If your server is located in mainland China, access to GitHub may fail, so the installation may fail.
Installation steps:
As described in How-to-install#3-or-git-clone-and-install:
# git clone https://gitee.com/neilpang/acme.sh.git
# cd acme.sh
# ./acme.sh --install -m my@example.com
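Update, June 17, 2021:
Starting with acme.sh v3.0.0, acme.sh uses ZeroSSL as the default CA; you must register an account (once) before you can issue new certificates.
The steps are as follows:
1. After installing the acme.sh script, first run the command below (replace the email address with your own):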
~/.acme.sh/acme.sh --register-account -m xxxx@xxxx.com
2. The other commands are unchanged for now.
# ./acme.sh --install -m 123456789@qq.com
[Sat Sep 30 10:29:38 CST 2023] It is recommended to install socat first.
[Sat Sep 30 10:29:38 CST 2023] We use socat for standalone server if you use standalone mode.
[Sat Sep 30 10:29:38 CST 2023] If you don't use standalone mode, just ignore this warning.
[Sat Sep 30 10:29:38 CST 2023] Installing to /root/.acme.sh
[Sat Sep 30 10:29:38 CST 2023] Installed to /root/.acme.sh/acme.sh
[Sat Sep 30 10:29:38 CST 2023] Installing alias to '/root/.bashrc'
[Sat Sep 30 10:29:38 CST 2023] OK, Close and reopen your terminal to start using acme.sh
[Sat Sep 30 10:29:38 CST 2023] Installing alias to '/root/.cshrc'
[Sat Sep 30 10:29:38 CST 2023] Installing alias to '/root/.tcshrc'
[Sat Sep 30 10:29:38 CST 2023] Installing cron job
[Sat Sep 30 10:29:38 CST 2023] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Sep 30 10:29:39 CST 2023] OK
# ~/.acme.sh/acme.sh --issue -d www.example.om --standalone
[Sat Sep 30 10:31:12 CST 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Sat Sep 30 10:31:12 CST 2023] Please install socat tools first.
[Sat Sep 30 10:31:12 CST 2023] _on_before_issue.
# yum -y install socat
Installed:
socat.x86_64 0:1.7.3.2-2.el7
# ~/.acme.sh/acme.sh --issue -d www.example.om --standalone --debug
[Sat Sep 30 10:33:38 CST 2023] Lets find script dir.
[Sat Sep 30 10:33:38 CST 2023] _SCRIPT_='/root/.acme.sh/acme.sh'
[Sat Sep 30 10:33:38 CST 2023] _script='/root/.acme.sh/acme.sh'
[Sat Sep 30 10:33:38 CST 2023] _script_home='/root/.acme.sh'
[Sat Sep 30 10:33:38 CST 2023] Using default home:/root/.acme.sh
[Sat Sep 30 10:33:38 CST 2023] Using config home:/root/.acme.sh
https://github.com/acmesh-official/acme.sh
v3.0.5
[Sat Sep 30 10:33:38 CST 2023] Running cmd: issue
[Sat Sep 30 10:33:38 CST 2023] _main_domain='www.example.om'
[Sat Sep 30 10:33:38 CST 2023] _alt_domains='no'
[Sat Sep 30 10:33:38 CST 2023] Using config home:/root/.acme.sh
[Sat Sep 30 10:33:38 CST 2023] default_acme_server
[Sat Sep 30 10:33:38 CST 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Sat Sep 30 10:33:38 CST 2023] DOMAIN_PATH='/root/.acme.sh/www.example.om'
[Sat Sep 30 10:33:38 CST 2023] Le_NextRenewTime
[Sat Sep 30 10:33:38 CST 2023] Using ACME_DIRECTORY: https://acme.zerossl.com/v2/DV90
[Sat Sep 30 10:33:38 CST 2023] _init api for server: https://acme.zerossl.com/v2/DV90
[Sat Sep 30 10:33:38 CST 2023] GET
[Sat Sep 30 10:33:38 CST 2023] url='https://acme.zerossl.com/v2/DV90'
[Sat Sep 30 10:33:38 CST 2023] timeout=
[Sat Sep 30 10:33:38 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Sat Sep 30 10:33:41 CST 2023] ret='0'
[Sat Sep 30 10:33:41 CST 2023] ACME_KEY_CHANGE='https://acme.zerossl.com/v2/DV90/keyChange'
[Sat Sep 30 10:33:41 CST 2023] ACME_NEW_AUTHZ
[Sat Sep 30 10:33:41 CST 2023] ACME_NEW_ORDER='https://acme.zerossl.com/v2/DV90/newOrder'
[Sat Sep 30 10:33:41 CST 2023] ACME_NEW_ACCOUNT='https://acme.zerossl.com/v2/DV90/newAccount'
[Sat Sep 30 10:33:41 CST 2023] ACME_REVOKE_CERT='https://acme.zerossl.com/v2/DV90/revokeCert'
[Sat Sep 30 10:33:41 CST 2023] ACME_AGREEMENT='https://secure.trust-provider.com/repository/docs/Legacy/20230516_Certificate_Subscriber_Agreement_v_2_6_click.pdf'
[Sat Sep 30 10:33:41 CST 2023] ACME_NEW_NONCE='https://acme.zerossl.com/v2/DV90/newNonce'
[Sat Sep 30 10:33:41 CST 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Sat Sep 30 10:33:41 CST 2023] _on_before_issue
[Sat Sep 30 10:33:41 CST 2023] _chk_main_domain='www.example.om'
[Sat Sep 30 10:33:41 CST 2023] _chk_alt_domains
[Sat Sep 30 10:33:41 CST 2023] Le_LocalAddress
[Sat Sep 30 10:33:41 CST 2023] d='www.example.om'
[Sat Sep 30 10:33:41 CST 2023] Check for domain='www.example.om'
[Sat Sep 30 10:33:41 CST 2023] _currentRoot='no'
[Sat Sep 30 10:33:41 CST 2023] Standalone mode.
[Sat Sep 30 10:33:41 CST 2023] _checkport='80'
[Sat Sep 30 10:33:41 CST 2023] _checkaddr
[Sat Sep 30 10:33:41 CST 2023] Using: ss
[Sat Sep 30 10:33:41 CST 2023] d
[Sat Sep 30 10:33:41 CST 2023] _saved_account_key_hash is not changed, skip register account.
[Sat Sep 30 10:33:41 CST 2023] Read key length:2048
[Sat Sep 30 10:33:41 CST 2023] _createcsr
[Sat Sep 30 10:33:41 CST 2023] Single domain='www.example.om'
[Sat Sep 30 10:33:41 CST 2023] Getting domain auth token for each domain
[Sat Sep 30 10:33:41 CST 2023] d
[Sat Sep 30 10:33:41 CST 2023] url='https://acme.zerossl.com/v2/DV90/newOrder'
[Sat Sep 30 10:33:41 CST 2023] payload='{"identifiers": [{"type":"dns","value":"www.example.om"}]}'
[Sat Sep 30 10:33:41 CST 2023] RSA key
[Sat Sep 30 10:33:41 CST 2023] HEAD
[Sat Sep 30 10:33:41 CST 2023] _post_url='https://acme.zerossl.com/v2/DV90/newNonce'
[Sat Sep 30 10:33:41 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g -I '
[Sat Sep 30 10:33:43 CST 2023] _ret='0'
[Sat Sep 30 10:33:43 CST 2023] POST
[Sat Sep 30 10:33:43 CST 2023] _post_url='https://acme.zerossl.com/v2/DV90/newOrder'
[Sat Sep 30 10:33:43 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Sat Sep 30 10:33:46 CST 2023] _ret='0'
[Sat Sep 30 10:33:46 CST 2023] code='201'
[Sat Sep 30 10:33:46 CST 2023] Le_LinkOrder='https://acme.zerossl.com/v2/DV90/order/53dmLu4gXx9MslqI7IoHDQ'
[Sat Sep 30 10:33:46 CST 2023] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/53dmLu4gXx9MslqI7IoHDQ/finalize'
[Sat Sep 30 10:33:46 CST 2023] url='https://acme.zerossl.com/v2/DV90/authz/3Q2O0GHlA1Mf0Wc-Yj4kjQ'
[Sat Sep 30 10:33:46 CST 2023] payload
[Sat Sep 30 10:33:46 CST 2023] POST
[Sat Sep 30 10:33:46 CST 2023] _post_url='https://acme.zerossl.com/v2/DV90/authz/3Q2O0GHlA1Mf0Wc-Yj4kjQ'
[Sat Sep 30 10:33:46 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Sat Sep 30 10:33:48 CST 2023] _ret='0'
[Sat Sep 30 10:33:48 CST 2023] code='200'
[Sat Sep 30 10:33:48 CST 2023] d='www.example.om'
[Sat Sep 30 10:33:48 CST 2023] Getting webroot for domain='www.example.om'
[Sat Sep 30 10:33:48 CST 2023] _w='no'
[Sat Sep 30 10:33:48 CST 2023] _currentRoot='no'
[Sat Sep 30 10:33:48 CST 2023] entry='"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g","status":"pending","token":"adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg"'
[Sat Sep 30 10:33:48 CST 2023] token='adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg'
[Sat Sep 30 10:33:48 CST 2023] uri='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
[Sat Sep 30 10:33:48 CST 2023] keyauthorization='adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg.duvfJ4sR9oODbWImDwc59B2ORLluJyAbAIdGRrFD_VE'
[Sat Sep 30 10:33:48 CST 2023] dvlist='www.example.om#adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg.duvfJ4sR9oODbWImDwc59B2ORLluJyAbAIdGRrFD_VE#https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g#http-01#no'
[Sat Sep 30 10:33:48 CST 2023] d
[Sat Sep 30 10:33:48 CST 2023] vlist='www.example.om#adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg.duvfJ4sR9oODbWImDwc59B2ORLluJyAbAIdGRrFD_VE#https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g#http-01#no,'
[Sat Sep 30 10:33:48 CST 2023] d='www.example.om'
[Sat Sep 30 10:33:48 CST 2023] ok, let's start to verify
[Sat Sep 30 10:33:48 CST 2023] Verifying: www.example.om
[Sat Sep 30 10:33:48 CST 2023] d='www.example.om'
[Sat Sep 30 10:33:48 CST 2023] keyauthorization='adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg.duvfJ4sR9oODbWImDwc59B2ORLluJyAbAIdGRrFD_VE'
[Sat Sep 30 10:33:48 CST 2023] uri='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
[Sat Sep 30 10:33:48 CST 2023] _currentRoot='no'
[Sat Sep 30 10:33:48 CST 2023] Standalone mode server
[Sat Sep 30 10:33:48 CST 2023] content='adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg.duvfJ4sR9oODbWImDwc59B2ORLluJyAbAIdGRrFD_VE'
[Sat Sep 30 10:33:48 CST 2023] ncaddr
[Sat Sep 30 10:33:48 CST 2023] startserver: 17662
[Sat Sep 30 10:33:48 CST 2023] Le_HTTPPort='80'
[Sat Sep 30 10:33:48 CST 2023] Le_Listen_V4
[Sat Sep 30 10:33:48 CST 2023] Le_Listen_V6
[Sat Sep 30 10:33:48 CST 2023] _content_len='87'
[Sat Sep 30 10:33:48 CST 2023] _NC='socat TCP-LISTEN:80,crlf,reuseaddr,fork'
[Sat Sep 30 10:33:49 CST 2023] serverproc='18480'
[Sat Sep 30 10:33:50 CST 2023] url='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
[Sat Sep 30 10:33:50 CST 2023] payload='{}'
[Sat Sep 30 10:33:50 CST 2023] POST
[Sat Sep 30 10:33:50 CST 2023] _post_url='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
[Sat Sep 30 10:33:50 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Sat Sep 30 10:33:51 CST 2023] _ret='0'
[Sat Sep 30 10:33:51 CST 2023] code='200'
[Sat Sep 30 10:33:51 CST 2023] trigger validation code: 200
[Sat Sep 30 10:33:51 CST 2023] Processing, The CA is processing your order, please just wait. (1/30)
[Sat Sep 30 10:33:51 CST 2023] sleep 2 secs to verify again
[Sat Sep 30 10:33:54 CST 2023] checking
[Sat Sep 30 10:33:54 CST 2023] url='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
[Sat Sep 30 10:33:54 CST 2023] payload
[Sat Sep 30 10:33:54 CST 2023] POST
[Sat Sep 30 10:33:54 CST 2023] _post_url='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
[Sat Sep 30 10:33:54 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Sat Sep 30 10:33:56 CST 2023] _ret='0'
[Sat Sep 30 10:33:56 CST 2023] code='200'
[Sat Sep 30 10:33:56 CST 2023] www.example.om:Verify error:"error":{
[Sat Sep 30 10:33:56 CST 2023] Debug: get token url.
[Sat Sep 30 10:33:56 CST 2023] GET
[Sat Sep 30 10:33:56 CST 2023] url='http://www.example.om/.well-known/acme-challenge/adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg'
[Sat Sep 30 10:33:56 CST 2023] timeout=1
[Sat Sep 30 10:33:56 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g --connect-timeout 1'
[Sat Sep 30 10:33:57 CST 2023] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
[Sat Sep 30 10:33:57 CST 2023] ret='6'
[Sat Sep 30 10:33:57 CST 2023] Skip for removelevel:
[Sat Sep 30 10:33:57 CST 2023] pid='18480'
[Sat Sep 30 10:33:57 CST 2023] No need to restore nginx, skip.
[Sat Sep 30 10:33:57 CST 2023] _clearupdns
[Sat Sep 30 10:33:57 CST 2023] dns_entries
[Sat Sep 30 10:33:57 CST 2023] skip dns.
[Sat Sep 30 10:33:57 CST 2023] _on_issue_err
[Sat Sep 30 10:33:57 CST 2023] Please add '--debug' or '--log' to check more details.
[Sat Sep 30 10:33:57 CST 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Sat Sep 30 10:33:57 CST 2023] url='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
[Sat Sep 30 10:33:57 CST 2023] payload='{}'
[Sat Sep 30 10:33:57 CST 2023] POST
[Sat Sep 30 10:33:57 CST 2023] _post_url='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
[Sat Sep 30 10:33:57 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Sat Sep 30 10:33:58 CST 2023] _ret='0'
[Sat Sep 30 10:33:58 CST 2023] code='200'
[Sat Sep 30 10:33:58 CST 2023] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.2k-fips 26 Jan 2017
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.3.2 on Aug 4 2017 04:57:10
running on Linux version #1 SMP Tue Jun 18 16:35:19 UTC 2019, release 3.10.0-957.21.3.el7.x86_64, machine x86_64
# cd /root/acme.sh
# ./acme.sh --server letsencrypt --install -m 123456789@qq.com
# ~/.acme.sh/acme.sh --server letsencrypt --issue -d www.example.com --webroot /usr/local/openresty/nginx/html --log
[2023年 10月 01日 星期日 10:17:59 CST] Using CA: https://acme-v02.api.letsencrypt.org/directory
[2023年 10月 01日 星期日 10:17:59 CST] Registering account: https://acme-v02.api.letsencrypt.org/directory
[2023年 10月 01日 星期日 10:18:01 CST] Registered
[2023年 10月 01日 星期日 10:18:01 CST] ACCOUNT_THUMBPRINT='njQlFGCzNfaW0xDclJYvFZmj8aXec3flx33mF-XMqLI'
[2023年 10月 01日 星期日 10:18:01 CST] Single domain='www.example.com'
[2023年 10月 01日 星期日 10:18:02 CST] Getting domain auth token for each domain
[2023年 10月 01日 星期日 10:18:04 CST] Getting webroot for domain='www.example.com'
[2023年 10月 01日 星期日 10:18:04 CST] Verifying: www.example.com
[2023年 10月 01日 星期日 10:18:05 CST] Pending, The CA is processing your order, please just wait. (1/30)
[2023年 10月 01日 星期日 10:18:09 CST] Pending, The CA is processing your order, please just wait. (2/30)
[2023年 10月 01日 星期日 10:18:13 CST] Pending, The CA is processing your order, please just wait. (3/30)
[2023年 10月 01日 星期日 10:18:17 CST] Pending, The CA is processing your order, please just wait. (4/30)
[2023年 10月 01日 星期日 10:18:21 CST] Pending, The CA is processing your order, please just wait. (5/30)
[2023年 10月 01日 星期日 10:18:24 CST] Pending, The CA is processing your order, please just wait. (6/30)
[2023年 10月 01日 星期日 10:18:28 CST] Pending, The CA is processing your order, please just wait. (7/30)
[2023年 10月 01日 星期日 10:18:32 CST] Pending, The CA is processing your order, please just wait. (8/30)
[2023年 10月 01日 星期日 10:18:36 CST] www.example.com:Verify error:DNS problem: query timed out looking up A for www.example.com; DNS problem: query timed out looking up AAAA for www.example.com
[2023年 10月 01日 星期日 10:18:36 CST] Please check log file for more details: /root/.acme.sh/acme.sh.log
www.example.com must resolve, as seen from this machine, to its public IP address; if it resolves to an internal address, this will not work!
# nslookup www.example.com
Server: 10.1.1.3
Address: 10.1.1.3#53
www.example.com canonical name = proxy.example.com.
Name: proxy.example.com
Address: 10.1.16.8
Let’s Encrypt will try to access http://www.example.om/.well-known/acme-challenge/adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg
The process of proving to Let’s Encrypt, via the ACME protocol, that you own your domain is called a challenge. There are currently three challenge types:
- HTTP-01
- DNS-01
- TLS-SNI-01 (disabled)
- TLS-ALPN-01
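HTTP-01 is currently the most common validation method, but it requires exposing a path on port 80 so that Let’s Encrypt can fetch the token it issued and verify that you own the domain, so it is not feasible when port 80 is blocked. Similarly, TLS-ALPN-01 is validated over port 443.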
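A pre-flight check for the two failures shown above (curl error 6 and the CA's DNS lookup failure), as an added example that is not part of the original post or of acme.sh: it classifies the addresses a domain resolves to and fails when any of them is private or reserved. The function names, the `dig` call and the default public resolver 1.1.1.1 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): HTTP-01 pre-flight check.
# The CA connects from the public internet, so every A record for the
# domain has to be a publicly routable address.

# is_public_ipv4 ADDR: 0 = public, 1 = private/reserved, 2 = not a dotted quad
is_public_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 2
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 2
    done
    a=$1 b=$2
    if [ "$a" -eq 0 ] || [ "$a" -eq 10 ] || [ "$a" -eq 127 ] || [ "$a" -ge 224 ]; then return 1; fi
    if [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then return 1; fi   # 172.16/12
    if [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then return 1; fi                     # 192.168/16
    if [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then return 1; fi                     # link-local
    if [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then return 1; fi  # CGNAT
    return 0
}

# preflight_http01 DOMAIN ADDR...: 0 only if at least one address was given
# and all of them are public; prints one verdict line per address.
preflight_http01() {
    domain=$1; shift
    [ "$#" -gt 0 ] || { echo "$domain: no A record found"; return 1; }
    rc=0
    for addr in "$@"; do
        if is_public_ipv4 "$addr"; then
            echo "$domain -> $addr: public"
        else
            echo "$domain -> $addr: not public, HTTP-01 validation cannot reach it"
            rc=1
        fi
    done
    return "$rc"
}

if [ "$#" -ge 1 ]; then
    # Ask a public resolver ($2, default 1.1.1.1 is an assumed choice), not
    # the internal one: split-horizon DNS can hide what the CA will see.
    preflight_http01 "$1" $(dig +short A "$1" @"${2:-1.1.1.1}" | grep -E '^[0-9.]+$')
else
    # No arguments: run on the address from the nslookup output on this page.
    preflight_http01 www.example.com 10.1.16.8 || echo "fix DNS before --issue"
fi
```

Run it with the domain as the first argument before `acme.sh --issue`; a non-zero exit means the CA would be sent to an address it cannot reach, in which case DNS-01 is the challenge type that does not need inbound access.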
References
Let’s Encrypt challenge types
https://letsencrypt.org/zh-cn/docs/challenge-types