美文网首页
【SSL】用ACME 脚本申请SSL证书

【SSL】用ACME 脚本申请SSL证书

作者: Bogon | 来源:发表于2023-09-30 10:24 被阅读0次

    如果你的安装服务器位于中国大陆境内, 访问 github 可能会不成功. 所以安装可能会失败。

    安装步骤:
    根据 How-to-install#3-or-git-clone-and-install

    # git clone https://gitee.com/neilpang/acme.sh.git
# cd acme.sh
# ./acme.sh --install -m my@example.com

    2021 年 6 月 17 日更新:
    从 acme.sh v 3.0.0 开始,acme.sh 使用 Zerossl 作为默认 ca,您必须先注册帐户(一次),然后才能颁发新证书。
    具体操作步骤如下:
    1、安装 Acme 脚本之后,请先执行下面的命令(下面的邮箱为你的邮箱)

    ~/.acme.sh/acme.sh --register-account -m xxxx@xxxx.com

    2、其他的命令暂时没有变动

    # ./acme.sh --install -m   123456789@qq.com

[Sat Sep 30 10:29:38 CST 2023] It is recommended to install socat first.
[Sat Sep 30 10:29:38 CST 2023] We use socat for standalone server if you use standalone mode.
[Sat Sep 30 10:29:38 CST 2023] If you don't use standalone mode, just ignore this warning.
[Sat Sep 30 10:29:38 CST 2023] Installing to /root/.acme.sh
[Sat Sep 30 10:29:38 CST 2023] Installed to /root/.acme.sh/acme.sh
[Sat Sep 30 10:29:38 CST 2023] Installing alias to '/root/.bashrc'
[Sat Sep 30 10:29:38 CST 2023] OK, Close and reopen your terminal to start using acme.sh
[Sat Sep 30 10:29:38 CST 2023] Installing alias to '/root/.cshrc'
[Sat Sep 30 10:29:38 CST 2023] Installing alias to '/root/.tcshrc'
[Sat Sep 30 10:29:38 CST 2023] Installing cron job
[Sat Sep 30 10:29:38 CST 2023] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Sep 30 10:29:39 CST 2023] OK


    # ~/.acme.sh/acme.sh  --issue -d  www.examplec.om    --standalone
[Sat Sep 30 10:31:12 CST 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Sat Sep 30 10:31:12 CST 2023] Please install socat tools first.
[Sat Sep 30 10:31:12 CST 2023] _on_before_issue.


