Configuring HTTPS access in Nginx: requesting a free SSL certificate and renewing it automatically (full command walkthrough)

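The validity period of Alibaba Cloud's free SSL certificates has been cut from one year to three months, which makes them tedious to maintain.
This post records how to use acme.sh on CentOS 7.9 to request a free certificate and renew it automatically, so you no longer have to worry about SSL certificates expiring.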

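acme.sh is an open-source ACME client written in pure shell that automatically requests and renews HTTPS certificates. Compared with other tools, acme.sh is lighter weight: it is a single script with nothing to compile or install, and it is non-intrusive, making no changes to any web server configuration.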

# Install acme
[root@webf ~]# curl https://get.acme.sh | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  1032    0  1032    0     0    197      0 --:--:--  0:00:05 --:--:--   218
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  217k  100  217k    0     0  14749      0  0:00:15  0:00:15 --:--:--  9779
[Wed Mar 20 09:30:32 CST 2024] Installing from online archive.
[Wed Mar 20 09:30:32 CST 2024] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Wed Mar 20 09:30:34 CST 2024] Extracting master.tar.gz
[Wed Mar 20 09:30:34 CST 2024] Installing to /root/.acme.sh
[Wed Mar 20 09:30:34 CST 2024] Installed to /root/.acme.sh/acme.sh
[Wed Mar 20 09:30:34 CST 2024] Installing alias to '/root/.bashrc'
[Wed Mar 20 09:30:34 CST 2024] OK, Close and reopen your terminal to start using acme.sh
[Wed Mar 20 09:30:34 CST 2024] Installing alias to '/root/.cshrc'
[Wed Mar 20 09:30:34 CST 2024] Installing alias to '/root/.tcshrc'
[Wed Mar 20 09:30:35 CST 2024] Installing cron job
58 7 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Wed Mar 20 09:30:35 CST 2024] Good, bash is found, so change the shebang to use bash as preferred.
[Wed Mar 20 09:30:36 CST 2024] OK
[Wed Mar 20 09:30:36 CST 2024] Install success!

# Manually request a wildcard certificate
[root@webf ~]# ~/.acme.sh/acme.sh --issue --force -d *.xxx.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Wed Mar 20 10:01:25 CST 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Wed Mar 20 10:01:25 CST 2024] Creating domain key
[Wed Mar 20 10:01:25 CST 2024] The domain key is here: /root/.acme.sh/*.xxx.com_ecc/*.xxx.com.key
[Wed Mar 20 10:01:25 CST 2024] Single domain='*.xxx.com'
[Wed Mar 20 10:01:29 CST 2024] Getting webroot for domain='*.xxx.com'
[Wed Mar 20 10:01:29 CST 2024] Add the following TXT record:
[Wed Mar 20 10:01:29 CST 2024] Domain: '_acme-challenge.xxx.com'
[Wed Mar 20 10:01:29 CST 2024] TXT value: 'TgxdGIWCS7GheIj14BnCDcJA1zI6HMpqMrxYePV9_Yk'
[Wed Mar 20 10:01:29 CST 2024] Please be aware that you prepend _acme-challenge. before your domain
[Wed Mar 20 10:01:29 CST 2024] so the resulting subdomain will be: _acme-challenge.xxx.com
[Wed Mar 20 10:01:29 CST 2024] Please add the TXT records to the domains, and re-run with --renew.
[Wed Mar 20 10:01:29 CST 2024] Please check log file for more details: /root/.acme.sh/acme.sh.log

In the DNS settings for xxx.com, add a TXT record named _acme-challenge.xxx.com whose value is the one generated above: TgxdGIWCS7GheIj14BnCDcJA1zI6HMpqMrxYePV9_Yk
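The log above asks you to re-run with --renew once the TXT record exists, and validation only succeeds if resolvers return the value exactly as printed. The check below is an added example, not part of the original post: the resolver addresses and the RUN_RENEW switch are assumptions, and the TXT value is the sample from the log above.

```shell
#!/usr/bin/env bash
# Added example: confirm the _acme-challenge TXT record is published
# before re-running acme.sh with --renew.

# txt_published EXPECTED DIG_OUTPUT
# Returns 0 when one TXT string in `dig +short TXT` output equals EXPECTED
# exactly. Other values (for example a stale record left over from an
# earlier run) may coexist and are ignored.
txt_published() {
    local expected="$1" answers="$2" line
    [ -n "$expected" ] || return 1
    while IFS= read -r line; do
        line=${line#\"}      # dig +short wraps each TXT string in quotes
        line=${line%\"}
        if [ "$line" = "$expected" ]; then
            return 0
        fi
    done <<EOF
$answers
EOF
    return 1
}

# check_resolvers NAME EXPECTED RESOLVER...
# Every listed resolver must already return the expected value.
check_resolvers() {
    local name="$1" expected="$2" r
    shift 2
    for r in "$@"; do
        if ! txt_published "$expected" "$(dig +short TXT "$name" "@$r")"; then
            echo "TXT value not visible on $r yet" >&2
            return 1
        fi
    done
}

# Guarded so that sourcing this file only defines the functions.
if [ "${RUN_RENEW:-0}" = 1 ]; then
    TXT_VALUE='TgxdGIWCS7GheIj14BnCDcJA1zI6HMpqMrxYePV9_Yk'   # from the log above
    # 223.5.5.5 and 8.8.8.8 are assumed public resolvers; substitute your own.
    check_resolvers '_acme-challenge.xxx.com' "$TXT_VALUE" 223.5.5.5 8.8.8.8 &&
        ~/.acme.sh/acme.sh --renew -d '*.xxx.com' \
            --yes-I-know-dns-manual-mode-enough-go-ahead-please
fi
```

Run it with RUN_RENEW=1 after saving the DNS record; it stops with a message naming the resolver that does not return the value yet.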

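Full commands: https://www.laobingbiji.com/page/202403201143160000000010672815.html

With the steps above, the SSL certificate has been issued and a scheduled task set up to renew it automatically. For configuring the SSL certificate in Nginx, see:

Nginx configuration file nginx.conf (SSL certificate)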
