
Installing acme.sh on CentOS 6 with Alibaba Cloud DNS for automatic certificate issuance and renewal


1. Server environment

CentOS 6
OpenSSL 3.0, see the separate article "Upgrading OpenSSL 1.0 to 3.0 on CentOS 6"

2. Download and extract

wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
tar -zxvf master.tar.gz
cd acme.sh-master/

3. Install

[root@01 acme.sh-master]# ./acme.sh --install -m youremail
[Mon Mar 25 08:18:06 CST 2024] It is recommended to install socat first.
[Mon Mar 25 08:18:06 CST 2024] We use socat for standalone server if you use standalone mode.
[Mon Mar 25 08:18:06 CST 2024] If you don't use standalone mode, just ignore this warning.
[Mon Mar 25 08:18:06 CST 2024] Installing to /root/.acme.sh
[Mon Mar 25 08:18:06 CST 2024] Installed to /root/.acme.sh/acme.sh
[Mon Mar 25 08:18:06 CST 2024] Installing alias to '/root/.bashrc'
[Mon Mar 25 08:18:06 CST 2024] OK, Close and reopen your terminal to start using acme.sh
[Mon Mar 25 08:18:06 CST 2024] Installing alias to '/root/.cshrc'
[Mon Mar 25 08:18:06 CST 2024] Installing alias to '/root/.tcshrc'
[Mon Mar 25 08:18:06 CST 2024] Installing cron job
[Mon Mar 25 08:18:06 CST 2024] Good, bash is found, so change the shebang to use bash as preferred.
[Mon Mar 25 08:18:08 CST 2024] OK

4. Configure

vim ~/.bashrc

Create an Alibaba Cloud AccessKey

https://ram.console.aliyun.com/manage/ak

Add the environment variables to the system

Add these two lines

export Ali_Key="your ali key"
export Ali_Secret="your ali Secret"

Reload .bashrc

source ~/.bashrc
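Exporting Ali_Key and Ali_Secret from ~/.bashrc means every process started from a root login shell inherits the DNS API credentials, and they stay there long after the first issue. acme.sh itself saves these two values to ~/.acme.sh/account.conf after a successful --issue and reuses them for the cron renewals, so the profile export is only needed once. The following script, added here as an example and not part of the original post or of acme.sh, keeps the pair in a root-only file and loads it just for the issue command; the path /root/.acme.sh/ali.env and the function names are assumptions. The key should also belong to a RAM user limited to DNS permissions (AliyunDNSFullAccess) rather than the account's primary AccessKey, so a leaked file cannot do more than edit DNS records.

```shell
#!/bin/sh
# Added example (not from the original post, not acme.sh's own code).
# Credentials live in a mode-600 file owned by the caller and are exported
# only for the acme.sh child process. The file path is an assumption.
ALI_ENV_FILE="${ALI_ENV_FILE:-/root/.acme.sh/ali.env}"

# Returns 0 if FILE is a regular file owned by the current uid with mode
# 600 or 400. Anything group- or world-readable is refused.
env_file_is_private() {
    [ -f "$1" ] || return 1
    info=$(stat -c '%a %u' "$1" 2>/dev/null) || return 1
    mode=${info% *}
    owner=${info#* }
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Sources FILE only after the permission check and only accepts it if both
# Ali_Key and Ali_Secret are defined; then exports them. Returns 1 otherwise.
# A relative path is made explicit so "." does not search PATH for it.
load_ali_credentials() {
    case "$1" in
        /*) ;;
        *) set -- "./$1" ;;
    esac
    env_file_is_private "$1" || {
        echo "refusing $1: must be mode 600 and owned by uid $(id -u)" >&2
        return 1
    }
    . "$1"
    if [ -z "${Ali_Key:-}" ] || [ -z "${Ali_Secret:-}" ]; then
        echo "Ali_Key/Ali_Secret not both set in $1" >&2
        return 1
    fi
    export Ali_Key Ali_Secret
}

# Issues a certificate for DOMAIN through the Alibaba Cloud DNS API using the
# credentials from ALI_ENV_FILE (same acme.sh invocation as in the post).
issue_with_ali() {
    load_ali_credentials "$ALI_ENV_FILE" || return 1
    acme.sh --issue --dns dns_ali -d "$1"
}

# Only issue when a domain is passed, so the file can also be sourced.
if [ -n "${1:-}" ]; then
    issue_with_ali "$1"
fi
```

Create the file with `umask 077` before writing it so it never exists in a readable state, and run `sh issue_with_ali.sh test.domain.com` (file name assumed) instead of exporting the keys in the shell profile.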

5. Issue the certificate


[root@01 ld.so.conf.d]# acme.sh --issue --dns dns_ali -d test.domain.com
[Mon Mar 25 09:27:02 CST 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Mon Mar 25 09:27:02 CST 2024] Single domain='test.domain.com'
[Mon Mar 25 09:27:06 CST 2024] Getting webroot for domain='test.domain.com'
[Mon Mar 25 09:27:07 CST 2024] Adding txt value: H0QIf_L5v2fu97D1ad-TDdVAuHU7Rrb8MfVE1HCkLaw for domain:  _acme-challenge.test.domain.com
[Mon Mar 25 09:27:11 CST 2024] The txt record is added: Success.
[Mon Mar 25 09:27:11 CST 2024] Let's check each DNS record now. Sleep 20 seconds first.
[Mon Mar 25 09:27:32 CST 2024] You can use '--dnssleep' to disable public dns checks.
[Mon Mar 25 09:27:32 CST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Mon Mar 25 09:27:32 CST 2024] Checking test.domain.com for _acme-challenge.test.domain.com
[Mon Mar 25 09:27:33 CST 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Mon Mar 25 09:27:43 CST 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28
[Mon Mar 25 09:27:43 CST 2024] Domain test.domain.com '_acme-challenge.test.domain.com' success.
[Mon Mar 25 09:27:43 CST 2024] All success, let's return
[Mon Mar 25 09:27:43 CST 2024] Verifying: test.domain.com
[Mon Mar 25 09:27:46 CST 2024] Processing, The CA is processing your order, please just wait. (1/30)
[Mon Mar 25 09:27:50 CST 2024] Success
[Mon Mar 25 09:27:50 CST 2024] Removing DNS records.
[Mon Mar 25 09:27:50 CST 2024] Removing txt: H0QIf_L5v2fu97D1ad-TDdVAuHU7Rrb8MfVE1HCkLaw for domain: _acme-challenge.test.domain.com
[Mon Mar 25 09:27:54 CST 2024] Removed: Success
[Mon Mar 25 09:27:54 CST 2024] Verify finished, start to sign.
[Mon Mar 25 09:27:54 CST 2024] Lets finalize the order.
[Mon Mar 25 09:27:54 CST 2024] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/AMroP_uzrBnjMcEC42FJMg/finalize'
[Mon Mar 25 09:27:56 CST 2024] Order status is processing, lets sleep and retry.
[Mon Mar 25 09:27:56 CST 2024] Retry after: 15
[Mon Mar 25 09:28:12 CST 2024] Polling order status: https://acme.zerossl.com/v2/DV90/order/AMroP_uzrBnjMcEC42FJMg
[Mon Mar 25 09:28:14 CST 2024] Downloading cert.
[Mon Mar 25 09:28:14 CST 2024] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/-80WyCt9XAYq0tmzcohEMQ'
[Mon Mar 25 09:28:15 CST 2024] Cert success.
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
[Mon Mar 25 09:28:15 CST 2024] Your cert is in: /root/.acme.sh/test.domain.com_ecc/test.domain.com.cer
[Mon Mar 25 09:28:15 CST 2024] Your cert key is in: /root/.acme.sh/test.domain.com_ecc/test.domain.com.key
[Mon Mar 25 09:28:15 CST 2024] The intermediate CA cert is in: /root/.acme.sh/test.domain.com_ecc/ca.cer
[Mon Mar 25 09:28:15 CST 2024] And the full chain certs is there: /root/.acme.sh/test.domain.com_ecc/fullchain.cer

6. Deploy the certificate

acme.sh --install-cert -d test.domain.com \
--key-file        /etc/ssl/test.domain.com/key.pem  \
--fullchain-file  /etc/ssl/test.domain.com/fullchain.pem \
--reloadcmd     "/usr/sbin/nginx -s reload"

Let's go through this command step by step:

  • --install-cert tells acme.sh to install the certificate.

  • -d test.domain.com specifies the domain the certificate was issued for.

  • --key-file specifies the path the private key is copied to, i.e. where the SSL key file lives.

  • --fullchain-file specifies the path of the certificate chain file, i.e. the file containing the complete chain.

  • --reloadcmd specifies the command that reloads the server; here it is Nginx's reload command. After installing the certificate, acme.sh runs this command to reload Nginx so the new certificate takes effect.

Replace test.domain.com with your own domain, make sure the file paths are correct, and make sure you have the permissions needed to perform these operations.
reloadcmd is your nginx reload command; the path or command may differ from system to system,
for example:

service nginx reload
systemctl reload nginx
/usr/local/web/nginx -s reload
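Whatever reloadcmd is used, acme.sh runs it blindly after copying the files, so a reload can take the site down if the config no longer parses, or silently serve a key that does not belong to the certificate. The script below, added here as an example and not part of the original post or of acme.sh, checks the deployed files before reloading: private key readable by root only, leaf certificate and key share the same public key, certificate not within the renewal window, and `nginx -t` succeeds. The nginx path and the /etc/ssl/test.domain.com paths are the ones from the post; the function names and the script name check_and_reload.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post, not acme.sh's own code).
# Verifies the files written by "acme.sh --install-cert" and reloads nginx
# only if everything checks out. Defaults follow the paths used in the post.
DOMAIN="${DOMAIN:-test.domain.com}"
KEY_FILE="${KEY_FILE:-/etc/ssl/$DOMAIN/key.pem}"
FULLCHAIN_FILE="${FULLCHAIN_FILE:-/etc/ssl/$DOMAIN/fullchain.pem}"
MIN_DAYS="${MIN_DAYS:-30}"
NGINX="${NGINX:-/usr/sbin/nginx}"

# Returns 0 if FILE is a regular file owned by the current uid with mode
# 600 or 400; a private key readable by other users is a finding.
file_is_private() {
    [ -f "$1" ] || return 1
    info=$(stat -c '%a %u' "$1" 2>/dev/null) || return 1
    mode=${info% *}
    owner=${info#* }
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if the first (leaf) certificate in CERT was issued for the
# private key in KEY: both public keys are printed as PEM and compared.
# Works for RSA and for the ECC keys acme.sh issues by default.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if CERT stays valid for at least DAYS more days, i.e. is not
# already inside the window in which renewal should have happened.
cert_valid_for_days() {
    secs=$(( $2 * 86400 ))
    openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1
}

# Runs every check, then reloads nginx only if its configuration parses.
# Each failure has its own return code so the acme.sh log shows the cause.
check_and_reload() {
    file_is_private "$KEY_FILE" || {
        echo "key $KEY_FILE missing or readable by others" >&2; return 2; }
    cert_matches_key "$FULLCHAIN_FILE" "$KEY_FILE" || {
        echo "certificate and key do not match" >&2; return 3; }
    cert_valid_for_days "$FULLCHAIN_FILE" "$MIN_DAYS" || {
        echo "certificate expires within $MIN_DAYS days" >&2; return 4; }
    "$NGINX" -t >/dev/null 2>&1 || {
        echo "nginx -t failed, not reloading" >&2; return 5; }
    "$NGINX" -s reload
}

# Run the full check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--reload" ]; then
    check_and_reload
fi
```

Used as `--reloadcmd "sh /root/check_and_reload.sh --reload"` (path assumed), a failed check makes acme.sh report a non-zero reload status instead of a successful deploy, which is the signal to look at before the old certificate expires.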

7. Example nginx configuration file

server {
    listen 3001 ssl;
    server_name test.domain.com;
    ssl_certificate      /etc/ssl/test.domain.com/fullchain.pem;
    ssl_certificate_key  /etc/ssl/test.domain.com/key.pem;
    ssl_session_cache    shared:SSL:5m;
    ssl_session_timeout  5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;
    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
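The server block above still enables TLS 1.0 and 1.1, which are deprecated (RFC 8996), and the broad HIGH cipher list admits non-forward-secret suites. The variant below is an added example, not part of the original post, showing the same server block with only the TLS settings changed; TLSv1.3 applies only if this nginx binary is linked against the upgraded OpenSSL 3.0 (nginx 1.13+), otherwise keep TLSv1.2 alone. The ECDHE-ECDSA suites match the ECC certificate acme.sh issued (the _ecc directory in the log); the ECDHE-RSA ones cover an RSA certificate.

```nginx
server {
    listen 3001 ssl;
    server_name test.domain.com;
    ssl_certificate      /etc/ssl/test.domain.com/fullchain.pem;
    ssl_certificate_key  /etc/ssl/test.domain.com/key.pem;
    ssl_session_cache    shared:SSL:5m;
    ssl_session_timeout  5m;

    # Added example: drop TLS 1.0/1.1 (deprecated by RFC 8996).
    # Remove TLSv1.3 if nginx is not built against OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only, instead of the broad HIGH:!aNULL:!MD5 set.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # With only strong suites listed, let the client choose (e.g. ChaCha20 on
    # devices without AES acceleration).
    ssl_prefer_server_ciphers off;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `nginx -t` after the change; an nginx built against an OpenSSL that lacks TLS 1.3 reports the unknown protocol there rather than at reload time.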

8. Automatic certificate renewal

After the certificate is deployed, acme.sh automatically adds a renewal cron job.

[root@01 ]# crontab -l
6 18 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

View information about an installed certificate

 acme.sh --info -d op.trtrms.com

If you need to change reloadcmd,
see https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E

Appendix

For more details, see the acme.sh project on GitHub
https://github.com/acmesh-official/acme.sh
