用ACME申请证书

在的各大网站基本上都部署了SSL证书来增加访问时的安全性和隐私性,恰逢自己搞了这样一个博客来消遣,所以也尝试使用一下SSL证书,毕竟人生在于折腾。。。但一个随便的小战,实在是不想往上面再投入资金来买SSL证书了,所以就用免费的凑合一下,Let'S Encrypt就是个挺不错的解决方案,所以就学习了一下。发现用acme.sh这个脚本的话申请和安装都比较方便,所以就在这里记录一下安装使用的过程,免得日后忘记,不知道该怎么做。官方说明在这里,以下的安装使用可能比较个人化一些,仅供参考。

安装

官方命令倒是挺简单易懂的,

1
curl  https://get.acme.sh | sh

就结束了,安装在了~/.acme.sh/之中。

更新一下shell的环境变量,以后直接可以使用acme.sh,稍微方便一些。

个人习惯,还是先用help命令看看具体的参数和用法:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
https://github.com/acmesh-official/acme.sh
v2.9.0
Usage: acme.sh <command> ... [parameters ...]
Commands:
  -h, --help               Show this help message.
  -v, --version            Show version info.
  --install                Install acme.sh to your system.
  --uninstall              Uninstall acme.sh, and uninstall the cron job.
  --upgrade                Upgrade acme.sh to the latest code from https://github.com/acmesh-official/acme.sh.
  --issue                  Issue a cert.
  --deploy                 Deploy the cert to your server.
  -i, --install-cert       Install the issued cert to apache/nginx or any other server.
  -r, --renew              Renew a cert.
  --renew-all              Renew all the certs.
  --revoke                 Revoke a cert.
  --remove                 Remove the cert from list of certs known to acme.sh.
  --list                   List all the certs.
  --to-pkcs12              Export the certificate and key to a pfx file.
  --to-pkcs8               Convert to pkcs8 format.
  --sign-csr               Issue a cert from an existing csr.
  --show-csr               Show the content of a csr.
  -ccr, --create-csr       Create CSR, professional use.
  --create-domain-key      Create an domain private key, professional use.
  --update-account         Update account info.
  --register-account       Register account key.
  --deactivate-account     Deactivate the account.
  --create-account-key     Create an account private key, professional use.
  --install-cronjob        Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
  --uninstall-cronjob      Uninstall the cron job. The 'uninstall' command can do this automatically.
  --cron                   Run cron job to renew all the certs.
  --set-notify             Set the cron notification hook, level or mode.
  --deactivate             Deactivate the domain authz, professional use.
  --set-default-ca         Used with '--server', Set the default CA to use.
                           See: https://github.com/acmesh-official/acme.sh/wiki/Server


Parameters:
  -d, --domain <domain.tld>         Specifies a domain, used to issue, renew or revoke etc.
  --challenge-alias <domain.tld>    The challenge domain alias for DNS alias mode.
                                    See: https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode

  --domain-alias <domain.tld>       The domain alias for DNS alias mode.
                                    See: https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode

  --preferred-chain <chain>         If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
                                    If no match, the default offered chain will be used. (default: empty)
                                    See: https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain

  -f, --force                       Force install, force cert renewal or override sudo restrictions.
  --staging, --test                 Use staging server, for testing.
  --debug [0|1|2|3]                 Output debug info. Defaults to 1 if argument is omitted.
  --output-insecure                 Output all the sensitive messages.
                                    By default all the credentials/sensitive messages are hidden from the output/debug/log for security.
  -w, --webroot <directory>         Specifies the web root folder for web root mode.
  --standalone                      Use standalone mode.
  --alpn                            Use standalone alpn mode.
  --stateless                       Use stateless mode.
                                    See: https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode

  --apache                          Use apache mode.
  --dns [dns_hook]                  Use dns manual mode or dns api. Defaults to manual mode when argument is omitted.
                                    See: https://github.com/acmesh-official/acme.sh/wiki/dnsapi

