
Requesting Let's Encrypt certificates with acme.sh


How to request a free Let's Encrypt certificate with the acme.sh tool; the steps for requesting a wildcard certificate have been added.

Operating system version: CentOS 6.7_64

Installing acme.sh

Download the acme.sh source

[root@UCT-PRD ~]# git clone https://github.com/Neilpang/acme.sh.git
Initialized empty Git repository in /root/acme.sh/.git/
remote: Counting objects: 2697, done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 2697 (delta 2), reused 0 (delta 0), pack-reused 2689
Receiving objects: 100% (2697/2697), 835.64 KiB | 21 KiB/s, done.
Resolving deltas: 100% (1252/1252), done.
[root@UCT-PRD ~]#

Install acme.sh

[root@UCT-PRD ~]# cd acme.sh
[root@UCT-PRD acme.sh]# ls
acme.sh deploy dnsapi README.md
[root@UCT-PRD acme.sh]# ./acme.sh --install
[Mon Dec 12 14:01:44 CST 2016] It is recommended to install nc first, try to install 'nc' or 'netcat'.
[Mon Dec 12 14:01:44 CST 2016] We use nc for standalone server if you use standalone mode.
[Mon Dec 12 14:01:44 CST 2016] If you don't use standalone mode, just ignore this warning.
[Mon Dec 12 14:01:44 CST 2016] Installing to /root/.acme.sh
[Mon Dec 12 14:01:44 CST 2016] Installed to /root/.acme.sh/acme.sh
[Mon Dec 12 14:01:44 CST 2016] Installing alias to '/root/.bashrc'
[Mon Dec 12 14:01:44 CST 2016] OK, Close and reopen your terminal to start using acme.sh
[Mon Dec 12 14:01:44 CST 2016] Installing alias to '/root/.cshrc'
[Mon Dec 12 14:01:44 CST 2016] Installing alias to '/root/.tcshrc'
[Mon Dec 12 14:01:44 CST 2016] Installing cron job
[Mon Dec 12 14:01:44 CST 2016] Good, bash is found, so change the shebang to use bash as prefered.
[Mon Dec 12 14:01:44 CST 2016] OK
[root@UCT-PRD acme.sh]#

Using acme.sh

Requesting a certificate

Note: the /var/www/html directory must be writable (acme.sh places the HTTP validation files there)

[root@UCT-PRD acme.sh]# ./acme.sh --issue -d iamtim.wang -d www.iamtim.wang -w /var/www/html
[Mon Dec 12 14:03:31 CST 2016] Registering account
[Mon Dec 12 14:03:55 CST 2016] Registered
[Mon Dec 12 14:04:07 CST 2016] Update success.
[Mon Dec 12 14:04:07 CST 2016] Creating domain key
[Mon Dec 12 14:04:07 CST 2016] Multi domain='DNS:www.iamtim.wang'
[Mon Dec 12 14:04:07 CST 2016] Getting domain auth token for each domain
[Mon Dec 12 14:04:07 CST 2016] Getting webroot for domain='iamtim.wang'
[Mon Dec 12 14:04:07 CST 2016] _w='/var/www/html'
[Mon Dec 12 14:04:07 CST 2016] Getting new-authz for domain='iamtim.wang'
[Mon Dec 12 14:04:19 CST 2016] The new-authz request is ok.
[Mon Dec 12 14:04:19 CST 2016] Getting webroot for domain='www.iamtim.wang'
[Mon Dec 12 14:04:19 CST 2016] _w='/var/www/html'
[Mon Dec 12 14:04:19 CST 2016] Getting new-authz for domain='www.iamtim.wang'
[Mon Dec 12 14:04:31 CST 2016] The new-authz request is ok.
[Mon Dec 12 14:04:31 CST 2016] Verifying:iamtim.wang
[Mon Dec 12 14:04:57 CST 2016] Success
[Mon Dec 12 14:04:57 CST 2016] Verifying:www.iamtim.wang
[Mon Dec 12 14:05:21 CST 2016] Success
[Mon Dec 12 14:05:21 CST 2016] Verify finished, start to sign.
[Mon Dec 12 14:05:33 CST 2016] Cert success.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[Mon Dec 12 14:05:33 CST 2016] Your cert is in /root/.acme.sh/iamtim.wang/iamtim.wang.cer
[Mon Dec 12 14:05:33 CST 2016] Your cert key is in /root/.acme.sh/iamtim.wang/iamtim.wang.key
[Mon Dec 12 14:05:45 CST 2016] The intermediate CA cert is in /root/.acme.sh/iamtim.wang/ca.cer
[Mon Dec 12 14:05:45 CST 2016] And the full chain certs is there: /root/.acme.sh/iamtim.wang/fullchain.cer
[root@UCT-PRD acme.sh]#

Copy the certificate to the appropriate directory

Once the certificate has been issued, copy it to the appropriate directory (the location defined in ssl.conf):

[root@UCT-PRD acme.sh]# ./acme.sh --installcert -d iamtim.wang --certpath /etc/httpd/conf/iamtim.wang/cert.pem --keypath /etc/httpd/conf/iamtim.wang/key.pem --fullchainpath /etc/httpd/conf/iamtim.wang/fullchain.pem --reloadcmd "service httpd restart"
[Mon Dec 12 14:13:40 CST 2016] Installing cert to:/etc/httpd/conf/iamtim.wang/cert.pem
[Mon Dec 12 14:13:40 CST 2016] Installing key to:/etc/httpd/conf/iamtim.wang/key.pem
[Mon Dec 12 14:13:40 CST 2016] Installing full chain to:/etc/httpd/conf/iamtim.wang/fullchain.pem
[Mon Dec 12 14:13:40 CST 2016] Run Le_ReloadCmd: service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[Mon Dec 12 14:13:40 CST 2016] Reload success
[root@UCT-PRD acme.sh]#
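acme.sh records the --reloadcmd and runs it again after every automatic renewal, so a plain "service httpd restart" will take the site down if a renewal ever installs a certificate that does not match the key or has already expired. The script below is an added example, not part of the original post or of acme.sh: used as the --reloadcmd, it verifies the installed cert/key pair and the httpd configuration before a graceful reload; the script name reload-httpd.sh and the CERT_DIR variable are assumptions, the paths are the ones used in the post.

```sh
#!/bin/sh
# Safer --reloadcmd for the --installcert step (added example, hypothetical script name
# reload-httpd.sh). Usage: ./acme.sh --installcert ... --reloadcmd /root/reload-httpd.sh
set -u

CERT_DIR="${CERT_DIR:-/etc/httpd/conf/iamtim.wang}"   # same directory as in the post

# Return 0 when the public key embedded in the certificate equals the public key
# derived from the private key, i.e. cert.pem and key.pem really belong together.
cert_matches_key() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate stays valid for at least the given number of days
# (openssl -checkend exits non-zero if the cert expires within that window).
cert_valid_for_days() {
  days="$1"; cert="$2"
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

reload_httpd() {
  cert_matches_key "$CERT_DIR/cert.pem" "$CERT_DIR/key.pem" || {
    echo "cert.pem and key.pem do not match; httpd NOT reloaded" >&2; return 1; }
  cert_valid_for_days 1 "$CERT_DIR/cert.pem" || {
    echo "cert.pem is expired or expires within a day; httpd NOT reloaded" >&2; return 1; }
  # Syntax-check the configuration first, then reload gracefully instead of restarting,
  # so existing connections are not dropped and a bad config never stops the server.
  apachectl -t && service httpd graceful
}

# Only act when executed as the script itself (not when sourced for testing).
case "${0##*/}" in
  reload-httpd.sh) reload_httpd ;;
esac
```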

Requesting a wildcard certificate

Obtain the API key and secret from the Alibaba Cloud console

[root@UCT-PRD acme.sh]# export Ali_Key="ghjkghjkghjkghjkghjkghjkghjk"
[root@UCT-PRD acme.sh]# export Ali_Secret="asdfasdfasdfasdfasdfasdfasdf"

Request the certificate

[root@UCT-PRD acme.sh]# ./acme.sh --issue --dns dns_ali -d iamtim.wang -d *.iamtim.wang

Finally, copy the certificate to the appropriate path; see the steps above.

References