IT Infrastructure: Requesting a Free Wildcard Certificate with acme.sh

Preface

I previously wrote a post on deploying an SSL certificate on a cloud server, "IT Infrastructure: Deploying a Free SSL Certificate for nginx on CentOS 7". When certbot is used there, it automatically detects the application configuration, finds the directory the application is served from, and proves domain ownership by placing a file in it. But if I deploy an application at home without port 80 available, that validation cannot be completed. Today, through a plugin in my router, I happened to learn about acme.sh, which can complete domain ownership validation by adding DNS records through the DNS provider's API.

Keywords

  • Let's Encrypt
  • HTTPS
  • No port 80
  • DNS validation

Environment

  • CentOS 7 x64
  • Home broadband, on a private network behind NAT

Procedure

The following uses Alibaba Cloud DNS as the example:

1. Go to the Alibaba Cloud console and find your Access Key and Access Secret.

2. Download acme.sh

curl https://get.acme.sh | sh
alias acme.sh=~/.acme.sh/acme.sh

Next, set the variables below, replacing the quoted contents with your own Key and Secret:

export Ali_Key="11111111"
export Ali_Secret="2222222222222222222222222222"

Request the wildcard certificate

acme.sh --issue --dns dns_ali -d *.blackice.me -d blackice.me 

Wait for the program to finish

[Tue Feb 19 22:50:12 CST 2019] Multi domain='DNS:*.blackice.me,DNS:blackice.me'
[Tue Feb 19 22:50:12 CST 2019] Getting domain auth token for each domain
[Tue Feb 19 22:50:21 CST 2019] Getting webroot for domain='*.blackice.me'
[Tue Feb 19 22:50:21 CST 2019] Getting webroot for domain='blackice.me'
[Tue Feb 19 22:50:21 CST 2019] Found domain api file: /root/.acme.sh/dnsapi/dns_ali.sh
[Tue Feb 19 22:50:23 CST 2019] Found domain api file: /root/.acme.sh/dnsapi/dns_ali.sh
[Tue Feb 19 22:50:25 CST 2019] Let's check each dns records now. Sleep 20 seconds first.
[Tue Feb 19 22:50:46 CST 2019] Checking blackice.me for _acme-challenge.blackice.me
[Tue Feb 19 22:50:49 CST 2019] Domain blackice.me '_acme-challenge.blackice.me' success.
[Tue Feb 19 22:50:49 CST 2019] Checking blackice.me for _acme-challenge.blackice.me
[Tue Feb 19 22:50:51 CST 2019] Domain blackice.me '_acme-challenge.blackice.me' success.
[Tue Feb 19 22:50:51 CST 2019] All success, let's return
[Tue Feb 19 22:50:51 CST 2019] Verifying: *.blackice.me
[Tue Feb 19 22:50:55 CST 2019] Success
[Tue Feb 19 22:50:55 CST 2019] Verifying: blackice.me
[Tue Feb 19 22:50:58 CST 2019] Success
[Tue Feb 19 22:50:58 CST 2019] Removing DNS records.
[Tue Feb 19 22:51:05 CST 2019] Verify finished, start to sign.
[Tue Feb 19 22:53:35 CST 2019] Cert success.
-----BEGIN CERTIFICATE-----
#the certificate text is printed here#
-----END CERTIFICATE-----
[Tue Feb 19 22:53:35 CST 2019] Your cert is in  /root/.acme.sh/*.blackice.me/*.blackice.me.cer 
[Tue Feb 19 22:53:35 CST 2019] Your cert key is in  /root/.acme.sh/*.blackice.me/*.blackice.me.key 
[Tue Feb 19 22:53:35 CST 2019] The intermediate CA cert is in  /root/.acme.sh/*.blackice.me/ca.cer 
[Tue Feb 19 22:53:35 CST 2019] And the full chain certs is there:  /root/.acme.sh/*.blackice.me/fullchain.cer 

Addendum:

If the DNS records cannot be created automatically, you can create them manually:

1. Run the command to generate the record values

acme.sh --issue -d *.xxx.com -d xxx.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

In the example below, the "TXT value" part is the record value. One TXT record must be added for each domain requested, so two domains here means two record values.

[root@GitServer home]# acme.sh --issue -d *.xxx.com -d xxx.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Mon May 27 06:01:46 CST 2019] Multi domain='DNS:*.xxx.com,xxx.com'
[Mon May 27 06:01:46 CST 2019] Getting domain auth token for each domain
[Mon May 27 06:01:54 CST 2019] Getting webroot for domain='*.xxx.com'
[Mon May 27 06:01:54 CST 2019] Getting webroot for domain='xxx.com'
[Mon May 27 06:01:54 CST 2019] Add the following TXT record:
[Mon May 27 06:01:54 CST 2019] Domain: '_acme-challenge.xxx.com'
[Mon May 27 06:01:54 CST 2019] TXT value: '4BMosUI7G-3TgWLLwrIbh4ykOA8oe9m77bXl_CiRevo'
[Mon May 27 06:01:54 CST 2019] Please be aware that you prepend _acme-challenge. before your domain
[Mon May 27 06:01:54 CST 2019] so the resulting subdomain will be: _acme-challenge.xxx.com
[Mon May 27 06:01:55 CST 2019] Add the following TXT record:
[Mon May 27 06:01:55 CST 2019] Domain: '_acme-challenge.xxx.com'
[Mon May 27 06:01:55 CST 2019] TXT value: 'YZjDJKNgRCYnO8wl7gkGjUk8o-iosMWrVRFCmW2gtNI'
[Mon May 27 06:01:55 CST 2019] Please be aware that you prepend _acme-challenge. before your domain
[Mon May 27 06:01:55 CST 2019] so the resulting subdomain will be: _acme-challenge.xxx.com
[Mon May 27 06:01:55 CST 2019] Please add the TXT records to the domains, and re-run with --renew.
[Mon May 27 06:01:55 CST 2019] Please check log file for more details: /root/.acme.sh/acme.sh.log

2. Create the TXT records in the DNS console

3. Rerun the command to obtain the certificate

acme.sh --renew -d *.xxx.com -d xxx.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

Once validation passes, the certificate is issued

[root@GitServer home]# acme.sh --renew -d *.xxx.com -d xxx.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Mon May 27 06:08:58 CST 2019] Renew: '*.xxx.com'
[Mon May 27 06:08:59 CST 2019] Multi domain='DNS:*.xxx.com,DNS:xxx.com'
[Mon May 27 06:08:59 CST 2019] Getting domain auth token for each domain
[Mon May 27 06:08:59 CST 2019] *.xxx.com is already verified, skip dns-01.
[Mon May 27 06:08:59 CST 2019] Verifying: xxx.com
[Mon May 27 06:09:06 CST 2019] Success
[Mon May 27 06:09:06 CST 2019] Verify finished, start to sign.
[Mon May 27 06:09:06 CST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/23423234432/234234
[Mon May 27 06:09:11 CST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/2342341234214
[Mon May 27 06:09:15 CST 2019] Cert success.
-----BEGIN CERTIFICATE-----
...certificate contents
-----END CERTIFICATE-----
[Mon May 27 06:09:15 CST 2019] Your cert is in  /root/.acme.sh/*.xxx.com/*.xxx.com.cer 
[Mon May 27 06:09:15 CST 2019] Your cert key is in  /root/.acme.sh/*.xxx.com/*.xxx.com.key 
[Mon May 27 06:09:15 CST 2019] The intermediate CA cert is in  /root/.acme.sh/*.xxx.com/ca.cer 
[Mon May 27 06:09:15 CST 2019] And the full chain certs is there:  /root/.acme.sh/*.xxx.com/fullchain.cer 
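The TXT values shown in the logs above are not the raw challenge tokens: under the RFC 8555 dns-01 challenge each value is base64url(SHA-256(token "." account-key-thumbprint)), so the record also binds your ACME account key, and both *.xxx.com and xxx.com publish under the same name _acme-challenge.xxx.com, which is why two records with different values must exist before rerunning with --renew. The Python below is an added example, not acme.sh code; the account key, the tokens and the "published" record set are constructed placeholders, and missing_txt_records is a hypothetical helper for comparing the expected values with what a resolver actually returns.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT record contents: base64url(SHA-256(token + '.' + thumbprint))."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def challenge_record_name(identifier: str) -> str:
    """'*.xxx.com' and 'xxx.com' both validate at _acme-challenge.xxx.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def missing_txt_records(expected: dict, published: dict) -> dict:
    """Return {name: [values not yet visible in DNS]}; empty means --renew can proceed."""
    missing = {}
    for name, values in expected.items():
        absent = [v for v in values if v not in published.get(name, [])]
        if absent:
            missing[name] = absent
    return missing


if __name__ == "__main__":
    # Constructed sample: a fake EC account key and two fake challenge tokens.
    jwk = {"kty": "EC", "crv": "P-256", "x": "sample-x", "y": "sample-y"}
    thumbprint = jwk_thumbprint(jwk)
    expected = {}
    for identifier, token in (("*.xxx.com", "tokenA"), ("xxx.com", "tokenB")):
        name = challenge_record_name(identifier)
        expected.setdefault(name, []).append(dns01_txt_value(token, thumbprint))
    # Simulated resolver answer: only the first record has propagated so far.
    published = {"_acme-challenge.xxx.com": expected["_acme-challenge.xxx.com"][:1]}
    print(expected)
    print("still missing:", missing_txt_records(expected, published))
```

In practice, feed missing_txt_records the strings returned by a public resolver (for example the output of dig TXT on the challenge name) and only run --renew once it returns an empty dict, since the CA validates against the publicly visible records.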

Addendum: IIS and Azure require the certificate in PFX format. Run the following command on Linux and enter the password twice to combine the crt and key into a single pfx file.

openssl pkcs12 -export -out xxx.com.pfx -inkey xxx.com.key -in xxx.com.crt 