c4rt1y

acme: quickly create HTTPS certificates

0x01 Introduction

Let's Encrypt is a certificate authority launched in Q3 2015. Its aim is to eliminate the complex manual process of creating and installing certificates through an automated workflow, and to make encrypted connections to web servers ubiquitous by providing free SSL/TLS certificates for secure websites.
Let's Encrypt is operated by the Internet Security Research Group (ISRG). Major sponsors include the Electronic Frontier Foundation, the Mozilla Foundation, Akamai and Cisco. On 9 April 2015, ISRG announced a partnership with the Linux Foundation.
acme.sh implements the ACME protocol and can obtain free certificates from Let's Encrypt. Its features:
An ACME protocol client written purely in Shell (Unix shell).
Complete ACME protocol implementation. Supports ACME v1 and ACME v2. Supports ACME v2 wildcard certificates.
Simple, powerful and easy to use.
The simplest shell script client for Let's Encrypt free certificates.
Written purely in Shell, with no dependency on Python or the official Let's Encrypt client.
A single script issues, renews and installs certificates automatically. No root/sudoer access is required.
Supports IPv4 and IPv6.

0x02 Procedure

[root@k8s-master /]# curl  https://get.acme.sh | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  190k  100  190k    0     0   6249      0  0:00:31  0:00:31 --:--:-- 12443
[Sat Feb 10 20:52:41 CST 2018] Installing from online archive.
[Sat Feb 10 20:52:41 CST 2018] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Sat Feb 10 20:52:51 CST 2018] Extracting master.tar.gz
[Sat Feb 10 20:52:51 CST 2018] It is recommended to install socat first.
[Sat Feb 10 20:52:51 CST 2018] We use socat for standalone server if you use standalone mode.
[Sat Feb 10 20:52:51 CST 2018] If you don't use standalone mode, just ignore this warning.
[Sat Feb 10 20:52:51 CST 2018] Installing to /root/.acme.sh
[Sat Feb 10 20:52:51 CST 2018] Installed to /root/.acme.sh/acme.sh
[Sat Feb 10 20:52:51 CST 2018] Installing alias to '/root/.bashrc'
[Sat Feb 10 20:52:51 CST 2018] OK, Close and reopen your terminal to start using acme.sh
[Sat Feb 10 20:52:51 CST 2018] Installing alias to '/root/.cshrc'
[Sat Feb 10 20:52:51 CST 2018] Installing alias to '/root/.tcshrc'
[Sat Feb 10 20:52:51 CST 2018] Installing cron job
[Sat Feb 10 20:52:51 CST 2018] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Feb 10 20:52:52 CST 2018] OK
[Sat Feb 10 20:52:52 CST 2018] Install success!

# The demonstration here uses Alibaba Cloud DNS; an API token must exist first. See https://github.com/Neilpang/acme.sh/wiki/dnsapi for details.
[root@k8s-master /]# export Ali_Key='*************'

[root@k8s-master /]# export Ali_Secret="***********************"

[root@k8s-master /]# ~/.acme.sh/acme.sh --log --issue --dns dns_ali -d cd8.me -d *.cd8.me
[Sat Feb 10 20:53:34 CST 2018] Create account key ok.
[Sat Feb 10 20:53:34 CST 2018] Registering account
[Sat Feb 10 20:53:36 CST 2018] Registered
[Sat Feb 10 20:53:36 CST 2018] ACCOUNT_THUMBPRINT='c1EbQJC6YFoFw2itux3uK76oJgrj5-XDHCXH20WY8TM'
[Sat Feb 10 20:53:36 CST 2018] Creating domain key
[Sat Feb 10 20:53:36 CST 2018] The domain key is here: /root/.acme.sh/cd8.me/cd8.me.key
[Sat Feb 10 20:53:36 CST 2018] Multi domain='DNS:cd8.me,DNS:*.cd8.me'
[Sat Feb 10 20:53:36 CST 2018] Getting domain auth token for each domain
[Sat Feb 10 20:53:44 CST 2018] Getting webroot for domain='cd8.me'
[Sat Feb 10 20:53:44 CST 2018] Getting webroot for domain='*.cd8.me'
[Sat Feb 10 20:53:45 CST 2018] Adding txt value: 2Wzr7LXq8enlHmicInF3bxgagWnlFAEGfh2zYaehq5c for domain:  _acme-challenge.cd8.me
[Sat Feb 10 20:53:47 CST 2018] The txt record is added: Success.
[Sat Feb 10 20:53:47 CST 2018] Adding txt value: uoBJogTvFUi6Gddd2pisj4e1jygpgKLdjmtt79hAWTU for domain:  _acme-challenge.cd8.me
[Sat Feb 10 20:53:48 CST 2018] The txt record is added: Success.
[Sat Feb 10 20:53:48 CST 2018] Let's check each dns records now. Sleep 20 seconds first.
[Sat Feb 10 20:54:09 CST 2018] Checking cd8.me for _acme-challenge.cd8.me
[Sat Feb 10 20:54:12 CST 2018] Domain cd8.me '_acme-challenge.cd8.me' success.
[Sat Feb 10 20:54:10 CST 2018] Checking cd8.me for _acme-challenge.cd8.me
[Sat Feb 10 20:54:18 CST 2018] Domain cd8.me '_acme-challenge.cd8.me' success.
[Sat Feb 10 20:54:18 CST 2018] All success, let's return
[Sat Feb 10 20:54:19 CST 2018] Verifying: cd8.me
[Sat Feb 10 20:54:24 CST 2018] Success
[Sat Feb 10 20:54:24 CST 2018] Verifying: *.cd8.me
[Sat Feb 10 20:54:29 CST 2018] Success
[Sat Feb 10 20:54:29 CST 2018] Removing DNS records.
[Sat Feb 10 20:54:29 CST 2018] Removing txt: 2Wzr7LXq8enlHmicInF3bxgagWnlFAEGfh2zYaehq5c for domain: _acme-challenge.cd8.me
[Sat Feb 10 20:54:32 CST 2018] Removed: Success
[Sat Feb 10 20:54:32 CST 2018] Removing txt: uoBJogTvFUi6Gddd2pisj4e1jygpgKLdjmtt79hAWTU for domain: _acme-challenge.cd8.me
[Sat Feb 10 20:54:34 CST 2018] Removed: Success
[Sat Feb 10 20:54:34 CST 2018] Verify finished, start to sign.
[Sat Feb 10 20:54:34 CST 2018] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/71692451/1503237526
[Sat Feb 10 20:54:36 CST 2018] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/0418a1b0afd22667adae9021f104be0b94eb
[Sat Feb 10 20:54:39 CST 2018] Cert success.
[Sat Feb 10 20:54:39 CST 2018] Your cert is in  /root/.acme.sh/cd8.me/cd8.me.cer
[Sat Feb 10 20:54:39 CST 2018] Your cert key is in  /root/.acme.sh/cd8.me/cd8.me.key
[Sat Feb 10 20:54:39 CST 2018] The intermediate CA cert is in  /root/.acme.sh/cd8.me/ca.cer
[Sat Feb 10 20:54:39 CST 2018] And the full chain certs is there:  /root/.acme.sh/cd8.me/fullchain.cer

## The two files that matter are /root/.acme.sh/cd8.me/cd8.me.key and /root/.acme.sh/cd8.me/fullchain.cer. Rename them, copy them to the nginx server, configure nginx, and the site is reachable over HTTPS.


# One issue remains: the free certificate is valid for 90 days, so it has to be replaced every 60-80 days, or installed directly with:
acme.sh  --installcert  -d  cd8.me -d *.cd8.me   --key-file   /etc/nginx/ssl/<domain>.key --fullchain-file /etc/nginx/ssl/fullchain.cer --reloadcmd  "service nginx force-reload"

## Note that a plain reload does not refresh the certificate nginx has loaded, so a forced reload is required; then add this command to cron.
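To confirm the --installcert step actually took effect, here is an added shell script (not from the original post or the acme.sh project). It assumes the /etc/nginx/ssl/<domain>.key and /etc/nginx/ssl/fullchain.cer layout from the command above, and that openssl, GNU/busybox stat and GNU date are available for the live checks; the arithmetic helpers are plain sh.

```shell
#!/bin/sh
# Added example, not part of the original post. After acme.sh --installcert it
# checks three things: the key file is private, the certificate nginx really
# serves matches fullchain.cer on disk (a plain reload, as the post warns, can
# leave the old certificate loaded), and how many of the 90 days remain.
# Assumed paths: /etc/nginx/ssl/<domain>.key and /etc/nginx/ssl/fullchain.cer.
SSL_DIR="${SSL_DIR:-/etc/nginx/ssl}"
RENEW_WHEN_DAYS_LEFT=30   # 90-day lifetime minus the post's 60-day renewal point

# Whole days remaining, given notAfter and "now" as epoch seconds (pure sh).
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# Exit 0 when the certificate should be renewed now.
renewal_due() {
    [ "$(days_left "$1" "$2")" -lt "$RENEW_WHEN_DAYS_LEFT" ]
}

# Exit 0 when the private key is readable by its owner only (0600 or 0400).
key_mode_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Exit 0 when the leaf certificate served on port 443 has the same SHA-256
# fingerprint as the first certificate in fullchain.cer; a mismatch means
# nginx was not force-reloaded after acme.sh wrote the new files.
served_matches_disk() {
    disk=$(openssl x509 -noout -fingerprint -sha256 -in "$SSL_DIR/fullchain.cer") || return 1
    live=$(printf '' | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null |
           openssl x509 -noout -fingerprint -sha256) || return 1
    [ "$disk" = "$live" ]
}

main() {
    domain="$1"
    key_mode_ok "$SSL_DIR/$domain.key" || echo "WARN: $domain.key is readable by other users"
    served_matches_disk "$domain" || echo "WARN: served cert differs from disk; run: service nginx force-reload"
    end=$(openssl x509 -noout -enddate -in "$SSL_DIR/fullchain.cer" | sed 's/^notAfter=//')
    end_epoch=$(date -d "$end" +%s)   # GNU date assumed
    now_epoch=$(date +%s)
    echo "$domain: $(days_left "$end_epoch" "$now_epoch") days left"
    renewal_due "$end_epoch" "$now_epoch" && echo "renewal due: run acme.sh --renew -d $domain -d *.$domain"
}

if [ $# -gt 0 ]; then main "$1"; fi
```

Run it as `sh check-cert.sh cd8.me` on the nginx host after each renewal.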

0x03 Sources

https://letsencrypt.org/
https://www.cnblogs.com/clsn/p/10040334.html
https://github.com/Neilpang/acme.sh