Installing acme.sh on CentOS 6 for automatic issuance and renewal of certificates using AliDNS
1. Server environment
CentOS 6. acme.sh is essentially a shell script, so it runs on practically any Linux system (Ubuntu, Debian, ...).
OpenSSL 3.0; see the separate article "Upgrading OpenSSL 1.0 to 3.0 on CentOS 6".
2. Download and extract
wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
tar -zxvf master.tar.gz
cd acme.sh-master/
3. Installation
[root@01 acme.sh-master]# ./acme.sh --install -m youremail
[Mon Mar 25 08:18:06 CST 2024] It is recommended to install socat first.
[Mon Mar 25 08:18:06 CST 2024] We use socat for standalone server if you use standalone mode.
[Mon Mar 25 08:18:06 CST 2024] If you don't use standalone mode, just ignore this warning.
[Mon Mar 25 08:18:06 CST 2024] Installing to /root/.acme.sh
[Mon Mar 25 08:18:06 CST 2024] Installed to /root/.acme.sh/acme.sh
[Mon Mar 25 08:18:06 CST 2024] Installing alias to '/root/.bashrc'
[Mon Mar 25 08:18:06 CST 2024] OK, Close and reopen your terminal to start using acme.sh
[Mon Mar 25 08:18:06 CST 2024] Installing alias to '/root/.cshrc'
[Mon Mar 25 08:18:06 CST 2024] Installing alias to '/root/.tcshrc'
[Mon Mar 25 08:18:06 CST 2024] Installing cron job
[Mon Mar 25 08:18:06 CST 2024] Good, bash is found, so change the shebang to use bash as preferred.
[Mon Mar 25 08:18:08 CST 2024] OK
4. Configuration
vim ~/.bashrc
Create an Alibaba Cloud AccessKey:
https://ram.console.aliyun.com/manage/ak
Add the following two environment variables to ~/.bashrc:
export Ali_Key="your ali key"
export Ali_Secret="your ali secret"
Reload .bashrc:
source ~/.bashrc
For other DNS providers, see the dnsapi guide:
https://github.com/acmesh-official/acme.sh/wiki/dnsapi
5. Issue the certificate
# Wildcard certificate: ./acme.sh --issue --dns dns_ali -d domain.com -d '*.domain.com'
[root@01 ld.so.conf.d]# acme.sh --issue --dns dns_ali -d test.domain.com
[Mon Mar 25 09:27:02 CST 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Mon Mar 25 09:27:02 CST 2024] Single domain='test.domain.com'
[Mon Mar 25 09:27:06 CST 2024] Getting webroot for domain='test.domain.com'
[Mon Mar 25 09:27:07 CST 2024] Adding txt value: H0QIf_L5v2fu97D1ad-TDdVAuHU7Rrb8MfVE1HCkLaw for domain: _acme-challenge.test.domain.com
[Mon Mar 25 09:27:11 CST 2024] The txt record is added: Success.
[Mon Mar 25 09:27:11 CST 2024] Let's check each DNS record now. Sleep 20 seconds first.
[Mon Mar 25 09:27:32 CST 2024] You can use '--dnssleep' to disable public dns checks.
[Mon Mar 25 09:27:32 CST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Mon Mar 25 09:27:32 CST 2024] Checking test.domain.com for _acme-challenge.test.domain.com
[Mon Mar 25 09:27:33 CST 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Mon Mar 25 09:27:43 CST 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28
[Mon Mar 25 09:27:43 CST 2024] Domain test.domain.com '_acme-challenge.test.domain.com' success.
[Mon Mar 25 09:27:43 CST 2024] All success, let's return
[Mon Mar 25 09:27:43 CST 2024] Verifying: test.domain.com
[Mon Mar 25 09:27:46 CST 2024] Processing, The CA is processing your order, please just wait. (1/30)
[Mon Mar 25 09:27:50 CST 2024] Success
[Mon Mar 25 09:27:50 CST 2024] Removing DNS records.
[Mon Mar 25 09:27:50 CST 2024] Removing txt: H0QIf_L5v2fu97D1ad-TDdVAuHU7Rrb8MfVE1HCkLaw for domain: _acme-challenge.test.domain.com
[Mon Mar 25 09:27:54 CST 2024] Removed: Success
[Mon Mar 25 09:27:54 CST 2024] Verify finished, start to sign.
[Mon Mar 25 09:27:54 CST 2024] Lets finalize the order.
[Mon Mar 25 09:27:54 CST 2024] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/AMroP_uzrBnjMcEC42FJMg/finalize'
[Mon Mar 25 09:27:56 CST 2024] Order status is processing, lets sleep and retry.
[Mon Mar 25 09:27:56 CST 2024] Retry after: 15
[Mon Mar 25 09:28:12 CST 2024] Polling order status: https://acme.zerossl.com/v2/DV90/order/AMroP_uzrBnjMcEC42FJMg
[Mon Mar 25 09:28:14 CST 2024] Downloading cert.
[Mon Mar 25 09:28:14 CST 2024] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/-80WyCt9XAYq0tmzcohEMQ'
[Mon Mar 25 09:28:15 CST 2024] Cert success.
[Mon Mar 25 09:28:15 CST 2024] Your cert is in: /root/.acme.sh/test.domain.com_ecc/test.domain.com.cer
[Mon Mar 25 09:28:15 CST 2024] Your cert key is in: /root/.acme.sh/test.domain.com_ecc/test.domain.com.key
[Mon Mar 25 09:28:15 CST 2024] The intermediate CA cert is in: /root/.acme.sh/test.domain.com_ecc/ca.cer
[Mon Mar 25 09:28:15 CST 2024] And the full chain certs is there: /root/.acme.sh/test.domain.com_ecc/fullchain.cer
6. Deploy the certificate
Deployment example (nginx):
# For a wildcard certificate: acme.sh --install-cert -d domain.com -d '*.domain.com'
acme.sh --install-cert -d test.domain.com \
--key-file /etc/ssl/test.domain.com/key.pem \
--fullchain-file /etc/ssl/test.domain.com/fullchain.pem \
--reloadcmd "/usr/sbin/nginx -s reload"
Step by step, what this command does:
- --install-cert tells acme.sh to install the certificate.
- -d test.domain.com is the domain the certificate was issued for.
- --key-file is the path the private key is written to, i.e. where the SSL key file will live.
- --fullchain-file is the path the certificate chain file is written to, i.e. the file holding the full chain.
- --reloadcmd is the command used to reload the server, here nginx's reload command. After installing the certificate, acme.sh runs this command so that nginx picks up the new certificate.
Replace test.domain.com with your own domain, make sure the file paths are correct, and make sure you have the permissions needed to perform these operations.
reloadcmd is your nginx reload command; the path or command will differ between installations, for example:
service nginx reload
systemctl reload nginx
/usr/local/web/nginx -s reload
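After --install-cert and the reload, it is worth confirming that what landed in /etc/ssl/test.domain.com is usable. The following shell script is an added example, not part of acme.sh or of the commands above: it checks that key.pem really belongs to fullchain.pem, that the chain is not just the leaf, that the certificate is not about to expire (which would point at a broken renewal cron job), and that the key file is not readable by other users. It assumes the /etc/ssl/test.domain.com paths used in this article; other paths can be passed as arguments.

```bash
#!/bin/bash
# Added post-deployment check for files written by `acme.sh --install-cert`
# (example code, not part of acme.sh). Defaults are this article's paths.
# Usage: check_install [KEY_FILE] [FULLCHAIN_FILE] [MIN_DAYS]

# 0 when the public key in the leaf certificate equals the public key derived
# from the private key file (both compared as SubjectPublicKeyInfo PEM text).
key_matches_cert() {
  local kpub cpub
  kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Prints the number of PEM certificates in a file; a fullchain holds at least two.
chain_length() {
  local n
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null)
  echo "${n:-0}"
}

# 0 when the leaf certificate (first in the file) stays valid for $2 more days.
not_expiring_within() {
  openssl x509 -in "$1" -noout -checkend $(($2 * 86400)) >/dev/null 2>&1
}

# 0 when the key file has no group/other permission bits (0600, 0400, ...).
key_mode_is_private() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  case "$mode" in *00) return 0 ;; esac
  return 1
}

# Runs all four checks, prints one line each and returns non-zero on any failure.
check_install() {
  local key="${1:-/etc/ssl/test.domain.com/key.pem}"
  local chain="${2:-/etc/ssl/test.domain.com/fullchain.pem}"
  local min_days="${3:-14}" rc=0
  if key_matches_cert "$key" "$chain"; then echo "OK   private key matches certificate"
  else echo "FAIL private key does not match certificate"; rc=1; fi
  if [ "$(chain_length "$chain")" -ge 2 ]; then echo "OK   chain includes the intermediate CA"
  else echo "FAIL fullchain holds only the leaf certificate"; rc=1; fi
  if not_expiring_within "$chain" "$min_days"; then echo "OK   valid for at least $min_days days"
  else echo "FAIL expires within $min_days days (is the renewal cron job running?)"; rc=1; fi
  if key_mode_is_private "$key"; then echo "OK   key file is owner-only"
  else echo "FAIL key file is readable by group/others"; rc=1; fi
  return "$rc"
}
```

Run it as `check_install` (or with explicit paths) after every deployment, or from the renewal cron job itself, so a silently failed renewal is caught before the old certificate expires.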
Converting an acme.sh certificate to P12/JKS
From the paths in the log output above, the certificate and key files issued by acme.sh are located at:
- Certificate: /root/.acme.sh/test.domain.com_ecc/test.domain.com.cer
- Private key: /root/.acme.sh/test.domain.com_ecc/test.domain.com.key
- Intermediate CA certificate: /root/.acme.sh/test.domain.com_ecc/ca.cer
- Full chain: /root/.acme.sh/test.domain.com_ecc/fullchain.cer
Below is the complete script, passwords included, that converts these files to JKS format:
#!/bin/bash
set -e
# Certificate file paths (as written by acme.sh)
CERT_PATH="/root/.acme.sh/test.domain.com_ecc"
CERT_FILE="$CERT_PATH/test.domain.com.cer"
KEY_FILE="$CERT_PATH/test.domain.com.key"
CA_FILE="$CERT_PATH/ca.cer"
FULLCHAIN_FILE="$CERT_PATH/fullchain.cer"
# Output paths and file names
P12_FILE="/root/keystore.p12"
JKS_FILE="/root/keystore.jks"
ALIAS_NAME="test_domain_com"
# Passwords
EXPORT_PASSWORD="your_export_password"
JKS_PASSWORD="your_jks_password"
# Both keystores contain the private key: create them readable by the owner only
umask 077
# Convert PEM to PKCS12. fullchain.cer already contains the leaf certificate and
# the intermediate (ca.cer), so ca.cer is not passed again via -certfile; doing so
# would put a duplicate copy of the intermediate into the keystore.
openssl pkcs12 -export -in "$FULLCHAIN_FILE" -inkey "$KEY_FILE" -out "$P12_FILE" -name "$ALIAS_NAME" -passout "pass:$EXPORT_PASSWORD"
# Convert PKCS12 to JKS
keytool -importkeystore -destkeystore "$JKS_FILE" -srckeystore "$P12_FILE" -srcstoretype PKCS12 -alias "$ALIAS_NAME" -deststorepass "$JKS_PASSWORD" -srcstorepass "$EXPORT_PASSWORD"
Explanation:
- Path definitions:
  CERT_PATH: the directory holding all the certificate files.
  CERT_FILE: the certificate on its own.
  KEY_FILE: the private key.
  CA_FILE: the intermediate certificate.
  FULLCHAIN_FILE: the full-chain certificate (used to build the PKCS12 file).
  P12_FILE: path of the generated PKCS12 file.
  JKS_FILE: path of the generated JKS file.
  ALIAS_NAME: the certificate alias.
- Passwords:
  EXPORT_PASSWORD: protects the PKCS12 file.
  JKS_PASSWORD: protects the JKS file.
- Conversion steps:
  openssl pkcs12 -export: converts the PEM certificate and key into PKCS12 format, setting the export password.
  keytool -importkeystore: converts the PKCS12 file into JKS format, supplying the passwords of the source and destination keystores.
Running this script produces a password-protected keystore.jks at the given path, ready for use in a Java application. Keep these passwords safe to prevent unauthorized access.
7. Example nginx configuration
server {
    listen 3001 ssl;
    server_name test.domain.com;
    ssl_certificate /etc/ssl/test.domain.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/test.domain.com/key.pem;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
8. Automatic certificate renewal
After the certificate is deployed, acme.sh automatically adds a renewal cron job:
[root@01 ]# crontab -l
6 18 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
View the information of an installed certificate:
acme.sh --info -d test.domain.com
If you need to change reloadcmd, see https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E
Appendix
For more details, see the acme.sh project on GitHub:
https://github.com/acmesh-official/acme.sh