前言
前面写过一个在云服务器上布署SSL证书的文《IT基础设施:在CentOS7中为nginx布署免费SSL证书》,使用certbot的时候,它会自动检测应用配置,找到应用所在的目录,使用文件进行域名的所有权验证。但是,如果我在家里没有80端口的情况下布署应用,就没办法完成这个验证了,今天在路由器里的插件中偶然得知了acme.sh,可以通过域名解析服务的API,通过添加DNS完成域名所有权验证。
关键词
- Let's Encrypt
- HTTPS
- 没有80
- DNS验证
环境
- CentOS 7 x64
- 家庭宽带内网
过程
以下我们以阿里的解析服务为例:
1、先到阿里控制台,找到自己的Access_Key和Access_Secret。
2、下载acme.sh
curl https://get.acme.sh | sh
alias acme.sh=~/.acme.sh/acme.sh
下面设置一下变量,将引号里的内容改为你自己的Key与Secret
export Ali_Key="11111111"
export Ali_Secret="2222222222222222222222222222"
申请泛域名证书
acme.sh --issue --dns dns_ali -d *.blackice.me -d blackice.me
等待程序执行完成
[Tue Feb 19 22:50:12 CST 2019] Multi domain='DNS:*.blackice.me,DNS:blackice.me'
[Tue Feb 19 22:50:12 CST 2019] Getting domain auth token for each domain
[Tue Feb 19 22:50:21 CST 2019] Getting webroot for domain='*.blackice.me'
[Tue Feb 19 22:50:21 CST 2019] Getting webroot for domain='blackice.me'
[Tue Feb 19 22:50:21 CST 2019] Found domain api file: /root/.acme.sh/dnsapi/dns_ali.sh
[Tue Feb 19 22:50:23 CST 2019] Found domain api file: /root/.acme.sh/dnsapi/dns_ali.sh
[Tue Feb 19 22:50:25 CST 2019] Let's check each dns records now. Sleep 20 seconds first.
[Tue Feb 19 22:50:46 CST 2019] Checking blackice.me for _acme-challenge.blackice.me
[Tue Feb 19 22:50:49 CST 2019] Domain blackice.me '_acme-challenge.blackice.me' success.
[Tue Feb 19 22:50:49 CST 2019] Checking blackice.me for _acme-challenge.blackice.me
[Tue Feb 19 22:50:51 CST 2019] Domain blackice.me '_acme-challenge.blackice.me' success.
[Tue Feb 19 22:50:51 CST 2019] All success, let's return
[Tue Feb 19 22:50:51 CST 2019] Verifying: *.blackice.me
[Tue Feb 19 22:50:55 CST 2019] Success
[Tue Feb 19 22:50:55 CST 2019] Verifying: blackice.me
[Tue Feb 19 22:50:58 CST 2019] Success
[Tue Feb 19 22:50:58 CST 2019] Removing DNS records.
[Tue Feb 19 22:51:05 CST 2019] Verify finished, start to sign.
[Tue Feb 19 22:53:35 CST 2019] Cert success.
-----BEGIN CERTIFICATE-----
#这里会显示证书文本#
-----END CERTIFICATE-----
[Tue Feb 19 22:53:35 CST 2019] Your cert is in /root/.acme.sh/*.blackice.me/*.blackice.me.cer
[Tue Feb 19 22:53:35 CST 2019] Your cert key is in /root/.acme.sh/*.blackice.me/*.blackice.me.key
[Tue Feb 19 22:53:35 CST 2019] The intermediate CA cert is in /root/.acme.sh/*.blackice.me/ca.cer
[Tue Feb 19 22:53:35 CST 2019] And the full chain certs is there: /root/.acme.sh/*.blackice.me/fullchain.cer
网友评论