前言

前面写过一个在云服务器上布署SSL证书的文《IT基础设施：在CentOS7中为nginx布署免费SSL证书》，使用certbot的时候，它会自动检测应用配置，找到应用所在的目录，使用文件进行域名的所有权验证。但是，如果我在家里没有80端口的情况下布署应用，就没办法完成这个验证了，今天在路由器里的插件中偶然得知了acme.sh，可以通过域名解析服务的API，通过添加DNS完成域名所有权验证。

关键词

Let's Encrypt
HTTPS
没有80
DNS验证

环境

CentOS 7 x64
家庭宽带内网

过程

以下我们以阿里的解析服务为例：

1、先到阿里控制台，找到自己的Access_Key和Access_Secret。

2、下载acme.sh

curl  https://get.acme.sh | sh
alias acme.sh=~/.acme.sh/acme.sh

下面设置一下变量，将引号里的内容改为你自己的Key与Secret

export Ali_Key="11111111"
export Ali_Secret="2222222222222222222222222222"

申请泛域名证书

acme.sh --issue --dns dns_ali -d *.blackice.me -d blackice.me

等待程序执行完成

[Tue Feb 19 22:50:12 CST 2019] Multi domain='DNS:*.blackice.me,DNS:blackice.me'
[Tue Feb 19 22:50:12 CST 2019] Getting domain auth token for each domain
[Tue Feb 19 22:50:21 CST 2019] Getting webroot for domain='*.blackice.me'
[Tue Feb 19 22:50:21 CST 2019] Getting webroot for domain='blackice.me'
[Tue Feb 19 22:50:21 CST 2019] Found domain api file: /root/.acme.sh/dnsapi/dns_ali.sh
[Tue Feb 19 22:50:23 CST 2019] Found domain api file: /root/.acme.sh/dnsapi/dns_ali.sh
[Tue Feb 19 22:50:25 CST 2019] Let's check each dns records now. Sleep 20 seconds first.
[Tue Feb 19 22:50:46 CST 2019] Checking blackice.me for _acme-challenge.blackice.me
[Tue Feb 19 22:50:49 CST 2019] Domain blackice.me '_acme-challenge.blackice.me' success.
[Tue Feb 19 22:50:49 CST 2019] Checking blackice.me for _acme-challenge.blackice.me
[Tue Feb 19 22:50:51 CST 2019] Domain blackice.me '_acme-challenge.blackice.me' success.
[Tue Feb 19 22:50:51 CST 2019] All success, let's return
[Tue Feb 19 22:50:51 CST 2019] Verifying: *.blackice.me
[Tue Feb 19 22:50:55 CST 2019] Success
[Tue Feb 19 22:50:55 CST 2019] Verifying: blackice.me
[Tue Feb 19 22:50:58 CST 2019] Success
[Tue Feb 19 22:50:58 CST 2019] Removing DNS records.
[Tue Feb 19 22:51:05 CST 2019] Verify finished, start to sign.
[Tue Feb 19 22:53:35 CST 2019] Cert success.
-----BEGIN CERTIFICATE-----
#这里会显示证书文本#
-----END CERTIFICATE-----
[Tue Feb 19 22:53:35 CST 2019] Your cert is in  /root/.acme.sh/*.blackice.me/*.blackice.me.cer 
[Tue Feb 19 22:53:35 CST 2019] Your cert key is in  /root/.acme.sh/*.blackice.me/*.blackice.me.key 
[Tue Feb 19 22:53:35 CST 2019] The intermediate CA cert is in  /root/.acme.sh/*.blackice.me/ca.cer 
[Tue Feb 19 22:53:35 CST 2019] And the full chain certs is there:  /root/.acme.sh/*.blackice.me/fullchain.cer

补充：

如果无法自动创建DNS，则可以使用手工创建的方式

1、运行命令，生成记录值

acme.sh --issue -d *.xxx.com -d xxx.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

