紀錄一下Linux 除了certbot 之外好用的SSL Auto Renew工具acme.sh
官方網站介紹
https://github.com/Neilpang/acme.sh
優點如下:
1.支援 DNS base驗證並結合API,目前結合DNS API請參考網址
https://github.com/Neilpang/acme.sh/tree/master/dnsapi
2.支援 File base驗證整合WebServer 設定,獲取SSL憑證
3.Auto renew
整體流程如下:
1.取得Cloudflare DNS API key
2.安裝acme.sh
3.產生證書
4.更新acme.sh
5.自帶CSR獲取SSL憑證
6.透過File base驗證
1.取得Cloudflare DNS API key
登入Cloudflare >> my profile >> View API key
2.安裝acme.sh
#curl https://get.acme.sh | sh
安裝完成後,系統自動建立crond (方便自動更新證書) & 建立 alias
3.產生證書
export cloudflare API
#export CF_Key="sdfsd70504dlkjsdf630wje"
#export CF_Email="xxxx@test.com"
獲取證書
#acme.sh --issue --dns dns_cf -d forti-tw.imprezagt1031.idv.tw
如果FQDN 不是在同一個cloudflare帳戶下,那DNS API 金鑰也不會不同組,可以指定–accountconf 來分別建立
#acme.sh --issue --dns dns_cf -d forti-tw.imprezagt1031.idv.tw --accountconf /root/.acme.sh/account_test.conf
[Wed Apr 11 00:46:53 CST 2018] Creating domain key [Wed Apr 11 00:46:53 CST 2018] The domain key is here: /root/.acme.sh/forti-tw.imprezagt1031.idv.tw/forti-tw.imprezagt1031.idv.tw.key [Wed Apr 11 00:46:53 CST 2018] Single domain='forti-tw.imprezagt1031.idv.tw' [Wed Apr 11 00:46:53 CST 2018] Getting domain auth token for each domain [Wed Apr 11 00:46:53 CST 2018] Getting webroot for domain='forti-tw.imprezagt1031.idv.tw' [Wed Apr 11 00:46:53 CST 2018] Getting new-authz for domain='forti-tw.imprezagt1031.idv.tw' [Wed Apr 11 00:46:54 CST 2018] The new-authz request is ok. [Wed Apr 11 00:46:54 CST 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh [Wed Apr 11 00:46:57 CST 2018] Adding record [Wed Apr 11 00:46:58 CST 2018] Added, OK [Wed Apr 11 00:46:58 CST 2018] Sleep 120 seconds for the txt records to take effect [Wed Apr 11 00:48:59 CST 2018] Verifying:forti-tw.imprezagt1031.idv.tw [Wed Apr 11 00:49:02 CST 2018] Success [Wed Apr 11 00:49:02 CST 2018] Removing DNS records. [Wed Apr 11 00:49:04 CST 2018] Verify finished, start to sign. [Wed Apr 11 00:49:06 CST 2018] Cert success. -----BEGIN CERTIFICATE----- MIIGJjCCBQ6gAwIBAgISA3w9ji3WfjDbZJc37wxXMtWsMA0GCSqGSIb3DQEBCwUA ...省略... DyIb+SAYMTXK5a5qNZ1AOl9KD9uKpjqFFeqKc5oKMBUQskTraSV6S26KaYHG/R1a MhzC/Jn2yLx0kBi0zKtKRo9C//UMGMH7Knzgxl+Pd6z0TD9tmOrbYBpd -----END CERTIFICATE----- [Wed Apr 11 00:49:06 CST 2018] Your cert is in /root/.acme.sh/forti-tw.imprezagt1031.idv.tw/forti-tw.imprezagt1031.idv.tw.cer [Wed Apr 11 00:49:06 CST 2018] Your cert key is in /root/.acme.sh/forti-tw.imprezagt1031.idv.tw/forti-tw.imprezagt1031.idv.tw.key [Wed Apr 11 00:49:06 CST 2018] The intermediate CA cert is in /root/.acme.sh/forti-tw.imprezagt1031.idv.tw/ca.cer [Wed Apr 11 00:49:06 CST 2018] And the full chain certs is there: /root/.acme.sh/forti-tw.imprezagt1031.idv.tw/fullchain.cer
把SSL證書搬移到指定路徑
#acme.sh --installcert -d forti-tw.imprezagt1031.idv.tw --key-file /etc/nginx/ssl/domain.key --fullchain-file /etc/nginx/ssl/fullchain.cer --reloadcmd "service nginx force-reload"
4.更新acme.sh
#acme.sh --upgrade
5.自帶CSR獲取SSL憑證
#acme.sh --signcsr --csr /root/test.csr --dns dns_cf
6.透過File base驗證
讓ACME v2 Server獲取站台上.well-known/acme-challenge/亂數檔案,若能正常訪問,則能獲取SSL憑證
Ngnix設定
location ^~ /.well-known/acme-challenge/ { default_type "text/plain"; root /data/wwwroot/; }
透過File Base 獲取SSL憑證命令
#acme.sh --issue -d blog.imprezagt1031.idv.tw --webroot /data/wwwroot/
7.更換CA Server
#acme.sh --set-default-ca --server letsencrypt
8.註冊zerossl
#acme.sh --register-account -m fred123@gmail.com
9.查看目前頒布的SSL情況
#acme.sh --list
10.查看針對某個SSL證書內容
#acme.sh --info -d *.zbyl9.net