https://github.com/acmesh-official/acme.sh
Documentation lives in the Wiki and the README
Uses the ZeroSSL.com CA by default
This article uses Cloudflare as the DNS provider.
If your DNS registrar does not offer an API, you can still use Cloudflare as the DNS provider without transferring the domain (at the registrar, set the domain's nameservers to the ones Cloudflare assigns you).
1 Install acme.sh
1.1 Arch Linux only
Install the archlinuxcn/acme.sh-git package
1.2 General installation steps
Make sure the ca-certificates package is installed first (Debian package name; other distributions may name it differently).
git clone --depth 1 https://github.com/acmesh-official/acme.sh.git
cd acme.sh
./acme.sh --install -m <my@example.com>
Replace <my@example.com> with your own e-mail address
Installed to ~/.acme.sh by default
For other, more advanced installation methods see the official wiki: How to install
2 Request a wildcard SSL certificate (DNS API mode)
2.1 Use DoH (optional)
echo "export DOH_CLOUDFLARE=1" >> ~/.acme.sh/acme.sh.env
source ~/.acme.sh/acme.sh.env
2.2 Register a ZeroSSL.com CA account
Run this command once whether or not you already have an account (first time only)
acme.sh --register-account -m <myemail@example.com> --server zerossl
2.3 Configure mail notifications (optional)
Install the extra/msmtp and core/inetutils packages
echo 'export MAIL_BIN="msmtp"' >> ~/.acme.sh/acme.sh.env
echo 'export MAIL_MSMTP_ACCOUNT="acme.sh"' >> ~/.acme.sh/acme.sh.env
echo 'export MAIL_FROM="xxx@xxx.com"' >> ~/.acme.sh/acme.sh.env # or "Xxx Xxx <xxx@xxx.com>", currently works only with sendmail
echo 'export MAIL_TO="xxx@xxx.com"' >> ~/.acme.sh/acme.sh.env # your account e-mail will be used as default if available
source ~/.acme.sh/acme.sh.env
acme.sh --set-notify --notify-hook mail
The archlinuxcn/acme.sh-git package from the repository is incomplete: clone the acme.sh git repository and copy its notify directory into ~/.acme.sh/
git clone --depth 1 https://github.com/acmesh-official/acme.sh.git
cp -r acme.sh/notify ~/.acme.sh/
The MAIL_MSMTP_ACCOUNT and MAIL_FROM values above are not arbitrary; see msmtp - ArchWiki for details.
2.4 Cloudflare supports two kinds of API credentials; an API token is used here
Create an API token on your account's profile page
Token name: anything
Under permissions, add two entries:
- Zone / Zone / Read (read access to Zone.Zone)
- Zone / DNS / Edit (write access to Zone.DNS)
Zone resources:
- Include / All zones (across all zones); limiting this to just the zones acme.sh will manage is the tighter choice
Client IP address filtering: anything; the default (empty) is fine
TTL: anything
On the site's dashboard page, scroll down to find "API - Account ID"
Issue the certificate:
echo 'export CF_Token="xxxxxxxxxxxxxxxxxx"' >> ~/.acme.sh/acme.sh.env
echo 'export CF_Account_ID="xxxxxxxxxxxxx"' >> ~/.acme.sh/acme.sh.env
source ~/.acme.sh/acme.sh.env
acme.sh --issue --dns dns_cf -d example.com -d '*.example.com' --days 77 --keylength ec-256
--days: Specifies the days to renew the cert when using the '--issue' command. The default value is 60 days.
--keylength: Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384, ec-521. (RSA or ECC)
2.5 Install the issued certificate into Nginx
The certificate path is usually /etc/nginx/certificate; give your regular user read and write permission on it, and keep the key file itself unreadable by other users.
acme.sh --install-cert -d example.com --ecc \
--key-file /path/to/keyfile/in/nginx/key.pem \
--fullchain-file /path/to/fullchain/in/nginx/cert.pem \
--reloadcmd "sudo systemctl restart nginx.service"
If you are completely sure of the issues and the possibilities with the usage of sudo and still want to use it, you can pass the --force parameter to work with sudo. (https://github.com/acmesh-official/acme.sh/wiki/sudo)
The cert will be renewed every 60 days by default (which is configurable, e.g. 77 days). Once the cert is renewed, the Apache/Nginx service will be reloaded automatically by the command.
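Two things on this page are easy to get subtly wrong and are only noticed when Nginx fails to start or a browser warns: the file that holds the Cloudflare token (2.4) and the key file copied into Nginx (2.5) being readable by other users, and a key that does not belong to the installed chain. The script below is an added example (not acme.sh's own tooling and not from the original article): it checks that both files have no group/other permission bits, that the key is the P-256 key `--keylength ec-256` produces, that the key matches the installed certificate, that the certificate covers both `example.com` and `*.example.com`, and that it is not within 30 days of expiry. The paths, the script name and the 30-day threshold are assumptions; only `openssl` is required.

```shell
#!/bin/sh
# Added example: post-deployment checks for the acme.sh + Cloudflare + Nginx setup.
# Not part of acme.sh; the paths and thresholds are assumptions taken from the article.
set -u

# Succeed only if FILE exists and has no group/other permission bits (e.g. 600 or 400).
# Used for ~/.acme.sh/acme.sh.env (it holds CF_Token) and for the Nginx key.pem.
check_private_mode() {
  local file=$1 mode
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")   # GNU, then BSD stat
  case "$(printf '%s' "$mode" | tail -c 2)" in
    00) return 0 ;;
    *)  echo "too permissive: $file is mode $mode" >&2; return 1 ;;
  esac
}

# Succeed only if the public key inside CERT equals the public key derived from KEY
# (catches a key and chain that were installed from different issuances).
check_key_matches_cert() {
  local key=$1 cert=$2 from_key from_cert
  from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  from_cert=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Succeed only if CERT stays valid for at least MIN_DAYS (default 30) more days;
# openssl -checkend exits non-zero when the certificate expires within that window.
check_cert_expiry() {
  local cert=$1 min_days=${2:-30}
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1
}

# Succeed only if NAME (e.g. "*.example.com") is a DNS entry in CERT's subjectAltName.
check_cert_covers() {
  local cert=$1 name=$2
  openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$name"
}

# Succeed only if KEY is an EC key on prime256v1 (P-256), which --keylength ec-256 produces.
check_key_is_p256() {
  openssl pkey -in "$1" -noout -text 2>/dev/null | grep -q 'prime256v1'
}

# Run every check against the env file, key, fullchain and base domain; non-zero if any failed.
verify_deployment() {
  local env=$1 key=$2 cert=$3 domain=$4 rc=0
  check_private_mode "$env"             || rc=1
  check_private_mode "$key"             || rc=1
  check_key_is_p256 "$key"              || { echo "key is not P-256" >&2; rc=1; }
  check_key_matches_cert "$key" "$cert" || { echo "key does not match cert" >&2; rc=1; }
  check_cert_expiry "$cert" 30          || { echo "cert expires within 30 days" >&2; rc=1; }
  check_cert_covers "$cert" "$domain"   || { echo "cert lacks $domain" >&2; rc=1; }
  check_cert_covers "$cert" "*.$domain" || { echo "cert lacks *.$domain" >&2; rc=1; }
  return "$rc"
}

# Usage with the article's paths (adjust to your install; "verify_acme.sh" is a hypothetical name):
#   sh verify_acme.sh ~/.acme.sh/acme.sh.env /etc/nginx/certificate/key.pem /etc/nginx/certificate/cert.pem example.com
if [ "$#" -eq 4 ]; then
  verify_deployment "$@" && echo "all checks passed"
fi
```

Running it right after `acme.sh --install-cert` and again from the renewal timer's host is a cheap way to notice a `--reloadcmd` that silently failed or a key file whose mode was widened during troubleshooting.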
2.6 Use systemd units instead of cron to run the periodic certificate renewal
Create a systemd unit for acme.sh: /usr/local/lib/systemd/system/acme_sh.service.
[Unit]
Description=Renew ZeroSSL certificates using acme.sh
Wants=network-online.target
After=network-online.target
[Service]
Type=oneshot
User=xxx
Restart=on-failure
RestartSec=10
WorkingDirectory=/home/xxx/.acme.sh
ExecStart=/usr/bin/acme.sh --cron --home /home/xxx/.acme.sh
SuccessExitStatus=0 2
[Install]
WantedBy=multi-user.target
Test that it works before creating the timer.
sudo systemctl daemon-reload
sudo systemctl start acme_sh.service
Create a systemd timer unit for the service above: /usr/local/lib/systemd/system/acme_sh.timer.
[Unit]
Description=Scheduled ZeroSSL certificates renewal
Wants=network-online.target
After=network-online.target
[Timer]
OnCalendar=weekly
RandomizedDelaySec=1d
Persistent=true
[Install]
WantedBy=timers.target
Enable the timer.
sudo systemctl enable --now acme_sh.timer
Other
- acme.sh supports the DNS APIs of many providers, including DigitalOcean, Linode and others; see the project Wiki for the full list