Lumos

ACME Certificate Application

Wiki#

Installation#

yum update ca-certificates   # CentOS: a current system trust store is needed so acme.sh can verify the CA's API endpoint
apt install ca-certificates  # Debian/Ubuntu

# Quick install (this pipes a remote script straight into sh; read it first if that concerns you, or use the git route below)
curl https://get.acme.sh | sh -s [email protected]
wget -O -  https://get.acme.sh | sh -s [email protected]

# For use in China
# https://github.com/acmesh-official/acme.sh/wiki/Install-in-China
git clone https://gitee.com/neilpang/acme.sh.git
cd acme.sh
./acme.sh --install -m [email protected]

# reload the shell profile so the acme.sh alias is available
source ~/.bashrc
source ~/.zshrc

Enable automatic updates

acme.sh --upgrade --auto-upgrade     # enable: the cron job will also upgrade acme.sh itself
acme.sh --upgrade --auto-upgrade 0   # disable automatic updates

Common Commands#

acme.sh --help # help
acme.sh --list  # List certificates
acme.sh --upgrade # Check for updates
acme.sh --issue # Apply for a certificate
acme.sh --renew # Renew a certificate
acme.sh --revoke # Revoke a certificate
acme.sh --remove # Remove a certificate
acme.sh --install-cert # Install a certificate

Switch CA#

# Switch to letsencrypt
acme.sh --set-default-ca --server letsencrypt
# Switch to zerossl (the default since acme.sh 3.0; ZeroSSL requires an account registered with an email address)
acme.sh --set-default-ca --server zerossl

# Standalone and TLS-ALPN modes use socat to open the listening socket
apt-get install socat

Reference: Server · acmesh-official/acme.sh Wiki · GitHub

Certificate Application#

# standalone mode: acme.sh listens on port 80 itself, so port 80 must be free and reachable from the internet
sh acme.sh  --issue -d renalio.eu.org  --standalone
acme.sh --issue -d rsync.157077.xyz  --standalone

HTTP Authentication#

Using Standalone Service Mode#

If no web service is running on the server and port 80 is free, acme.sh can act as a temporary web server: it listens on port 80 only for the duration of the validation, answers the CA's challenge request, and then releases the port:

acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com

Direct Issuance (HTTP-01 Verification)#

Your server must already be serving the requested domain over HTTP (port 80 reachable from the internet).
acme.sh writes a verification file under /.well-known/acme-challenge/ in the website's root directory, the CA fetches that file over HTTP to confirm you control the domain, and the certificate is then issued.

Just specify the domain name and the root directory of the website. acme.sh generates the verification file, places it in the webroot, and deletes it once verification completes, so the process leaves nothing behind. Two practical requirements: the webroot must be writable by the user running acme.sh, and the web server must serve /.well-known/acme-challenge/ as plain static files (no authentication, no rewrite into an application).

acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /home/wwwroot/mydomain.com/

TLS-ALPN-01 Verification#

Verify domain ownership with a special TLS handshake on port 443 (the CA negotiates the acme-tls/1 ALPN protocol and inspects the certificate the server presents). This method is suitable when no web server is running but the host itself must still prove control of the domain.

If you do not have a web server and port 443 is free, you can use the standalone TLS-ALPN mode. acme.sh has a built-in standalone TLS server (it also needs socat) that listens on port 443 to answer the challenge.

acme.sh --issue -d yourdomain.com --alpn
# --tlsport only changes the local listening port; the CA always connects to 443,
# so you must forward 443 -> 8443 at the firewall/NAT for this to succeed
acme.sh  --issue  -d example.com  --alpn --tlsport 8443

Using Nginx Mode#

If you are using an Nginx server or reverse proxy, acme.sh can complete verification automatically from the Nginx configuration: it finds the server block for the domain, temporarily adds what is needed to serve the challenge, reloads Nginx, and puts the original configuration back afterwards, so you do not need to specify the root directory of the website:

acme.sh --issue --nginx -d example.com -d www.example.com -d cp.example.com

Using Apache Mode#

If you are using an Apache server, acme.sh can complete verification automatically from the Apache configuration in the same way (temporary configuration change, reload, restore), and you do not need to specify the root directory of the website:

acme.sh --issue --apache -d example.com -d www.example.com -d cp.example.com

Note: Whether using Apache or Nginx mode, acme.sh restores the previous configuration after completing verification and does not change the server's own configuration. The benefit is that your configuration cannot be left in a broken state; the downside is that you still have to add the SSL directives yourself (see the Nginx example under Install Certificate). Otherwise the certificate is issued successfully, but your website still does not serve HTTPS.

DNS Authentication#

If you do not have a server with a public IP address, you can complete verification using only a DNS record for the domain. DNS verification is also the only method that can issue wildcard certificates.

Manual Verification#

This requires you to manually add a TXT record to the domain's DNS to prove ownership.
Note that in manual mode acme.sh cannot renew the certificate automatically: every renewal needs a fresh TXT record, because the CA issues a new challenge token each time. If you need automatic certificate renewal, use automatic verification (DNS API) instead.

# current versions refuse manual mode unless you acknowledge that limitation explicitly:
acme.sh --issue --dns -d example.com -d www.example.com -d cp.example.com \
    --yes-I-know-dns-manual-mode-enough-go-ahead-please

acme.sh then prints the TXT record(s) to add in your domain management panel: the name is _acme-challenge.<domain> and the value is the string it shows.
After the record has propagated, execute the following command to finish issuing the certificate:

acme.sh --renew -d example.com --yes-I-know-dns-manual-mode-enough-go-ahead-please

Note that the --renew parameter is used here, not --issue.
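What the two challenge types actually put on the wire, shown as an added example rather than code from acme.sh or from this post: the file that webroot mode (under Direct Issuance above) writes into the website and the TXT record that manual DNS mode asks you to publish are both derived from the CA's challenge token and the ACME account key's JWK thumbprint, exactly as RFC 8555 defines them. The token and thumbprint values in the script are constructed samples; `dns01_published` assumes `dig` is installed and has network access, while everything else runs offline with only openssl.

```bash
#!/bin/sh
# Added example (not acme.sh code): build the HTTP-01 and DNS-01 challenge
# responses from a token and an account-key thumbprint, so you can see what
# acme.sh writes into the webroot and what value manual DNS mode asks for.
# TOKEN comes from the CA's challenge object; THUMBPRINT is the base64url
# SHA-256 JWK thumbprint of the ACME account key (acme.sh keeps that key
# under ~/.acme.sh/). Both sample values below are constructed.

# Key authorization: "<token>.<thumbprint>" (RFC 8555 section 8.1).
key_authorization() {
    printf '%s.%s' "$1" "$2"
}

# HTTP-01: the CA fetches http://<domain>/.well-known/acme-challenge/<token>
# and expects the key authorization as the response body (section 8.3).
http01_url() {
    printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# Webroot mode writes the key authorization to this path inside the webroot.
# usage: http01_stage WEBROOT TOKEN THUMBPRINT   -> prints the file written
http01_stage() {
    mkdir -p "$1/.well-known/acme-challenge"
    key_authorization "$2" "$3" > "$1/.well-known/acme-challenge/$2"
    printf '%s' "$1/.well-known/acme-challenge/$2"
}

# DNS-01 record name: a wildcard and its base name share one record,
# _acme-challenge.<base-domain> (section 8.4 and section 7.1.3).
dns01_name() {
    printf '_acme-challenge.%s' "${1#\*.}"
}

# DNS-01 TXT value: base64url(SHA-256(key authorization)) without padding.
dns01_value() {
    key_authorization "$1" "$2" \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A \
        | tr '+/' '-_' | tr -d '=\n'
}

# Optional propagation check before `acme.sh --renew` in manual mode.
# Needs dig and network access, so it is not part of the offline checks.
# usage: dns01_published DOMAIN TOKEN THUMBPRINT
dns01_published() {
    dig +short TXT "$(dns01_name "$1")" | tr -d '"' \
        | grep -qx "$(dns01_value "$2" "$3")"
}

# Constructed sample inputs, shaped like the base64url strings the CA issues.
SAMPLE_TOKEN='evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA'
SAMPLE_THUMB='9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI'

# Run with "demo" as the first argument to print both challenge responses.
if [ "${1:-}" = "demo" ]; then
    echo "HTTP-01 URL:   $(http01_url example.com "$SAMPLE_TOKEN")"
    echo "HTTP-01 body:  $(key_authorization "$SAMPLE_TOKEN" "$SAMPLE_THUMB")"
    echo "DNS-01 record: $(dns01_name '*.example.com') TXT \"$(dns01_value "$SAMPLE_TOKEN" "$SAMPLE_THUMB")\""
fi
```

The same record name serves example.com and *.example.com, which is why a request that lists both needs two TXT records with that one name at the same time; it is also why a stale record from a previous issuance is harmless but useless, since the value changes with every new token.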

Automatic Verification (DNS API) (DNS-01 Verification)#

The real power of the DNS method lies in the ability to automatically add TXT records using the API provided by the domain resolution provider and delete the corresponding records after verification is complete.
acme.sh currently supports over a hundred DNS APIs.
For example, with DNSPod.cn, you need to log in to DNSPod.cn, obtain your DNSPod API Key and ID, and set them:

export DP_Id="1234"
export DP_Key="sADDsdasdgdsf"

Now we can issue wildcard certificates:

acme.sh --issue --dns dns_dp -d example.com -d *.example.com

DP_Id and DP_Key are saved in plaintext in ~/.acme.sh/account.conf and reused automatically on every renewal, so you do not need to set them again. Keep that file readable only by the user running acme.sh, and wherever the provider supports it, use a token limited to DNS record editing for the zones involved rather than a full-account key.
For more detailed DNS API usage: https://github.com/acmesh-official/acme.sh/wiki/dnsapi

Supported DNS APIs include but are not limited to:

  • dns_cf: Cloudflare
  • dns_dp: DNSPod
  • dns_cx: CloudXNS
  • dns_ali: Alibaba Cloud DNS
  • dns_aws: AWS Route 53
  • dns_gd: GoDaddy
  • dns_linode: Linode
  • dns_nsupdate: BIND DNS
  • dns_ovh: OVH
  • dns_pdns: PowerDNS
  • dns_gcore: G-Core Labs

Cloudflare Example#

Reference: dnsapi · acmesh-official/acme.sh Wiki · GitHub

Using Restrictive Tokens#

Create an API token in the Cloudflare dashboard with the Zone:Zone:Read and Zone:DNS:Edit permissions, scoped to the zone or zones acme.sh will manage (one token can cover multiple zones). The Account ID is shown on the zone overview page.
[image: Cloudflare API token creation, multiple-zone DNS edit permissions]

export CF_Account_ID="763eac4f1bcebd8b5c95e9fc50d010b4"
export CF_Token="Y_jpG9AnfQmuX5Ss9M_qaNab6SQwme3HWXNDzRWs"

Using Global API Key#

The Global API Key grants full access to the entire Cloudflare account, so prefer a restrictive token and fall back to the key only when a token is not an option.
[image: Cloudflare Global API Key]

export CF_Key="763eac4f1bcebd8b5c95e9fc50d010b4"
export CF_Email="[email protected]"

View Installed Certificate Information#

acme.sh --info -d example.com

Install Certificate#

After the certificate is issued, it still has to be copied to wherever Apache, Nginx, or another server reads it from.
Use the --install-cert command for this. Do not point the server directly at the files in ~/.acme.sh/: they are for acme.sh's internal use, and the directory layout may change in a future version. --install-cert also records the target paths and the reload command in the domain's configuration, so every automatic renewal copies the new files to the same places and reloads the server.

Nginx Example#

acme.sh --install-cert -d example.com \
	--key-file       /path/to/keyfile/in/nginx/key.pem  \
	--fullchain-file /path/to/fullchain/nginx/cert.pem \
	--reloadcmd     "service nginx reload"

Corresponding parameters:

  • --key-file: where to install the private key
  • --cert-file: where to install the leaf certificate on its own
  • --fullchain-file: where to install the leaf certificate followed by the intermediate chain (what nginx's ssl_certificate expects)
  • --reloadcmd: command acme.sh runs after every install and renewal so the server picks up the new files

Nginx server blocks that use the installed files (the port 80 block redirects everything to HTTPS; the CA follows that redirect, so webroot mode still works):

server {
    listen 80;
    listen [::]:80;
    server_name www.example.com;
    rewrite ^(.*)$ https://$host$1 permanent;
}

server {
    charset utf-8;
    listen       443 ssl;
    listen  [::]:443 ssl;   # without "ssl" the IPv6 listener would serve plain HTTP on 443
    server_name  www.example.com;

    # the paths given to --fullchain-file and --key-file
    ssl_certificate    /etc/nginx/ssl/www.example.com/fullchain.pem;
    ssl_certificate_key   /etc/nginx/ssl/www.example.com/key.pem;

    location / {
        # rewrite ^/api-server/(.*)$ /$1 break;
        proxy_pass http://172.24.64.224:19999/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # location / {
    #     root   /usr/share/nginx/html;
    #     index  index.html index.htm;
    # }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

Apache Example#

acme.sh --install-cert -d example.com \
	--cert-file      /path/to/certfile/in/apache/cert.pem  \
	--key-file       /path/to/keyfile/in/apache/key.pem  \
	--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
	--reloadcmd     "service apache2 force-reload"
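Checks worth running on the files that --install-cert put in place, for either the Nginx or the Apache layout above. This is an added example, not acme.sh's own code: it confirms that the installed private key really belongs to the installed certificate, that the key is not readable by other users, and whether the certificate is already inside the renewal window, and it shows a --reloadcmd that validates the nginx configuration before reloading. The file paths are placeholders, and the reload command is only illustrated in a comment because it needs a running server.

```bash
#!/bin/sh
# Added example (not acme.sh code): post-install checks for the certificate
# and key that `acme.sh --install-cert` copied into the web server's directory.
# usage: sh check-install.sh /etc/nginx/ssl/example.com/fullchain.pem \
#                            /etc/nginx/ssl/example.com/key.pem [WARN_DAYS]

# 0 if KEY is the private half of the first certificate in CERT.
# Both commands print the SubjectPublicKeyInfo in PEM, so a plain string
# comparison is enough; 2 if either file cannot be parsed.
cert_matches_key() {   # usage: cert_matches_key CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate expires within DAYS days. acme.sh renews a
# certificate once it is 60 days old, i.e. with 30 days left on a 90-day
# Let's Encrypt certificate, so DAYS=30 flags a renewal that did not happen.
cert_expires_within() {   # usage: cert_expires_within CERT DAYS
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 if the leaf (first certificate in FULLCHAIN) chains to a root in the
# system trust store, using the rest of the file as intermediates. A
# self-signed certificate fails this check, as it should.
fullchain_verifies() {   # usage: fullchain_verifies FULLCHAIN
    openssl verify -untrusted "$1" "$1" >/dev/null 2>&1
}

# 0 if KEY is readable by neither group nor others (mode 600 or 400).
# --install-cert copies the key with acme.sh's own umask, so check it.
key_is_private() {   # usage: key_is_private KEY
    [ -z "$(find "$1" -prune \( -perm -g+r -o -perm -o+r \) 2>/dev/null)" ]
}

# Run all checks; prints one line per problem and returns non-zero on any.
verify_install() {   # usage: verify_install FULLCHAIN KEY [WARN_DAYS]
    warn=${3:-30}; rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: $2 does not match $1" >&2; rc=1; }
    key_is_private "$2"        || { echo "FAIL: $2 is readable by group/others" >&2; rc=1; }
    if cert_expires_within "$1" "$warn"; then
        echo "FAIL: $1 expires within $warn days; run: acme.sh --renew -d <domain> --force" >&2
        rc=1
    fi
    fullchain_verifies "$1"    || echo "WARN: $1 does not verify against the system trust store" >&2
    [ "$rc" -eq 0 ] && echo "OK: $1 and $2 are consistent, valid beyond $warn days"
    return "$rc"
}

# A --reloadcmd that refuses to reload a broken configuration. acme.sh stores
# this string in the domain's .conf under ~/.acme.sh/ and runs it on every
# renewal from cron, so keep it non-interactive:
#   acme.sh --install-cert -d example.com \
#     --key-file       /etc/nginx/ssl/example.com/key.pem \
#     --fullchain-file /etc/nginx/ssl/example.com/fullchain.pem \
#     --reloadcmd      "nginx -t && systemctl reload nginx"

if [ $# -ge 2 ]; then
    verify_install "$@"
fi
```

Running acme.sh as root is common, but the reload command then also runs as root from cron; if acme.sh runs as an unprivileged user instead, grant it only the sudo rule for the reload command and make the target directory writable by that user.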

Update Certificate#

acme.sh installs a cron job (check with crontab -l) that runs acme.sh --cron once a day and renews each certificate once it is 60 days old, so normally you do not need to take any action. Because renewal reuses the --install-cert paths and reload command, the web server picks up the new certificate automatically.
You can also force a renewal immediately, for example after a validation method or key change:

acme.sh --renew -d example.com --force

Revoke Certificate#

acme.sh --revoke -d dnomd343.top

Delete Certificate#

acme.sh --remove -d dnomd343.top

FreeSSL#

FreeSSL.cn - A website that provides free HTTPS certificate applications

Project Address#

GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol
