Yizhuo's Blog


Generating free HTTPS certificates with acme.sh

Today I introduce a tool that can automatically issue and renew free certificates from Let's Encrypt.

Project repository (GitHub): https://github.com/acmesh-official/acme.sh

First you need a domain name that is reachable from the Internet, with its DNS record pointing at the server's address.

Step 1: Installation

Run the following command on the Linux server:

curl https://get.acme.sh | sh

or

wget -O -  https://get.acme.sh | sh

or install from GitHub:

git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install

Step 2: Issue the certificate

If acme.sh reports that the port is already in use, stop the service occupying it first.

Single domain:

acme.sh --issue -d example.com --standalone

Multiple domains:

acme.sh --issue -d example.com -d www.example.com --standalone

If the output looks like this:

root@zhuo:~# acme.sh  --issue -d example.com --standalone
[Mon 09 Nov 2020 07:00:28 PM CST] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon 09 Nov 2020 07:00:28 PM CST] Please install socat tools first.
[Mon 09 Nov 2020 07:00:28 PM CST] _on_before_issue.

then Socat has to be installed first.

Socat is a multipurpose networking tool for Linux; the name comes from "Socket CAT". Its functionality resembles that of Netcat, the "Swiss army knife" of networking, and it can be regarded as an enhanced Netcat.

Socat's main job is to establish a channel between two data streams, and it supports a large number of protocols and connection types, such as IP, TCP, UDP, IPv6, PIPE, EXEC, System, Open, Proxy, OpenSSL and Socket.

Socat's official website: http://www.dest-unreach.org/socat/

Installation commands:

CentOS

yum install -y socat

Debian/Ubuntu

apt-get install -y socat

After installing Socat, run the issue command again.

On success, the output looks like this:

root@zhuo:~/.acme.sh# acme.sh --issue -d example.com -d www.example.com --standalone
[Mon 28 Dec 2020 02:37:29 PM CST] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon 28 Dec 2020 02:37:29 PM CST] Standalone mode.
[Mon 28 Dec 2020 02:37:29 PM CST] Standalone mode.
[Mon 28 Dec 2020 02:37:29 PM CST] Multi domain='DNS:example.com,DNS:www.example.com'
[Mon 28 Dec 2020 02:37:29 PM CST] Getting domain auth token for each domain
[Mon 28 Dec 2020 02:37:38 PM CST] Getting webroot for domain='example.com'
[Mon 28 Dec 2020 02:37:38 PM CST] Getting webroot for domain='www.example.com'
[Mon 28 Dec 2020 02:37:38 PM CST] Verifying: example.com
[Mon 28 Dec 2020 02:37:38 PM CST] Standalone mode server
[Mon 28 Dec 2020 02:37:44 PM CST] Success
[Mon 28 Dec 2020 02:37:44 PM CST] Verifying: www.example.com
[Mon 28 Dec 2020 02:37:44 PM CST] Standalone mode server
[Mon 28 Dec 2020 02:37:50 PM CST] Success
[Mon 28 Dec 2020 02:37:50 PM CST] Verify finished, start to sign.
[Mon 28 Dec 2020 02:37:50 PM CST] Lets finalize the order.
[Mon 28 Dec 2020 02:37:50 PM CST] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/96543253/2321987136'
[Mon 28 Dec 2020 02:37:53 PM CST] Downloading cert.
[Mon 28 Dec 2020 02:37:53 PM CST] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/036a2607576c7cb654f34601cc2285245d38'
[Mon 28 Dec 2020 02:37:55 PM CST] Cert success.
-----BEGIN CERTIFICATE-----
MIIFTzCCBDegAwIBAgISA2omB1dsfLVi9icBzCKFJF04MA0GCSqGSIb3DQEBCwUA
...
WoM6llNhcgSwsCy+8SMLJy6XuysA4g8MV+nv5oaxBUgXDbGCiAZrSdWRwPai+vi4
vYG+xYjCq7tgswkLAz6uukTSPw==
-----END CERTIFICATE-----
[Mon 28 Dec 2020 02:37:55 PM CST] Your cert is in /root/.acme.sh/example.com/example.com.cer
[Mon 28 Dec 2020 02:37:55 PM CST] Your cert key is in /root/.acme.sh/example.com/example.com.key
[Mon 28 Dec 2020 02:37:55 PM CST] The intermediate CA cert is in /root/.acme.sh/example.com/ca.cer
[Mon 28 Dec 2020 02:37:55 PM CST] And the full chain certs is there: /root/.acme.sh/example.com/fullchain.cer

The output includes the paths of the certificate, the private key, the intermediate CA certificate and the full chain.

Step 3: Configure nginx

Copy the private key and the full chain into the directory nginx reads its certificates from:

cp /root/.acme.sh/example.com/example.com.key /usr/local/nginx/ssl/example.com.key
cp /root/.acme.sh/example.com/fullchain.cer /usr/local/nginx/ssl/fullchain.cer

In nginx.conf, add the following directives to the server block, changing the certificate paths to your own:

listen 443 ssl;   # enables TLS on the listener; the older "ssl on;" directive is deprecated since nginx 1.15.0
ssl_certificate /usr/local/nginx/ssl/fullchain.cer;
ssl_certificate_key /usr/local/nginx/ssl/example.com.key;

For example:

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /usr/local/nginx/ssl/fullchain.cer;
    ssl_certificate_key /usr/local/nginx/ssl/example.com.key;
    charset utf-8;
    location / {
        root /usr/share/nginx/html;   # document root, like Tomcat's ROOT; set this to your own path
        index index.html index.htm;   # default index files
        try_files $uri $uri/ /index.html;
    }
}

Step 4: Reload nginx so the configuration takes effect

nginx -s reload

or simply restart nginx.

The HTTPS certificate is now configured.

Renewing an expired certificate

If acme.sh reports that the port is already in use, stop the service occupying it first.

Single domain:

acme.sh --renew -d example.com

Multiple domains:

acme.sh --renew -d example.com -d www.example.com -d xxx.com

The renewal output:

root@zhuo:/home/zhuo/nginx/ssl# acme.sh --renew -d example.com -d www.example.com -d xxx.com
[Thu 28 Jan 2021 12:16:29 PM CST] Renew: 'example.com'
[Thu 28 Jan 2021 12:16:31 PM CST] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu 28 Jan 2021 12:16:31 PM CST] Standalone mode.
[Thu 28 Jan 2021 12:16:31 PM CST] Standalone mode.
[Thu 28 Jan 2021 12:16:31 PM CST] Standalone mode.
[Thu 28 Jan 2021 12:16:31 PM CST] Multi domain='DNS:example.com,DNS:www.example.com,DNS:xxx.com'
[Thu 28 Jan 2021 12:16:31 PM CST] Getting domain auth token for each domain
[Thu 28 Jan 2021 12:16:40 PM CST] Getting webroot for domain='example.com'
[Thu 28 Jan 2021 12:16:40 PM CST] Getting webroot for domain='www.example.com'
[Thu 28 Jan 2021 12:16:40 PM CST] Getting webroot for domain='xxx.com'
[Thu 28 Jan 2021 12:16:40 PM CST] Verifying: example.com
[Thu 28 Jan 2021 12:16:40 PM CST] Standalone mode server
[Thu 28 Jan 2021 12:16:48 PM CST] Success
[Thu 28 Jan 2021 12:16:48 PM CST] Verifying: www.example.com
[Thu 28 Jan 2021 12:16:48 PM CST] Standalone mode server
[Thu 28 Jan 2021 12:16:53 PM CST] Success
[Thu 28 Jan 2021 12:16:53 PM CST] Verifying: xxx.com
[Thu 28 Jan 2021 12:16:53 PM CST] Standalone mode server
[Thu 28 Jan 2021 12:16:58 PM CST] Success
[Thu 28 Jan 2021 12:16:58 PM CST] Verify finished, start to sign.
[Thu 28 Jan 2021 12:16:58 PM CST] Lets finalize the order.
[Thu 28 Jan 2021 12:16:58 PM CST] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/101291916/7567203492'
[Thu 28 Jan 2021 12:17:00 PM CST] Downloading cert.
[Thu 28 Jan 2021 12:17:00 PM CST] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/030c0a4b859281221354841535ab7314ad2e'
[Thu 28 Jan 2021 12:17:01 PM CST] Cert success.
-----BEGIN CERTIFICATE-----
MIIFejCCBGKgAwIBAgISAwwKS4WSgSITVIQVNatzFK0uMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
...
B4kfqgGZDiAH94ffm/8mdk3pPFesqhEf0ew4ZI29WSNJaAYomoM38h9WG2OMunDN
xGwTb6hqLB0zos29nd4VhDpgmujB+gnu+B/Dg4j4PWfi8rUx+f4PQCE98C/pfeQI
r/JENs5VnKvTGYOD7sM=
-----END CERTIFICATE-----
[Thu 28 Jan 2021 12:17:01 PM CST] Your cert is in /root/.acme.sh/example.com/example.com.cer
[Thu 28 Jan 2021 12:17:01 PM CST] Your cert key is in /root/.acme.sh/example.com/example.com.key
[Thu 28 Jan 2021 12:17:01 PM CST] The intermediate CA cert is in /root/.acme.sh/example.com/ca.cer
[Thu 28 Jan 2021 12:17:01 PM CST] And the full chain certs is there: /root/.acme.sh/example.com/fullchain.cer
root@zhuo:/home/zhuo/nginx/ssl#
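Step 3 copied the key and chain by hand and step 4 reloaded nginx; after every renewal like the one above that copy has to be repeated, or nginx keeps serving the old certificate, so the script below (an added example, not code from the post or from acme.sh) does both in one run, creating the key 0600 from the moment it is written and reloading only after nginx -t accepts the config. It assumes nginx is on PATH (override with NGINX_BIN) and the .tmp staging names are its own choice.

```shell
#!/bin/sh
# Added example, not from the original post or from acme.sh. Installs the
# files acme.sh wrote (step 3) and reloads nginx (step 4) in one place, so the
# same script can be rerun after every renewal. Differences from a bare cp:
# the key is created 0600 from the start, files are replaced atomically, and
# nginx is only reloaded if "nginx -t" accepts the configuration.
# Usage: sh deploy_cert.sh /root/.acme.sh/example.com /usr/local/nginx/ssl example.com
set -eu

NGINX_BIN="${NGINX_BIN:-nginx}"   # assumed nginx binary; override via environment

# deploy_cert <acme.sh domain dir> <nginx ssl dir> <domain>
# Returns 1 if acme.sh's key or full chain is missing, 0 after a successful copy.
deploy_cert() {
    src="$1"; dst="$2"; domain="$3"
    [ -f "$src/$domain.key" ] && [ -f "$src/fullchain.cer" ] || return 1

    mkdir -p "$dst"

    # umask 077 makes the copy 0600 the moment it is created, so no other
    # user can read the key, not even between cp and a later chmod.
    (umask 077; cp "$src/$domain.key" "$dst/$domain.key.tmp")
    mv "$dst/$domain.key.tmp" "$dst/$domain.key"        # atomic replace

    # The chain is public, so 0644 is fine.
    cp "$src/fullchain.cer" "$dst/fullchain.cer.tmp"
    chmod 644 "$dst/fullchain.cer.tmp"
    mv "$dst/fullchain.cer.tmp" "$dst/fullchain.cer"
}

# is_owner_only <file>: succeeds when the file mode is exactly 0600.
# find -perm behaves the same on GNU and BSD, unlike stat's flags.
is_owner_only() {
    [ -n "$(find "$1" -prune -perm 600)" ]
}

# reload_nginx: syntax-check first; a broken config must not replace a working one.
reload_nginx() {
    "$NGINX_BIN" -t >/dev/null 2>&1 || return 1
    "$NGINX_BIN" -s reload
}

# Only act when invoked with the three arguments; sourcing the file just
# defines the functions without touching the system.
if [ "$#" -eq 3 ]; then
    deploy_cert "$1" "$2" "$3" || { echo "missing key or chain in $1" >&2; exit 1; }
    reload_nginx
fi
```

acme.sh's own --install-cert option with --key-file, --fullchain-file and --reloadcmd performs the same copy-and-reload after each renewal and is the supported way to keep nginx's copy current.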

Updating acme.sh

Upgrade acme.sh to the latest version:

acme.sh --upgrade