Generating a free Let's Encrypt certificate

Install acme.sh

```bash
root@secure-pony-4:~# acme.sh  --issue  -d deepin.tv --nginx
[Fri Jan 20 04:57:12 UTC 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Fri Jan 20 04:57:13 UTC 2023] Create account key ok.
[Fri Jan 20 04:57:13 UTC 2023] No EAB credentials found for ZeroSSL, let's get one
[Fri Jan 20 04:57:13 UTC 2023] acme.sh is using ZeroSSL as default CA now.
[Fri Jan 20 04:57:13 UTC 2023] Please update your account with an email address first.
[Fri Jan 20 04:57:13 UTC 2023] acme.sh --register-account -m my@example.com
[Fri Jan 20 04:57:13 UTC 2023] See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
[Fri Jan 20 04:57:13 UTC 2023] Please add '--debug' or '--log' to check more details.
[Fri Jan 20 04:57:13 UTC 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
```

As you can see, it complains that no email address has been configured for the account: Please update your account with an email address first.

```bash
# replace emailAddr with the address to register with the CA
curl https://get.acme.sh | sh -s email=emailAddr
```

After running it, the log looks like this:

```bash
[Fri Jan 20 05:03:17 UTC 2023] Installing from online archive.
[Fri Jan 20 05:03:17 UTC 2023] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Fri Jan 20 05:03:18 UTC 2023] Extracting master.tar.gz
[Fri Jan 20 05:03:18 UTC 2023] It is recommended to install socat first.
[Fri Jan 20 05:03:18 UTC 2023] We use socat for standalone server if you use standalone mode.
[Fri Jan 20 05:03:18 UTC 2023] If you don't use standalone mode, just ignore this warning.
[Fri Jan 20 05:03:18 UTC 2023] Installing to /root/.acme.sh
[Fri Jan 20 05:03:18 UTC 2023] Installed to /root/.acme.sh/acme.sh
[Fri Jan 20 05:03:18 UTC 2023] Installing alias to '/root/.bashrc'
[Fri Jan 20 05:03:18 UTC 2023] OK, Close and reopen your terminal to start using acme.sh
[Fri Jan 20 05:03:18 UTC 2023] Installing cron job
18 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Fri Jan 20 05:03:18 UTC 2023] Good, bash is found, so change the shebang to use bash as preferred.
[Fri Jan 20 05:03:19 UTC 2023] OK
[Fri Jan 20 05:03:19 UTC 2023] Install success!
root@secure-pony-4:~# acme.sh  --issue  -d deepin.tv  --nginx
[Fri Jan 20 05:03:42 UTC 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Fri Jan 20 05:03:42 UTC 2023] No EAB credentials found for ZeroSSL, let's get one
[Fri Jan 20 05:03:45 UTC 2023] Registering account: https://acme.zerossl.com/v2/DV90
[Fri Jan 20 05:03:50 UTC 2023] Registered
[Fri Jan 20 05:03:50 UTC 2023] ACCOUNT_THUMBPRINT='PcdRtlFcp_SkXLECutgjwTjGMGLwrS9LNmWfgu5lKjE'
[Fri Jan 20 05:03:50 UTC 2023] Creating domain key
[Fri Jan 20 05:03:51 UTC 2023] The domain key is here: /root/.acme.sh/deepin.tv/deepin.tv.key
[Fri Jan 20 05:03:51 UTC 2023] Single domain='deepin.tv'
[Fri Jan 20 05:03:51 UTC 2023] Getting domain auth token for each domain
[Fri Jan 20 05:03:56 UTC 2023] Getting webroot for domain='deepin.tv'
[Fri Jan 20 05:03:57 UTC 2023] Verifying: deepin.tv
[Fri Jan 20 05:03:57 UTC 2023] Nginx mode for domain:deepin.tv
[Fri Jan 20 05:03:57 UTC 2023] Can not find conf file for domain deepin.tv
[Fri Jan 20 05:03:57 UTC 2023] Please add '--debug' or '--log' to check more details.
[Fri Jan 20 05:03:57 UTC 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
```

This means nginx has no server block whose server_name is deepin.tv. Add one to the nginx configuration, then run the command again:

```bash
root@secure-pony-4:/etc/nginx# acme.sh  --issue  -d deepin.tv  --nginx
[Fri Jan 20 05:05:46 UTC 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Fri Jan 20 05:05:46 UTC 2023] Single domain='deepin.tv'
[Fri Jan 20 05:05:47 UTC 2023] Getting domain auth token for each domain
[Fri Jan 20 05:05:54 UTC 2023] Getting webroot for domain='deepin.tv'
[Fri Jan 20 05:05:54 UTC 2023] Verifying: deepin.tv
[Fri Jan 20 05:05:54 UTC 2023] Nginx mode for domain:deepin.tv
[Fri Jan 20 05:05:54 UTC 2023] Found conf file: /etc/nginx/nginx.conf
[Fri Jan 20 05:05:54 UTC 2023] Backup /etc/nginx/nginx.conf to /root/.acme.sh/deepin.tv/backup/deepin.tv.nginx.conf
[Fri Jan 20 05:05:54 UTC 2023] Check the nginx conf before setting up.
[Fri Jan 20 05:05:54 UTC 2023] OK, Set up nginx config file
[Fri Jan 20 05:05:54 UTC 2023] nginx conf is done, let's check it again.
[Fri Jan 20 05:05:54 UTC 2023] Reload nginx
......
......
[Fri Jan 20 05:06:29 UTC 2023] Cert success.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[Fri Jan 20 05:06:29 UTC 2023] Your cert is in: /root/.acme.sh/deepin.tv/deepin.tv.cer
[Fri Jan 20 05:06:29 UTC 2023] Your cert key is in: /root/.acme.sh/deepin.tv/deepin.tv.key
[Fri Jan 20 05:06:29 UTC 2023] The intermediate CA cert is in: /root/.acme.sh/deepin.tv/ca.cer
[Fri Jan 20 05:06:29 UTC 2023] And the full chain certs is there: /root/.acme.sh/deepin.tv/fullchain.cer
```

Install the certificate

```bash
# Copy the issued files into place and reload nginx after every renewal.
# acme.sh's README says not to use the ~/.acme.sh/ files directly: give separate
# destination paths (e.g. /etc/nginx/ssl/) and point nginx at those copies.
# The wildcard was not issued above; the '*' is quoted to avoid shell globbing.
acme.sh --install-cert -d deepin.tv -d '*.deepin.tv' \
  --key-file       /root/.acme.sh/deepin.tv/deepin.tv.key \
  --fullchain-file /root/.acme.sh/deepin.tv/fullchain.cer \
  --reloadcmd      "service nginx force-reload"
```

```nginx
# Worker processes run as root here. nginx's default unprivileged user (www-data
# or nginx) is the usual choice: the root-owned master process is what loads the
# certificate and key, so the workers do not need root to serve TLS.
user  root;
worker_processes  1;
error_log  /var/log/nginx/error.log  info;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen 443 ssl;
        server_name  deepin.tv;
        ssl_certificate /root/.acme.sh/deepin.tv/fullchain.cer;
        ssl_certificate_key /root/.acme.sh/deepin.tv/deepin.tv.key;
        location / {
            root   /home/gitblog/projects/blog;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

    # listen on port 80 and redirect to 443
    server {
        listen 80;
        server_name deepin.tv;
        rewrite ^/(.*)$ https://deepin.tv:443/$1 permanent;
    }
}
```
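After the two steps above (copying the certificate files into place and pointing nginx at them), a practitioner wants to confirm the deployment before relying on the reload. The following script is an added example, not part of the original post or of acme.sh itself: it checks that the certificate and private key nginx will load belong together, that the leaf certificate actually covers the server_name, and that more than 30 days of validity remain (acme.sh renews 90-day certificates after 60 days by default, so less than that means the cron renewal is not working). It assumes only the openssl command-line tool; the self-signed certificate for example.test that it builds is constructed purely for the demonstration, and the deepin.tv paths in the usage comment are the post's own.

```shell
#!/bin/sh
# Added example (not from the original post): post-deployment checks for the
# files nginx was just pointed at.
# Usage: check_tls_files <fullchain.pem> <key.pem> <expected hostname>, e.g.
#   check_tls_files /root/.acme.sh/deepin.tv/fullchain.cer \
#                   /root/.acme.sh/deepin.tv/deepin.tv.key deepin.tv
# Returns 0 when every check passes, 1 otherwise, and prints what failed.

check_tls_files() {
    chain="$1"; key="$2"; host="$3"

    # 1. Both files must exist and be non-empty; an empty key file is exactly
    #    what a botched copy leaves behind, and nginx then refuses to start.
    [ -s "$chain" ] || { echo "missing or empty certificate: $chain"; return 1; }
    [ -s "$key" ]   || { echo "missing or empty key: $key"; return 1; }

    # 2. The public key inside the leaf certificate must equal the public key
    #    derived from the private key. Both are emitted as SPKI PEM, so the
    #    text can be compared directly; this works for RSA and EC keys alike.
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "certificate and key do not match"; return 1; }

    # 3. The leaf must be valid for the host nginx serves (SAN, or CN fallback).
    openssl x509 -in "$chain" -noout -checkhost "$host" | grep -q 'does match' ||
        { echo "certificate is not valid for $host"; return 1; }

    # 4. acme.sh renews after 60 of the 90 days, so fewer than 30 days left
    #    means automatic renewal has been failing.
    openssl x509 -in "$chain" -noout -checkend $((30 * 24 * 3600)) >/dev/null ||
        { echo "certificate expires within 30 days"; return 1; }

    echo "ok: $host certificate and key are consistent"
    return 0
}

# Constructed sample input so the checks can be exercised offline: a throwaway
# self-signed 90-day certificate for example.test plus an unrelated RSA key.
# Prints the directory holding cert.pem, key.pem and other.pem.
make_sample() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=example.test" -addext "subjectAltName=DNS:example.test" \
        >/dev/null 2>&1
    openssl genpkey -algorithm RSA -out "$dir/other.pem" >/dev/null 2>&1
    echo "$dir"
}

# Demonstration run against the constructed files.
sample_dir=$(make_sample)
check_tls_files "$sample_dir/cert.pem" "$sample_dir/key.pem" example.test
check_tls_files "$sample_dir/cert.pem" "$sample_dir/other.pem" example.test
```

Run it as root on the server with the real paths; a non-zero exit from the first call is a reason to restore the backup acme.sh made (see the "Backup" line in the log above) rather than to reload nginx.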

```bash
# force a renewal right now instead of waiting for the cron job
acme.sh --renew -d deepin.tv --force
```

When acme.sh is installed it automatically creates a cron job that checks all certificates once a day and renews any that are due. Use crontab -l to view the crontab entry:

```bash
46 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
```

```bash
# upgrade acme.sh once
acme.sh --upgrade

# keep upgrading automatically
acme.sh  --upgrade  --auto-upgrade
```