
ACME: achieving SSL certificate freedom

Author: 站长 · 15 views

As everyone knows, the major cloud providers only offer a limited number of SSL certificates per account (around 20), while HTTPS has become a baseline requirement for websites. How to get unlimited SSL certificates is therefore one of the required skills of operations work.

Some sites offer free certificate services, whether cloud providers, third parties or even root CAs themselves, but many of them require manual steps or a complicated API integration. If you only maintain a handful of sites each year that is tolerable. With dozens, hundreds or even thousands of domains, it no longer scales. At that point you either pay for a wildcard certificate or pick an "automatic weapon" to do the job for you.

ACME and acme.sh

What is the ACME protocol? The Automatic Certificate Management Environment (ACME) is a standard protocol for automating the domain validation, installation and management of X.509 certificates. It was designed by the Internet Security Research Group (ISRG) and is published as IETF RFC 8555. As a well-documented open standard with many available client implementations, ACME is widely used as an enterprise certificate automation solution.[1]

acme.sh[2] is a certificate management tool based on the ACME protocol, written in pure shell script. It supports renewing certificates automatically from cron, and supports sub-account credentials for the major cloud providers' DNS APIs.

Installation

Installing directly from source is recommended:

git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install -m my@example.com

After it runs, the installer copies the program's source into the hidden .acme.sh folder in your home directory, creates a command alias, and adds a daily certificate-renewal job to cron.

[Tue Mar  7 09:54:12 CST 2023] It is recommended to install socat first.
[Tue Mar  7 09:54:12 CST 2023] We use socat for standalone server if you use standalone mode.
[Tue Mar  7 09:54:12 CST 2023] If you don't use standalone mode, just ignore this warning.
[Tue Mar  7 09:54:12 CST 2023] Installing to /root/.acme.sh
[Tue Mar  7 09:54:13 CST 2023] Installed to /root/.acme.sh/acme.sh
[Tue Mar  7 09:54:13 CST 2023] Installing alias to '/root/.zshrc'
[Tue Mar  7 09:54:13 CST 2023] OK, Close and reopen your terminal to start using acme.sh
[Tue Mar  7 09:54:15 CST 2023] Installing cron job
[Tue Mar  7 09:54:15 CST 2023] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Mar  7 09:54:17 CST 2023] OK

acme.sh -h

Prints the tool's help.

Requesting a certificate

Two parameters are required when requesting a certificate: the certificate's domain name and the method used to verify ownership of that domain. Using Alibaba Cloud as the example, before issuing you first need to put the Ali_Key and Ali_Secret values (obtained from the Alibaba Cloud sub-account management console) into the system environment variables. Then run:

acme.sh --issue --dns dns_ali -d mail.example.com

Output:

[Tue Mar  7 10:38:22 CST 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Mar  7 10:38:22 CST 2023] Create account key ok.
[Tue Mar  7 10:38:22 CST 2023] No EAB credentials found for ZeroSSL, let's get one
[Tue Mar  7 10:38:24 CST 2023] Registering account: https://acme.zerossl.com/v2/DV90
[Tue Mar  7 10:38:26 CST 2023] Registered
[Tue Mar  7 10:38:27 CST 2023] ACCOUNT_THUMBPRINT='pTXJ3c8'
[Tue Mar  7 10:38:27 CST 2023] Creating domain key
[Tue Mar  7 10:38:27 CST 2023] The domain key is here: /root/.acme.sh/example.com_ecc/example.com.key
[Tue Mar  7 10:38:27 CST 2023] Single domain='example.com'
[Tue Mar  7 10:38:27 CST 2023] Getting domain auth token for each domain
[Tue Mar  7 10:38:30 CST 2023] Getting webroot for domain='example.com'
[Tue Mar  7 10:38:30 CST 2023] Adding txt value: qDNg76Mm1C8FJITL64cJ69Oe2emwp8AJNDnkYjjhOiU for domain:  _acme-challenge.example.com
[Tue Mar  7 10:38:33 CST 2023] The txt record is added: Success.
[Tue Mar  7 10:38:33 CST 2023] Let's check each DNS record now. Sleep 20 seconds first.
[Tue Mar  7 10:38:54 CST 2023] You can use '--dnssleep' to disable public dns checks.
[Tue Mar  7 10:38:54 CST 2023] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Tue Mar  7 10:38:54 CST 2023] Checking example.com for _acme-challenge.example.com
[Tue Mar  7 10:38:55 CST 2023] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Tue Mar  7 10:39:05 CST 2023] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28
[Tue Mar  7 10:39:05 CST 2023] Domain example.com '_acme-challenge.example.com' success.
[Tue Mar  7 10:39:05 CST 2023] All success, let's return
[Tue Mar  7 10:39:05 CST 2023] Verifying: example.com
[Tue Mar  7 10:39:07 CST 2023] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Mar  7 10:39:11 CST 2023] Success
[Tue Mar  7 10:39:11 CST 2023] Removing DNS records.
[Tue Mar  7 10:39:11 CST 2023] Removing txt: qDNg76DnkYjjhOiU for domain: _acme-challenge.example.com
[Tue Mar  7 10:39:15 CST 2023] Removed: Success
[Tue Mar  7 10:39:15 CST 2023] Verify finished, start to sign.
[Tue Mar  7 10:39:15 CST 2023] Lets finalize the order.
[Tue Mar  7 10:39:15 CST 2023] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/QnPXhCZxsgOJA/finalize'
[Tue Mar  7 10:39:17 CST 2023] Order status is processing, lets sleep and retry.
[Tue Mar  7 10:39:17 CST 2023] Retry after: 15
[Tue Mar  7 10:39:33 CST 2023] Polling order status: https://acme.zerossl.com/v2/DV90/order/QnPXhJA
[Tue Mar  7 10:39:34 CST 2023] Downloading cert.
[Tue Mar  7 10:39:34 CST 2023] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/Mcrw'
[Tue Mar  7 10:39:35 CST 2023] Cert success.
-----BEGIN CERTIFICATE-----
MIIECzCCA5CgAwIBAgIRAMzIIIPK2wI36zgGVAydGYgwCgYIKoZIzj0EAwMwSzEL
……
h741P2NrnfJXiUEvJFxshAHpuH1A5clXvmkuE/B7Vw==
-----END CERTIFICATE-----
[Tue Mar  7 10:39:35 CST 2023] Your cert is in: /root/.acme.sh/example.com_ecc/example.cer
[Tue Mar  7 10:39:35 CST 2023] Your cert key is in: /root/.acme.sh/example.com_ecc/example.com.key
[Tue Mar  7 10:39:35 CST 2023] The intermediate CA cert is in: /root/.acme.sh/example.com_ecc/ca.cer
[Tue Mar  7 10:39:35 CST 2023] And the full chain certs is there: /root/.acme.sh/example.com_ecc/fullchain.cer

The script's overall flow is: use the Alibaba Cloud sub-account to create an authorization TXT record under the domain, wait for domain ownership to be verified, and once it passes download the issued certificate and save it under ~/.acme.sh/<domain>_ecc. Sometimes the request fails because of network problems; try again at a different time of day, a few times if necessary (there is no other remedy).
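To make the log above concrete, here is an added example (not part of the original post and not acme.sh's own code) that computes with the Python standard library the two values the log prints: the account key thumbprint (RFC 7638, shown as ACCOUNT_THUMBPRINT) and the DNS-01 TXT value that acme.sh publishes at _acme-challenge.<domain> (RFC 8555 section 8.4), plus the comparison the CA performs against public DNS. The JWK coordinates and the challenge token are constructed placeholders, not real key material.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members of the JWK,
    serialised with lexicographically sorted keys and no whitespace.
    Optional members such as 'alg' or 'kid' must be left out."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || thumbprint."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: the TXT record for _acme-challenge.<domain> is
    base64url(SHA-256(keyAuthorization)). This is the 'txt value' that
    acme.sh pushes through the dns_ali API in the log above."""
    ka = key_authorization(token, thumbprint).encode("ascii")
    return b64url(hashlib.sha256(ka).digest())


def verify_txt_record(published: str, token: str, thumbprint: str) -> bool:
    """What the CA does before issuing: recompute the expected value and
    compare it with the TXT record it fetched over public DNS. Only the
    holder of the account key could have produced a matching record."""
    return published == dns01_txt_value(token, thumbprint)


# Constructed sample (placeholder P-256 point, not a real key) and a
# constructed challenge token; neither value comes from the post above.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
SAMPLE_TOKEN = "constructedTokenFromCA0123456789abcdefghijk"

if __name__ == "__main__":
    thumb = jwk_thumbprint(SAMPLE_JWK)
    txt = dns01_txt_value(SAMPLE_TOKEN, thumb)
    print(f"ACCOUNT_THUMBPRINT='{thumb}'")
    print(f"_acme-challenge.example.com TXT {txt}")
    print("CA check passes:", verify_txt_record(txt, SAMPLE_TOKEN, thumb))
```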

Deploying the certificate

Once the certificate has been downloaded, each web server has its own way of configuring it. Taking nginx as the example, copy the key and PEM files into nginx's cert directory:

acme.sh --install-cert -d mail.example.com \
    --key-file /etc/nginx/cert/mail.example.com.key \
    --fullchain-file /etc/nginx/cert/mail.example.com.pem

After restarting nginx you can see that the certificate is in effect.

Other notes

Although certificates issued through acme.sh are only valid for three months, the script can run automatically, so they can be renewed indefinitely.


Add a cron task that, on the last day of every third month, runs the certificate installation and restarts the nginx service.

References

[1] www.ssl.com/zh-CN/%E5%B…

[2] github.com/acmesh-offi…

Reposted from: https://juejin.cn/post/7207617774633648184