下面的示例中 Txt Value部分就是记录值，这里申请了几个域名，就要添加几个记录值。

[root@GitServer home]# acme.sh --issue -d *.xxx.com -d xxx.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Mon May 27 06:01:46 CST 2019] Multi domain='DNS:*.xxx.com,xxx.com'
[Mon May 27 06:01:46 CST 2019] Getting domain auth token for each domain
[Mon May 27 06:01:54 CST 2019] Getting webroot for domain='*.xxx.com'
[Mon May 27 06:01:54 CST 2019] Getting webroot for domain='xxx.com'
[Mon May 27 06:01:54 CST 2019] Add the following TXT record:
[Mon May 27 06:01:54 CST 2019] Domain: '_acme-challenge.xxx.com'
[Mon May 27 06:01:54 CST 2019] TXT value: '4BMosUI7G-3TgWLLwrIbh4ykOA8oe9m77bXl_CiRevo'
[Mon May 27 06:01:54 CST 2019] Please be aware that you prepend _acme-challenge. before your domain
[Mon May 27 06:01:54 CST 2019] so the resulting subdomain will be: _acme-challenge.xxx.com
[Mon May 27 06:01:55 CST 2019] Add the following TXT record:
[Mon May 27 06:01:55 CST 2019] Domain: '_acme-challenge.xxx.com'
[Mon May 27 06:01:55 CST 2019] TXT value: 'YZjDJKNgRCYnO8wl7gkGjUk8o-iosMWrVRFCmW2gtNI'
[Mon May 27 06:01:55 CST 2019] Please be aware that you prepend _acme-challenge. before your domain
[Mon May 27 06:01:55 CST 2019] so the resulting subdomain will be: _acme-challenge.xxx.com
[Mon May 27 06:01:55 CST 2019] Please add the TXT records to the domains, and re-run with --renew.
[Mon May 27 06:01:55 CST 2019] Please check log file for more details: /root/.acme.sh/acme.sh.log

2、到控制台创建TXT解析记录

3、重新运行命令获取证书

acme.sh --renew -d *.xxx.com -d xxx.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

验证通过后颁发证书

[root@GitServer home]# acme.sh --renew -d *.xxx.com -d xxx.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Mon May 27 06:08:58 CST 2019] Renew: '*.xxx.com'
[Mon May 27 06:08:59 CST 2019] Multi domain='DNS:*.xxx.com,DNS:xxx.com'
[Mon May 27 06:08:59 CST 2019] Getting domain auth token for each domain
[Mon May 27 06:08:59 CST 2019] *.xxx.com is already verified, skip dns-01.
[Mon May 27 06:08:59 CST 2019] Verifying: xxx.com
[Mon May 27 06:09:06 CST 2019] Success
[Mon May 27 06:09:06 CST 2019] Verify finished, start to sign.
[Mon May 27 06:09:06 CST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/23423234432/234234
[Mon May 27 06:09:11 CST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/2342341234214
[Mon May 27 06:09:15 CST 2019] Cert success.
-----BEGIN CERTIFICATE-----
...证书内容
-----END CERTIFICATE-----
[Mon May 27 06:09:15 CST 2019] Your cert is in  /root/.acme.sh/*.xxx.com/*.xxx.com.cer 
[Mon May 27 06:09:15 CST 2019] Your cert key is in  /root/.acme.sh/*.xxx.com/*.xxx.com.key 
[Mon May 27 06:09:15 CST 2019] The intermediate CA cert is in  /root/.acme.sh/*.xxx.com/ca.cer 
[Mon May 27 06:09:15 CST 2019] And the full chain certs is there:  /root/.acme.sh/*.xxx.com/fullchain.cer

补充：IIS或Azure需要pfx格式的证书，在Linux运行下列命令，输入两次密码即可将crt和key合并为pfx.

openssl pkcs12 -export -out xxx.com.pfx -inkey xxx.com.key -in xxx.com.crt

IT基础设施：使用acme.sh申请免费泛域名证书

前言

关键词

环境

过程

你可能感兴趣的:(IT基础设施：使用acme.sh申请免费泛域名证书)