My blog's one-year certificate is about to expire, so I decided to set up ACME to renew it automatically and for free and to deploy the renewed certificate automatically as well. The whole process is recorded below.
https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E
Introduction to ACME (Let's Encrypt)
acme.sh implements the ACME protocol and can obtain free certificates from Let's Encrypt. The main steps are:
- install acme.sh
- issue the certificate
- copy the certificate to nginx/apache or whichever service uses it
- renew the certificate
- update acme.sh
1. Install acme.sh
Installation is simple, a single command:
```sh
curl https://get.acme.sh | sh -s email=my@example.com
```
Output:
```
(base) [root@VM-4-5-centos ~]# curl https://get.acme.sh | sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1032 0 1032 0 0 351 0 --:--:-- 0:00:02 --:--:-- 351
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 219k 100 219k 0 0 47927 0 0:00:04 0:00:04 --:--:-- 58853
[Thu Sep 19 09:50:03 CST 2024] Installing from online archive.
[Thu Sep 19 09:50:03 CST 2024] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Thu Sep 19 09:50:05 CST 2024] Extracting master.tar.gz
[Thu Sep 19 09:50:05 CST 2024] It is recommended to install socat first.
[Thu Sep 19 09:50:05 CST 2024] We use socat for the standalone server, which is used for standalone mode.
[Thu Sep 19 09:50:05 CST 2024] If you don't want to use standalone mode, you may ignore this warning.
[Thu Sep 19 09:50:05 CST 2024] Installing to /root/.acme.sh
[Thu Sep 19 09:50:05 CST 2024] Installed to /root/.acme.sh/acme.sh
[Thu Sep 19 09:50:05 CST 2024] Installing alias to '/root/.bashrc'
[Thu Sep 19 09:50:05 CST 2024] Close and reopen your terminal to start using acme.sh
[Thu Sep 19 09:50:05 CST 2024] Installing alias to '/root/.cshrc'
[Thu Sep 19 09:50:05 CST 2024] Installing alias to '/root/.tcshrc'
[Thu Sep 19 09:50:05 CST 2024] Installing cron job
[Thu Sep 19 09:50:05 CST 2024] bash has been found. Changing the shebang to use bash as preferred.
[Thu Sep 19 09:50:07 CST 2024] OK
[Thu Sep 19 09:50:07 CST 2024] Install success!
```
"Install success!" means the installation worked.
Running acme.sh right away reports that the command does not exist:
```
acme.sh --issue -d cctvcloud.cn --nginx
-bash: acme.sh: command not found
```
The shell alias that the installer added has to be loaded first:
```sh
source /root/.bashrc
```
2. Issue the certificate
Since my server runs nginx, I used:
```sh
acme.sh --issue -d mydomain.com --nginx
```
Output:
```
[Thu Sep 19 09:52:50 CST 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Thu Sep 19 09:52:50 CST 2024] Account key creation OK.
[Thu Sep 19 09:52:50 CST 2024] No EAB credentials found for ZeroSSL, let's obtain them
[Thu Sep 19 09:52:50 CST 2024] acme.sh is using ZeroSSL as default CA now.
[Thu Sep 19 09:52:50 CST 2024] Please update your account with an email address first.
[Thu Sep 19 09:52:50 CST 2024] acme.sh --register-account -m my@example.com
[Thu Sep 19 09:52:50 CST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
[Thu Sep 19 09:52:50 CST 2024] Please add '--debug' or '--log' to see more information.
[Thu Sep 19 09:52:50 CST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
```
The acme.sh script is using ZeroSSL as its default certificate authority (CA) and requires you to register an account with an email address before continuing. To resolve this, register an account with an email address by running:
```sh
acme.sh --register-account -m your-email@example.com
```
Replace your-email@example.com with your own email address.
Output:
```
(base) [root@VM-4-5-centos ~]# acme.sh --register-account -m xxx@qq.com
[Thu Sep 19 09:55:37 CST 2024] No EAB credentials found for ZeroSSL, let's obtain them
[Thu Sep 19 09:55:38 CST 2024] Registering account: https://acme.zerossl.com/v2/DV90
[Thu Sep 19 09:55:41 CST 2024] Registered
[Thu Sep 19 09:55:41 CST 2024] ACCOUNT_THUMBPRINT='wFp3y1PHfKcEmoUgyezlvb4F_ykEBaOo1-lrVChd-qk'
```
Then continue with:
```sh
acme.sh --issue -d cctvcloud.cn --nginx
```
which returns:
```
(base) [root@VM-4-5-centos ~]# acme.sh --issue -d cctvcloud.cn --nginx
[Thu Sep 19 10:06:03 CST 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Thu Sep 19 10:06:03 CST 2024] Creating domain key
[Thu Sep 19 10:06:03 CST 2024] The domain key is here: /root/.acme.sh/cctvcloud.cn_ecc/cctvcloud.cn.key
[Thu Sep 19 10:06:03 CST 2024] Single domain='cctvcloud.cn'
[Thu Sep 19 10:06:07 CST 2024] Getting webroot for domain='cctvcloud.cn'
[Thu Sep 19 10:06:07 CST 2024] Verifying: cctvcloud.cn
[Thu Sep 19 10:06:07 CST 2024] Nginx mode for domain: cctvcloud.cn
[Thu Sep 19 10:06:07 CST 2024] Cannot find nginx config.
[Thu Sep 19 10:06:07 CST 2024] Please add '--debug' or '--log' to see more information.
[Thu Sep 19 10:06:07 CST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
```
The message says the nginx configuration file cannot be found. Since acme.sh cannot locate nginx, we point it at the site's web root directory instead (webroot mode, where the challenge file is served from the site's own document root):
```
(base) [root@VM-4-5-centos ~]# acme.sh --issue -d cctvcloud.cn --webroot /var/www/typecho
[Thu Sep 19 10:20:45 CST 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Thu Sep 19 10:20:45 CST 2024] Single domain='cctvcloud.cn'
[Thu Sep 19 10:20:49 CST 2024] Getting webroot for domain='cctvcloud.cn'
[Thu Sep 19 10:20:49 CST 2024] Verifying: cctvcloud.cn
[Thu Sep 19 10:20:50 CST 2024] Processing. The CA is processing your order, please wait. (1/30)
[Thu Sep 19 10:20:55 CST 2024] Success
[Thu Sep 19 10:20:55 CST 2024] Verification finished, beginning signing.
[Thu Sep 19 10:20:55 CST 2024] Let's finalize the order.
[Thu Sep 19 10:20:55 CST 2024] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/3dV2Srpyf2CunpCNYC7wMA/finalize'
[Thu Sep 19 10:20:57 CST 2024] Order status is 'processing', let's sleep and retry.
[Thu Sep 19 10:20:57 CST 2024] Sleeping for 15 seconds then retrying
[Thu Sep 19 10:21:13 CST 2024] Polling order status: https://acme.zerossl.com/v2/DV90/order/3dV2Srpyf2CunpCNYC7wMA
[Thu Sep 19 10:21:14 CST 2024] Downloading cert.
[Thu Sep 19 10:21:14 CST 2024] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/VuY8VcXb159DjfIlfvif4g'
[Thu Sep 19 10:21:16 CST 2024] Cert success.
-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----
[Thu Sep 19 10:21:16 CST 2024] Your cert is in: /root/.acme.sh/cctvcloud.cn_ecc/cctvcloud.cn.cer
[Thu Sep 19 10:21:16 CST 2024] Your cert key is in: /root/.acme.sh/cctvcloud.cn_ecc/cctvcloud.cn.key
[Thu Sep 19 10:21:16 CST 2024] The intermediate CA cert is in: /root/.acme.sh/cctvcloud.cn_ecc/ca.cer
[Thu Sep 19 10:21:16 CST 2024] And the full-chain cert is in: /root/.acme.sh/cctvcloud.cn_ecc/fullchain.cer
(base) [root@VM-4-5-centos ~]# client_loop: send disconnect: Broken pipe
```
The certificate was issued successfully.
3. Copy / install the certificate
Once the certificate has been issued, it needs to be copied to where it will actually be used.
Note that by default all generated certificates are kept under the installation directory ~/.acme.sh/. Do not use the files in that directory directly, for example do not point the nginx/apache configuration at them: those files are for acme.sh's internal use, and the directory layout may change.
The correct approach is the --install-cert command with explicit target paths; the certificate files are then copied to those locations, for example:
```sh
acme.sh --install-cert -d example.com \
--key-file /path/to/keyfile/in/nginx/key.pem \
--fullchain-file /path/to/fullchain/nginx/cert.pem \
--reloadcmd "service nginx force-reload"
```
Reloading the site shows the correct result: the certificate now has the new 3-month validity period. Next, a scheduled task takes care of the automation, which consists mainly of:
- requesting and downloading the certificate
- copying the certificate into the nginx directory
- restarting nginx
This is my script:
```bash
#!/bin/bash
# Trigger the acme.sh renewal task (it only renews certificates that are due)
/root/.acme.sh/acme.sh --cron --home "/root/.acme.sh"
# Copy the certificate and key into the nginx certificate directory
cp /root/.acme.sh/cctvcloud.cn_ecc/fullchain.cer /usr/nginx/certificates/cctvcloud.cn_bundle.crt
cp /root/.acme.sh/cctvcloud.cn_ecc/cctvcloud.cn.key /usr/nginx/certificates/cctvcloud.cn.key
# Reload the nginx configuration
service nginx force-reload
```
Set up the cron job:
```
0 0 * * * /path/to/renew_cert.sh > /dev/null 2>&1
```
It runs every day at midnight and discards all output.
That completes automatic, free issuance and deployment of HTTPS certificates for nginx.
Visiting the site via www, I noticed that I had forgotten to add the www host name when issuing the certificate; with and without www are two separate names, so I issued it again:
```sh
acme.sh --issue -d cctvcloud.cn -d www.cctvcloud.cn --nginx
```
Then run the install and reload again, and it is done:
```sh
acme.sh --install-cert -d example.com \
--key-file /path/to/keyfile/in/nginx/key.pem \
--fullchain-file /path/to/fullchain/nginx/cert.pem \
--reloadcmd "service nginx force-reload"
```
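The renewal script above copies files straight out of ~/.acme.sh, which the acme.sh wiki passage earlier advises against, and the www episode shows how easy it is to deploy a certificate that does not cover every name the site answers to. The following is an added example written for this post, not part of acme.sh and not the author's setup: a deployment step that refuses to replace the live files unless the new certificate lists every expected host name, matches its private key and is not about to expire, and that restores the previous files if the nginx configuration check fails. The source paths, the /usr/nginx/certificates target directory and the file names fullchain.pem and privkey.pem are assumptions; the check and reload commands are parameters so the functions can be exercised offline, and make_test_cert builds a constructed self-signed fixture so the checks can be tried without a CA.

```shell
#!/bin/sh
# Added example for this post (not acme.sh's code and not the author's script):
# deploy a renewed certificate into nginx only after checking that it covers
# every expected host name, matches the private key and is not about to expire.
# Assumed: source paths as printed by acme.sh above, target directory
# /usr/nginx/certificates from the post, nginx check/reload commands as parameters.
set -eu

MIN_DAYS=${MIN_DAYS:-7}   # refuse to deploy a cert that is valid for fewer days

# cert_covers_name CERT NAME: succeed if NAME is listed as a DNS SAN in CERT.
cert_covers_name() {
  sans=$(openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tr ',' '\n' | sed 's/^[[:space:]]*//')
  printf '%s\n' "$sans" | grep -qxF "DNS:$2"
}

# cert_matches_key CERT KEY: succeed if the public key in CERT equals KEY's.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS: succeed if CERT does not expire within DAYS.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# deploy_cert CERT KEY DEST CHECK_CMD RELOAD_CMD NAME...
# Copies CERT/KEY into DEST (key mode 0600), runs CHECK_CMD (e.g. "nginx -t")
# and then RELOAD_CMD. Any failed check returns 1 and keeps the previous files live.
deploy_cert() {
  cert=$1; key=$2; dest=$3; check_cmd=$4; reload_cmd=$5; shift 5
  for name in "$@"; do
    cert_covers_name "$cert" "$name" || { echo "cert does not cover $name" >&2; return 1; }
  done
  cert_matches_key "$cert" "$key" || { echo "key does not match cert" >&2; return 1; }
  cert_valid_for_days "$cert" "$MIN_DAYS" || { echo "cert expires within $MIN_DAYS days" >&2; return 1; }
  # Stage next to the live files, then swap with mv so nginx never reads a half-written file.
  install -m 0644 "$cert" "$dest/fullchain.pem.new"
  install -m 0600 "$key" "$dest/privkey.pem.new"
  for f in fullchain.pem privkey.pem; do
    if [ -f "$dest/$f" ]; then cp -p "$dest/$f" "$dest/$f.bak"; fi
    mv -f "$dest/$f.new" "$dest/$f"
  done
  if ! sh -c "$check_cmd"; then
    echo "config check failed, restoring previous files" >&2
    for f in fullchain.pem privkey.pem; do
      if [ -f "$dest/$f.bak" ]; then mv -f "$dest/$f.bak" "$dest/$f"; else rm -f "$dest/$f"; fi
    done
    return 1
  fi
  sh -c "$reload_cmd"
}

# make_test_cert DIR: constructed fixture, a self-signed ECC certificate for the
# two names from the post, so the checks above can be tried without a CA.
make_test_cert() {
  openssl req -x509 -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -keyout "$1/key.pem" -out "$1/cert.pem" -days 365 -subj "/CN=cctvcloud.cn" \
    -addext "subjectAltName=DNS:cctvcloud.cn,DNS:www.cctvcloud.cn" 2>/dev/null
}

# Production use from cron (assumed paths from the post): ./deploy_cert.sh --run
if [ "${1:-}" = "--run" ]; then
  /root/.acme.sh/acme.sh --cron --home /root/.acme.sh
  deploy_cert /root/.acme.sh/cctvcloud.cn_ecc/fullchain.cer \
    /root/.acme.sh/cctvcloud.cn_ecc/cctvcloud.cn.key \
    /usr/nginx/certificates "nginx -t" "service nginx force-reload" \
    cctvcloud.cn www.cctvcloud.cn
fi
```

Run it from cron with the --run argument in place of renew_cert.sh. To exercise the checks without touching nginx, create a temporary directory, call make_test_cert on it and then deploy_cert with true as both the check and the reload command. After a real deployment, `openssl s_client -connect cctvcloud.cn:443 -servername cctvcloud.cn </dev/null | openssl x509 -noout -dates` shows which certificate the server is actually serving.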
Of course, this is a fairly low-level way of automating issuance on top of acme.sh. Because applying for certificates is so tedious, some companies have packaged more integrated tools, for example Baidu's product Certbot.
### Install Certbot
Certbot supports many operating systems and web servers; the installation guide for your environment is on its official website. For example, on a server running Ubuntu and Nginx, Certbot can be installed with:
```sh
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
```
Obtain the certificate:
```sh
sudo certbot certonly --webroot -w /var/www/html
```
Configure nginx to use the new certificate, then set up scheduled renewal; the principle is the same as with acme.sh.