Let’s encrypt Auto Renew acme.sh

紀錄一下Linux 除了certbot 之外好用的SSL Auto Renew工具acme.sh
官方網站介紹
https://github.com/Neilpang/acme.sh
優點如下:
1.支援 DNS base驗證並結合API,目前結合DNS API請參考網址
https://github.com/Neilpang/acme.sh/tree/master/dnsapi
2.支援 File base驗證整合WebServer 設定,獲取SSL憑證
3.Auto renew
整體流程如下:
1.取得Cloudflare DNS API key
2.安裝acme.sh
3.產生證書
4.更新acme.sh
5.自帶CSR獲取SSL憑證
6.透過File base驗證

1.取得Cloudflare DNS API key
登入Cloudflare >> my profile >> View API key

2.安裝acme.sh

#curl https://get.acme.sh | sh

安裝完成後,系統自動建立crond (方便自動更新證書) & 建立 alias

3.產生證書
export cloudflare API

#export CF_Key="sdfsd70504dlkjsdf630wje"
#export CF_Email="[email protected]"

獲取證書

#acme.sh --issue --dns dns_cf -d forti-tw.imprezagt1031.idv.tw

如果FQDN 不是在同一個cloudflare帳戶下,那DNS API 金鑰也不會不同組,可以指定–accountconf 來分別建立

#acme.sh --issue --dns dns_cf -d forti-tw.imprezagt1031.idv.tw --accountconf /root/.acme.sh/account_test.conf
[Wed Apr 11 00:46:53 CST 2018] Creating domain key
[Wed Apr 11 00:46:53 CST 2018] The domain key is here: /root/.acme.sh/forti-tw.imprezagt1031.idv.tw/forti-tw.imprezagt1031.idv.tw.key
[Wed Apr 11 00:46:53 CST 2018] Single domain='forti-tw.imprezagt1031.idv.tw'
[Wed Apr 11 00:46:53 CST 2018] Getting domain auth token for each domain
[Wed Apr 11 00:46:53 CST 2018] Getting webroot for domain='forti-tw.imprezagt1031.idv.tw'
[Wed Apr 11 00:46:53 CST 2018] Getting new-authz for domain='forti-tw.imprezagt1031.idv.tw'
[Wed Apr 11 00:46:54 CST 2018] The new-authz request is ok.
[Wed Apr 11 00:46:54 CST 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
[Wed Apr 11 00:46:57 CST 2018] Adding record
[Wed Apr 11 00:46:58 CST 2018] Added, OK
[Wed Apr 11 00:46:58 CST 2018] Sleep 120 seconds for the txt records to take effect
[Wed Apr 11 00:48:59 CST 2018] Verifying:forti-tw.imprezagt1031.idv.tw
[Wed Apr 11 00:49:02 CST 2018] Success
[Wed Apr 11 00:49:02 CST 2018] Removing DNS records.
[Wed Apr 11 00:49:04 CST 2018] Verify finished, start to sign.
[Wed Apr 11 00:49:06 CST 2018] Cert success.
-----BEGIN CERTIFICATE-----
MIIGJjCCBQ6gAwIBAgISA3w9ji3WfjDbZJc37wxXMtWsMA0GCSqGSIb3DQEBCwUA
...省略...
DyIb+SAYMTXK5a5qNZ1AOl9KD9uKpjqFFeqKc5oKMBUQskTraSV6S26KaYHG/R1a
MhzC/Jn2yLx0kBi0zKtKRo9C//UMGMH7Knzgxl+Pd6z0TD9tmOrbYBpd
-----END CERTIFICATE-----
[Wed Apr 11 00:49:06 CST 2018] Your cert is in /root/.acme.sh/forti-tw.imprezagt1031.idv.tw/forti-tw.imprezagt1031.idv.tw.cer 
[Wed Apr 11 00:49:06 CST 2018] Your cert key is in /root/.acme.sh/forti-tw.imprezagt1031.idv.tw/forti-tw.imprezagt1031.idv.tw.key 
[Wed Apr 11 00:49:06 CST 2018] The intermediate CA cert is in /root/.acme.sh/forti-tw.imprezagt1031.idv.tw/ca.cer 
[Wed Apr 11 00:49:06 CST 2018] And the full chain certs is there: /root/.acme.sh/forti-tw.imprezagt1031.idv.tw/fullchain.cer

把SSL證書搬移到指定路徑

#acme.sh --installcert -d forti-tw.imprezagt1031.idv.tw --key-file /etc/nginx/ssl/domain.key --fullchain-file /etc/nginx/ssl/fullchain.cer --reloadcmd "service nginx force-reload"

4.更新acme.sh

#acme.sh --upgrade

5.自帶CSR獲取SSL憑證

#acme.sh --signcsr --csr /root/test.csr --dns dns_cf

6.透過File base驗證
讓ACME v2 Server獲取站台上.well-known/acme-challenge/亂數檔案,若能正常訪問,則能獲取SSL憑證
Ngnix設定

location ^~ /.well-known/acme-challenge/ { default_type "text/plain"; root /data/wwwroot/; }

透過File Base 獲取SSL憑證命令

#acme.sh --issue -d blog.imprezagt1031.idv.tw --webroot /data/wwwroot/

7.更換CA Server

#acme.sh --set-default-ca  --server  letsencrypt
Facebook Comments