[Anyone Can Do It] Manually Renewing Your Site's SSL Certificate

Yesterday was May 10, 2021, and it wasn't until the evening that I noticed... my site's SSL certificate had only 3 hours left before it expired.

For a lazy person like me, the obvious choice was to just get one issued through a trusted third-party platform (I'm perfectly comfortable on the command line and could do it myself, I'm just lazy).

But then I found out... my certificate issuer, Let's Encrypt, limits how many certificates it issues per IP address per hour, and FreeSSL, the platform I've trusted and used most in the past, has only one or two server IP addresses serving a large user base, so Let's Encrypt kept answering that there were too many pending certificate requests.

(Screenshot: the error message)

So, since being lazy isn't an option this time, let's do it by hand!

(Now for the real thing)

First, fetch the ACME certificate issuing tool via Git.

[root@China-HongKong-Main ~]# git clone https://github.com/Neilpang/acme.sh.git
Cloning into 'acme.sh'...
remote: Enumerating objects: 13231, done.
remote: Counting objects: 100% (293/293), done.
remote: Compressing objects: 100% (172/172), done.
remote: Total 13231 (delta 161), reused 228 (delta 121), pack-reused 12938
Receiving objects: 100% (13231/13231), 5.03 MiB | 0 bytes/s, done.
Resolving deltas: 100% (7923/7923), done.
[root@China-HongKong-Main ~]#

Then go into the directory and check that the Git clone is complete and correct.

[root@China-HongKong-Main ~]# ll
total 604
drwxr-xr-x 7 root root   4096 May 10 23:27 acme.sh
-rwxr-xr-x 1 root root  23766 Oct 25  2019 ecs-utils-ipv6
-rw-r--r-- 1 root root  20315 Apr  1  2020 install.sh
drwxrwxr-x 7 www  www   12288 Feb 10 17:06 memcached-1.6.9
-rw-r--r-- 1 root root 556137 Dec  9 10:28 memcached-1.6.9.tar.gz
[root@China-HongKong-Main ~]# cd acme.sh/
[root@China-HongKong-Main acme.sh]# ll
total 280
-rwxr-xr-x 1 root root 211526 May 10 23:27 acme.sh
drwxr-xr-x 2 root root   4096 May 10 23:27 deploy
drwxr-xr-x 2 root root   4096 May 10 23:27 dnsapi
-rw-r--r-- 1 root root   1582 May 10 23:27 Dockerfile
-rw-r--r-- 1 root root  35149 May 10 23:27 LICENSE.md
drwxr-xr-x 2 root root   4096 May 10 23:27 notify
-rw-r--r-- 1 root root  20470 May 10 23:27 README.md
[root@China-HongKong-Main acme.sh]#

Install acme.sh and set the certificate issuance details.
--config-home is the directory where the configuration for the two options below is saved; any usable directory will do.
--accountemail is the certificate holder's email; the email registered with the domain or the one you normally use both work.
--useragent is the user identifier; a nickname or an English name is fine.

[root@China-HongKong-Main acme.sh]# ./acme.sh --install  \
> --config-home /www/wwwroot/cert/acme \
> --accountemail  "你自己的邮箱" \
> --useragent  "Joe"
[Mon May 10 23:28:50 HKT 2021] It is recommended to install socat first.
[Mon May 10 23:28:50 HKT 2021] We use socat for standalone server if you use standalone mode.
[Mon May 10 23:28:50 HKT 2021] If you don't use standalone mode, just ignore this warning.
[Mon May 10 23:28:50 HKT 2021] Installing to /root/.acme.sh
[Mon May 10 23:28:50 HKT 2021] Installed to /root/.acme.sh/acme.sh
[Mon May 10 23:28:50 HKT 2021] Installing alias to '/root/.bashrc'
./acme.sh: line 2184: /root/.bashrc: Permission denied
[Mon May 10 23:28:50 HKT 2021] OK, Close and reopen your terminal to start using acme.sh
[Mon May 10 23:28:50 HKT 2021] Installing alias to '/root/.cshrc'
[Mon May 10 23:28:50 HKT 2021] Installing alias to '/root/.tcshrc'
[Mon May 10 23:28:50 HKT 2021] Installing cron job
/var/spool/cron/#tmp.China-HongKong-Main.XXXXZiDUaa: Permission denied
[Mon May 10 23:28:50 HKT 2021] Install cron job failed. You need to manually renew your certs.
[Mon May 10 23:28:50 HKT 2021] Or you can add cronjob by yourself:
[Mon May 10 23:28:50 HKT 2021] "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Mon May 10 23:28:50 HKT 2021] Good, bash is found, so change the shebang to use bash as preferred.
[Mon May 10 23:28:50 HKT 2021] OK

Update, November 2021: since acme.sh upstream replaced Let's Encrypt with ZeroSSL as the default CA, a registration step is now required.

[root@China-HongKong-Main acme.sh]# ./acme.sh --register-account -m 你自己的邮箱
[Mon Nov  1 10:34:37 HKT 2021] No EAB credentials found for ZeroSSL, let's get one
[Mon Nov  1 10:34:38 HKT 2021] Registering account: https://acme.zerossl.com/v2/DV90
[Mon Nov  1 10:34:41 HKT 2021] Registered
[Mon Nov  1 10:34:41 HKT 2021] ACCOUNT_THUMBPRINT='H--属于你自己的一串密钥'

When you see OK, the installation is done.

Next comes the issuing step: specify the validation method (usually DNS TXT record validation) and the domains to be issued (several domains are allowed, wildcards included); note that this step uses --issue.

[root@China-HongKong-Main acme.sh]# ./acme.sh --issue --dns -d '*.bilibili.nl' -d bilibili.nl -d '*.shentianshu.com' -d shentianshu.com -d '*.shentianshu.net' -d shentianshu.net
[Mon May 10 23:32:02 HKT 2021] It seems that you are using dns manual mode. Read this link first: https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode
[root@China-HongKong-Main acme.sh]#

Something looks wrong? Indeed: being lazy, I also couldn't be bothered to set up the API of a DNS provider like Alibaba Cloud (I know how, I'm just lazy), but acme.sh by default works through the provider's API, so it errored out. acme.sh does accept manually added DNS records too; you just have to add the --yes-I-know-dns-manual-mode-enough-go-ahead-please parameter, as follows.

[root@China-HongKong-Main acme.sh]# ./acme.sh --issue --dns -d '*.bilibili.nl' -d bilibili.nl -d '*.shentianshu.com' -d shentianshu.com -d '*.shentianshu.net' -d shentianshu.net \
> --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Mon May 10 23:35:01 HKT 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon May 10 23:35:01 HKT 2021] Create account key ok.
[Mon May 10 23:35:01 HKT 2021] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Mon May 10 23:35:03 HKT 2021] Registered
[Mon May 10 23:35:03 HKT 2021] ACCOUNT_THUMBPRINT='hXu2T364venQ78PGitedg93_BK0lKnHK4FFXBfFv2jM'
[Mon May 10 23:35:03 HKT 2021] Creating domain key
[Mon May 10 23:35:03 HKT 2021] The domain key is here: /root/.acme.sh/*.bilibili.nl/*.bilibili.nl.key
[Mon May 10 23:35:03 HKT 2021] Multi domain='DNS:*.bilibili.nl,DNS:bilibili.nl,DNS:*.shentianshu.com,DNS:shentianshu.com,DNS:*.shentianshu.org,DNS:shentianshu.org'
[Mon May 10 23:35:03 HKT 2021] Getting domain auth token for each domain
[Mon May 10 23:35:09 HKT 2021] Getting webroot for domain='*.bilibili.nl'
[Mon May 10 23:35:09 HKT 2021] Getting webroot for domain='bilibili.nl'
[Mon May 10 23:35:09 HKT 2021] Getting webroot for domain='*.shentianshu.com'
[Mon May 10 23:35:09 HKT 2021] Getting webroot for domain='shentianshu.com'
[Mon May 10 23:35:09 HKT 2021] Getting webroot for domain='*.shentianshu.org'
[Mon May 10 23:35:09 HKT 2021] Getting webroot for domain='shentianshu.org'
[Mon May 10 23:35:09 HKT 2021] Add the following TXT record:
[Mon May 10 23:35:09 HKT 2021] Domain: '_acme-challenge.bilibili.nl'
[Mon May 10 23:35:09 HKT 2021] TXT value: '需要的解析记录'
[Mon May 10 23:35:09 HKT 2021] Please be aware that you prepend _acme-challenge. before your domain
[Mon May 10 23:35:09 HKT 2021] so the resulting subdomain will be: _acme-challenge.bilibili.nl
[Mon May 10 23:35:09 HKT 2021] Add the following TXT record:
[Mon May 10 23:35:09 HKT 2021] Domain: '_acme-challenge.bilibili.nl'
[Mon May 10 23:35:09 HKT 2021] TXT value: '需要的解析记录'
[Mon May 10 23:35:09 HKT 2021] Please be aware that you prepend _acme-challenge. before your domain
[Mon May 10 23:35:09 HKT 2021] so the resulting subdomain will be: _acme-challenge.bilibili.nl
[Mon May 10 23:35:10 HKT 2021] Add the following TXT record:
[Mon May 10 23:35:10 HKT 2021] Domain: '_acme-challenge.shentianshu.com'
[Mon May 10 23:35:10 HKT 2021] TXT value: '需要的解析记录'
[Mon May 10 23:35:10 HKT 2021] Please be aware that you prepend _acme-challenge. before your domain
[Mon May 10 23:35:10 HKT 2021] so the resulting subdomain will be: _acme-challenge.shentianshu.com
[Mon May 10 23:35:10 HKT 2021] Add the following TXT record:
[Mon May 10 23:35:10 HKT 2021] Domain: '_acme-challenge.shentianshu.com'
[Mon May 10 23:35:10 HKT 2021] TXT value: '需要的解析记录'
[Mon May 10 23:35:10 HKT 2021] Please be aware that you prepend _acme-challenge. before your domain
[Mon May 10 23:35:10 HKT 2021] so the resulting subdomain will be: _acme-challenge.shentianshu.com
[Mon May 10 23:35:10 HKT 2021] Add the following TXT record:
[Mon May 10 23:35:10 HKT 2021] Domain: '_acme-challenge.shentianshu.net'
[Mon May 10 23:35:10 HKT 2021] TXT value: '需要的解析记录'
[Mon May 10 23:35:10 HKT 2021] Please be aware that you prepend _acme-challenge. before your domain
[Mon May 10 23:35:10 HKT 2021] so the resulting subdomain will be: _acme-challenge.shentianshu.org
[Mon May 10 23:35:10 HKT 2021] Add the following TXT record:
[Mon May 10 23:35:10 HKT 2021] Domain: '_acme-challenge.shentianshu.net'
[Mon May 10 23:35:10 HKT 2021] TXT value: '需要的解析记录'
[Mon May 10 23:35:10 HKT 2021] Please be aware that you prepend _acme-challenge. before your domain
[Mon May 10 23:35:10 HKT 2021] so the resulting subdomain will be: _acme-challenge.shentianshu.org
[Mon May 10 23:35:10 HKT 2021] Please add the TXT records to the domains, and re-run with --renew.
[Mon May 10 23:35:10 HKT 2021] Please add '--debug' or '--log' to check more details.
[Mon May 10 23:35:10 HKT 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[root@China-HongKong-Main acme.sh]#

The certificate issuance request has been submitted to Let's Encrypt successfully! It also returned the DNS records needed for validation; now go to your domain registrar or DNS provider and add those records (remember to delete them once issuance is complete).
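Before re-running with --renew, it is worth confirming that the TXT records are actually visible from the outside, because the validation fails (and counts against the rate limit mentioned at the top) if the resolver the CA uses has not seen them yet. The script below is an added example, not part of the original post and not acme.sh's own code. It derives the record name exactly as acme.sh describes above (prepend `_acme-challenge.` to the domain with any leading `*.` stripped, which is why a wildcard and its base domain share one record), then queries a public resolver. It assumes `dig` is installed; the resolver 1.1.1.1 is a constructed default that can be overridden with `RESOLVER=`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from acme.sh): verify that the
# _acme-challenge TXT records printed by `acme.sh --issue --dns` have
# propagated before re-running with --renew.
# Assumes `dig` (bind-utils / dnsutils) is installed.

# Map a domain from the -d list to the name acme.sh wants the TXT record on.
# A wildcard and its base domain validate on the same record name, which is
# why the --issue output above prints each name twice.
challenge_name() {
    local domain="$1"
    domain="${domain#\*.}"               # strip a leading "*."
    printf '_acme-challenge.%s\n' "$domain"
}

# Print the challenge name for every domain given, each once.
unique_challenge_names() {
    local d
    for d in "$@"; do
        challenge_name "$d"
    done | sort -u
}

# Query the resolver (constructed default 1.1.1.1; override with RESOLVER=...)
# and succeed only if the expected TXT value is among the answers.
txt_record_present() {
    local name="$1" expected="$2" resolver="${RESOLVER:-1.1.1.1}"
    dig +short TXT "$name" "@$resolver" | tr -d '"' | grep -qxF "$expected"
}

# Usage: ./check_txt.sh NAME=VALUE ...
#   e.g. ./check_txt.sh _acme-challenge.bilibili.nl=VALUE_FROM_ACME_OUTPUT
# Exits non-zero if any record is missing, so it can gate the --renew step.
main() {
    local rc=0 pair name value
    for pair in "$@"; do
        name="${pair%%=*}"
        value="${pair#*=}"
        if txt_record_present "$name" "$value"; then
            echo "OK       $name"
        else
            echo "MISSING  $name (wait for DNS propagation, then retry)"
            rc=1
        fi
    done
    return $rc
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

One caveat that follows from how manual mode works: the TXT value is different for every order, so the cron job acme.sh tried to install cannot complete a renewal unattended for certificates issued this way; the --issue, add-record, --renew sequence has to be repeated each time.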

After the records are added, change --issue to --renew and run it again, as follows.

[root@China-HongKong-Main acme.sh]# ./acme.sh --renew --dns -d '*.bilibili.nl' -d bilibili.nl -d '*.shentianshu.com' -d shentianshu.com -d '*.shentianshu.org' -d shentianshu.org \
> --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Mon May 10 23:50:50 HKT 2021] Renew: '*.bilibili.nl'
[Mon May 10 23:50:51 HKT 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon May 10 23:50:51 HKT 2021] Multi domain='DNS:*.bilibili.nl,DNS:bilibili.nl,DNS:*.shentianshu.com,DNS:shentianshu.com,DNS:*.shentianshu.org,DNS:shentianshu.org'
[Mon May 10 23:50:51 HKT 2021] Getting domain auth token for each domain
[Mon May 10 23:50:51 HKT 2021] Verifying: *.bilibili.nl
[Mon May 10 23:50:56 HKT 2021] Pending
[Mon May 10 23:50:59 HKT 2021] Success
[Mon May 10 23:50:59 HKT 2021] bilibili.nl is already verified, skip dns-01.
[Mon May 10 23:50:59 HKT 2021] Verifying: *.shentianshu.com
[Mon May 10 23:51:02 HKT 2021] Success
[Mon May 10 23:51:02 HKT 2021] Verifying: shentianshu.com
[Mon May 10 23:51:06 HKT 2021] Success
[Mon May 10 23:51:06 HKT 2021] Verifying: *.shentianshu.net
[Mon May 10 23:51:10 HKT 2021] Success
[Mon May 10 23:51:10 HKT 2021] Verifying: shentianshu.net
[Mon May 10 23:51:13 HKT 2021] Success
[Mon May 10 23:51:13 HKT 2021] Verify finished, start to sign.
[Mon May 10 23:51:13 HKT 2021] Lets finalize the order.
[Mon May 10 23:51:13 HKT 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/122986017/9609215434'
[Mon May 10 23:51:15 HKT 2021] Downloading cert.
[Mon May 10 23:51:15 HKT 2021] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/045e324f0d43405cc017125d935a019e7fcb'
[Mon May 10 23:51:16 HKT 2021] Cert success.
-----BEGIN CERTIFICATE-----
证书
-----END CERTIFICATE-----
[Mon May 10 23:51:16 HKT 2021] Your cert is in  /root/.acme.sh/*.bilibili.nl/*.bilibili.nl.cer 
[Mon May 10 23:51:16 HKT 2021] Your cert key is in  /root/.acme.sh/*.bilibili.nl/*.bilibili.nl.key 
[Mon May 10 23:51:16 HKT 2021] The intermediate CA cert is in  /root/.acme.sh/*.bilibili.nl/ca.cer 
[Mon May 10 23:51:16 HKT 2021] And the full chain certs is there:  /root/.acme.sh/*.bilibili.nl/fullchain.cer 
[root@China-HongKong-Main acme.sh]#

Note that on success the certificate itself is printed straight to the terminal, so it may feel like your screen got flooded.

At this point the certificate has been issued. Go into the directory where the certificate was written, inspect it and deploy it, and the manual renewal is complete!

[root@China-HongKong-Main acme.sh]# cd ../.acme.sh/\*.bilibili.nl/
[root@China-HongKong-Main *.bilibili.nl]# ll
total 32
-rw-r--r-- 1 root root 1956 May 10 23:51 *.bilibili.nl.cer
-rw-r--r-- 1 root root  687 May 10 23:51 *.bilibili.nl.conf
-rw-r--r-- 1 root root 1090 May 10 23:50 *.bilibili.nl.csr
-rw-r--r-- 1 root root  308 May 10 23:50 *.bilibili.nl.csr.conf
-rw-r--r-- 1 root root 1679 May 10 23:35 *.bilibili.nl.key
-rw-r--r-- 1 root root 3751 May 10 23:51 ca.cer
-rw-r--r-- 1 root root 5707 May 10 23:51 fullchain.cer
[root@China-HongKong-Main *.bilibili.nl]# 

*.bilibili.nl.key is the certificate's private key file.
fullchain.cer is the full certificate chain (the main PEM file).

In the Apache HTTPD or NGINX configuration file, point to the certificate files by their absolute paths.
If you use a control panel, view the files with cat and paste their contents into the panel.
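Pointing the web server straight at ~/.acme.sh works, but acme.sh documents `--install-cert` for copying the files to a location of your choice and reloading the server, and after deploying it pays to check what the server actually presents rather than what is on disk. The script below is an added example, not part of the original post and not acme.sh's own code. The file paths are the ones acme.sh printed above; the `/etc/nginx/ssl` destination and the `nginx -s reload` command are constructed assumptions. It also carries a small matching helper that shows why the --issue command above lists both `*.bilibili.nl` and `bilibili.nl`: a wildcard covers exactly one label, so it matches www.bilibili.nl but neither bilibili.nl nor a.b.bilibili.nl.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from acme.sh): deploy the
# issued files and confirm what the server presents afterwards.
# Assumes acme.sh is installed at ~/.acme.sh as shown above and that nginx is
# the server; destination directory and reload command are constructed.

# 1. Copy the files out of ~/.acme.sh with acme.sh's own --install-cert so a
#    later successful --renew refreshes the live copies and reloads nginx.
#    $1 is the first -d domain of the order (here '*.bilibili.nl'), $2 a plain
#    file name to use on disk, $3 the destination directory.
install_to_nginx() {
    local domain="$1" name="$2" dest="${3:-/etc/nginx/ssl}"
    mkdir -p "$dest"
    ~/.acme.sh/acme.sh --install-cert -d "$domain" \
        --key-file       "$dest/$name.key" \
        --fullchain-file "$dest/$name.fullchain.cer" \
        --reloadcmd      "nginx -s reload"
}

# 2. Show the expiry date and SAN list of the certificate a live host serves.
served_cert_info() {
    local host="$1" port="${2:-443}"
    openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate -ext subjectAltName
}

# Does one SAN entry (possibly a wildcard) cover a hostname?
# A wildcard matches exactly one label: '*.bilibili.nl' covers
# www.bilibili.nl but not bilibili.nl and not a.b.bilibili.nl.
san_matches() {
    local san="$1" host="$2" suffix head
    case "$san" in
        \*.*)
            suffix="${san#\*.}"          # "*.bilibili.nl" -> "bilibili.nl"
            head="${host%.$suffix}"      # "www.bilibili.nl" -> "www"
            # something must have been stripped, and the remainder is one label
            [ "$head" != "$host" ] && [ -n "$head" ] && [ "${head#*.}" = "$head" ]
            ;;
        *)
            [ "$san" = "$host" ]
            ;;
    esac
}

# Check every hostname in $2.. against a comma-separated SAN list in $1, in the
# "DNS:a, DNS:b" form openssl prints under "X509v3 Subject Alternative Name:".
all_hosts_covered() {
    local sans="$1" host
    shift
    for host in "$@"; do
        printf '%s\n' "$sans" | tr ',' '\n' | sed -n 's/^ *DNS://p' | {
            while IFS= read -r san; do
                if san_matches "$san" "$host"; then exit 0; fi
            done
            exit 1
        } || return 1
    done
    return 0
}
```

Typical use after the --renew step above: `install_to_nginx '*.bilibili.nl' bilibili.nl`, point `ssl_certificate` and `ssl_certificate_key` in the nginx server block at the two installed files, then run `served_cert_info www.bilibili.nl` and compare the printed notAfter date and SAN list with what was ordered; `all_hosts_covered "$(served_cert_info www.bilibili.nl | sed -n 's/^ *DNS:/DNS:/p')" www.bilibili.nl bilibili.nl` turns that comparison into an exit status.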

Manual renewal done! Success!

Tip – next time you renew, remember to bring acme.sh up to the latest version first; check and update as follows.

acme.sh --upgrade
