Reference: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
This method is officially not recommended: it cannot renew automatically (i.e. renewal has to be done by hand).
Generating a certificate with acme.sh in DNS manual mode
It probably needs a machine with a public IP, at least that's how I did it; I'll verify this later.
Tested on 2018-12-10: it works in a virtual machine, no public IP needed.
1. Installation
curl https://get.acme.sh | sh
2. Make sure nginx and apache on the server are not running and not holding port 80 (not needed in DNS manual mode)
3. Get to work
It is a single command. It stops with what looks like an error: acme.sh finds no DNS API hook named dns-01, falls back to manual mode, and asks you to add two TXT records to the DNS zone.
root@david-test:~/.acme.sh# acme.sh --issue -d bombstory.com -d *.bombstory.com --dns dns-01
[Wed Dec 5 11:58:54 UTC 2018] Multi domain='DNS:bombstory.com,DNS:*.bombstory.com'
[Wed Dec 5 11:58:54 UTC 2018] Getting domain auth token for each domain
[Wed Dec 5 11:58:56 UTC 2018] Getting webroot for domain='bombstory.com'
[Wed Dec 5 11:58:56 UTC 2018] Getting webroot for domain='*.bombstory.com'
[Wed Dec 5 11:58:57 UTC 2018] Can not find dns api hook for: dns-01
[Wed Dec 5 11:58:57 UTC 2018] You need to add the txt record manually.
[Wed Dec 5 11:58:57 UTC 2018] Add the following TXT record:
[Wed Dec 5 11:58:57 UTC 2018] Domain: '_acme-challenge.bombstory.com'
[Wed Dec 5 11:58:57 UTC 2018] TXT value: 'nuV36UCKAvU3KiWLFkAxNIQAVahmmnC5witMoOrk7MQ'
[Wed Dec 5 11:58:57 UTC 2018] Please be aware that you prepend _acme-challenge. before your domain
[Wed Dec 5 11:58:57 UTC 2018] so the resulting subdomain will be: _acme-challenge.bombstory.com
[Wed Dec 5 11:58:57 UTC 2018] Can not find dns api hook for: dns-01
[Wed Dec 5 11:58:57 UTC 2018] You need to add the txt record manually.
[Wed Dec 5 11:58:57 UTC 2018] Add the following TXT record:
[Wed Dec 5 11:58:57 UTC 2018] Domain: '_acme-challenge.bombstory.com'
[Wed Dec 5 11:58:57 UTC 2018] TXT value: 'HKXRN73W33CZnDCsUgXxCDDrgsn5xMagUPaMZl4yjkU'
[Wed Dec 5 11:58:57 UTC 2018] Please be aware that you prepend _acme-challenge. before your domain
[Wed Dec 5 11:58:57 UTC 2018] so the resulting subdomain will be: _acme-challenge.bombstory.com
[Wed Dec 5 11:58:57 UTC 2018] Please add the TXT records to the domains, and re-run with --renew.
[Wed Dec 5 11:58:57 UTC 2018] Please add '--debug' or '--log' to check more details.
[Wed Dec 5 11:58:57 UTC 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
4. Add the DNS records
As shown in the image below:
5. Wait a moment, then run the command again, this time appending the --renew parameter
root@david-test:~/.acme.sh# acme.sh --issue -d bombstory.com -d *.bombstory.com --dns dns-01 --renew
[Wed Dec 5 12:02:09 UTC 2018] Renew: 'bombstory.com'
[Wed Dec 5 12:02:10 UTC 2018] Multi domain='DNS:bombstory.com,DNS:*.bombstory.com'
[Wed Dec 5 12:02:10 UTC 2018] Getting domain auth token for each domain
[Wed Dec 5 12:02:10 UTC 2018] Verifying:bombstory.com
[Wed Dec 5 12:02:14 UTC 2018] Success
[Wed Dec 5 12:02:14 UTC 2018] Verifying:*.bombstory.com
[Wed Dec 5 12:02:17 UTC 2018] Pending
[Wed Dec 5 12:02:20 UTC 2018] Success
[Wed Dec 5 12:02:20 UTC 2018] Verify finished, start to sign.
[Wed Dec 5 12:02:22 UTC 2018] Cert success.
-----BEGIN CERTIFICATE-----
......(a long stretch of irrelevant output omitted here)......
-----END CERTIFICATE-----
[Wed Dec 5 12:02:22 UTC 2018] Your cert is in /root/.acme.sh/bombstory.com/bombstory.com.cer
[Wed Dec 5 12:02:22 UTC 2018] Your cert key is in /root/.acme.sh/bombstory.com/bombstory.com.key
[Wed Dec 5 12:02:22 UTC 2018] The intermediate CA cert is in /root/.acme.sh/bombstory.com/ca.cer
[Wed Dec 5 12:02:22 UTC 2018] And the full chain certs is there: /root/.acme.sh/bombstory.com/fullchain.cer
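Both TXT values above are published under the same name, _acme-challenge.bombstory.com, so before the re-run in step 5 a lookup should return both of them, not only the one added last. The following shell script is an added example, not code from the original post or from acme.sh: it takes the record name and the two TXT values from the output above, checks them against a constructed sample of `dig +short TXT` output (both a fully and a half-propagated zone), and the check_live_txt function is an assumption about what you would run against your own zone, querying a public resolver rather than the local cache.

```shell
# Added example (not from the original post): confirm that every TXT value
# acme.sh asked for is visible in DNS before re-running with --renew.

# Record name and values copied from the acme.sh output above.
CHALLENGE_NAME="_acme-challenge.bombstory.com"
EXPECTED_TXT="nuV36UCKAvU3KiWLFkAxNIQAVahmmnC5witMoOrk7MQ
HKXRN73W33CZnDCsUgXxCDDrgsn5xMagUPaMZl4yjkU"

# Constructed sample of what `dig +short TXT _acme-challenge.bombstory.com`
# prints once both records have propagated (dig quotes TXT strings).
SAMPLE_DIG_OUTPUT='"HKXRN73W33CZnDCsUgXxCDDrgsn5xMagUPaMZl4yjkU"
"nuV36UCKAvU3KiWLFkAxNIQAVahmmnC5witMoOrk7MQ"'

# Constructed sample of a half-propagated zone: only one value present.
SAMPLE_DIG_PARTIAL='"nuV36UCKAvU3KiWLFkAxNIQAVahmmnC5witMoOrk7MQ"'

# strip_txt_quotes: turn dig's quoted TXT strings into bare values, one per
# line; also joins the `" "` segments dig uses for long TXT records.
strip_txt_quotes() {
    sed -e 's/^"//' -e 's/"$//' -e 's/" "//g'
}

# txt_records_present DIG_OUTPUT EXPECTED
# Returns 0 when every expected value appears in the dig output; otherwise
# prints the missing values to stderr and returns 1.
txt_records_present() {
    dig_output="$1"
    expected="$2"
    seen=$(printf '%s\n' "$dig_output" | strip_txt_quotes)
    missing=0
    for value in $expected; do
        if ! printf '%s\n' "$seen" | grep -qxF "$value"; then
            echo "missing TXT value: $value" >&2
            missing=1
        fi
    done
    return $missing
}

# check_live_txt [RESOLVER]: ask a public resolver (default 1.1.1.1, an
# assumption) instead of the local cache and apply the same comparison.
# Needs dig; not exercised offline.
check_live_txt() {
    resolver="${1:-1.1.1.1}"
    txt_records_present "$(dig +short TXT "$CHALLENGE_NAME" "@$resolver")" "$EXPECTED_TXT"
}
```

Run check_live_txt until it returns 0, then re-run acme.sh with --renew; a missing value means the zone has not propagated yet (or only one of the two records was entered).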
6. Of these, two files are needed:
The key: /root/.acme.sh/bombstory.com/bombstory.com.key
The certificate: /root/.acme.sh/bombstory.com/fullchain.cer
Update, 2018-12-10
Renewing a certificate generated in DNS manual mode:
1. Do not delete the two DNS records
2. This certificate was made 4 days ago and has 85 days left
ops@zabbix2:~$ zabbix_get -s 127.0.0.1 -k https.remaining[bombstory.com]
85
3. Manual renewal:
root@david-test:~/.acme.sh# acme.sh --renew -d bombstory.com --force
[Mon Dec 10 05:14:54 UTC 2018] Renew: 'bombstory.com'
[Mon Dec 10 05:14:55 UTC 2018] Multi domain='DNS:bombstory.com,DNS:*.bombstory.com'
[Mon Dec 10 05:14:55 UTC 2018] Getting domain auth token for each domain
[Mon Dec 10 05:14:57 UTC 2018] Getting webroot for domain='bombstory.com'
[Mon Dec 10 05:14:57 UTC 2018] Getting webroot for domain='*.bombstory.com'
[Mon Dec 10 05:14:57 UTC 2018] bombstory.com is already verified, skip dns-01.
[Mon Dec 10 05:14:57 UTC 2018] *.bombstory.com is already verified, skip dns-01.
[Mon Dec 10 05:14:57 UTC 2018] Verify finished, start to sign.
[Mon Dec 10 05:15:00 UTC 2018] Cert success.
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
[Mon Dec 10 05:15:00 UTC 2018] Your cert is in /root/.acme.sh/bombstory.com/bombstory.com.cer
[Mon Dec 10 05:15:00 UTC 2018] Your cert key is in /root/.acme.sh/bombstory.com/bombstory.com.key
[Mon Dec 10 05:15:00 UTC 2018] The intermediate CA cert is in /root/.acme.sh/bombstory.com/ca.cer
[Mon Dec 10 05:15:00 UTC 2018] And the full chain certs is there: /root/.acme.sh/bombstory.com/fullchain.cer
root@david-test:~/.acme.sh# sz /root/.acme.sh/bombstory.com/fullchain.cer
4. Replace the certificate files and reload nginx
root@bombstory:/etc/nginx/ssl# ls -l
total 12
-rw-r--r-- 1 root root 1675 Dec 5 19:51 bombstory.com.key
-rw-r--r-- 1 root root 3575 Dec 10 13:15 fullchain.cer
-rw-r--r-- 1 root root 3575 Dec 5 20:02 fullchain.cerbak
root@bombstory:/etc/nginx/ssl# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@bombstory:/etc/nginx/ssl# nginx -s reload
5. Check again: success
ops@zabbix2:~$ zabbix_get -s 127.0.0.1 -k https.remaining[bombstory.com]
89
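Because DNS manual mode cannot renew on its own, the number the post reads from Zabbix (https.remaining[bombstory.com]) is what actually protects against an expired certificate. The post does not show how that Zabbix item is implemented; the shell script below is an added example, not the post's or acme.sh's code, of one way to compute the same number from a certificate's notAfter date and to flag when a manual renewal is due. It assumes GNU date (for `date -d`) and openssl; the two notAfter values are constructed from the signing times in the output above plus Let's Encrypt's 90-day certificate lifetime, and the 30-day threshold is an assumed policy.

```shell
# Added example (not from the original post): days left on a certificate,
# the figure the post reads as https.remaining[bombstory.com].

# days_remaining NOT_AFTER [NOW]
# NOT_AFTER is the text openssl prints after "notAfter=", e.g.
# "Mar  5 12:02:22 2019 GMT". NOW defaults to the current time; passing it
# explicitly lets the arithmetic be checked offline.
days_remaining() {
    end_epoch=$(date -u -d "$1" +%s)         # GNU date parses openssl's format
    now_epoch=$(date -u -d "${2:-now}" +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# renewal_due NOT_AFTER THRESHOLD [NOW]
# Exit status 0 when fewer than THRESHOLD days remain (time to renew by hand),
# 1 otherwise.
renewal_due() {
    [ "$(days_remaining "$1" "$3")" -lt "$2" ]
}

# cert_days_remaining FILE: read notAfter from a PEM certificate such as
# /root/.acme.sh/bombstory.com/fullchain.cer and hand it to days_remaining.
# Needs openssl; not exercised offline.
cert_days_remaining() {
    days_remaining "$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')"
}

# Constructed values: the post's certificate was signed on Dec 5 12:02:22 UTC
# 2018 and Let's Encrypt certificates are valid for 90 days, so notAfter would
# be Mar 5 12:02:22 2019 GMT; the renewal signed on Dec 10 05:15:00 UTC 2018
# would likewise end on Mar 10 05:15:00 2019 GMT.
ORIGINAL_NOT_AFTER="Mar  5 12:02:22 2019 GMT"
RENEWED_NOT_AFTER="Mar 10 05:15:00 2019 GMT"
RENEW_THRESHOLD_DAYS=30   # assumed policy, not from the post
```

With these inputs, days_remaining reproduces the post's 85 (checked on Dec 10, five days after signing) and 89 (checked minutes after the renewal); wiring cert_days_remaining into a Zabbix user parameter or a cron job with renewal_due gives the alert the post relies on.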