  --dnssleep <seconds>              The time in seconds to wait for all the txt records to propagate in dns api mode.
                                    It's not necessary to use this by default, acme.sh polls dns status by DOH automatically.
  -k, --keylength <bits>            Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384, ec-521.
  -ak, --accountkeylength <bits>    Specifies the account key length: 2048, 3072, 4096
  --log [file]                      Specifies the log file. Defaults to "/root/.acme.sh/acme.sh.log" if argument is omitted.
  --log-level <1|2>                 Specifies the log level, default is 1.
  --syslog <0|3|6|7>                Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug.
  --eab-kid <eab_key_id>            Key Identifier for External Account Binding.
  --eab-hmac-key <eab_hmac_key>     HMAC key for External Account Binding.


  These parameters are to install the cert to nginx/apache or any other server after issue/renew a cert:

  --cert-file <file>                Path to copy the cert file to after issue/renew..
  --key-file <file>                 Path to copy the key file to after issue/renew.
  --ca-file <file>                  Path to copy the intermediate cert file to after issue/renew.
  --fullchain-file <file>           Path to copy the fullchain cert file to after issue/renew.
  --reloadcmd <command>             Command to execute after issue/renew to reload the server.

  --server <server_uri>             ACME Directory Resource URI. (default: https://acme-v02.api.letsencrypt.org/directory)
                                    See: https://github.com/acmesh-official/acme.sh/wiki/Server

  --accountconf <file>              Specifies a customized account config file.
  --home <directory>                Specifies the home dir for acme.sh.
  --cert-home <directory>           Specifies the home dir to save all the certs, only valid for '--install' command.
  --config-home <directory>         Specifies the home dir to save all the configurations.
  --useragent <string>              Specifies the user agent string. it will be saved for future use too.
  -m, --email <email>               Specifies the account email, only valid for the '--install' and '--update-account' command.
  --accountkey <file>               Specifies the account key path, only valid for the '--install' command.
  --days <ndays>                    Specifies the days to renew the cert when using '--issue' command. The default value is 60 days.
  --httpport <port>                 Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
  --tlsport <port>                  Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
  --local-address <ip>              Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
  --listraw                         Only used for '--list' command, list the certs in raw format.
  -se, --stop-renew-on-error        Only valid for '--renew-all' command. Stop if one cert has error in renewal.
  --insecure                        Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
  --ca-bundle <file>                Specifies the path to the CA certificate bundle to verify api server's certificate.
  --ca-path <directory>             Specifies directory containing CA certificates in PEM format, used by wget or curl.
  --no-cron                         Only valid for '--install' command, which means: do not install the default cron job.
                                    In this case, the certs will not be renewed automatically.
  --no-profile                      Only valid for '--install' command, which means: do not install aliases to user profile.
  --no-color                        Do not output color text.
  --force-color                     Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails.
  --ecc                             Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--to-pkcs12' and '--create-csr'
  --csr <file>                      Specifies the input csr.
  --pre-hook <command>              Command to be run before obtaining any certificates.
  --post-hook <command>             Command to be run after attempting to obtain/renew certificates. Runs regardless of whether obtain/renew succeeded or failed.
  --renew-hook <command>            Command to be run after each successfully renewed certificate.
  --deploy-hook <hookname>          The hook file to deploy cert
  --ocsp, --ocsp-must-staple        Generate OCSP-Must-Staple extension.
  --always-force-new-domain-key     Generate new domain key on renewal. Otherwise, the domain key is not changed by default.
  --auto-upgrade [0|1]              Valid for '--upgrade' command, indicating whether to upgrade automatically in future. Defaults to 1 if argument is omitted.
  --listen-v4                       Force standalone/tls server to listen at ipv4.
  --listen-v6                       Force standalone/tls server to listen at ipv6.
  --openssl-bin <file>              Specifies a custom openssl bin location.
  --use-wget                        Force to use wget, if you have both curl and wget installed.
  --yes-I-know-dns-manual-mode-enough-go-ahead-please  Force use of dns manual mode.
                                    See:  https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode

