Alibaba Cloud's free SSL certificates are now valid for three months instead of one year, which makes them cumbersome to use.
This post records how to use acme.sh on CentOS 7.9 to request a free certificate and renew it automatically, so you never have to worry about an SSL certificate expiring again.
acme.sh is an open-source ACME client written in pure shell that can request and renew HTTPS certificates automatically. Compared with other tools, acme.sh is lighter: it is just a script, with nothing to compile or install, and it is non-intrusive, changing no web server configuration.
# Install acme.sh
[root@webf ~]# curl https://get.acme.sh | sh
[Wed Mar 20 09:30:32 CST 2024] Installing from online archive.
[Wed Mar 20 09:30:32 CST 2024] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Wed Mar 20 09:30:34 CST 2024] Extracting master.tar.gz
[Wed Mar 20 09:30:34 CST 2024] Installing to /root/.acme.sh
[Wed Mar 20 09:30:34 CST 2024] Installed to /root/.acme.sh/acme.sh
[Wed Mar 20 09:30:34 CST 2024] Installing alias to '/root/.bashrc'
[Wed Mar 20 09:30:34 CST 2024] OK, Close and reopen your terminal to start using acme.sh
[Wed Mar 20 09:30:34 CST 2024] Installing alias to '/root/.cshrc'
[Wed Mar 20 09:30:34 CST 2024] Installing alias to '/root/.tcshrc'
[Wed Mar 20 09:30:35 CST 2024] Installing cron job
58 7 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Wed Mar 20 09:30:35 CST 2024] Good, bash is found, so change the shebang to use bash as preferred.
[Wed Mar 20 09:30:36 CST 2024] OK
[Wed Mar 20 09:30:36 CST 2024] Install success!
# Manually request a wildcard certificate
[root@webf ~]# ~/.acme.sh/acme.sh --issue --force -d *.xxx.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Wed Mar 20 10:01:25 CST 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Wed Mar 20 10:01:25 CST 2024] Creating domain key
[Wed Mar 20 10:01:25 CST 2024] The domain key is here: /root/.acme.sh/*.xxx.com_ecc/*.xxx.com.key
[Wed Mar 20 10:01:25 CST 2024] Single domain='*.xxx.com'
[Wed Mar 20 10:01:29 CST 2024] Getting webroot for domain='*.xxx.com'
[Wed Mar 20 10:01:29 CST 2024] Add the following TXT record:
[Wed Mar 20 10:01:29 CST 2024] Domain: '_acme-challenge.xxx.com'
[Wed Mar 20 10:01:29 CST 2024] TXT value: 'TgxdGIWCS7GheIj14BnCDcJA1zI6HMpqMrxYePV9_Yk'
[Wed Mar 20 10:01:29 CST 2024] Please be aware that you prepend _acme-challenge. before your domain
[Wed Mar 20 10:01:29 CST 2024] so the resulting subdomain will be: _acme-challenge.xxx.com
[Wed Mar 20 10:01:29 CST 2024] Please add the TXT records to the domains, and re-run with --renew.
[Wed Mar 20 10:01:29 CST 2024] Please check log file for more details: /root/.acme.sh/acme.sh.log
In the DNS settings for xxx.com, add a TXT record named _acme-challenge.xxx.com with the value generated above: TgxdGIWCS7GheIj14BnCDcJA1zI6HMpqMrxYePV9_Yk
Full commands: https://www.laobingbiji.com/page/202403201143160000000010672815.html
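The manual DNS flow above has a gap between "add the TXT record" and "re-run with --renew": if the record has not propagated yet, the renew fails. The script below is an added example (not code from the post or from acme.sh) that extracts the challenge record from acme.sh's output, polls a public resolver until it is visible, and only then runs --renew; it assumes dig is installed (bind-utils on CentOS 7) and acme.sh lives in ~/.acme.sh as in the post, and the resolver 8.8.8.8 and 10 s poll interval are choices made here.

```shell
#!/bin/sh
# Added example wrapping the manual DNS-mode flow from the post (not acme.sh's own code).
# Note: acme.sh cannot renew a manual-DNS-mode certificate on its own (the installed cron
# job has no way to publish the new TXT record), so this script is what gets re-run
# before the 90-day certificate expires.
set -eu

# Print "name value" for every TXT record acme.sh asks for (reads acme.sh output on stdin).
extract_txt_records() {
    awk -F"'" '/Domain: /    { name = $2 }
               /TXT value: / { print name " " $2 }'
}

# Poll until the resolver returns the expected TXT value, or give up after $3 tries.
wait_for_txt() {
    name=$1; expected=$2; tries=${3:-60}; i=0
    while [ "$i" -lt "$tries" ]; do
        if dig +short TXT "$name" @8.8.8.8 | grep -Fx "\"$expected\"" >/dev/null; then
            return 0
        fi
        i=$((i + 1)); sleep 10
    done
    return 1
}

# Constructed sample of the lines acme.sh printed in the post, for checking the parser offline.
sample_acme_output() {
    cat <<'EOF'
[Wed Mar 20 10:01:29 CST 2024] Add the following TXT record:
[Wed Mar 20 10:01:29 CST 2024] Domain: '_acme-challenge.xxx.com'
[Wed Mar 20 10:01:29 CST 2024] TXT value: 'TgxdGIWCS7GheIj14BnCDcJA1zI6HMpqMrxYePV9_Yk'
EOF
}

# Issue in manual DNS mode, wait for the operator-added TXT record, then renew.
issue_wildcard() {
    domain=$1
    out=$("$HOME/.acme.sh/acme.sh" --issue --force -d "$domain" --dns \
          --yes-I-know-dns-manual-mode-enough-go-ahead-please 2>&1 || true)
    printf '%s\n' "$out" | extract_txt_records | while read -r name value; do
        echo "Add TXT record $name = $value in the DNS console; waiting for it to propagate..."
        wait_for_txt "$name" "$value" || { echo "TXT record $name never became visible" >&2; exit 1; }
    done
    "$HOME/.acme.sh/acme.sh" --renew -d "$domain" \
        --yes-I-know-dns-manual-mode-enough-go-ahead-please
}

# Usage: sh this-script.sh '*.xxx.com'
if [ "$#" -gt 0 ]; then issue_wildcard "$1"; fi
```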
With the steps above, the SSL certificate has been requested and a scheduled task set up to renew it automatically. For configuring the SSL certificate in Nginx, see:
Nginx configuration file nginx.conf (SSL certificate)