Configuring a free wildcard SSL certificate on Alibaba Cloud CentOS with acme.sh

Installation

Installation is simple, a single command:

curl https://get.acme.sh | sh

It also creates a bash alias so the tool is easy to call:

alias acme.sh=~/.acme.sh/acme.sh

Configure the DNS API for your domain's provider (Alibaba Cloud as the example)

https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md

Obtain an Alibaba Cloud API key:
https://usercenter.console.aliyun.com/#/manage/ak
You get:
AccessKeyID: ***** sensitive information hidden *****
AccessKeySecret: ***** sensitive information hidden *****

export Ali_Key="*****隐藏敏感信息****"
export Ali_Secret="*****隐藏敏感信息****"

Issue the certificate

acme.sh --issue --dns dns_ali -d jeepeng.com -d '*.jeepeng.com'

The Ali_Key and Ali_Secret given here are saved automatically to ~/.acme.sh/account.conf and are reused automatically on later runs (for example, at renewal).

[Mon Oct 29 12:13:44 CST 2018] Registering account
[Mon Oct 29 12:13:46 CST 2018] Registered
[Mon Oct 29 12:13:46 CST 2018] ACCOUNT_THUMBPRINT='*****隐藏敏感信息****'
[Mon Oct 29 12:13:46 CST 2018] Creating domain key
[Mon Oct 29 12:13:46 CST 2018] The domain key is here: /root/.acme.sh/jeepeng.com/jeepeng.com.key
[Mon Oct 29 12:13:46 CST 2018] Multi domain='DNS:jeepeng.com,DNS:*.jeepeng.com'
[Mon Oct 29 12:13:46 CST 2018] Getting domain auth token for each domain
[Mon Oct 29 12:13:48 CST 2018] Getting webroot for domain='jeepeng.com'
[Mon Oct 29 12:13:48 CST 2018] Getting webroot for domain='*.jeepeng.com'
[Mon Oct 29 12:13:48 CST 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_ali.sh
[Mon Oct 29 12:13:50 CST 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_ali.sh
[Mon Oct 29 12:13:52 CST 2018] Sleep 120 seconds for the txt records to take effect
[Mon Oct 29 12:15:54 CST 2018] Verifying:jeepeng.com
[Mon Oct 29 12:15:57 CST 2018] Success
[Mon Oct 29 12:15:57 CST 2018] Verifying:*.jeepeng.com
[Mon Oct 29 12:16:00 CST 2018] Success
[Mon Oct 29 12:16:00 CST 2018] Removing DNS records.
[Mon Oct 29 12:16:06 CST 2018] Verify finished, start to sign.
[Mon Oct 29 12:16:09 CST 2018] Cert success.
-----BEGIN CERTIFICATE-----
*****************隐藏敏感信息*******************
-----END CERTIFICATE-----
[Mon Oct 29 12:16:09 CST 2018] Your cert is in /root/.acme.sh/jeepeng.com/jeepeng.com.cer
[Mon Oct 29 12:16:09 CST 2018] Your cert key is in /root/.acme.sh/jeepeng.com/jeepeng.com.key
[Mon Oct 29 12:16:09 CST 2018] The intermediate CA cert is in /root/.acme.sh/jeepeng.com/ca.cer
[Mon Oct 29 12:16:09 CST 2018] And the full chain certs is there: /root/.acme.sh/jeepeng.com/fullchain.cer
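What dns_ali is doing on your behalf during the "Sleep 120 seconds" step above, written out as an added example (not acme.sh's own code, which performs the equivalent in shell): for each identifier it derives the `_acme-challenge` TXT record name and value per RFC 8555 DNS-01, and the CA later checks that value. The token and thumbprint strings are constructed placeholders; in reality the CA issues the token and the thumbprint comes from your account key.

```python
import base64
import hashlib


def b64url(data: bytes) -> str:
    """RFC 8555 base64url: URL-safe alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def challenge_record_name(identifier: str) -> str:
    """DNS owner name of the TXT record for one ACME identifier.
    A wildcard is validated at its base name, so 'jeepeng.com' and
    '*.jeepeng.com' both land on '_acme-challenge.jeepeng.com'."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base


def challenge_record_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(keyAuthorization)),
    where keyAuthorization = token '.' account-key thumbprint (RFC 7638)."""
    key_authorization = (token + "." + thumbprint).encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def dns01_records(identifiers, tokens, thumbprint):
    """(name, value) TXT records to publish, one per identifier.
    Returned as a list, not a dict: apex and wildcard share one owner name,
    so both records must coexist until the CA has verified each of them."""
    return [(challenge_record_name(i), challenge_record_value(t, thumbprint))
            for i, t in zip(identifiers, tokens)]


def validate_dns01(published, name, token, thumbprint):
    """Model of the CA-side check: the expected value must be among the TXT
    strings published at `name`; extra or stale records are simply ignored."""
    expected = challenge_record_value(token, thumbprint)
    return expected in published.get(name, ())


if __name__ == "__main__":
    # Constructed values standing in for what the CA and account key provide.
    thumbprint = "CONSTRUCTED_THUMBPRINT"
    records = dns01_records(["jeepeng.com", "*.jeepeng.com"],
                            ["tokenA", "tokenB"], thumbprint)
    zone = {}  # simulated state of the _acme-challenge records in the zone
    for name, value in records:
        zone.setdefault(name, []).append(value)
        print(name, "TXT", value)
    print(validate_dns01(zone, "_acme-challenge.jeepeng.com", "tokenA", thumbprint))
```

Because both identifiers resolve to the same record name, a provider API that replaces rather than adds a TXT record would make the second validation fail; the two-minute sleep exists so that both records have propagated before the CA queries them.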

Install (copy) the certificate

acme.sh --installcert -d jeepeng.com \
    --key-file /etc/nginx/ssl/jeepeng.com.key \
    --fullchain-file /etc/nginx/ssl/jeepeng.com.fullchain.cer \
    --reloadcmd "service nginx force-reload"

Configure nginx

ssl_certificate /etc/nginx/ssl/jeepeng.com.fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/jeepeng.com.key;