Using acme.sh to obtain a certificate (including wildcard certificates)
Contents
- 1 Obtaining a certificate
  - 1.1 Obtaining a certificate with a DNS API (Alibaba Cloud DNS as the example)
  - 1.2 Other ways to obtain a certificate
- 2 Renewing the certificate
- 3 Viewing the certificate
- 4 Installing the certificate
- 5 Finally
The walkthrough below obtains a wildcard certificate through the Alibaba Cloud DNS API; the other validation methods are listed briefly in 1.2 for you to try yourself.
Installation:
https://github.com/acmesh-official/acme.sh
Supported DNS providers (the dnsapi list):
https://github.com/acmesh-official/acme.sh/wiki/dnsapi
Usage details:
https://github.com/acmesh-official/acme.sh/wiki/Instructions
1 Obtaining a certificate
1.1 Obtaining a certificate with a DNS API (Alibaba Cloud DNS as the example)
[root@t-deploy-10-1-203-177:~]# export Ali_Key="LTA232343243Id4X"
[root@t-deploy-10-1-203-177:~]# export Ali_Secret="lvpS238u948539u053034050JJ4pn"
[root@t-deploy-10-1-203-177:~]# acme.sh --issue --dns dns_ali -d gccc.cn -d *.gccc.cn
[Tuesday, October 17, 2023 14:04:36 +07] Using CA: https://acme.zerossl.com/v2/DV90
[Tuesday, October 17, 2023 14:04:36 +07] Create account key ok.
[Tuesday, October 17, 2023 14:04:36 +07] No EAB credentials found for ZeroSSL, let's get one
[Tuesday, October 17, 2023 14:04:38 +07] Registering account: https://acme.zerossl.com/v2/DV90
[Tuesday, October 17, 2023 14:04:42 +07] Registered
[Tuesday, October 17, 2023 14:04:42 +07] ACCOUNT_THUMBPRINT='CaqZfrDFbArDY7XxcyjgKtFSG3EvdOdK72E_Gke'
[Tuesday, October 17, 2023 14:04:42 +07] Creating domain key
[Tuesday, October 17, 2023 14:04:42 +07] The domain key is here: /root/.acme.sh/gccc.cn_ecc/gccc.cn.key
[Tuesday, October 17, 2023 14:04:42 +07] Multi domain='DNS:gccc.cn,DNS:*.gccc.cn'
[Tuesday, October 17, 2023 14:04:42 +07] Getting domain auth token for each domain
[Tuesday, October 17, 2023 14:04:49 +07] Getting webroot for domain='gccc.cn'
[Tuesday, October 17, 2023 14:04:49 +07] Getting webroot for domain='*.gccc.cn'
[Tuesday, October 17, 2023 14:04:49 +07] Adding txt value: C9s1s10cxiYtjs9c9sTgGcihbyawv0OW5AvFcZiLs5g for domain: _acme-challenge.gccc.cn
[Tuesday, October 17, 2023 14:04:54 +07] The txt record is added: Success.
[Tuesday, October 17, 2023 14:04:54 +07] Adding txt value: Yuysn3yMTFdeAmUZZW0Rf1eiFXCCjjXfYJINwX45L60 for domain: _acme-challenge.gccc.cn
[Tuesday, October 17, 2023 14:05:00 +07] The txt record is added: Success.
[Tuesday, October 17, 2023 14:05:00 +07] Let's check each DNS record now. Sleep 20 seconds first.
[Tuesday, October 17, 2023 14:05:21 +07] You can use '--dnssleep' to disable public dns checks.
[Tuesday, October 17, 2023 14:05:21 +07] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Tuesday, October 17, 2023 14:05:21 +07] Checking gccc.cn for _acme-challenge.gccc.cn
[Tuesday, October 17, 2023 14:05:23 +07] Domain gccc.cn '_acme-challenge.gccc.cn' success.
[Tuesday, October 17, 2023 14:05:23 +07] Checking gccc.cn for _acme-challenge.gccc.cn
[Tuesday, October 17, 2023 14:05:24 +07] Domain gccc.cn '_acme-challenge.gccc.cn' success.
[Tuesday, October 17, 2023 14:05:24 +07] All success, let's return
[Tuesday, October 17, 2023 14:05:24 +07] Verifying: gccc.cn
[Tuesday, October 17, 2023 14:05:25 +07] Processing, The CA is processing your order, please just wait. (1/30)
[Tuesday, October 17, 2023 14:05:31 +07] Success
[Tuesday, October 17, 2023 14:05:31 +07] Verifying: *.gccc.cn
[Tuesday, October 17, 2023 14:05:32 +07] Processing, The CA is processing your order, please just wait. (1/30)
[Tuesday, October 17, 2023 14:05:37 +07] Success
[Tuesday, October 17, 2023 14:05:37 +07] Removing DNS records.
[Tuesday, October 17, 2023 14:05:37 +07] Removing txt: C9s1s10cxiYtjs9c9sTgGcihbyawv0OW5AvFcZiLs5g for domain: _acme-challenge.gccc.cn
[Tuesday, October 17, 2023 14:05:44 +07] Removed: Success
[Tuesday, October 17, 2023 14:05:44 +07] Removing txt: Yuysn3yMTFdeAmUZZW0Rf1eiFXCCjjXfYJINwX45L60 for domain: _acme-challenge.gccc.cn
[Tuesday, October 17, 2023 14:05:51 +07] Removed: Success
[Tuesday, October 17, 2023 14:05:51 +07] Verify finished, start to sign.
[Tuesday, October 17, 2023 14:05:51 +07] Lets finalize the order.
[Tuesday, October 17, 2023 14:05:51 +07] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/1ync1anZoV2eaUxXFKJ3Iw/finalize'
[Tuesday, October 17, 2023 14:05:54 +07] Order status is processing, lets sleep and retry.
[Tuesday, October 17, 2023 14:05:54 +07] Retry after: 15
[Tuesday, October 17, 2023 14:06:10 +07] Polling order status: https://acme.zerossl.com/v2/DV90/order/1ync1anZoV2eaUxXFKJ3Iw
[Tuesday, October 17, 2023 14:06:11 +07] Downloading cert.
[Tuesday, October 17, 2023 14:06:11 +07] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/0nvnf-_7DEQA2qEN2oA8rw'
[Tuesday, October 17, 2023 14:06:13 +07] Cert success.
-----BEGIN CERTIFICATE-----
MIIEAzCCA4mgAwIBAgIRAMmWuGOlbvX1iuU5pu7OZs0wCgYIKoZIzj0EAwMwSzEL
MAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9TU0wg
RUNDIERvbWFpbiBTZWN1cmUgU2l0ZSBDQTAeFw0yMzEwMTcwMDAwMDBaFw0yNDAx
MTUyMzU5NTlaMBUxEzARBgNVBAMTCmdjLWxpZmUuY24wWTATBgcqhkjOPQIBBggq
hkjOPQMBBwNCAAQ93/BwV3RV+pFKQM9kDIPI4YeAQ6h7zLYSK4cLVwPzh1RB8lht
zkToUH7MAOE04MsL19ZzJOiEx0DN6ZbZkXaNo4ICgjCCAn4wHwYDVR0jBBgwFoAU
D2vmS845R672fpAeefAwkZLIX6MwHQYDVR0OBBYEFHWYDlRNjglfOgD2PCNa8yoL
Z6O4MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQBsjEBAgJOMCUwIwYI
KwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATCBiAYI
KwYBBQUHAQEEfDB6MEsGCCsGAQUFBzAChj9odHRwOi8vemVyb3NzbC5jcnQuc2Vj
dGlnby5jb20vWmVyb1NTTEV220RvbWFpblNlY3VyZVNpdGVDQS5jcnQwKwYIKwYB
BQUHMAGGH2h0dHA6Ly96ZXJvc3NsLm9jc3Auc2VjdGlnby5jb20wggECBgorBgEE
AdZ5AgQCBIHzBIHwAO4AdQBss4g/Crb7lVHCYcz1h7o0tKTNuyncaEIKn+ZnTFo6
dAAAAYs8dJBdAAAEAwBGMEQCIFKtFwFRLSSagF0crT4kHDGO/a/B9+dSP2mG30pc
48GnAiBEVad89HKonMBYhIYKxmC8KTcO80GeOJsBE9Y/DR2OIAB1ANq2v2s/tbYi
n5vCu1xr6HCRcWy7UYSFNL2kPTBI1/urAAABizx0kMkAAAQDAEYwRAIgBZnx+yKN
Ulu5RIWHAsdAxiNomn2IzlxX2ioFSWRxrEQCIAfC/EZwCipTtR84H3XHD4wCbgSu
mrtkTck6q/+upjnDMCMGA1UdEQQcMBqCCmdjLWxpZmUuY26CDCouZ2MtbGlmZS5j
bjAKBggqhkjOPQQDAwNoADBlAjBu4CII1xsZCYaT7LhS7eorKbaTqWcy3XGTaiac
t49cGPe5tJquJGOvyZuh9EOn8ysCMQCwb6SzCH1jyR51F22G9Sn5QARzfP5mYrdx
0UqKYgayJnzrUoknCDES9YWxx8IsTgQ=
-----END CERTIFICATE-----
[Tuesday, October 17, 2023 14:06:13 +07] Your cert is in: /root/.acme.sh/gccc.cn_ecc/gccc.cn.cer
[Tuesday, October 17, 2023 14:06:13 +07] Your cert key is in: /root/.acme.sh/gccc.cn_ecc/gccc.cn.key
[Tuesday, October 17, 2023 14:06:13 +07] The intermediate CA cert is in: /root/.acme.sh/gccc.cn_ecc/ca.cer
[Tuesday, October 17, 2023 14:06:13 +07] And the full chain certs is there: /root/.acme.sh/gccc.cn_ecc/fullchain.cer

A few things worth noting in this session. The access key pair is exported in the interactive shell, so it lands in the shell history, and acme.sh also saves it to /root/.acme.sh/account.conf so that the cron renewal can update DNS later without you; use a RAM sub-user that is allowed to manage DNS records only, and keep that file private. Both names (gccc.cn and *.gccc.cn) are validated through the same _acme-challenge.gccc.cn TXT name, which is why two TXT values are added and then removed. acme.sh uses ZeroSSL as its default CA; pass --server letsencrypt to use Let's Encrypt instead. Quoting the wildcard ("*.gccc.cn") keeps the shell from glob-expanding it against files in the current directory.
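As an added example (my code, not code from the article or from acme.sh), a small wrapper for the issuing step above that keeps the RAM access key out of the interactive shell: it reads Ali_Key and Ali_Secret from a file that must be mode 0600, parses rather than sources that file, validates the domain, and then runs the same acme.sh --issue --dns dns_ali command. The credentials file format, the ACME_SH variable used for a dry run, and the assumption that the RAM user is limited to DNS record management are mine, not acme.sh's.

```shell
#!/bin/sh
# issue-wildcard.sh (added example, not part of acme.sh or of the article above).
# Issues DOMAIN plus *.DOMAIN through the Alibaba Cloud DNS API, reading the RAM
# access key from a 0600 file instead of typing it into the interactive shell.
# Assumptions: a RAM sub-user that may only manage DNS records, and a credentials
# file containing the two lines "Ali_Key=<id>" and "Ali_Secret=<secret>" with
# unquoted values. acme.sh copies both values into ~/.acme.sh/account.conf on the
# first run so that cron renewals can reuse them; protect that file the same way.
set -u

# perms_of FILE: group and other permission bits as printed by ls -l, e.g. "------"
perms_of() {
  ls -ld "$1" | cut -c5-10
}

# load_dns_creds FILE: export Ali_Key and Ali_Secret from FILE.
# The file is parsed line by line rather than sourced, so nothing in it can run
# as code, and it is rejected unless it is readable by its owner only.
load_dns_creds() {
  f=$1
  [ -f "$f" ] || { echo "credentials file not found: $f" >&2; return 1; }
  if [ "$(perms_of "$f")" != "------" ]; then
    echo "refusing $f: it must be mode 0600 (owner only)" >&2
    return 1
  fi
  key=""; secret=""
  # the "|| [ -n "$k" ]" keeps a last line that lacks a trailing newline
  while IFS='=' read -r k v || [ -n "$k" ]; do
    case "$k" in
      Ali_Key)    key=$v ;;
      Ali_Secret) secret=$v ;;
      ''|'#'*)    ;;                               # blank line or comment
      *) echo "unexpected entry in $f: $k" >&2; return 1 ;;
    esac
  done < "$f"
  if [ -z "$key" ] || [ -z "$secret" ]; then
    echo "Ali_Key or Ali_Secret missing in $f" >&2
    return 1
  fi
  Ali_Key=$key; Ali_Secret=$secret
  export Ali_Key Ali_Secret
}

# run_issue DOMAIN: validate DOMAIN, then run acme.sh --issue for DOMAIN and *.DOMAIN.
# The domain is checked first because acme.sh hands -d straight to the CA and the
# DNS API. ACME_SH can point at another binary, or at "echo" for a dry run.
run_issue() {
  d=${1:-}
  case "$d" in
    ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) echo "invalid domain: '$d'" >&2; return 1 ;;
  esac
  if [ -z "${Ali_Key:-}" ] || [ -z "${Ali_Secret:-}" ]; then
    echo "DNS API credentials are not loaded" >&2
    return 1
  fi
  # the wildcard is quoted so the shell cannot glob-expand it against local files
  "${ACME_SH:-acme.sh}" --issue --dns dns_ali -d "$d" -d "*.$d"
}

# Usage: issue-wildcard.sh /root/.ali-dns.creds gccc.cn
if [ -n "${1:-}" ]; then
  load_dns_creds "$1" && run_issue "${2:-}"
fi
```

Run it once by hand; from then on the saved credentials let the cron job renew without the file. A dry run (ACME_SH=echo) shows exactly which arguments acme.sh would receive.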
1.2 Other ways to obtain a certificate
# A. Webroot mode: point acme.sh at the directory the web server serves for the domain
acme.sh --issue -d mydomain.com --webroot /wwwroot/mydomain.com/
acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /wwwroot/www.mydomain.com/   # several names in one certificate

# B. Let acme.sh find the webroot from the nginx configuration
acme.sh --issue -d www.mydomain.com --nginx

# C. Standalone mode (typically during initial setup, before any web service is running)
# If nothing is listening on port 80, acme.sh can act as the web server itself and
# listen on port 80 just long enough to complete the validation:
acme.sh --issue -d mydomain.com --standalone

# D. Manual DNS mode
acme.sh --issue --dns -d mydomain.com \
  --yes-I-know-dns-manual-mode-enough-go-ahead-please
# Add the TXT record it prints, wait until it resolves, then finish the order:
acme.sh --renew -d mydomain.com \
  --yes-I-know-dns-manual-mode-enough-go-ahead-please
# Note: certificates obtained this way cannot be renewed automatically.
2 Renewing the certificate
acme.sh --renew --dns dns_ali -d gccc.cn -d *.gccc.cn
The DNS provider and the credentials were saved with the domain when it was issued, so --renew -d gccc.cn on its own is enough; acme.sh finds the gccc.cn_ecc directory by itself (add --ecc only if both an RSA and an ECC certificate exist for the same domain). --renew only re-issues once the Renew date has been reached unless --force is given. Running it by hand should not be necessary, because the cron job that acme.sh installs when it is set up renews every certificate that is due:
36 20 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
3 Viewing the certificate
[root@t-deploy-10-1-203-177:~]# acme.sh --list
Main_Domain  KeyLength  SAN_Domains  CA           Created               Renew
gccc.cn      "ec-256"   *.gccc.cn    ZeroSSL.com  2023-10-17T07:06:13Z  2023-12-15T07:06:13Z
Renew is the date from which the cron job will re-issue the certificate (about 60 days after issue, well ahead of the 90-day expiry), not the expiry date itself; the real expiry is in the certificate (openssl x509 -noout -enddate -in /root/.acme.sh/gccc.cn_ecc/fullchain.cer).
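An added example, not part of acme.sh or the article: a report that turns acme.sh --list output into days left until renewal, using integer date arithmetic in plain shell so it runs on any POSIX sh without GNU date -d. The first listing row mirrors the output above; the second row (api.example.test) is constructed to show an already overdue entry. It is meant as a cron-mailed sanity check that the automatic renewal is actually keeping up.

```shell
#!/bin/sh
# renew-report.sh (added example, not part of acme.sh). Reads "acme.sh --list"
# output and prints, per certificate, the days left until its Renew date and
# whether it is due. SAMPLE_LIST is constructed: row one is the listing above,
# row two (api.example.test) is made up to exercise the OVERDUE branch.
set -u

SAMPLE_LIST='Main_Domain       KeyLength  SAN_Domains  CA               Created               Renew
gccc.cn           "ec-256"   *.gccc.cn    ZeroSSL.com      2023-10-17T07:06:13Z  2023-12-15T07:06:13Z
api.example.test  "ec-256"   no           LetsEncrypt.org  2023-08-01T00:00:00Z  2023-09-29T00:00:00Z'

# days_from_civil YEAR MONTH DAY: days since 1970-01-01 in the proleptic Gregorian
# calendar (Howard Hinnant's days_from_civil, integer arithmetic only). Leading
# zeros are stripped first because $((08)) would be read as an invalid octal number.
days_from_civil() {
  y=$1; m=${2#0}; d=${3#0}
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi     # the computational year starts in March
  era=$((y / 400))
  yoe=$((y - era * 400))                        # year of era, 0..399
  mp=$(( (m + 9) % 12 ))                        # month index, March = 0
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))         # day of the March-based year
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  printf '%s\n' $(( era * 146097 + doe - 719468 ))
}

# iso_days 2023-12-15T07:06:13Z: day number of the date part; the time of day is ignored
iso_days() {
  ymd=${1%%T*}
  yr=${ymd%%-*}; rest=${ymd#*-}
  days_from_civil "$yr" "${rest%%-*}" "${rest#*-}"
}

# days_until TODAY TARGET: signed day count from TODAY to TARGET (negative = already past)
days_until() {
  printf '%s\n' $(( $(iso_days "$2") - $(iso_days "$1") ))
}

# renew_report LISTING TODAY WARN_DAYS: one line per certificate,
# "<domain> <days> <OK|DUE|OVERDUE>". The Renew date is the last column of
# acme.sh --list; the header row is skipped.
renew_report() {
  listing=$1; today=$2; warn=$3
  printf '%s\n' "$listing" | awk 'NR > 1 && NF >= 2 { print $1, $NF }' |
  while read -r dom renew; do
    left=$(days_until "$today" "$renew")
    if [ "$left" -lt 0 ]; then state=OVERDUE
    elif [ "$left" -le "$warn" ]; then state=DUE
    else state=OK
    fi
    echo "$dom $left $state"
  done
}

# Usage: acme.sh --list | renew-report.sh --run [WARN_DAYS]
if [ "${1:-}" = --run ]; then
  renew_report "$(cat)" "$(date -u +%Y-%m-%d)" "${2:-30}"
fi
```

An OVERDUE line means the cron job has missed at least one renewal window (cron not running, DNS API credentials revoked, or the listing host is not the one that issued the certificate) and is worth alerting on.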
4 Installing the certificate
[root@t-deploy-10-1-203-177:~]# mkdir /srv/certs/gccc.cn
[root@t-deploy-10-1-203-177:~]# acme.sh --install-cert -d gccc.cn -d *.gccc.cn \
    --key-file /srv/certs/gccc.cn/gccc.cn.key \
    --cert-file /srv/certs/gccc.cn/gccc.cn.cer \
    --fullchain-file /srv/certs/gccc.cn/gccc.cn-fullchain.cer \
    --reloadcmd "scp -r /srv/certs/gccc.cn [email protected]:/srv/certs/"
[Tuesday, October 17, 2023 15:03:17 +07] The domain 'gccc.cn' seems to have a ECC cert already, lets use ecc cert.
[Tuesday, October 17, 2023 15:03:17 +07] Installing cert to: /srv/certs/gccc.cn/gccc.cn.cer
[Tuesday, October 17, 2023 15:03:17 +07] Installing key to: /srv/certs/gccc.cn/gccc.cn.key
[Tuesday, October 17, 2023 15:03:17 +07] Installing full chain to: /srv/certs/gccc.cn/gccc.cn-fullchain.cer
[Tuesday, October 17, 2023 15:03:17 +07] Run reload cmd: scp -r /srv/certs/gccc.cn [email protected]:/srv/certs/
gccc.cn.cer                100% 1452     1.2MB/s   00:00
gccc.cn-fullchain.cer      100% 4120     4.7MB/s   00:00
gccc.cn.key                100%  227   262.3KB/s   00:00
[Tuesday, October 17, 2023 15:03:17 +07] Reload success
--install-cert copies the files out of /root/.acme.sh (treat that directory as acme.sh's private store and never point a server at it directly) and records the target paths and the --reloadcmd in the domain's conf, so the same copy and the same command run again after every automatic renewal. Two consequences: the scp has to work without a prompt (key-based SSH that the cron job can use), and the command shown here only copies the files; nothing on the remote host reloads the web server, so the new certificate is not served until that is done separately. The key file itself is written owner-only, but /srv/certs/gccc.cn was created with the default umask; since it holds a private key, chmod 700 on the directory is sensible.
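The --reloadcmd above is a bare scp. As an added example (my code, not acme.sh's or the article's), here is a hook script that can be handed to --reloadcmd instead: it stages the installed files with owner-only permissions on the key, refuses to push a set that does not contain exactly one key and at least one certificate, checks with openssl that the key matches the certificate, and only then copies the files to the web host and reloads nginx there. The file names follow the --install-cert call above; the host name, the remote directory /srv/certs/gccc.cn and the nginx reload command are assumptions. The placeholder PEM files produced by make_sample_set are constructed for offline testing of the staging logic and are not real keys or certificates.

```shell
#!/bin/sh
# deploy-cert.sh (added example, not acme.sh's own code): a --reloadcmd that stages
# the installed files with explicit permissions, refuses an incomplete or mismatched
# set, and only then copies it to the web host and reloads the service there.
# Assumptions: the file names written by the --install-cert call above
# (gccc.cn.key, gccc.cn.cer, gccc.cn-fullchain.cer), a remote host reachable with
# key-based ssh, the remote directory /srv/certs/gccc.cn and an nginx reload.
set -u

# pem_kind FILE: "key", "cert" or "unknown", judged from the PEM header line
pem_kind() {
  case "$(head -n 1 "$1" 2>/dev/null)" in
    '-----BEGIN CERTIFICATE-----')        echo cert ;;
    '-----BEGIN '*'PRIVATE KEY-----')     echo key ;;
    *)                                    echo unknown ;;
  esac
}

# stage_dir SRC DST: copy every PEM file from SRC into DST; keys become 0600,
# certificates 0644, the directory 0700. Anything that is not PEM is left behind.
stage_dir() {
  src=$1; dst=$2
  mkdir -p "$dst" && chmod 700 "$dst" || return 1
  for f in "$src"/*; do
    name=${f##*/}
    case "$(pem_kind "$f")" in
      key)  ( umask 077; cp "$f" "$dst/$name" ) && chmod 600 "$dst/$name" || return 1 ;;
      cert) cp "$f" "$dst/$name" && chmod 644 "$dst/$name" || return 1 ;;
      *)    echo "skipping $f: not a PEM certificate or key" >&2 ;;
    esac
  done
}

# check_set DIR: exactly one private key, readable by its owner only, plus at least
# one certificate; anything else is refused so a half-written set is never pushed
check_set() {
  dir=$1; keys=0; certs=0
  for f in "$dir"/*; do
    case "$(pem_kind "$f")" in
      key)
        keys=$((keys + 1))
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
          echo "$f is readable by group or other" >&2
          return 1
        fi
        ;;
      cert) certs=$((certs + 1)) ;;
    esac
  done
  if [ "$keys" -ne 1 ] || [ "$certs" -lt 1 ]; then
    echo "$dir: expected one key and at least one certificate, found $keys key(s), $certs cert(s)" >&2
    return 1
  fi
}

# pair_matches KEY CERT: the public key derived from KEY must equal the one inside
# CERT (needs openssl; an empty result counts as a failure rather than a match)
pair_matches() {
  pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) && [ -n "$pub" ] &&
    [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# make_sample_set DIR: constructed placeholder files with real PEM headers but dummy
# bodies, only for exercising stage_dir/check_set offline (not valid keys or certs)
make_sample_set() {
  mkdir -p "$1"
  printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'PLACEHOLDER' '-----END EC PRIVATE KEY-----' > "$1/gccc.cn.key"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$1/gccc.cn.cer"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$1/gccc.cn-fullchain.cer"
  printf '%s\n' 'not a pem file' > "$1/README"
}

# Usage as the reload hook:
#   --reloadcmd "/usr/local/bin/deploy-cert.sh /srv/certs/gccc.cn web1"
# acme.sh saves the command and re-runs it after every automatic renewal, so ssh and
# scp must succeed without a prompt: BatchMode=yes makes them fail instead of asking.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  set -e
  stage_dir "$1" "$1.staged"
  check_set "$1.staged"
  pair_matches "$1.staged/gccc.cn.key" "$1.staged/gccc.cn.cer"
  ssh -o BatchMode=yes "$2" 'mkdir -p /srv/certs/gccc.cn && chmod 700 /srv/certs/gccc.cn'
  scp -o BatchMode=yes "$1.staged"/* "$2:/srv/certs/gccc.cn/"
  ssh -o BatchMode=yes "$2" 'nginx -t && systemctl reload nginx'
fi
```

Because the hook runs under set -e, a failed check or a refused ssh connection stops before anything reaches the web host, and acme.sh reports the reload as failed rather than silently leaving the old certificate in place.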
5 Finally
Love you!