat Dec 26 17:40:08 CST 2020] Installing cron job
no crontab for root
no crontab for root
[Sat Dec 26 17:40:08 CST 2020] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Dec 26 17:40:09 CST 2020] OK
[Sat Dec 26 17:40:09 CST 2020] Install success!

Default install location: /root/.acme.sh/

Create an alias

alias acme.sh=/root/.acme.sh/acme.sh

DNS validation

export Ali_Key="***"
export Ali_Secret="***"

acme.sh --issue --force --dns dns_ali -d *.biyouliao.cn -d biyouliao.cn

Default certificate location

[Sat Dec 26 17:49:05 CST 2020] Your cert is in  /root/.acme.sh/*.biyouliao.cn/*.biyouliao.cn.cer 
[Sat Dec 26 17:49:05 CST 2020] Your cert key is in  /root/.acme.sh/*.biyouliao.cn/*.biyouliao.cn.key 
[Sat Dec 26 17:49:05 CST 2020] The intermediate CA cert is in  /root/.acme.sh/*.biyouliao.cn/ca.cer 
[Sat Dec 26 17:49:05 CST 2020] And the full chain certs is there:  /root/.acme.sh/*.biyouliao.cn/fullchain.cer 

Update acme.sh

acme.sh --upgrade

Enable automatic updates of acme.sh

acme.sh --upgrade --auto-upgrade

Disable automatic updates of acme.sh

acme.sh --upgrade --auto-upgrade 0

Using the certificate files in nginx

server {
    listen 443 ssl;
    server_name q.biyouliao.cn;
    ssl_certificate   /root/.acme.sh/*.biyouliao.cn/fullchain.cer;
    ssl_certificate_key   /root/.acme.sh/*.biyouliao.cn/*.biyouliao.cn.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    client_max_body_size 200M;

    location / {
        root /home/server/html/q;
        index index.html index.htm;
    }
}

Automatic certificate renewal

The installer automatically added a cron job:

8 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

It renews the certificate automatically before it expires.
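The cron job above only rewrites the files under /root/.acme.sh; with the nginx block shown earlier, which reads those files directly, nginx keeps serving the certificate it loaded at startup until someone reloads it by hand. acme.sh's own answer to this is --install-cert, which copies the key and chain to paths of your choosing and records a reload command that runs after every renewal. The following is an added example, not code from the post or from the acme.sh project: a POSIX sh script that performs that installation for the post's wildcard domain and adds an openssl-based expiry check to confirm that renewal is actually happening. The install directory /etc/nginx/ssl, the ACME_SH/NGINX_SSL_DIR variables and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post or from acme.sh): install the
# issued certificate into nginx's own directory via acme.sh --install-cert,
# register a reload command so the cron renewal also reloads nginx, and check
# an installed certificate's remaining validity with openssl.
# Assumptions: acme.sh is at $ACME_SH (default: the post's install path),
# nginx will read its certificate from $NGINX_SSL_DIR (chosen here), and the
# domain is the post's *.biyouliao.cn.
set -eu

ACME_SH="${ACME_SH:-/root/.acme.sh/acme.sh}"
NGINX_SSL_DIR="${NGINX_SSL_DIR:-/etc/nginx/ssl}"

# install_cert DOMAIN: copy key and full chain out of ~/.acme.sh into the nginx
# directory. acme.sh stores these paths and the reloadcmd in the domain's conf,
# so every cron renewal re-copies the files and runs the reload.
install_cert() {
    domain="$1"
    base="${domain#\*.}"          # "*.biyouliao.cn" -> "biyouliao.cn" for file names
    mkdir -p "$NGINX_SSL_DIR"
    chmod 700 "$NGINX_SSL_DIR"    # the private key must not be world-readable
    "$ACME_SH" --install-cert -d "$domain" \
        --key-file       "$NGINX_SSL_DIR/$base.key" \
        --fullchain-file "$NGINX_SSL_DIR/$base.fullchain.cer" \
        --reloadcmd      "nginx -t && systemctl reload nginx"
}

# cert_valid_for_days DAYS FILE: exit 0 if the certificate in FILE is still
# valid DAYS days from now, non-zero otherwise. acme.sh renews 60 days after
# issuance by default, so a Let's Encrypt certificate with fewer than about
# 25 days left means the cron job did not run (or failed) and needs attention.
cert_valid_for_days() {
    days="$1"; file="$2"
    openssl x509 -in "$file" -noout -checkend "$((days * 86400))" >/dev/null
}

# Example run on a real host (uncomment):
# install_cert '*.biyouliao.cn'
# cert_valid_for_days 25 "$NGINX_SSL_DIR/biyouliao.cn.fullchain.cer" || echo "renewal overdue"
```

Once install_cert has run, point ssl_certificate at /etc/nginx/ssl/biyouliao.cn.fullchain.cer and ssl_certificate_key at /etc/nginx/ssl/biyouliao.cn.key instead of the /root/.acme.sh paths. Two further points a practitioner would want to know: acme.sh saves Ali_Key and Ali_Secret in /root/.acme.sh/account.conf so that renewals can run unattended, so use a RAM sub-account whose policy is limited to DNS record management rather than the main account's key; and the ssl_protocols line in the post's nginx block still enables TLSv1 and TLSv1.1, which are deprecated, so TLSv1.2 (and TLSv1.3 where nginx supports it) is the setting to keep.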