# yum -y install  socat
Installed:
  socat.x86_64 0:1.7.3.2-2.el7

    # ~/.acme.sh/acme.sh  --issue -d  www.example.om    --standalone   --debug
[Sat Sep 30 10:33:38 CST 2023] Lets find script dir.
[Sat Sep 30 10:33:38 CST 2023] _SCRIPT_='/root/.acme.sh/acme.sh'
[Sat Sep 30 10:33:38 CST 2023] _script='/root/.acme.sh/acme.sh'
[Sat Sep 30 10:33:38 CST 2023] _script_home='/root/.acme.sh'
[Sat Sep 30 10:33:38 CST 2023] Using default home:/root/.acme.sh
[Sat Sep 30 10:33:38 CST 2023] Using config home:/root/.acme.sh
https://github.com/acmesh-official/acme.sh
v3.0.5
[Sat Sep 30 10:33:38 CST 2023] Running cmd: issue
[Sat Sep 30 10:33:38 CST 2023] _main_domain='www.example.om'
[Sat Sep 30 10:33:38 CST 2023] _alt_domains='no'
[Sat Sep 30 10:33:38 CST 2023] Using config home:/root/.acme.sh
[Sat Sep 30 10:33:38 CST 2023] default_acme_server
[Sat Sep 30 10:33:38 CST 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Sat Sep 30 10:33:38 CST 2023] DOMAIN_PATH='/root/.acme.sh/www.example.om'
[Sat Sep 30 10:33:38 CST 2023] Le_NextRenewTime
[Sat Sep 30 10:33:38 CST 2023] Using ACME_DIRECTORY: https://acme.zerossl.com/v2/DV90
[Sat Sep 30 10:33:38 CST 2023] _init api for server: https://acme.zerossl.com/v2/DV90
[Sat Sep 30 10:33:38 CST 2023] GET
[Sat Sep 30 10:33:38 CST 2023] url='https://acme.zerossl.com/v2/DV90'
[Sat Sep 30 10:33:38 CST 2023] timeout=
[Sat Sep 30 10:33:38 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Sat Sep 30 10:33:41 CST 2023] ret='0'
[Sat Sep 30 10:33:41 CST 2023] ACME_KEY_CHANGE='https://acme.zerossl.com/v2/DV90/keyChange'
[Sat Sep 30 10:33:41 CST 2023] ACME_NEW_AUTHZ
[Sat Sep 30 10:33:41 CST 2023] ACME_NEW_ORDER='https://acme.zerossl.com/v2/DV90/newOrder'
[Sat Sep 30 10:33:41 CST 2023] ACME_NEW_ACCOUNT='https://acme.zerossl.com/v2/DV90/newAccount'
[Sat Sep 30 10:33:41 CST 2023] ACME_REVOKE_CERT='https://acme.zerossl.com/v2/DV90/revokeCert'
[Sat Sep 30 10:33:41 CST 2023] ACME_AGREEMENT='https://secure.trust-provider.com/repository/docs/Legacy/20230516_Certificate_Subscriber_Agreement_v_2_6_click.pdf'
[Sat Sep 30 10:33:41 CST 2023] ACME_NEW_NONCE='https://acme.zerossl.com/v2/DV90/newNonce'
[Sat Sep 30 10:33:41 CST 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Sat Sep 30 10:33:41 CST 2023] _on_before_issue
[Sat Sep 30 10:33:41 CST 2023] _chk_main_domain='www.example.om'
[Sat Sep 30 10:33:41 CST 2023] _chk_alt_domains
[Sat Sep 30 10:33:41 CST 2023] Le_LocalAddress
[Sat Sep 30 10:33:41 CST 2023] d='www.example.om'
[Sat Sep 30 10:33:41 CST 2023] Check for domain='www.example.om'
[Sat Sep 30 10:33:41 CST 2023] _currentRoot='no'
[Sat Sep 30 10:33:41 CST 2023] Standalone mode.
[Sat Sep 30 10:33:41 CST 2023] _checkport='80'
[Sat Sep 30 10:33:41 CST 2023] _checkaddr
[Sat Sep 30 10:33:41 CST 2023] Using: ss
[Sat Sep 30 10:33:41 CST 2023] d
[Sat Sep 30 10:33:41 CST 2023] _saved_account_key_hash is not changed, skip register account.
[Sat Sep 30 10:33:41 CST 2023] Read key length:2048
[Sat Sep 30 10:33:41 CST 2023] _createcsr
[Sat Sep 30 10:33:41 CST 2023] Single domain='www.example.om'
[Sat Sep 30 10:33:41 CST 2023] Getting domain auth token for each domain
[Sat Sep 30 10:33:41 CST 2023] d
[Sat Sep 30 10:33:41 CST 2023] url='https://acme.zerossl.com/v2/DV90/newOrder'
[Sat Sep 30 10:33:41 CST 2023] payload='{"identifiers": [{"type":"dns","value":"www.example.om"}]}'
[Sat Sep 30 10:33:41 CST 2023] RSA key
[Sat Sep 30 10:33:41 CST 2023] HEAD
