acme.sh: free wildcard certificate generation

Environment preparation

The ACME client used in this article runs as a Docker container, so a working Docker environment is required. This article uses CentOS 7.x with Docker CE 19.03.13, and Docker Compose is already installed.

I have written the Docker Compose file acme.sh needs, following the official GitHub documentation; the standard template is as follows:

version: "3"

services:
  acme.sh:
    image: neilpang/acme.sh:latest
    container_name: acme.sh
    command: daemon
    volumes:
      - "<directory where acme.sh writes the certificate files>:/acme.sh"
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - Ali_Key=<your Alibaba Cloud Access Key>
      - Ali_Secret=<your Alibaba Cloud Access Secret>
      - DEPLOY_DOCKER_CONTAINER_LABEL=__nginx__
      - DEPLOY_DOCKER_CONTAINER_RELOAD_CMD="nginx -s reload -c /etc/nginx/nginx.conf"
    restart: always
    networks:
      - internal-network

networks:
  internal-network:
    external: true

Parameter configuration

For the default ACME parameters we only need to supply the DNS provider's API access key; acme.sh then validates our domains automatically. I use Alibaba Cloud as the example here; the other supported DNS providers are listed in the GitHub documentation.

Besides the parameters set through environment variables, the directory where acme.sh writes the certificate files also has to be configured separately; this can be used for.

Usage

Pull the image

Run the following command to pull the acme.sh Docker image.

docker pull neilpang/acme.sh:latest

Run the container

docker-compose up -d

Generate the certificate

Since the Alibaba Cloud parameters are already set in the environment variables, you now only need to specify the domains to generate the corresponding certificate; domain validation and all the remaining steps are handled automatically by acme.sh.

Enter the acme.sh container and run the issue command.

acme.sh --issue --dns dns_ali -d example.com -d www.example.com

Once validation succeeds, the corresponding certificate files are generated in the acme.sh folder.

[Tue Mar 16 07:07:44 UTC 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue Mar 16 07:07:45 UTC 2021] Create account key ok.
[Tue Mar 16 07:07:45 UTC 2021] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Tue Mar 16 07:07:46 UTC 2021] Registered
[Tue Mar 16 07:07:46 UTC 2021] ACCOUNT_THUMBPRINT='<your account thumbprint>'
[Tue Mar 16 07:07:46 UTC 2021] Creating domain key
[Tue Mar 16 07:07:47 UTC 2021] The domain key is here: /acme.sh/example.com/example.com.key
[Tue Mar 16 07:07:47 UTC 2021] Multi domain='DNS:example.com,DNS:www.example.com'
[Tue Mar 16 07:07:47 UTC 2021] Getting domain auth token for each domain
[Tue Mar 16 07:07:49 UTC 2021] Getting webroot for domain='example.com'
[Tue Mar 16 07:07:49 UTC 2021] Getting webroot for domain='www.example.com'
[Tue Mar 16 07:07:49 UTC 2021] Adding txt value: eJ2UJrvi_lAMmY0D-BFrM4WNvDXkICUR0BSJ3EXyBtw for domain:  _acme-challenge.example.com
[Tue Mar 16 07:07:51 UTC 2021] The txt record is added: Success.
[Tue Mar 16 07:07:51 UTC 2021] Adding txt value: u_T1kks2iNU1E_1bAtE8zpz-e81uTISws8o_ZL8YE40 for domain:  _acme-challenge.www.example.com
[Tue Mar 16 07:07:53 UTC 2021] The txt record is added: Success.
[Tue Mar 16 07:07:53 UTC 2021] Let's check each DNS record now. Sleep 20 seconds first.
[Tue Mar 16 07:08:14 UTC 2021] You can use '--dnssleep' to disable public dns checks.
[Tue Mar 16 07:08:14 UTC 2021] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Tue Mar 16 07:08:14 UTC 2021] Checking example.com for _acme-challenge.example.com
[Tue Mar 16 07:08:16 UTC 2021] Domain example.com '_acme-challenge.example.com' success.
[Tue Mar 16 07:08:16 UTC 2021] Checking www.example.com for _acme-challenge.www.example.com
[Tue Mar 16 07:08:17 UTC 2021] Domain www.example.com '_acme-challenge.www.example.com' success.
[Tue Mar 16 07:08:17 UTC 2021] All success, let's return
[Tue Mar 16 07:08:17 UTC 2021] Verifying: example.com
[Tue Mar 16 07:08:21 UTC 2021] Success
[Tue Mar 16 07:08:21 UTC 2021] Verifying: www.example.com
[Tue Mar 16 07:08:25 UTC 2021] Success
[Tue Mar 16 07:08:25 UTC 2021] Removing DNS records.
[Tue Mar 16 07:08:25 UTC 2021] Removing txt: eJ2UJrvi_lAMmY0D-BFrM4WNvDXkICUR0BSJ3EXyBtw for domain: _acme-challenge.example.com
[Tue Mar 16 07:08:27 UTC 2021] Removed: Success
[Tue Mar 16 07:08:27 UTC 2021] Removing txt: u_T1kks2iNU1E_1bAtE8zpz-e81uTISws8o_ZL8YE40 for domain: _acme-challenge.www.example.com
[Tue Mar 16 07:08:30 UTC 2021] Removed: Success
[Tue Mar 16 07:08:30 UTC 2021] Verify finished, start to sign.
[Tue Mar 16 07:08:30 UTC 2021] Lets finalize the order.
[Tue Mar 16 07:08:30 UTC 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/123456'
[Tue Mar 16 07:08:31 UTC 2021] Downloading cert.
[Tue Mar 16 07:08:31 UTC 2021] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/123456123456'
[Tue Mar 16 07:08:32 UTC 2021] Cert success.
-----BEGIN CERTIFICATE-----
<your certificate data>
-----END CERTIFICATE-----
[Tue Mar 16 07:08:32 UTC 2021] Your cert is in  /acme.sh/example.com/example.com.cer
[Tue Mar 16 07:08:32 UTC 2021] Your cert key is in  /acme.sh/example.com/example.com.key
[Tue Mar 16 07:08:32 UTC 2021] The intermediate CA cert is in  /acme.sh/example.com/ca.cer
[Tue Mar 16 07:08:32 UTC 2021] And the full chain certs is there:  /acme.sh/example.com/fullchain.cer
