1. 程式人生 > >第一次使用acme.sh 手動生成證書(DNS手動模式)

第一次使用acme.sh 手動生成證書(DNS手動模式)

參考:https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert

這種方法官方是不推薦的,不能自動續期(即需要手動續簽)

acme.sh的DNS手動模式生成證書

應該需要一個有公網ip的機器,至少我是這樣,回頭我再考證一下。

2018年12月10日測試:可以在虛擬機器上使用,不需要公網IP

 

一、安裝

curl https://get.acme.sh | sh

二、確保伺服器的nginx和apache沒有執行,別佔用80埠(DNS手動模式不需要)

三、動手

命令就一行,出現了報錯,要求在dns解析里加入兩行txt解析

[email protected]:~/.acme.sh# acme.sh --issue -d bombstory.com -d *.bombstory.com --dns dns-01
[Wed Dec  5 11:58:54 UTC 2018] Multi domain='DNS:bombstory.com,DNS:*.bombstory.com'
[Wed Dec  5 11:58:54 UTC 2018] Getting domain auth token for each domain
[Wed Dec  5 11:58:56 UTC 2018] Getting webroot for domain='bombstory.com'
[Wed Dec  5 11:58:56 UTC 2018] Getting webroot for domain='*.bombstory.com'
[Wed Dec  5 11:58:57 UTC 2018] Can not find dns api hook for: dns-01
[Wed Dec  5 11:58:57 UTC 2018] You need to add the txt record manually.
[Wed Dec  5 11:58:57 UTC 2018] Add the following TXT record:
[Wed Dec  5 11:58:57 UTC 2018] Domain: '_acme-challenge.bombstory.com'
[Wed Dec  5 11:58:57 UTC 2018] TXT value: 'nuV36UCKAvU3KiWLFkAxNIQAVahmmnC5witMoOrk7MQ'
[Wed Dec  5 11:58:57 UTC 2018] Please be aware that you prepend _acme-challenge. before your domain
[Wed Dec  5 11:58:57 UTC 2018] so the resulting subdomain will be: _acme-challenge.bombstory.com
[Wed Dec  5 11:58:57 UTC 2018] Can not find dns api hook for: dns-01
[Wed Dec  5 11:58:57 UTC 2018] You need to add the txt record manually.
[Wed Dec  5 11:58:57 UTC 2018] Add the following TXT record:
[Wed Dec  5 11:58:57 UTC 2018] Domain: '_acme-challenge.bombstory.com'
[Wed Dec  5 11:58:57 UTC 2018] TXT value: 'HKXRN73W33CZnDCsUgXxCDDrgsn5xMagUPaMZl4yjkU'
[Wed Dec  5 11:58:57 UTC 2018] Please be aware that you prepend _acme-challenge. before your domain
[Wed Dec  5 11:58:57 UTC 2018] so the resulting subdomain will be: _acme-challenge.bombstory.com
[Wed Dec  5 11:58:57 UTC 2018] Please add the TXT records to the domains, and re-run with --renew.
[Wed Dec  5 11:58:57 UTC 2018] Please add '--debug' or '--log' to check more details.
[Wed Dec  5 11:58:57 UTC 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

四、解析DNS

如下圖:

五、稍等一會兒,再次執行命令,這次執行後面要加--renew引數

[email protected]:~/.acme.sh# acme.sh --issue -d bombstory.com -d *.bombstory.com --dns dns-01 --renew
[Wed Dec  5 12:02:09 UTC 2018] Renew: 'bombstory.com'
[Wed Dec  5 12:02:10 UTC 2018] Multi domain='DNS:bombstory.com,DNS:*.bombstory.com'
[Wed Dec  5 12:02:10 UTC 2018] Getting domain auth token for each domain
[Wed Dec  5 12:02:10 UTC 2018] Verifying:bombstory.com
[Wed Dec  5 12:02:14 UTC 2018] Success
[Wed Dec  5 12:02:14 UTC 2018] Verifying:*.bombstory.com
[Wed Dec  5 12:02:17 UTC 2018] Pending
[Wed Dec  5 12:02:20 UTC 2018] Success
[Wed Dec  5 12:02:20 UTC 2018] Verify finished, start to sign.
[Wed Dec  5 12:02:22 UTC 2018] Cert success.
-----BEGIN CERTIFICATE-----
......此處省略一大段無用輸出......
-----END CERTIFICATE-----
[Wed Dec  5 12:02:22 UTC 2018] Your cert is in  /root/.acme.sh/bombstory.com/bombstory.com.cer 
[Wed Dec  5 12:02:22 UTC 2018] Your cert key is in  /root/.acme.sh/bombstory.com/bombstory.com.key 
[Wed Dec  5 12:02:22 UTC 2018] The intermediate CA cert is in  /root/.acme.sh/bombstory.com/ca.cer 
[Wed Dec  5 12:02:22 UTC 2018] And the full chain certs is there:  /root/.acme.sh/bombstory.com/fullchain.cer 

六、其中,需要用到的檔案有兩個:

一個key:/root/.acme.sh/bombstory.com/bombstory.com.key

一個證書:/root/.acme.sh/bombstory.com/fullchain.cer

 


2018年12月10日更新

使用DNS手動模式生成的證書續簽:

一、兩條DNS解析記錄別刪

二、該證書是4天前做的,還有85天

[email protected]:~$ zabbix_get -s 127.0.0.1 -k https.remaining[bombstory.com]
85

三、手動續簽:

[email protected]:~/.acme.sh# acme.sh --renew -d bombstory.com --force
[Mon Dec 10 05:14:54 UTC 2018] Renew: 'bombstory.com'
[Mon Dec 10 05:14:55 UTC 2018] Multi domain='DNS:bombstory.com,DNS:*.bombstory.com'
[Mon Dec 10 05:14:55 UTC 2018] Getting domain auth token for each domain
[Mon Dec 10 05:14:57 UTC 2018] Getting webroot for domain='bombstory.com'
[Mon Dec 10 05:14:57 UTC 2018] Getting webroot for domain='*.bombstory.com'
[Mon Dec 10 05:14:57 UTC 2018] bombstory.com is already verified, skip dns-01.
[Mon Dec 10 05:14:57 UTC 2018] *.bombstory.com is already verified, skip dns-01.
[Mon Dec 10 05:14:57 UTC 2018] Verify finished, start to sign.
[Mon Dec 10 05:15:00 UTC 2018] Cert success.
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
[Mon Dec 10 05:15:00 UTC 2018] Your cert is in  /root/.acme.sh/bombstory.com/bombstory.com.cer 
[Mon Dec 10 05:15:00 UTC 2018] Your cert key is in  /root/.acme.sh/bombstory.com/bombstory.com.key 
[Mon Dec 10 05:15:00 UTC 2018] The intermediate CA cert is in  /root/.acme.sh/bombstory.com/ca.cer 
[Mon Dec 10 05:15:00 UTC 2018] And the full chain certs is there:  /root/.acme.sh/bombstory.com/fullchain.cer 
[email protected]:~/.acme.sh# sz /root/.acme.sh/bombstory.com/fullchain.cer

四、替換證書檔案,reload nginx

[email protected]:/etc/nginx/ssl# ls -l
total 12
-rw-r--r-- 1 root root 1675 Dec  5 19:51 bombstory.com.key
-rw-r--r-- 1 root root 3575 Dec 10 13:15 fullchain.cer
-rw-r--r-- 1 root root 3575 Dec  5 20:02 fullchain.cerbak
[email protected]:/etc/nginx/ssl# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[email protected]:/etc/nginx/ssl# nginx -s reload

五、再次檢視,成功

[email protected]:~$ zabbix_get -s 127.0.0.1 -k https.remaining[bombstory.com]
89