[Sat Sep 30 10:33:41 CST 2023] _post_url='https://acme.zerossl.com/v2/DV90/newNonce'
[Sat Sep 30 10:33:41 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g  -I  '
[Sat Sep 30 10:33:43 CST 2023] _ret='0'
[Sat Sep 30 10:33:43 CST 2023] POST
[Sat Sep 30 10:33:43 CST 2023] _post_url='https://acme.zerossl.com/v2/DV90/newOrder'
[Sat Sep 30 10:33:43 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Sat Sep 30 10:33:46 CST 2023] _ret='0'
[Sat Sep 30 10:33:46 CST 2023] code='201'
[Sat Sep 30 10:33:46 CST 2023] Le_LinkOrder='https://acme.zerossl.com/v2/DV90/order/53dmLu4gXx9MslqI7IoHDQ'
[Sat Sep 30 10:33:46 CST 2023] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/53dmLu4gXx9MslqI7IoHDQ/finalize'
[Sat Sep 30 10:33:46 CST 2023] url='https://acme.zerossl.com/v2/DV90/authz/3Q2O0GHlA1Mf0Wc-Yj4kjQ'
[Sat Sep 30 10:33:46 CST 2023] payload
[Sat Sep 30 10:33:46 CST 2023] POST
[Sat Sep 30 10:33:46 CST 2023] _post_url='https://acme.zerossl.com/v2/DV90/authz/3Q2O0GHlA1Mf0Wc-Yj4kjQ'
[Sat Sep 30 10:33:46 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Sat Sep 30 10:33:48 CST 2023] _ret='0'
[Sat Sep 30 10:33:48 CST 2023] code='200'
[Sat Sep 30 10:33:48 CST 2023] d='www.example.om'
[Sat Sep 30 10:33:48 CST 2023] Getting webroot for domain='www.example.om'
[Sat Sep 30 10:33:48 CST 2023] _w='no'
[Sat Sep 30 10:33:48 CST 2023] _currentRoot='no'
[Sat Sep 30 10:33:48 CST 2023] entry='"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g","status":"pending","token":"adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg"'
[Sat Sep 30 10:33:48 CST 2023] token='adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg'
[Sat Sep 30 10:33:48 CST 2023] uri='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
[Sat Sep 30 10:33:48 CST 2023] keyauthorization='adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg.duvfJ4sR9oODbWImDwc59B2ORLluJyAbAIdGRrFD_VE'
[Sat Sep 30 10:33:48 CST 2023] dvlist='www.example.om#adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg.duvfJ4sR9oODbWImDwc59B2ORLluJyAbAIdGRrFD_VE#https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g#http-01#no'
[Sat Sep 30 10:33:48 CST 2023] d
[Sat Sep 30 10:33:48 CST 2023] vlist='www.example.om#adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg.duvfJ4sR9oODbWImDwc59B2ORLluJyAbAIdGRrFD_VE#https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g#http-01#no,'
[Sat Sep 30 10:33:48 CST 2023] d='www.example.om'
[Sat Sep 30 10:33:48 CST 2023] ok, let's start to verify
[Sat Sep 30 10:33:48 CST 2023] Verifying: www.example.om
[Sat Sep 30 10:33:48 CST 2023] d='www.example.om'
[Sat Sep 30 10:33:48 CST 2023] keyauthorization='adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg.duvfJ4sR9oODbWImDwc59B2ORLluJyAbAIdGRrFD_VE'
[Sat Sep 30 10:33:48 CST 2023] uri='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
[Sat Sep 30 10:33:48 CST 2023] _currentRoot='no'
[Sat Sep 30 10:33:48 CST 2023] Standalone mode server
[Sat Sep 30 10:33:48 CST 2023] content='adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg.duvfJ4sR9oODbWImDwc59B2ORLluJyAbAIdGRrFD_VE'
[Sat Sep 30 10:33:48 CST 2023] ncaddr
[Sat Sep 30 10:33:48 CST 2023] startserver: 17662
[Sat Sep 30 10:33:48 CST 2023] Le_HTTPPort='80'
[Sat Sep 30 10:33:48 CST 2023] Le_Listen_V4
[Sat Sep 30 10:33:48 CST 2023] Le_Listen_V6
[Sat Sep 30 10:33:48 CST 2023] _content_len='87'
[Sat Sep 30 10:33:48 CST 2023] _NC='socat TCP-LISTEN:80,crlf,reuseaddr,fork'