  -b, --branch <branch>             Only valid for '--upgrade' command, specifies the branch name to upgrade to.
  --notify-level <0|1|2|3>          Set the notification level:  Default value is 2.
                                    0: disabled, no notification will be sent.
                                    1: send notifications only when there is an error.
                                    2: send notifications when a cert is successfully renewed, or there is an error.
                                    3: send notifications when a cert is skipped, renewed, or error.
  --notify-mode <0|1>               Set notification mode. Default value is 0.
                                    0: Bulk mode. Send all the domain's notifications in one message(mail).
                                    1: Cert mode. Send a message for every single cert.
  --notify-hook <hookname>          Set the notify hook
  --revoke-reason <0-10>            The reason for revocation, can be used in conjunction with the '--revoke' command.
                                    See: https://github.com/acmesh-official/acme.sh/wiki/revokecert

  --password <password>             Add a password to exported pfx file. Use with --to-pkcs12.

如此一来,怎么用大致心里就有点数了。

申请证书

我是比较喜欢用dns验证来申请的,所以这次也是用cloudflare来实际操作一下。(具体怎么在cloudflare里面添加域名和dns解析就不多说了,这个不是什么难事)

从Cloudflare获取令牌

因为用全局的API密钥(Global API Key)的话感觉似乎不安全,所以我们还是选择用区域 ID(Zone ID)、账户ID(帐户 ID)和自己新建的令牌(Token)。

1、点击已经添加好的域名,进入相应的管理界面,在右下角很容易发现区域ID和账户ID。

2、这两个比较好找,所以我们要注意的还是自己创建的令牌。

点击获取您的API令牌->API令牌->创建令牌,因为我们在申请证书的过程中只是要编辑一下DNS,所以点击编辑区域DNS对应的使用模板

然后如下图所示编辑,涂黑区域选择自己的域名就好。

编辑完后,点击继续以显示摘要->创建令牌,即可显示。

保存好令牌,准备下一步。

开始申请

因为要使用cloudflare的API,所以我们先声明一下刚才获得的三个环境变量,

1
2
3
export CF_Token="xxxxxxxxxxxxxxxxxxxxxxxx"
export CF_Account_ID="xxxxxxxxxxxxx"
export CF_Zone_ID="xxxxxxxxxxxxx"

将其中的值换成自己刚才得到的。

把以下的域名换成自己的,然后开始申请,

1
acme.sh --issue --dns dns_cf -d example.com -d *.example.com -k ec-256 --ecc

PS:时至今日,总的来说ECC证书更好一些,实在担心远古设备兼容性的话,就不要加-k ec-256--ecc这两个参数了。

另外acme.sh脚本默认的 Let’s Encrypt 存在着频率上限,尽量不要反复多次申请。

申请成功后,就可以在~/.acme.sh目录下找到与域名同名的文件夹,里面便是申请的证书。此外还可以通过acme.sh --list查看已经申请的证书情况。

安装

根据自己的情况来就好,

1
2
3
4
5
6
acme.sh --install-cert -d example.com --ecc \
--key-file       /path/to/your/dir/xxx.key  \
--fullchain-file /path/to/your/dir/fullchain.cer \
--cert-file      /path/to/your/dir/xxx.cer  \
--ca-file        /path/to/your/dir/ca.cer   \
--reloadcmd     "echo xxxxxx | sudo -S nginx -s reload"

我用的nginx的相关安装方式,具体情况要看web服务器,--reloadcmd也可根据自己情况调整。 如果申请时加了--ecc的话,安装时也要记的加上。

其它

其实acme.sh脚本也支持ZeroSSLBuyPass等证书的申请,详情可以参照官方给出的说明:

Change default CA to ZeroSSL

实际上也没什么难的😏。

ps:最近好像把默认CA换成了ZeroSSL,要先注册一下,不过换回来的方法也是一样的。

OVER

updatedupdated2023-04-072023-04-07