Requesting a free wildcard certificate

Google

Requesting a wildcard certificate from Google's public CA for a domain whose DNS is hosted on Cloudflare

Create the EAB key and EAB key ID

x@cloudshell:~ (quickstart-x)$ gcloud config set project project-id
Updated property [core/project].
x@cloudshell:~ (project-id)$ gcloud projects add-iam-policy-binding project-id \
  --member=user:[email protected] \
  --role=roles/publicca.externalAccountKeyCreator
Updated IAM policy for project [project-id].
bindings:
- members:
  - user:[email protected]
  role: roles/owner
- members:
  - user:[email protected]
  role: roles/publicca.externalAccountKeyCreator
etag: BwYLzh0_w7Q=
version: 1
x@cloudshell:~ (project-id)$ gcloud services enable publicca.googleapis.com
Operation "operations/acat.p2-project-id-c013796d-3d45-4a32-bb1d-b06fc4f2987a" finished successfully.
x@cloudshell:~ (project-id)$ gcloud publicca external-account-keys create
Created an external account key
## b64MacKey is the key passed to --eab-hmac-key
## keyId is the key ID passed to --eab-kid
[b64MacKey: key
keyId: keyid]
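The key ID and MAC key printed above are what acme.sh uses to build the externalAccountBinding object of the ACME newAccount request (RFC 8555 section 7.3.4): a JWS whose protected header carries the key ID, whose payload is the account's public key, and whose signature is an HMAC-SHA256 under the base64url-decoded MAC key. The Python below is an added example, not code from this page or from acme.sh; it shows what that binding looks like and how the CA side verifies it. The newAccount URL path, key ID, MAC key and account JWK are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders standing in for the keyId / b64MacKey that
# `gcloud publicca external-account-keys create` prints, and for the
# account key that acme.sh generates. The endpoint path is hypothetical.
NEW_ACCOUNT_URL = "https://dv.acme-v02.api.pki.goog/new-account"
KEY_ID = "eab-kid-placeholder"
MAC_KEY_B64URL = base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode("ascii")
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as every JWS component must be (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Inverse of b64url; re-adds the padding that JWS strips."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_eab(key_id: str, mac_key_b64url: str, account_jwk: dict, new_account_url: str) -> dict:
    """Client side: the externalAccountBinding JWS (RFC 8555 section 7.3.4).

    The MAC key is handed out base64url-encoded and must be decoded before
    use; the signing input is base64url(header) + "." + base64url(payload).
    The result is embedded in the outer newAccount JWS, which is signed by
    the account key and is not shown here.
    """
    protected = {"alg": "HS256", "kid": key_id, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(mac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def verify_eab(eab: dict, mac_key_b64url: str, expected_kid: str, expected_url: str) -> bool:
    """CA side: header sanity checks plus a constant-time MAC comparison."""
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
        given = b64url_decode(eab["signature"])
    except (KeyError, ValueError, UnicodeError):
        return False
    if (header.get("alg") != "HS256"
            or header.get("kid") != expected_kid
            or header.get("url") != expected_url):
        return False
    expected = hmac.new(b64url_decode(mac_key_b64url), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)


# Build the binding once at import time so it can be inspected.
EAB = build_eab(KEY_ID, MAC_KEY_B64URL, ACCOUNT_JWK, NEW_ACCOUNT_URL)

if __name__ == "__main__":
    print(json.dumps(EAB, indent=2))
    print("verifies:", verify_eab(EAB, MAC_KEY_B64URL, KEY_ID, NEW_ACCOUNT_URL))
```

The binding proves to the CA that whoever registers the ACME account also holds the MAC key issued to your Google Cloud project, which is why the key should be treated as a credential: anyone who obtains both values can register accounts against your project. Rotate it with a fresh `gcloud publicca external-account-keys create` if it leaks.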

Get the Cloudflare API key

For simplicity, the Global API Key is used here.

Deploy acme.sh

version: '3'

services:
  acme:
    image: neilpang/acme.sh
    container_name: acme.sh
    command:
    - daemon
    network_mode: host
    pid: host
    #restart: unless-stopped
    restart: always
    volumes:
    - ./data/out:/acme.sh

# docker compose up -d 
# docker compose ps
NAME      IMAGE              COMMAND              SERVICE   CREATED          STATUS          PORTS
acme.sh   neilpang/acme.sh   "/entry.sh daemon"   acme      40 minutes ago   Up 40 minutes   
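The Global API Key used above grants full access to the whole Cloudflare account, and passing it with `-e` on every `docker compose exec` also leaves it in shell history. The compose file below is an added variant of the page's file, not something from the page or from the acme.sh project: it keeps the same service but supplies the credentials through the service environment, using the CF_Token and CF_Account_ID variables that acme.sh's dns_cf hook accepts in place of CF_Key/CF_Email. The variable names CF_TOKEN and CF_ACCOUNT_ID in the .env file are an assumption of this example.

```yaml
# docker-compose.yml: the page's service plus an environment block.
# CF_TOKEN and CF_ACCOUNT_ID are read from the compose .env file (or the
# shell), so the secret never appears on a `docker compose exec` command line.
version: '3'

services:
  acme:
    image: neilpang/acme.sh
    container_name: acme.sh
    command:
    - daemon
    network_mode: host
    pid: host
    restart: always
    environment:
      # An API token scoped to Zone > DNS > Edit on this one zone, instead of the
      # Global API Key: if it leaks, only this zone's DNS records are exposed.
      CF_Token: ${CF_TOKEN:?set CF_TOKEN in .env}
      CF_Account_ID: ${CF_ACCOUNT_ID:?set CF_ACCOUNT_ID in .env}
    volumes:
    - ./data/out:/acme.sh
```

With this in place the issue step becomes `docker compose exec -it acme --issue --server google -d 999299.xyz -d '*.999299.xyz' --dns dns_cf`, with no `-e` flags; quoting the wildcard keeps the shell from treating it as a glob. Note that acme.sh saves whichever CF_* values it used into data/out/account.conf so the cron renewal can reuse them, so that file deserves the same file permissions as the private keys next to it.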

Request the certificate

  1. Register the acme.sh account with Google
# docker compose exec -it acme --register-account  -m  [email protected] --server google --eab-kid keyId --eab-hmac-key Key
[Wed Dec  6 02:38:51 UTC 2023] Create account key ok.
[Wed Dec  6 02:38:52 UTC 2023] Registering account: https://dv.acme-v02.api.pki.goog/directory
[Wed Dec  6 02:38:53 UTC 2023] Registered
[Wed Dec  6 02:38:53 UTC 2023] ACCOUNT_THUMBPRINT='xxxxx-M9_HOPspPHKto80I'
  2. Request the certificate
# docker compose exec -e CF_Key="cf apikey" -e CF_Email="cf email account" -it acme --issue  --server google -d 999299.xyz  -d *.999299.xyz --dns dns_cf
...
[Wed Dec  6 02:44:50 UTC 2023] Your cert is in: /acme.sh/999299.xyz_ecc/999299.xyz.cer
[Wed Dec  6 02:44:50 UTC 2023] Your cert key is in: /acme.sh/999299.xyz_ecc/999299.xyz.key
[Wed Dec  6 02:44:50 UTC 2023] The intermediate CA cert is in: /acme.sh/999299.xyz_ecc/ca.cer
[Wed Dec  6 02:44:50 UTC 2023] And the full chain certs is there: /acme.sh/999299.xyz_ecc/fullchain.cer
### The cert, key and related files are now saved locally
# tree data/out/
data/out/
├── 999299.xyz_ecc
│   ├── 999299.xyz.cer
│   ├── 999299.xyz.conf
│   ├── 999299.xyz.csr
│   ├── 999299.xyz.csr.conf
│   ├── 999299.xyz.key
│   ├── ca.cer
│   └── fullchain.cer
├── account.conf
├── ca
│   └── dv.acme-v02.api.pki.goog
│       └── directory
│           ├── account.json
│           ├── account.key
│           └── ca.conf
└── http.header

4 directories, 12 files

...

## Full certificate details. Unfortunately it is only valid for 3 months, but it renews automatically
# openssl x509 -in data/out/999299.xyz_ecc/999299.xyz.cer -noout -text 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            48:70:69:a9:13:28:a8:4d:0e:4c:a3:29:0c:80:30:1c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Google Trust Services LLC, CN = GTS CA 1P5
        Validity
            Not Before: Dec  6 01:44:46 2023 GMT
            Not After : Mar  5 01:44:45 2024 GMT
        Subject: CN = 999299.xyz
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:92:5b:20:5c:c5:f3:86:b6:60:50:86:7e:ea:fc:
                    e5:64:62:e7:73:a6:4a:73:81:78:42:81:f0:9c:1a:
                    ff:fa:89:43:a5:2c:18:17:9b:20:78:a6:31:99:d6:
                    64:db:42:c6:18:4d:63:44:6b:fa:96:da:eb:89:71:
                    ab:fe:0e:e9:92
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                2F:33:A7:62:B2:84:1D:6C:78:0E:27:C5:D7:07:78:5C:1F:0C:39:CA
            X509v3 Authority Key Identifier: 
                keyid:D5:FC:9E:0D:DF:1E:CA:DD:08:97:97:6E:2B:C5:5F:C5:2B:F5:EC:B8

            Authority Information Access: 
                OCSP - URI:http://ocsp.pki.goog/s/gts1p5/d3IFRR0Tyjk
                CA Issuers - URI:http://pki.goog/repo/certs/gts1p5.der

            X509v3 Subject Alternative Name: 
                DNS:999299.xyz, DNS:*.999299.xyz
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.11129.2.5.3

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crls.pki.goog/gts1p5/_vogQrEf4S0.crl

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 76:FF:88:3F:0A:B6:FB:95:51:C2:61:CC:F5:87:BA:34:
                                B4:A4:CD:BB:29:DC:68:42:0A:9F:E6:67:4C:5A:3A:74
                    Timestamp : Dec  6 02:44:47.089 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:5A:7E:A7:90:A5:50:D4:34:3F:AB:49:7E:
                                BF:DA:41:41:B7:56:DD:21:AC:4F:4A:FD:BB:E7:09:9C:
                                9C:D3:2C:6A:02:20:73:BB:E4:CF:AC:F4:3D:5E:72:F8:
                                F5:F4:13:31:F0:9B:DB:11:A3:8D:B9:4A:37:A7:A4:5B:
                                6B:35:51:8F:45:E6
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : A2:E2:BF:D6:1E:DE:2F:2F:07:A0:D6:4E:6D:37:A7:DC:
                                65:43:B0:C6:B5:2E:A2:DA:B7:8A:F8:9A:6D:F5:17:D8
                    Timestamp : Dec  6 02:44:47.058 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:52:A1:0C:5F:65:2A:01:CB:5E:06:48:D8:
                                C1:5C:69:54:18:61:D1:78:81:BB:3C:12:4A:81:FF:DA:
                                86:D8:0A:58:02:20:09:FD:E5:4D:81:86:1B:5F:A2:9E:
                                97:73:08:54:31:26:97:0E:4C:A8:1C:51:AE:08:C9:6E:
                                EA:E6:C7:BD:7D:D4
    Signature Algorithm: sha256WithRSAEncryption
         2f:0a:7e:a1:67:01:d8:97:15:3b:6e:63:0c:3b:77:71:db:68:
         01:b2:af:3d:d4:a2:53:c2:b0:46:90:f5:92:85:e2:5c:4b:cb:
         15:a3:9d:a5:2c:e4:69:77:67:7d:8a:0a:c0:ec:88:0b:93:f9:
         8e:bc:4c:03:06:03:93:c3:f9:36:64:f3:39:ae:af:c6:4c:59:
         03:dd:04:58:39:ae:da:3e:8e:61:49:4e:ea:23:fb:b0:62:19:
         24:42:b7:92:96:97:ec:0c:f0:91:d9:02:be:ac:39:fa:0d:a4:
         25:b6:ca:da:03:40:b1:f1:8a:25:ed:93:ef:be:56:b9:d0:ba:
         8d:27:3c:a4:c3:2a:06:ae:5b:57:fd:71:91:a0:10:27:49:c6:
         91:9d:05:77:8d:1a:40:e9:9d:cf:e7:cb:cb:01:69:8d:41:53:
         d8:02:e5:4f:31:b2:b8:64:f8:c8:95:2e:f5:ad:b9:1d:5a:8b:
         1a:b4:e0:1e:a9:f3:01:85:e1:58:28:6e:dc:3d:50:fb:c8:b8:
         3a:62:71:ef:14:a0:7e:a0:fa:8c:a7:0d:1c:49:1a:36:05:6e:
         f4:4f:ac:d9:f3:bf:bc:28:9e:b7:23:67:f0:ab:06:10:6c:f7:
         6e:29:5a:2a:f7:03:59:99:d5:96:89:9a:6e:b7:91:91:79:b2:
         85:f6:fd:56

## The certificate is also renewed automatically
# docker compose exec -i acme crontab -l
17 5 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --config-home "/acme.sh" > /proc/1/fd/1 2>/proc/1/fd/2
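The cron line above renews the certificate, but a renewal that fails (a revoked Cloudflare key, an expired EAB, a container that was not restarted) fails quietly, and with a 90-day certificate that leaves little margin. The Python below is an added example, not code from this page or from acme.sh: it takes a certificate in the dict form that `ssl.SSLSocket.getpeercert()` returns (here a constructed sample filled in from the openssl dump above), reports how many days remain, flags a certificate that is past acme.sh's documented 60-day renewal point, and checks which hostnames the two SANs actually cover, which is why the issue command asks for both `999299.xyz` and `*.999299.xyz`.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert(),
# filled with the values visible in the openssl dump of the issued certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "999299.xyz"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Google Trust Services LLC"),),
               (("commonName", "GTS CA 1P5"),)),
    "notBefore": "Dec  6 01:44:46 2023 GMT",
    "notAfter": "Mar  5 01:44:45 2024 GMT",
    "subjectAltName": (("DNS", "999299.xyz"), ("DNS", "*.999299.xyz")),
}


def days_until_expiry(cert: dict, now_iso: str) -> float:
    """Days left on the certificate at the given ISO-8601 instant; negative means expired."""
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    now = datetime.fromisoformat(now_iso)
    return (not_after - now) / timedelta(days=1)


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard covers exactly one leftmost label.

    *.999299.xyz covers www.999299.xyz but neither 999299.xyz itself nor
    a.b.999299.xyz, which is why the apex needs its own SAN entry.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def covers(cert: dict, hostname: str) -> bool:
    """True if any DNS SAN covers the hostname; the CN is ignored, as modern clients do."""
    return any(san_matches(value, hostname)
               for kind, value in cert.get("subjectAltName", ())
               if kind == "DNS")


def renewal_status(cert: dict, hostnames, now_iso: str, warn_days: int = 30) -> dict:
    """Summary a monitoring job can alert on.

    acme.sh renews 60 days after issuance by default, so a 90-day certificate
    with fewer than 30 days left normally means the cron job has been failing.
    """
    left = days_until_expiry(cert, now_iso)
    return {
        "days_left": round(left, 1),
        "renewal_overdue": left < warn_days,
        "uncovered": [h for h in hostnames if not covers(cert, h)],
    }


if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat()
    print(renewal_status(SAMPLE_CERT, ["999299.xyz", "www.999299.xyz", "a.b.999299.xyz"], now))
```

For a live check, replace SAMPLE_CERT with the dict from `ssl.create_default_context().wrap_socket(socket.create_connection((host, 443)), server_hostname=host).getpeercert()` and feed the result to an alerting channel; a certificate that is renewed but never picked up by the web server shows up the same way, since the check looks at what is actually served rather than at the files in data/out.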
