[SSL] Requesting an SSL certificate with the acme.sh script

Author: Bogon | Published 2023-09-30 10:24

    If the server you are installing on is located in mainland China, access to GitHub may fail and the install with it, which is why the clone below uses the Gitee mirror of acme.sh.

    Installation steps (following How-to-install#3-or-git-clone-and-install in the acme.sh wiki):

    # git clone https://gitee.com/neilpang/acme.sh.git
    # cd acme.sh
    # ./acme.sh --install -m my@example.com
    

    Update, 17 June 2021:
    Starting with acme.sh v3.0.0, acme.sh uses ZeroSSL as the default CA, and you must register an account (once) before it will issue any certificate.
    The steps are:
    1. After installing the acme.sh script, run the command below first (replace the address with your own email):

    ~/.acme.sh/acme.sh --register-account -m xxxx@xxxx.com
    

    2. The remaining commands are unchanged for now.

    # ./acme.sh --install -m   123456789@qq.com
    
    [Sat Sep 30 10:29:38 CST 2023] It is recommended to install socat first.
    [Sat Sep 30 10:29:38 CST 2023] We use socat for standalone server if you use standalone mode.
    [Sat Sep 30 10:29:38 CST 2023] If you don't use standalone mode, just ignore this warning.
    [Sat Sep 30 10:29:38 CST 2023] Installing to /root/.acme.sh
    [Sat Sep 30 10:29:38 CST 2023] Installed to /root/.acme.sh/acme.sh
    [Sat Sep 30 10:29:38 CST 2023] Installing alias to '/root/.bashrc'
    [Sat Sep 30 10:29:38 CST 2023] OK, Close and reopen your terminal to start using acme.sh
    [Sat Sep 30 10:29:38 CST 2023] Installing alias to '/root/.cshrc'
    [Sat Sep 30 10:29:38 CST 2023] Installing alias to '/root/.tcshrc'
    [Sat Sep 30 10:29:38 CST 2023] Installing cron job
    [Sat Sep 30 10:29:38 CST 2023] Good, bash is found, so change the shebang to use bash as preferred.
    [Sat Sep 30 10:29:39 CST 2023] OK
    
    
    # ~/.acme.sh/acme.sh  --issue -d  www.examplec.om    --standalone
    [Sat Sep 30 10:31:12 CST 2023] Using CA: https://acme.zerossl.com/v2/DV90
    [Sat Sep 30 10:31:12 CST 2023] Please install socat tools first.
    [Sat Sep 30 10:31:12 CST 2023] _on_before_issue.
    
    
    # yum -y install  socat
    Installed:
      socat.x86_64 0:1.7.3.2-2.el7
    
    # ~/.acme.sh/acme.sh  --issue -d  www.example.om    --standalone   --debug
    [Sat Sep 30 10:33:38 CST 2023] Lets find script dir.
    [Sat Sep 30 10:33:38 CST 2023] _SCRIPT_='/root/.acme.sh/acme.sh'
    [Sat Sep 30 10:33:38 CST 2023] _script='/root/.acme.sh/acme.sh'
    [Sat Sep 30 10:33:38 CST 2023] _script_home='/root/.acme.sh'
    [Sat Sep 30 10:33:38 CST 2023] Using default home:/root/.acme.sh
    [Sat Sep 30 10:33:38 CST 2023] Using config home:/root/.acme.sh
    https://github.com/acmesh-official/acme.sh
    v3.0.5
    [Sat Sep 30 10:33:38 CST 2023] Running cmd: issue
    [Sat Sep 30 10:33:38 CST 2023] _main_domain='www.example.om'
    [Sat Sep 30 10:33:38 CST 2023] _alt_domains='no'
    [Sat Sep 30 10:33:38 CST 2023] Using config home:/root/.acme.sh
    [Sat Sep 30 10:33:38 CST 2023] default_acme_server
    [Sat Sep 30 10:33:38 CST 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
    [Sat Sep 30 10:33:38 CST 2023] DOMAIN_PATH='/root/.acme.sh/www.example.om'
    [Sat Sep 30 10:33:38 CST 2023] Le_NextRenewTime
    [Sat Sep 30 10:33:38 CST 2023] Using ACME_DIRECTORY: https://acme.zerossl.com/v2/DV90
    [Sat Sep 30 10:33:38 CST 2023] _init api for server: https://acme.zerossl.com/v2/DV90
    [Sat Sep 30 10:33:38 CST 2023] GET
    [Sat Sep 30 10:33:38 CST 2023] url='https://acme.zerossl.com/v2/DV90'
    [Sat Sep 30 10:33:38 CST 2023] timeout=
    [Sat Sep 30 10:33:38 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
    [Sat Sep 30 10:33:41 CST 2023] ret='0'
    [Sat Sep 30 10:33:41 CST 2023] ACME_KEY_CHANGE='https://acme.zerossl.com/v2/DV90/keyChange'
    [Sat Sep 30 10:33:41 CST 2023] ACME_NEW_AUTHZ
    [Sat Sep 30 10:33:41 CST 2023] ACME_NEW_ORDER='https://acme.zerossl.com/v2/DV90/newOrder'
    [Sat Sep 30 10:33:41 CST 2023] ACME_NEW_ACCOUNT='https://acme.zerossl.com/v2/DV90/newAccount'
    [Sat Sep 30 10:33:41 CST 2023] ACME_REVOKE_CERT='https://acme.zerossl.com/v2/DV90/revokeCert'
    [Sat Sep 30 10:33:41 CST 2023] ACME_AGREEMENT='https://secure.trust-provider.com/repository/docs/Legacy/20230516_Certificate_Subscriber_Agreement_v_2_6_click.pdf'
    [Sat Sep 30 10:33:41 CST 2023] ACME_NEW_NONCE='https://acme.zerossl.com/v2/DV90/newNonce'
    [Sat Sep 30 10:33:41 CST 2023] Using CA: https://acme.zerossl.com/v2/DV90
    [Sat Sep 30 10:33:41 CST 2023] _on_before_issue
    [Sat Sep 30 10:33:41 CST 2023] _chk_main_domain='www.example.om'
    [Sat Sep 30 10:33:41 CST 2023] _chk_alt_domains
    [Sat Sep 30 10:33:41 CST 2023] Le_LocalAddress
    [Sat Sep 30 10:33:41 CST 2023] d='www.example.om'
    [Sat Sep 30 10:33:41 CST 2023] Check for domain='www.example.om'
    [Sat Sep 30 10:33:41 CST 2023] _currentRoot='no'
    [Sat Sep 30 10:33:41 CST 2023] Standalone mode.
    [Sat Sep 30 10:33:41 CST 2023] _checkport='80'
    [Sat Sep 30 10:33:41 CST 2023] _checkaddr
    [Sat Sep 30 10:33:41 CST 2023] Using: ss
    [Sat Sep 30 10:33:41 CST 2023] d
    [Sat Sep 30 10:33:41 CST 2023] _saved_account_key_hash is not changed, skip register account.
    [Sat Sep 30 10:33:41 CST 2023] Read key length:2048
    [Sat Sep 30 10:33:41 CST 2023] _createcsr
    [Sat Sep 30 10:33:41 CST 2023] Single domain='www.example.om'
    [Sat Sep 30 10:33:41 CST 2023] Getting domain auth token for each domain
    [Sat Sep 30 10:33:41 CST 2023] d
    [Sat Sep 30 10:33:41 CST 2023] url='https://acme.zerossl.com/v2/DV90/newOrder'
    [Sat Sep 30 10:33:41 CST 2023] payload='{"identifiers": [{"type":"dns","value":"www.example.om"}]}'
    [Sat Sep 30 10:33:41 CST 2023] RSA key
    [Sat Sep 30 10:33:41 CST 2023] HEAD
    [Sat Sep 30 10:33:41 CST 2023] _post_url='https://acme.zerossl.com/v2/DV90/newNonce'
    [Sat Sep 30 10:33:41 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g  -I  '
    [Sat Sep 30 10:33:43 CST 2023] _ret='0'
    [Sat Sep 30 10:33:43 CST 2023] POST
    [Sat Sep 30 10:33:43 CST 2023] _post_url='https://acme.zerossl.com/v2/DV90/newOrder'
    [Sat Sep 30 10:33:43 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
    [Sat Sep 30 10:33:46 CST 2023] _ret='0'
    [Sat Sep 30 10:33:46 CST 2023] code='201'
    [Sat Sep 30 10:33:46 CST 2023] Le_LinkOrder='https://acme.zerossl.com/v2/DV90/order/53dmLu4gXx9MslqI7IoHDQ'
    [Sat Sep 30 10:33:46 CST 2023] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/53dmLu4gXx9MslqI7IoHDQ/finalize'
    [Sat Sep 30 10:33:46 CST 2023] url='https://acme.zerossl.com/v2/DV90/authz/3Q2O0GHlA1Mf0Wc-Yj4kjQ'
    [Sat Sep 30 10:33:46 CST 2023] payload
    [Sat Sep 30 10:33:46 CST 2023] POST
    [Sat Sep 30 10:33:46 CST 2023] _post_url='https://acme.zerossl.com/v2/DV90/authz/3Q2O0GHlA1Mf0Wc-Yj4kjQ'
    [Sat Sep 30 10:33:46 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
    [Sat Sep 30 10:33:48 CST 2023] _ret='0'
    [Sat Sep 30 10:33:48 CST 2023] code='200'
    [Sat Sep 30 10:33:48 CST 2023] d='www.example.om'
    [Sat Sep 30 10:33:48 CST 2023] Getting webroot for domain='www.example.om'
    [Sat Sep 30 10:33:48 CST 2023] _w='no'
    [Sat Sep 30 10:33:48 CST 2023] _currentRoot='no'
    [Sat Sep 30 10:33:48 CST 2023] entry='"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g","status":"pending","token":"adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg"'
    [Sat Sep 30 10:33:48 CST 2023] token='adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg'
    [Sat Sep 30 10:33:48 CST 2023] uri='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
    [Sat Sep 30 10:33:48 CST 2023] keyauthorization='adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg.duvfJ4sR9oODbWImDwc59B2ORLluJyAbAIdGRrFD_VE'
    [Sat Sep 30 10:33:48 CST 2023] dvlist='www.example.om#adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg.duvfJ4sR9oODbWImDwc59B2ORLluJyAbAIdGRrFD_VE#https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g#http-01#no'
    [Sat Sep 30 10:33:48 CST 2023] d
    [Sat Sep 30 10:33:48 CST 2023] vlist='www.example.om#adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg.duvfJ4sR9oODbWImDwc59B2ORLluJyAbAIdGRrFD_VE#https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g#http-01#no,'
    [Sat Sep 30 10:33:48 CST 2023] d='www.example.om'
    [Sat Sep 30 10:33:48 CST 2023] ok, let's start to verify
    [Sat Sep 30 10:33:48 CST 2023] Verifying: www.example.om
    [Sat Sep 30 10:33:48 CST 2023] d='www.example.om'
    [Sat Sep 30 10:33:48 CST 2023] keyauthorization='adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg.duvfJ4sR9oODbWImDwc59B2ORLluJyAbAIdGRrFD_VE'
    [Sat Sep 30 10:33:48 CST 2023] uri='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
    [Sat Sep 30 10:33:48 CST 2023] _currentRoot='no'
    [Sat Sep 30 10:33:48 CST 2023] Standalone mode server
    [Sat Sep 30 10:33:48 CST 2023] content='adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg.duvfJ4sR9oODbWImDwc59B2ORLluJyAbAIdGRrFD_VE'
    [Sat Sep 30 10:33:48 CST 2023] ncaddr
    [Sat Sep 30 10:33:48 CST 2023] startserver: 17662
    [Sat Sep 30 10:33:48 CST 2023] Le_HTTPPort='80'
    [Sat Sep 30 10:33:48 CST 2023] Le_Listen_V4
    [Sat Sep 30 10:33:48 CST 2023] Le_Listen_V6
    [Sat Sep 30 10:33:48 CST 2023] _content_len='87'
    [Sat Sep 30 10:33:48 CST 2023] _NC='socat TCP-LISTEN:80,crlf,reuseaddr,fork'
    [Sat Sep 30 10:33:49 CST 2023] serverproc='18480'
    [Sat Sep 30 10:33:50 CST 2023] url='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
    [Sat Sep 30 10:33:50 CST 2023] payload='{}'
    [Sat Sep 30 10:33:50 CST 2023] POST
    [Sat Sep 30 10:33:50 CST 2023] _post_url='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
    [Sat Sep 30 10:33:50 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
    [Sat Sep 30 10:33:51 CST 2023] _ret='0'
    [Sat Sep 30 10:33:51 CST 2023] code='200'
    [Sat Sep 30 10:33:51 CST 2023] trigger validation code: 200
    [Sat Sep 30 10:33:51 CST 2023] Processing, The CA is processing your order, please just wait. (1/30)
    [Sat Sep 30 10:33:51 CST 2023] sleep 2 secs to verify again
    [Sat Sep 30 10:33:54 CST 2023] checking
    [Sat Sep 30 10:33:54 CST 2023] url='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
    [Sat Sep 30 10:33:54 CST 2023] payload
    [Sat Sep 30 10:33:54 CST 2023] POST
    [Sat Sep 30 10:33:54 CST 2023] _post_url='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
    [Sat Sep 30 10:33:54 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
    [Sat Sep 30 10:33:56 CST 2023] _ret='0'
    [Sat Sep 30 10:33:56 CST 2023] code='200'
    [Sat Sep 30 10:33:56 CST 2023] www.example.om:Verify error:"error":{
    [Sat Sep 30 10:33:56 CST 2023] Debug: get token url.
    [Sat Sep 30 10:33:56 CST 2023] GET
    [Sat Sep 30 10:33:56 CST 2023] url='http://www.example.om/.well-known/acme-challenge/adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg'
    [Sat Sep 30 10:33:56 CST 2023] timeout=1
    [Sat Sep 30 10:33:56 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g  --connect-timeout 1'
    [Sat Sep 30 10:33:57 CST 2023] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
    [Sat Sep 30 10:33:57 CST 2023] ret='6'
    [Sat Sep 30 10:33:57 CST 2023] Skip for removelevel:
    [Sat Sep 30 10:33:57 CST 2023] pid='18480'
    [Sat Sep 30 10:33:57 CST 2023] No need to restore nginx, skip.
    [Sat Sep 30 10:33:57 CST 2023] _clearupdns
    [Sat Sep 30 10:33:57 CST 2023] dns_entries
    [Sat Sep 30 10:33:57 CST 2023] skip dns.
    [Sat Sep 30 10:33:57 CST 2023] _on_issue_err
    [Sat Sep 30 10:33:57 CST 2023] Please add '--debug' or '--log' to check more details.
    [Sat Sep 30 10:33:57 CST 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    [Sat Sep 30 10:33:57 CST 2023] url='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
    [Sat Sep 30 10:33:57 CST 2023] payload='{}'
    [Sat Sep 30 10:33:57 CST 2023] POST
    [Sat Sep 30 10:33:57 CST 2023] _post_url='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
    [Sat Sep 30 10:33:57 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
    [Sat Sep 30 10:33:58 CST 2023] _ret='0'
    [Sat Sep 30 10:33:58 CST 2023] code='200'
    [Sat Sep 30 10:33:58 CST 2023] Diagnosis versions:
    openssl:openssl
    OpenSSL 1.0.2k-fips  26 Jan 2017
    apache:
    apache doesn't exist.
    nginx:
    nginx doesn't exist.
    socat:
    socat by Gerhard Rieger and contributors - see www.dest-unreach.org
    socat version 1.7.3.2 on Aug  4 2017 04:57:10
       running on Linux version #1 SMP Tue Jun 18 16:35:19 UTC 2019, release 3.10.0-957.21.3.el7.x86_64, machine x86_64
    features:
      #define WITH_STDIO 1
      #define WITH_FDNUM 1
      #define WITH_FILE 1
      #define WITH_CREAT 1
      #define WITH_GOPEN 1
      #define WITH_TERMIOS 1
      #define WITH_PIPE 1
      #define WITH_UNIX 1
      #define WITH_ABSTRACT_UNIXSOCKET 1
      #define WITH_IP4 1
      #define WITH_IP6 1
      #define WITH_RAWIP 1
      #define WITH_GENERICSOCKET 1
      #define WITH_INTERFACE 1
      #define WITH_TCP 1
      #define WITH_UDP 1
      #define WITH_SCTP 1
      #define WITH_LISTEN 1
      #define WITH_SOCKS4 1
      #define WITH_SOCKS4A 1
      #define WITH_PROXY 1
      #define WITH_SYSTEM 1
      #define WITH_EXEC 1
      #define WITH_READLINE 1
      #define WITH_TUN 1
      #define WITH_PTY 1
      #define WITH_OPENSSL 1
      #undef WITH_FIPS
      #define WITH_LIBWRAP 1
      #define WITH_SYCLS 1
      #define WITH_FILAN 1
      #define WITH_RETRY 1
      #define WITH_MSGLEVEL 0 /*debug*/
    
    # cd  /root/acme.sh
    
    # ./acme.sh  --server letsencrypt  --install -m  123456789@qq.com
    
    # ~/.acme.sh/acme.sh  --server letsencrypt   --issue  -d  www.example.com   --webroot  /usr/local/openresty/nginx/html --log
    [2023年 10月 01日 星期日 10:17:59 CST] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [2023年 10月 01日 星期日 10:17:59 CST] Registering account: https://acme-v02.api.letsencrypt.org/directory
    [2023年 10月 01日 星期日 10:18:01 CST] Registered
    [2023年 10月 01日 星期日 10:18:01 CST] ACCOUNT_THUMBPRINT='njQlFGCzNfaW0xDclJYvFZmj8aXec3flx33mF-XMqLI'
    [2023年 10月 01日 星期日 10:18:01 CST] Single domain='www.example.com'
    [2023年 10月 01日 星期日 10:18:02 CST] Getting domain auth token for each domain
    [2023年 10月 01日 星期日 10:18:04 CST] Getting webroot for domain='www.example.com'
    [2023年 10月 01日 星期日 10:18:04 CST] Verifying: www.example.com
    [2023年 10月 01日 星期日 10:18:05 CST] Pending, The CA is processing your order, please just wait. (1/30)
    [2023年 10月 01日 星期日 10:18:09 CST] Pending, The CA is processing your order, please just wait. (2/30)
    [2023年 10月 01日 星期日 10:18:13 CST] Pending, The CA is processing your order, please just wait. (3/30)
    [2023年 10月 01日 星期日 10:18:17 CST] Pending, The CA is processing your order, please just wait. (4/30)
    [2023年 10月 01日 星期日 10:18:21 CST] Pending, The CA is processing your order, please just wait. (5/30)
    [2023年 10月 01日 星期日 10:18:24 CST] Pending, The CA is processing your order, please just wait. (6/30)
    [2023年 10月 01日 星期日 10:18:28 CST] Pending, The CA is processing your order, please just wait. (7/30)
    [2023年 10月 01日 星期日 10:18:32 CST] Pending, The CA is processing your order, please just wait. (8/30)
    [2023年 10月 01日 星期日 10:18:36 CST] www.example.com:Verify error:DNS problem: query timed out looking up A for www.example.com; DNS problem: query timed out looking up AAAA for www.example.com
    [2023年 10月 01日 星期日 10:18:36 CST] Please check log file for more details: /root/.acme.sh/acme.sh.log
    

    Requirement: www.example.com must resolve, from the public Internet, to a public IP address that the CA can reach. Here the name exists only on the internal resolver and points to a private 10.x address, so validation cannot succeed (the "query timed out" above is the CA's resolver failing to find the name at all):

    # nslookup  www.example.com
    Server:         10.1.1.3
    Address:        10.1.1.3#53
    
    www.example.com   canonical name = proxy.example.com.
    Name:   proxy.example.com
    Address: 10.1.16.8
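    The install, register and issue procedure above together with the DNS requirement just shown, as one added shell script (example code, not acme.sh's own and not from the post): it asks a public resolver whether the name resolves to a non-private address, checks that standalone mode has socat and a free port 80, then runs the acme.sh steps, switching the default CA with --set-default-ca rather than re-running --install as the post does. The certificate paths, the nginx reload command and the resolver 1.1.1.1 are assumptions; SAMPLE_NSLOOKUP is constructed from the post's output.

```shell
#!/bin/sh
# Added example (not part of acme.sh or the original post): pre-flight checks for
# an HTTP-01 issuance, then the acme.sh calls the post walks through.
# Assumed: acme.sh under $HOME/.acme.sh, nginx as web server, cert paths below.

# Exit 0 when the IPv4 address is private, loopback, link-local, CGNAT or
# multicast/reserved, i.e. one a public CA can never reach for HTTP-01.
is_private_ipv4() {
  case "$1" in
    0.*|10.*|127.*|169.254.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;                      # 172.16/12
    100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 0 ;; # 100.64/10
    22[4-9].*|2[3-5][0-9].*) return 0 ;;                                     # 224/3
  esac
  return 1
}

# Extract the answer address from nslookup output on stdin, skipping the
# "Address: <resolver>#53" line that names the resolver itself.
nslookup_answer() {
  awk '/^Address:/ && $2 !~ /#/ { a = $2 } END { print a }'
}

# Constructed sample, modelled on the internal-resolver output in the post.
SAMPLE_NSLOOKUP='Server:         10.1.1.3
Address:        10.1.1.3#53

www.example.com   canonical name = proxy.example.com.
Name:   proxy.example.com
Address: 10.1.16.8'

# Ask a public resolver, not the host's internal one, because that is what the
# CA's validation servers will see. Returns 1 with a reason on failure.
preflight_dns() {
  domain=$1
  answer=$(nslookup "$domain" 1.1.1.1 2>/dev/null | nslookup_answer)
  if [ -z "$answer" ]; then
    echo "preflight: $domain has no public A record (CA will report a DNS problem)" >&2
    return 1
  fi
  if is_private_ipv4 "$answer"; then
    echo "preflight: $domain resolves to private address $answer; the CA cannot reach it" >&2
    return 1
  fi
  echo "preflight: $domain -> $answer"
}

# Standalone mode needs socat and a free port 80; webroot mode needs neither.
preflight_standalone() {
  command -v socat >/dev/null 2>&1 || { echo "preflight: install socat first" >&2; return 1; }
  if ss -ltn 2>/dev/null | grep -q ':80 '; then
    echo "preflight: something already listens on :80; use --webroot instead" >&2
    return 1
  fi
}

issue_and_install() {
  domain=$1 webroot=$2 email=$3
  acme="$HOME/.acme.sh/acme.sh"
  "$acme" --set-default-ca --server letsencrypt   # instead of re-running --install
  "$acme" --register-account -m "$email"
  if [ -n "$webroot" ]; then
    "$acme" --issue -d "$domain" --webroot "$webroot" --log
  else
    preflight_standalone || return 1
    "$acme" --issue -d "$domain" --standalone --log
  fi
  # Copy into the server's paths and reload; the cron job repeats this on renewal.
  "$acme" --install-cert -d "$domain" \
    --key-file "/etc/ssl/private/$domain.key" \
    --fullchain-file "/etc/ssl/certs/$domain.fullchain.pem" \
    --reloadcmd "nginx -s reload"
}

# Usage: sh preflight-issue.sh --run www.example.com /usr/local/openresty/nginx/html you@example.com
# (an empty webroot argument selects standalone mode)
if [ "${1:-}" = "--run" ]; then
  preflight_dns "$2" && issue_and_install "$2" "$3" "$4"
fi
```

    Run the DNS check first on any new host: when it prints a 10.x or 172.16/12 address, or nothing at all, no amount of retrying the issue command will help until the public DNS record is fixed.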
    

    The CA will then fetch http://www.example.om/.well-known/acme-challenge/adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg (the URL from the debug log above) over plain HTTP on port 80, and that request must reach the host holding the token. In the ZeroSSL run above, acme.sh's own test fetch of that URL ended with curl error 6 (could not resolve host), so the name was not resolvable even from the machine itself.

    Proving control of a domain to Let's Encrypt through the ACME protocol is called a challenge. Three challenge types are currently in use (a fourth, TLS-SNI-01, has been disabled):

    • HTTP-01
    • DNS-01
    • TLS-SNI-01 (disabled)
    • TLS-ALPN-01

    HTTP-01 is the most common method, but it requires exposing a path on port 80 so that Let's Encrypt can fetch the token it issued and confirm you control the domain, so it is not workable when port 80 is blocked. Likewise, TLS-ALPN-01 is validated over port 443. DNS-01 needs no inbound port at all, only the ability to publish a TXT record for the domain, which makes it the fallback when neither port is reachable (acme.sh drives it through its --dns provider hooks).
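    The challenge mechanics above, as an added shell example (not code from the post or from acme.sh): it derives an account thumbprint from an RSA public JWK (RFC 7638), builds the HTTP-01 key authorization and URL, and derives the DNS-01 record name and TXT value (RFC 8555 section 8.4). The token and thumbprint are the ones visible in the ZeroSSL debug log above (token=adq27..., keyauthorization=token.duvfJ4...); the RSA modulus in the sample JWK is a constructed placeholder, not a real key. Requires openssl.

```shell
#!/bin/sh
# Added example: derive ACME challenge responses from an account key thumbprint.
# Not from acme.sh. TOKEN and THUMB are copied from the post's debug log; the
# RSA JWK below is a constructed placeholder.

# base64url(SHA-256(stdin)) with the '=' padding stripped, as ACME requires.
b64url_sha256() {
  openssl dgst -sha256 -binary | openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# RFC 7638 JWK thumbprint: hash the required public members in lexicographic
# order as compact JSON with no whitespace. For RSA those are e, kty, n.
jwk_thumbprint_rsa() {   # $1 = e (base64url), $2 = n (base64url)
  printf '{"e":"%s","kty":"RSA","n":"%s"}' "$1" "$2" | b64url_sha256
}

# HTTP-01: the body served at the challenge URL is "<token>.<thumbprint>".
http01_key_authorization() { printf '%s.%s' "$1" "$2"; }                    # $1 token, $2 thumbprint
http01_url() { printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"; } # $1 domain, $2 token

# DNS-01: TXT at _acme-challenge.<domain> holds base64url(SHA-256(key authorization)),
# so the raw key authorization never appears in public DNS.
dns01_txt_name() { printf '_acme-challenge.%s' "$1"; }
dns01_txt_value() { http01_key_authorization "$1" "$2" | b64url_sha256; }

# Sanity check before publishing: 32 hash bytes always encode to 43 url-safe chars.
looks_like_b64url_sha256() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{43}$'; }

# Values from the ZeroSSL debug log in the post.
TOKEN=adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg
THUMB=duvfJ4sR9oODbWImDwc59B2ORLluJyAbAIdGRrFD_VE

# Constructed RSA JWK (placeholder modulus; not a real key).
E=AQAB
N=placeholder-modulus-not-a-real-key

printf 'account thumbprint (placeholder key): %s\n' "$(jwk_thumbprint_rsa "$E" "$N")"
printf 'HTTP-01 URL : %s\n' "$(http01_url www.example.om "$TOKEN")"
printf 'HTTP-01 body: %s\n' "$(http01_key_authorization "$TOKEN" "$THUMB")"
printf 'DNS-01 %s TXT "%s"\n' "$(dns01_txt_name www.example.om)" "$(dns01_txt_value "$TOKEN" "$THUMB")"
```

    Before triggering validation, fetch the HTTP-01 URL from outside your network with curl and compare the body with the key authorization; if it differs, a proxy or a second vhost on port 80 is answering instead of the host that holds the token.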

    References

    Let's Encrypt challenge types
    https://letsencrypt.org/zh-cn/docs/challenge-types


          Article link: https://www.haomeiwen.com/subject/tberbdtx.html