使用acme.sh生成letsencrypt的泛域名证书
- 原先的服务器都是使用的
certbot,没有使用泛域名证书,每次新增一个服务需要手动执行一次 - Challenge Types有多种模式,其中
DNS支持泛域名证书,早期列出的DNS域名服务商没有阿里云- HTTP-01 challenge
- DNS-01 challenge
- TLS-SNI-01
- TLS-ALPN-01
而acme.sh支持通过阿里云的API实现的
| DNS Hosting Provider | ACME Client Support | Cost |
|---|---|---|
| Akamai Edge DNS 443 | Certbot 339, lego 3.0k, Posh-ACME 3.0k , acme.sh 16.0k | Contract Specific |
| Aliyun (CN) 251 & Alibaba Cloud DNS (EN) 127 | acme.sh 16.0k, lego 3.0k, Posh-ACME 3.0k | Bundled with domain registration or Cloud DNS pricing 132 |
| Amazon Route53 | Certbot 1.8k, acme.sh 16.0k, others 2.3k | ~$0.50/mo per domain |
| Azure DNS | acme.sh 16.0k, lego 3.0k, Posh-ACME 3.0k | ~$0.50/mo per domain |
| Cloudflare | Certbot 3.4k, acme.sh 16.0k, others 2.3k | Free (except for Freenom domains) 3.1k Note: Cloudflare is also a Registrar. |
| ClouDNS | acme.sh 16.0k, lego 3.0k, Posh-ACME 3.0k, others 2.3k | >= $2.95/mo (with API-support) |
docker方式运行
--dns dns_ali表示域名服务商名称为ali
docker run --rm -it -v "$(pwd)/out":/acme.sh \
-e Ali_Key=your_access_key_id \
-e Ali_Secret=your_access_key_secret \
neilpang/acme.sh --issue --dns dns_ali --server letsencrypt \
-d *.eoekun.top --dnssleep 300
自定义的shell,如果已经生成或者未到续期时间,添加额外参数--force
只需要添加到crontab中定期执行renew即可: crontab -e crontab -l
0 3 * * * /root/script/acme_script.sh auto
#!/bin/bash
#!/bin/bash
# 配置参数
WORKDIR='/docker/acme.sh/out/'
INSTALL_DIR='/docker/nginx/etc/cert_file'
mkdir -p $WORKDIR && mkdir -p $INSTALL_DIR
# 证书文件路径
KEY_FILE="$INSTALL_DIR/privkey.pem"
FULLCHAIN_FILE="$INSTALL_DIR/fullchain.pem"
DNS_TYPE='ali'
ACCESS_KEY_ID='your_access_key_id'
ACCESS_KEY_SECRET='your_access_key_secret'
# 根域名
DOMAIN_NAME='eoekun.top'
# 泛域名
WILDCARD_DOMAIN="*.$DOMAIN_NAME"
# Reload 命令
RELOAD_CMD='echo "Do nothing in docker"'
# 函数定义
# 新增证书
issue_certificate() {
docker run --rm -it -v "$WORKDIR":/acme.sh \
-e Ali_Key="$ACCESS_KEY_ID" \
-e Ali_Secret="$ACCESS_KEY_SECRET" \
neilpang/acme.sh --issue --dns dns_"$DNS_TYPE" --server letsencrypt \
--dnssleep 60 -d "$DOMAIN_NAME" -d "$WILDCARD_DOMAIN" "$@"
}
# 续期证书
renew_certificate() {
docker run --rm -it -v "$WORKDIR":/acme.sh \
-e Ali_Key="$ACCESS_KEY_ID" \
-e Ali_Secret="$ACCESS_KEY_SECRET" \
neilpang/acme.sh --renew -d "$DOMAIN_NAME" -d "$WILDCARD_DOMAIN" "$@"
}
# 安装证书
install_certificate() {
# 泛域名证书
docker run --rm -it -v "$WORKDIR":/acme.sh -v "$INSTALL_DIR:$INSTALL_DIR" \
neilpang/acme.sh --install-cert -d "$DOMAIN_NAME" -d "$WILDCARD_DOMAIN" \
--key-file "$KEY_FILE" \
--fullchain-file "$FULLCHAIN_FILE" \
--reloadcmd "$RELOAD_CMD" "$@"
}
# 检查输入参数并执行相应功能
execute_command() {
local command="$1"
shift # 移除第一个参数,使得 $@ 包含额外参数
case "$command" in
# 续期、证书替换、重启服务
auto)
renew_certificate
if [ $? -ne 0 ]; then
echo "Skip install"
return 2
fi
install_certificate
# 重启 nginx 的 Docker 容器
echo "Restarting nginx..."
echo "======================================="
docker restart nginx
echo "Done."
;;
issue)
issue_certificate "$@"
;;
renew)
renew_certificate "$@"
;;
install)
install_certificate "$@"
# 重启 nginx 的 Docker 容器
echo "Restarting nginx..."
echo "======================================="
docker restart nginx
echo "Done."
;;
*)
echo "Usage: $0 {issue|renew|install} [additional acme.sh options]"
exit 1
;;
esac
}
# 执行命令
execute_command "$@"
其他常见DNS服务商
| 服务商 | 简称 | 环境变量 | access_key创建 |
|---|---|---|---|
| CloudXNS | cx | export CX_Key="your_access_key_id"export CX_Secret="your_access_key_secret" |
cloudxns.net/AccountManage/apimanage.html |
| 阿里云 | aliyun | export Ali_Key="your_access_key_id"export Ali_Secret="your_access_key_secret" |
ram.console.aliyun.com/manage/ak |
| Cloudflare | cloudflare | export CF_Key="your_access_key_id"export CF_Email="your_access_key_secret" |
dash.cloudflare.com/profile/api-tokens |
| AWS | aws | export AWS_ACCESS_KEY_ID=your_access_key_idexport AWS_SECRET_ACCESS_KEY=your_access_key_secret |
docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html |
shell方式运行
1. 安装acme.sh
首先,安装acme.sh说明。可以使用以下命令:
curl https://get.acme.sh | sh
2. 设置阿里云DNS API(以阿里云为例)
acme.sh支持多种DNS提供商。这里以阿里云为例:
export Ali_Key="your_access_key_id"
export Ali_Secret="your_access_key_secret"
3. 生成泛域名证书
使用以下命令生成泛域名证书:
acme.sh --issue --dns dns_ali -d example.com -d *.example.com
4. 安装证书
生成证书后,可以使用以下命令安装到指定目录:
acme.sh --install-cert -d example.com \
--key-file /path/to/keyfile/in/nginx/key.pem \
--fullchain-file /path/to/fullchain/nginx/cert.pem \
--reloadcmd "service nginx force-reload"