[Sat Sep 30 10:33:49 CST 2023] serverproc='18480'
[Sat Sep 30 10:33:50 CST 2023] url='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
[Sat Sep 30 10:33:50 CST 2023] payload='{}'
[Sat Sep 30 10:33:50 CST 2023] POST
[Sat Sep 30 10:33:50 CST 2023] _post_url='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
[Sat Sep 30 10:33:50 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Sat Sep 30 10:33:51 CST 2023] _ret='0'
[Sat Sep 30 10:33:51 CST 2023] code='200'
[Sat Sep 30 10:33:51 CST 2023] trigger validation code: 200
[Sat Sep 30 10:33:51 CST 2023] Processing, The CA is processing your order, please just wait. (1/30)
[Sat Sep 30 10:33:51 CST 2023] sleep 2 secs to verify again
[Sat Sep 30 10:33:54 CST 2023] checking
[Sat Sep 30 10:33:54 CST 2023] url='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
[Sat Sep 30 10:33:54 CST 2023] payload
[Sat Sep 30 10:33:54 CST 2023] POST
[Sat Sep 30 10:33:54 CST 2023] _post_url='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
[Sat Sep 30 10:33:54 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Sat Sep 30 10:33:56 CST 2023] _ret='0'
[Sat Sep 30 10:33:56 CST 2023] code='200'
[Sat Sep 30 10:33:56 CST 2023] www.example.om:Verify error:"error":{
[Sat Sep 30 10:33:56 CST 2023] Debug: get token url.
[Sat Sep 30 10:33:56 CST 2023] GET
[Sat Sep 30 10:33:56 CST 2023] url='http://www.example.om/.well-known/acme-challenge/adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg'
[Sat Sep 30 10:33:56 CST 2023] timeout=1
[Sat Sep 30 10:33:56 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g  --connect-timeout 1'
[Sat Sep 30 10:33:57 CST 2023] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
[Sat Sep 30 10:33:57 CST 2023] ret='6'
[Sat Sep 30 10:33:57 CST 2023] Skip for removelevel:
[Sat Sep 30 10:33:57 CST 2023] pid='18480'
[Sat Sep 30 10:33:57 CST 2023] No need to restore nginx, skip.
[Sat Sep 30 10:33:57 CST 2023] _clearupdns
[Sat Sep 30 10:33:57 CST 2023] dns_entries
[Sat Sep 30 10:33:57 CST 2023] skip dns.
[Sat Sep 30 10:33:57 CST 2023] _on_issue_err
[Sat Sep 30 10:33:57 CST 2023] Please add '--debug' or '--log' to check more details.
[Sat Sep 30 10:33:57 CST 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Sat Sep 30 10:33:57 CST 2023] url='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
[Sat Sep 30 10:33:57 CST 2023] payload='{}'
[Sat Sep 30 10:33:57 CST 2023] POST
[Sat Sep 30 10:33:57 CST 2023] _post_url='https://acme.zerossl.com/v2/DV90/chall/L7s41Px-IByBhuoFeGkD5g'
[Sat Sep 30 10:33:57 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Sat Sep 30 10:33:58 CST 2023] _ret='0'
[Sat Sep 30 10:33:58 CST 2023] code='200'
[Sat Sep 30 10:33:58 CST 2023] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.2k-fips  26 Jan 2017
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.3.2 on Aug  4 2017 04:57:10
   running on Linux version #1 SMP Tue Jun 18 16:35:19 UTC 2019, release 3.10.0-957.21.3.el7.x86_64, machine x86_64
features:
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_UNIX 1
  #define WITH_ABSTRACT_UNIXSOCKET 1
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #define WITH_INTERFACE 1
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_LISTEN 1
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_EXEC 1
  #define WITH_READLINE 1
  #define WITH_TUN 1
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #define WITH_LIBWRAP 1
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/

