acme.sh Certificate Installation Tutorial
acme.sh Usage Guide
This article shows how to use acme.sh to quickly request and install an SSL/TLS certificate on a server (Debian 12 is used throughout as the example).
Install socat
# --run--
apt install -y socat
- Installs the socat tool, a network and file-transfer utility; acme.sh's standalone mode needs it to listen for HTTP requests. The -y flag confirms the installation automatically.
Download and install acme.sh
# --run--
curl https://get.acme.sh | sh
Normally you will see:
root@iZt4n155ju3i8jfxj1szssZ:~# curl https://get.acme.sh | sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1032 0 1032 0 0 3318 0 --:--:-- --:--:-- --:--:-- 3318
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 220k 100 220k 0 0 5814k 0 --:--:-- --:--:-- --:--:-- 5971k
[Mon 18 Nov 2024 03:25:41 PM CST] Installing from online archive.
[Mon 18 Nov 2024 03:25:41 PM CST] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Mon 18 Nov 2024 03:25:41 PM CST] Extracting master.tar.gz
[Mon 18 Nov 2024 03:25:41 PM CST] Installing to /root/.acme.sh
[Mon 18 Nov 2024 03:25:41 PM CST] Installed to /root/.acme.sh/acme.sh
[Mon 18 Nov 2024 03:25:41 PM CST] Installing alias to '/root/.bashrc'
[Mon 18 Nov 2024 03:25:41 PM CST] Close and reopen your terminal to start using acme.sh
[Mon 18 Nov 2024 03:25:41 PM CST] Installing cron job
36 7 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Mon 18 Nov 2024 03:25:42 PM CST] bash has been found. Changing the shebang to use bash as preferred.
[Mon 18 Nov 2024 03:25:43 PM CST] OK
[Mon 18 Nov 2024 03:25:43 PM CST] Install success!
- Downloads the script from the official acme.sh site with curl and pipes it straight into sh, which runs it and installs acme.sh into your home directory (~/.acme.sh).
- Once installed, you run the tool as ~/.acme.sh/acme.sh.
Register an ACME account
# --run--
~/.acme.sh/acme.sh --register-account -m wapyyds@outlook.com
- This step registers an account with the ACME service: --register-account is the registration flag, and -m wapyyds@outlook.com is the contact email; the ACME provider uses it to reach you (for example when a certificate is about to expire).
Normally you will see:
root@iZt4n155ju3i8jfxj1szssZ:~# ~/.acme.sh/acme.sh --register-account -m wapyyds@outlook.com
[Mon 18 Nov 2024 03:27:28 PM CST] Registering account: https://acme.zerossl.com/v2/DV90
[Mon 18 Nov 2024 03:27:30 PM CST] Already registered
[Mon 18 Nov 2024 03:27:30 PM CST] ACCOUNT_THUMBPRINT='LkH4f2VwvBQQlNn_ZYbXdsx455Uw8b84AIOIbkaE4maI'
Upgrade acme.sh and enable auto-upgrade
# --run--
~/.acme.sh/acme.sh --upgrade --auto-upgrade
Normally you will see:
root@iZt4n155ju3i8jfxj1szssZ:~# ~/.acme.sh/acme.sh --upgrade --auto-upgrade
[Mon 18 Nov 2024 03:37:18 PM CST] Already up to date!
[Mon 18 Nov 2024 03:37:18 PM CST] Upgrade successful!
- Manually upgrades acme.sh to the latest version. --auto-upgrade turns on automatic upgrades so future releases are fetched without intervention.
DNS verification (proof of domain ownership)
# --run--
~/.acme.sh/acme.sh --issue --dns -d wapyyds.online \
--yes-I-know-dns-manual-mode-enough-go-ahead-please
You will see:
root@iZt4n155ju3i8jfxj1szssZ:~/easyweb# ~/.acme.sh/acme.sh --issue --dns -d wapyyds.online \
--yes-I-know-dns-manual-mode-enough-go-ahead-please
[Mon 18 Nov 2024 04:24:32 PM CST] Using CA: https://acme.zerossl.com/v2/DV90
[Mon 18 Nov 2024 04:24:32 PM CST] Creating domain key
[Mon 18 Nov 2024 04:24:32 PM CST] The domain key is here: /root/.acme.sh/wapyyds.online_ecc/wapyyds.online.key
[Mon 18 Nov 2024 04:24:32 PM CST] Single domain='wapyyds.online'
[Mon 18 Nov 2024 04:24:36 PM CST] Getting webroot for domain='wapyyds.online'
[Mon 18 Nov 2024 04:24:36 PM CST] Add the following TXT record:
[Mon 18 Nov 2024 04:24:36 PM CST] Domain: '_acme-challenge.wapyyds.online'
[Mon 18 Nov 2024 04:24:36 PM CST] TXT value: 'bKAuAl2QvXYasHEslW2cbkspddDcLt-srQzImsdqpk54'
[Mon 18 Nov 2024 04:24:36 PM CST] Please make sure to prepend '_acme-challenge.' to your domain
[Mon 18 Nov 2024 04:24:36 PM CST] so that the resulting subdomain is: _acme-challenge.wapyyds.online
[Mon 18 Nov 2024 04:24:36 PM CST] Please add the TXT records to the domains, and re-run with --renew.
[Mon 18 Nov 2024 04:24:36 PM CST] Please add '--debug' or '--log' to see more information.
[Mon 18 Nov 2024 04:24:36 PM CST] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
- The DNS record to add is of type TXT, with the value bKAuAl2QvXYasHEslW2cbkspddDcLt-srQzImsdqpk54.
Force-issue the certificate
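A readiness check for the manual DNS step above, added here as an example (not part of the original post): it polls for the _acme-challenge TXT record and only reports success once a public resolver returns the exact value acme.sh printed, so you do not re-run with --renew before the record has propagated. It assumes dig (Debian package dnsutils) is installed; the choice of resolver 1.1.1.1 and the 10-second interval are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Confirms the _acme-challenge TXT
# record is visible before re-running acme.sh --renew in manual DNS mode.
# Assumes `dig` is installed; resolver 1.1.1.1 is a constructed choice.

# txt_matches DIG_OUTPUT EXPECTED -> 0 if any returned record equals EXPECTED.
# dig +short prints each TXT record quoted, and long values may be split into
# several quoted chunks ("abc" "def"); strip quotes and spaces before comparing.
txt_matches() {
    [ -n "$2" ] || return 1
    printf '%s\n' "$1" | tr -d '" ' | grep -qxF -- "$2"
}

# wait_for_txt DOMAIN EXPECTED [ATTEMPTS] -> 0 once the record is live.
# Queries a public resolver rather than the local cache so a stale local
# answer cannot produce a false positive.
wait_for_txt() {
    name="_acme-challenge.$1"
    expected=$2
    attempts=${3:-12}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        out=$(dig +short TXT "$name" @1.1.1.1 2>/dev/null || true)
        if txt_matches "$out" "$expected"; then
            echo "TXT record for $name is live; now re-run acme.sh with --renew -d $1"
            return 0
        fi
        i=$((i + 1))
        echo "attempt $i/$attempts: record not visible yet, sleeping 10s" >&2
        sleep 10
    done
    echo "TXT record for $name never matched '$expected'" >&2
    return 1
}

# Only touch the network when run with arguments, e.g.:
#   sh check_txt.sh wapyyds.online bKAuAl2QvXYasHEslW2cbkspddDcLt-srQzImsdqpk54
if [ "$#" -ge 2 ]; then
    wait_for_txt "$1" "$2"
fi
```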
# --run--
~/.acme.sh/acme.sh --force --issue -d zzblog.wapyyds.online --standalone
- --force forces a fresh certificate request even if the existing certificate has not yet expired.
- --issue is the command that requests a certificate.
- -d zzblog.wapyyds.online specifies the domain to request the certificate for.
- --standalone selects standalone mode: acme.sh starts a temporary local HTTP server on port 80 to complete the ACME validation.
Warning
This means whatever is serving on port 80 must be stopped first, and your domain must already resolve to the server's IP. If you miss this, you will see an error like the following:
root@iZt4n155ju3i8jfxj1szssZ:~# ~/.acme.sh/acme.sh --force --issue -d zzblog.wapyyds.online --standalone
[Mon 18 Nov 2024 03:38:13 PM CST] Using CA: https://acme.zerossl.com/v2/DV90
[Mon 18 Nov 2024 03:38:13 PM CST] Standalone mode.
[Mon 18 Nov 2024 03:38:13 PM CST] LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=101256,fd=6),("nginx",pid=45275,fd=6))
[Mon 18 Nov 2024 03:38:13 PM CST] tcp port 80 is already used by (("nginx",pid=101256,fd=6),("nginx",pid=45275,fd=6))
[Mon 18 Nov 2024 03:38:13 PM CST] Please stop it first
[Mon 18 Nov 2024 03:38:13 PM CST] _on_before_issue.
Stop the service on port 80
- In my case the service is nginx (check which service you are running).
# --run--
service nginx stop
If all goes well, you will see:
root@iZt4n155ju3i8jfxj1szssZ:~# ~/.acme.sh/acme.sh --force --issue -d zzblog.wapyyds.online --standalone
[Mon 18 Nov 2024 03:42:29 PM CST] Using CA: https://acme.zerossl.com/v2/DV90
[Mon 18 Nov 2024 03:42:29 PM CST] Standalone mode.
[Mon 18 Nov 2024 03:42:29 PM CST] Creating domain key
[Mon 18 Nov 2024 03:42:29 PM CST] The domain key is here: /root/.acme.sh/zzblog.wapyyds.online_ecc/zzblog.wapyyds.online.key
[Mon 18 Nov 2024 03:42:29 PM CST] Single domain='zzblog.wapyyds.online'
[Mon 18 Nov 2024 03:42:33 PM CST] Getting webroot for domain='zzblog.wapyyds.online'
[Mon 18 Nov 2024 03:42:34 PM CST] Verifying: zzblog.wapyyds.online
[Mon 18 Nov 2024 03:42:34 PM CST] Standalone mode server
[Mon 18 Nov 2024 03:42:36 PM CST] Processing. The CA is processing your order, please wait. (1/30)
[Mon 18 Nov 2024 03:42:40 PM CST] Success
[Mon 18 Nov 2024 03:42:40 PM CST] Verification finished, beginning signing.
[Mon 18 Nov 2024 03:42:40 PM CST] Let's finalize the order.
[Mon 18 Nov 2024 03:42:40 PM CST] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/qJZAnE58aVtA432HHcrHSQ/finalize'
[Mon 18 Nov 2024 03:42:42 PM CST] Order status is 'processing', let's sleep and retry.
[Mon 18 Nov 2024 03:42:42 PM CST] Sleeping for 15 seconds then retrying
[Mon 18 Nov 2024 03:42:58 PM CST] Polling order status: https://acme.zerossl.com/v2/DV90/order/qJZAnE58aVtA432HHcrHSQ
[Mon 18 Nov 2024 03:42:59 PM CST] Downloading cert.
[Mon 18 Nov 2024 03:42:59 PM CST] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/Z22FLXM9dRHmyRt9pmXRfA'
[Mon 18 Nov 2024 03:43:00 PM CST] Cert success.
[Mon 18 Nov 2024 03:43:00 PM CST] Your cert is in: /root/.acme.sh/zzblog.wapyyds.online_ecc/zzblog.wapyyds.online.cer
[Mon 18 Nov 2024 03:43:00 PM CST] Your cert key is in: /root/.acme.sh/zzblog.wapyyds.online_ecc/zzblog.wapyyds.online.key
[Mon 18 Nov 2024 03:43:00 PM CST] The intermediate CA cert is in: /root/.acme.sh/zzblog.wapyyds.online_ecc/ca.cer
[Mon 18 Nov 2024 03:43:00 PM CST] And the full-chain cert is in: /root/.acme.sh/zzblog.wapyyds.online_ecc/fullchain.cer
Install the certificate
# --run--
~/.acme.sh/acme.sh --installcert -d zzblog.wapyyds.online --key-file /root/easyweb/private.key --fullchain-file /root/easyweb/cert.crt
- Installs the issued certificate to the specified paths: --key-file /root/easyweb/private.key is where the private key is written, and --fullchain-file /root/easyweb/cert.crt is where the full certificate chain is written.
- These files can then be used to configure a web server (such as Nginx or Apache) for HTTPS.
If everything went fine, you will see:
root@iZt4n155ju3i8jfxj1szssZ:~# ~/.acme.sh/acme.sh --installcert -d zzblog.wapyyds.online --key-file /root/easyweb/private.key --fullchain-file /root/easyweb/cert.crt
[Mon 18 Nov 2024 03:44:24 PM CST] The domain 'zzblog.wapyyds.online' seems to already have an ECC cert, let's use it.
[Mon 18 Nov 2024 03:44:24 PM CST] Installing key to: /root/easyweb/private.key
[Mon 18 Nov 2024 03:44:24 PM CST] Installing full chain to: /root/easyweb/cert.crt
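Once --installcert has written the two files, a quick verification before pointing Nginx at them, added here as an example (not from the original post): it checks that the private key is not readable by other users, that the key actually matches the certificate in cert.crt, and how many days of validity remain. It assumes openssl and GNU coreutils (stat, date) as found on Debian 12; the 600/400 mode requirement is my own assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Sanity checks on the files that
# `acme.sh --installcert` wrote, before the web server is configured with them.
# Assumes openssl and GNU stat/date; the 600/400 mode rule is an assumption.

# key_matches_cert KEY CERT -> 0 if CERT's public key was derived from KEY.
# Compares the SubjectPublicKeyInfo PEM extracted from each side.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout -outform PEM 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# key_is_private FILE -> 0 if only the owner can read it (mode 600 or 400).
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# cert_days_left CERT -> prints whole days until notAfter (negative if expired).
cert_days_left() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end=$(date -d "$not_after" +%s)
    now=$(date +%s)
    echo $(( (end - now) / 86400 ))
}

# verify_installed KEY CERT -> 0 when every check passes; reports each failure.
verify_installed() {
    rc=0
    key_is_private "$1"        || { echo "FAIL: $1 is readable by others (expected mode 600)" >&2; rc=1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: public key in $2 does not match $1" >&2; rc=1; }
    days=$(cert_days_left "$2")
    [ "$days" -gt 0 ]          || { echo "FAIL: $2 is already expired" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $2 valid for $days more days; key matches and is private"
    return $rc
}

# Only run against real files when given paths, e.g.:
#   sh verify_cert.sh /root/easyweb/private.key /root/easyweb/cert.crt
if [ "$#" -ge 2 ]; then
    verify_installed "$1" "$2"
fi
```

A non-zero exit from verify_installed means the web server should not be restarted with these files until the reported problem is fixed.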
Full workflow overview
- Install the required tool (socat).
- Install acme.sh and register an account.
- Use acme.sh to request a certificate from an ACME provider (usually Let's Encrypt).
- Install the certificate to the chosen paths for the web server to use.
Important
Certificates are valid for 90 days by default; acme.sh handles renewal automatically.
If you want to trigger a renewal manually, run:
# --run--
~/.acme.sh/acme.sh --renew -d zzblog.wapyyds.online
If you have read this far, congratulations, you have picked up another small skill!
My personal site 仔仔引导页, and of course my personal blog ZZのBlog.