
acme自动申请更新ssl证书

文档

参考文档地址

安装

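# Download and run the installer. The address you pass becomes the ACME account
# e-mail (the CA sends expiry warnings there) -- the "[email protected]" shown on
# the original page was the site's mail obfuscation, the real syntax is email=...
# NOTE: this pipes a remote script straight into a root shell. If that is a concern,
# fetch it first and read it: curl -fsSL https://get.acme.sh -o get.acme.sh
# -f makes curl fail on an HTTP error instead of feeding an error page to sh.
curl -fsSL https://get.acme.sh | sh -s email=you@example.com
# Add the alias (check ~/.bashrc first -- the installer may already have added it).
vi /root/.bashrc
alias acme.sh='~/.acme.sh/acme.sh'
# :wq to save and quit, then reload the shell rc so the alias is active.
source /root/.bashrc
# Sanity check.
acme.sh -h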


更换默认服务商

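# Choose the CA to use for all later --issue calls (acme.sh's default CA is not
# Let's Encrypt, so this switch is needed if that is what you want).
acme.sh --set-default-ca --server letsencrypt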

添加授权

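# Export the API credentials for YOUR DNS provider (GoDaddy shown; each provider
# has its own variable names in acme.sh's dnsapi documentation).
# SECURITY: these secrets can rewrite the whole DNS zone (= domain takeover).
# They land in your shell history and acme.sh copies them into
# ~/.acme.sh/account.conf for future renewals -- keep that file root-only (0600)
# and prefer a token scoped to the single zone where the provider offers one.
export GD_Key="xxxxxxxxxxx"
export GD_Secret="xxxxxxxxxxx"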

**PS：请按自己实际使用的域名服务商选择对应的环境变量（GoDaddy 为 GD_Key/GD_Secret）。这些密钥拥有整个 DNS 区域的写权限，且会被 acme.sh 保存到 ~/.acme.sh/account.conf 中以供续期使用，务必妥善保管。**

添加记录并验证

# Issue one certificate covering both names via the GoDaddy DNS-01 hook;
# acme.sh adds the _acme-challenge TXT records, waits, then removes them.
acme.sh --issue --dns dns_gd --domain xxxxxx1.com --domain xxxxxx2.com


安装证书到指定目录


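# Copy key + full chain to the nginx directory. acme.sh repeats this copy (and the
# reloadcmd) after every automatic renewal; without a reloadcmd nginx keeps serving
# the OLD certificate from memory until someone restarts it by hand.
# Here nginx runs in a container with /root/nginx/ssl mounted, hence docker exec;
# on a bare-metal nginx use "systemctl reload nginx" instead.
acme.sh --install-cert -d xxxxxx1.com \
    --key-file       /root/nginx/ssl/xxxxxx.com.key \
    --fullchain-file /root/nginx/ssl/xxxxxx.com.pem \
    --reloadcmd      "docker exec <nginx-container> nginx -s reload"
# The private key must not be readable by anyone but root.
chmod 600 /root/nginx/ssl/xxxxxx.com.key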

配置证书

# 以 nginx 为例：下面两个 server 块分别处理 80 端口跳转和 443 端口 HTTPS

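server {
    listen       80;
    server_name  download.xxxxxx.com;

    # Plain-HTTP listener whose only job is to send everyone to HTTPS. The original
    # wrapped this in `if ($scheme = http)`, which is always true on a port-80-only
    # server, so every request was redirected and the root/gzip/cache/location
    # directives that followed were never reached -- they belong in the 443 block.
    # NOTE: $host echoes the request's Host header; if this server also acts as
    # default_server, use the literal hostname here to avoid reflecting arbitrary
    # hosts into the redirect.
    return 301 https://$host$request_uri;
}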

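server {
        # "ssl on;" was dropped: it is deprecated in favour of the ssl parameter on
        # listen, and recent nginx releases refuse to start with it.
        listen       443 ssl;
        server_name  download.xxxxxx.com;
        root         /usr/share/nginx/html/download;

        # nginx config comments use '#', not '//' (a '//' line is a syntax error).
        # These are container paths; the host directory is mounted with
        # -v /root/nginx/ssl:/etc/nginx/ssl -- adjust to your own layout.
        ssl_certificate     /etc/nginx/ssl/xxxxxx.com.pem;
        ssl_certificate_key /etc/nginx/ssl/xxxxxx.com.key;
        # Refuse legacy protocol versions; drop TLSv1.3 only if your nginx/OpenSSL
        # build is too old to know it.
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Compression and caching, moved here from the redirect-only port-80 block
        # where no request ever reached them.
        gzip              on;
        gzip_comp_level   6;
        gzip_min_length   1k;
        gzip_types        text/plain text/css text/xml text/javascript text/x-component application/json application/javascript application/x-javascript application/xml application/xhtml+xml application/rss+xml application/atom+xml application/x-font-ttf application/vnd.ms-fontobject image/svg+xml image/x-icon font/opentype;

        location / {
            # index.php was removed from the list: there is no PHP/fastcgi handler in
            # this config, so a .php file would be served as plain-text source.
            index  index.html index.htm;
        }

        location ~* \.(js|css|png|jpg|jpeg|gif|ico|bmp|swf|eot|svg|ttf|woff|woff2)$ {
            expires        30d;
            log_not_found  off;
        }
}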

最后重启（或 reload）nginx 即可。注意：证书自动续期后 nginx 不会自动加载新文件，建议在 --install-cert 时通过 --reloadcmd 指定重载命令，否则续期后仍需手动重启。

自动检查和更新

Let's Encrypt 证书有效期为 90 天，到期前需要续期。acme.sh 安装时已自动添加了每日检查的 cron 任务，会在到期前自动续期，无需手动重新申请（可用 crontab -l 查看）。


执行脚本

下面是一个一键执行脚本，按需自取。运行前请先填写脚本顶部的配置项，并使用 bash（而不是 sh）运行。

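#!/usr/bin/env bash
# @Author: TUTU
# @Description: Issue and auto-renew a wildcard certificate with acme.sh through the
#               DNS API of Aliyun (ali), GoDaddy (gd) or Cloudflare (cf), then install
#               the key/fullchain for nginx.
# @Use: sudo bash ./acme_auto.sh ali
# @Use: sudo bash ./acme_auto.sh gd
# @Use: sudo bash ./acme_auto.sh cf
#   Run it with bash, not sh: the script uses [[ ]], arrays and other bash-only syntax,
#   and "sudo sh" on Debian/Ubuntu would hand it to dash and fail.

# Abort on the first failing command, unset variable or failing pipeline stage,
# so a failed download or a failed --issue cannot be followed by --install-cert.
set -euo pipefail

########## 需填写配置 (required settings) ###########
# ACME account e-mail (the CA sends expiry warnings here).
send_mail=""
# Apex domain; the script requests <domain> and *.<domain>.
domain_name=""
# DNS API key / access-key id.
#   SECURITY: these credentials can rewrite the whole DNS zone (= domain takeover).
#   acme.sh persists them in ~/.acme.sh/account.conf for renewals, so keep that
#   file root-only (0600) and prefer a token scoped to one zone where the provider
#   offers it.
dns_key=""
# DNS API secret; for Cloudflare this is the account e-mail (CF_Email).
dns_secret=""
# Directory the key and fullchain are installed into (e.g. /root/nginx/ssl).
ssl_path=""
# Optional: command acme.sh runs after every successful renewal so the web server
# actually loads the new files, e.g. "docker exec nginx nginx -s reload" or
# "systemctl reload nginx". Empty keeps the original behaviour (no reload).
reload_cmd=""
########## 需填写配置 ###########

acme_bin="${HOME}/.acme.sh/acme.sh"
dns_type=""

# Print a message to stderr and exit non-zero (the original exited 0 on errors).
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Map the provider argument to the acme.sh DNS hook and export the credential
# variables that hook reads. Unknown providers abort instead of continuing with
# an empty hook, which is what the original did.
# Globals:   dns_key, dns_secret (read); dns_type (written); Ali_*/GD_*/CF_* (exported)
# Arguments: $1 - ali | gd | cf
#######################################
configure_provider() {
  case "$1" in
    ali)
      export Ali_Key="$dns_key" Ali_Secret="$dns_secret"
      dns_type="dns_ali"
      ;;
    gd)
      export GD_Key="$dns_key" GD_Secret="$dns_secret"
      dns_type="dns_gd"
      ;;
    cf)
      export CF_Key="$dns_key" CF_Email="$dns_secret"
      dns_type="dns_cf"
      ;;
    *)
      die "服务商错误! (expected ali | gd | cf, got '$1')"
      ;;
  esac
}

main() {
  local provider="${1:-}"
  local v
  for v in send_mail domain_name dns_key dns_secret ssl_path; do
    [[ -n "${!v}" ]] || die "请完善配置! (${v} is empty)"
  done
  [[ -n "$provider" ]] || die "缺少必要参数! usage: $0 ali|gd|cf"

  configure_provider "$provider"

  # Install acme.sh only once. NOTE: this fetches and executes a remote script as
  # root (curl | sh). -f makes curl fail on an HTTP error instead of feeding an
  # error page to sh, and pipefail turns that into an abort.
  if [[ ! -x "$acme_bin" ]]; then
    curl -fsSL https://get.acme.sh | sh -s "email=${send_mail}"
  fi
  # The installer adds the acme.sh alias to ~/.bashrc itself; we call the script
  # by path instead, because aliases are not expanded in non-interactive shells.

  "$acme_bin" --set-default-ca --server letsencrypt

  # Wildcard certificates are only possible with the DNS-01 challenge. "*.domain" is
  # quoted so the shell cannot glob-expand it against files in the working directory.
  local rc=0
  "$acme_bin" --issue --dns "$dns_type" -d "$domain_name" -d "*.${domain_name}" || rc=$?
  # acme.sh exits 2 when it skips because the existing certificate is not yet due
  # for renewal; that is a normal outcome on a re-run, anything else is a failure.
  if (( rc != 0 && rc != 2 )); then
    die "acme.sh --issue failed with status ${rc}"
  fi

  mkdir -p -- "$ssl_path"
  local -a install_args=(
    --install-cert -d "$domain_name"
    --key-file "${ssl_path}/${domain_name}.key"
    --fullchain-file "${ssl_path}/${domain_name}.pem"
  )
  if [[ -n "$reload_cmd" ]]; then
    install_args+=(--reloadcmd "$reload_cmd")
  fi
  "$acme_bin" "${install_args[@]}"
  # The private key must not be readable by anyone but root.
  chmod 600 -- "${ssl_path}/${domain_name}.key"

  # Let acme.sh keep itself up to date via its cron job.
  "$acme_bin" --upgrade --auto-upgrade

  # If an automatic renewal fails, force one by hand:
  #   ~/.acme.sh/acme.sh --renew -d xxx.com -d '*.xxx.com' --force

  echo "------------ 脚本定时任务 -----------"
  crontab -l || echo "(no crontab installed for $(id -un))"
  echo "------------ 脚本定时任务 -----------"

  echo "THE END ..."
}

main "$@"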