    # cd  /root/acme.sh

# ./acme.sh  --server letsencrypt  --install -m  123456789@qq.com

# ~/.acme.sh/acme.sh  --server letsencrypt   --issue  -d  www.example.com   --webroot  /usr/local/openresty/nginx/html --log
[2023年 10月 01日 星期日 10:17:59 CST] Using CA: https://acme-v02.api.letsencrypt.org/directory
[2023年 10月 01日 星期日 10:17:59 CST] Registering account: https://acme-v02.api.letsencrypt.org/directory
[2023年 10月 01日 星期日 10:18:01 CST] Registered
[2023年 10月 01日 星期日 10:18:01 CST] ACCOUNT_THUMBPRINT='njQlFGCzNfaW0xDclJYvFZmj8aXec3flx33mF-XMqLI'
[2023年 10月 01日 星期日 10:18:01 CST] Single domain='www.example.com'
[2023年 10月 01日 星期日 10:18:02 CST] Getting domain auth token for each domain
[2023年 10月 01日 星期日 10:18:04 CST] Getting webroot for domain='www.example.com'
[2023年 10月 01日 星期日 10:18:04 CST] Verifying: www.example.com
[2023年 10月 01日 星期日 10:18:05 CST] Pending, The CA is processing your order, please just wait. (1/30)
[2023年 10月 01日 星期日 10:18:09 CST] Pending, The CA is processing your order, please just wait. (2/30)
[2023年 10月 01日 星期日 10:18:13 CST] Pending, The CA is processing your order, please just wait. (3/30)
[2023年 10月 01日 星期日 10:18:17 CST] Pending, The CA is processing your order, please just wait. (4/30)
[2023年 10月 01日 星期日 10:18:21 CST] Pending, The CA is processing your order, please just wait. (5/30)
[2023年 10月 01日 星期日 10:18:24 CST] Pending, The CA is processing your order, please just wait. (6/30)
[2023年 10月 01日 星期日 10:18:28 CST] Pending, The CA is processing your order, please just wait. (7/30)
[2023年 10月 01日 星期日 10:18:32 CST] Pending, The CA is processing your order, please just wait. (8/30)
[2023年 10月 01日 星期日 10:18:36 CST] www.example.com:Verify error:DNS problem: query timed out looking up A for www.example.com; DNS problem: query timed out looking up AAAA for www.example.com
[2023年 10月 01日 星期日 10:18:36 CST] Please check log file for more details: /root/.acme.sh/acme.sh.log

    要求在本机解析 www.example.com 的公网ip,如果是解析再内网,不行!!!

    # nslookup  www.example.com
Server:         10.1.1.3
Address:        10.1.1.3#53

www.example.com   canonical name = proxy.example.com.
Name:   proxy.example.com
Address: 10.1.16.8

    Let’s Encrypt 会要去访问 http://www.example.om/.well-known/acme-challenge/adq27D0yt9KX2gxC45PD3DXKhm0AZjy_40ypr8l7oKg

    通过 ACME 协议向 Let’s Encrypt 证明自己的域名所有权的过程就叫做 Challenge (验证),目前有三种 Challenge 的方式:

    • HTTP-01
    • DNS-01
    • TLS-SNI-01 (已禁用)
    • TLS-ALPN-01

    HTTP-01 是目前最常见的验证方式,但是该验证方式需要通过 80 端口开放一个路径给 Let’s Encrypt 访问它提供的 token 来验证你的域名所有权,因此在 80 端口被封锁的情况下这个验证方式是不现实的。 类似的, TLS-ALPN-01 需要通过 443 端口访问来验证。

    参考

    Let’s Encrypt 验证方式
    https://letsencrypt.org/zh-cn/docs/challenge-types

    相关文章

      网友评论

          本文标题:【SSL】用ACME 脚本申请SSL证书

          本文链接:https://www.haomeiwen.com/subject/tberbdtx.html

          延伸阅读

          深度阅读

          • 您也可以注册成为美文阅读网的作者,发表您的原创作品、分享您的心情!

          栏目导航

          热点阅读

          关于我们|服务条款|联系我们|【SSL】用ACME 脚本申请SSL证书|投稿指南|网站地图|RSS订阅|排版工具|手机版

          提供经典美文摘抄,优美散文欣赏,现代诗歌精选,短篇小说,心情随笔,表白情书范文,故事会在线阅读欣赏

          Copyright © 2014-2023 Haomeiwen.com All Rights Reserved. 好美文阅读网 版权所有

          备案信息:桂公网安备 45052102000051号 · 桂ICP备13007215号-3

          本站所收录作品、热点评论等信息部分来源互联网,目的只是为了系统归纳学习和传递资讯

          所有作品版权归原创作者所有,与本站立场无关,如不慎侵犯了你的权益,请联系我们告知,我们将做删除处理!