# 证书相关文件格式
- 证书 (Certificate) -
.cer、.crt - 私钥 (Private Key) -
.key - 证书签名请求 (Certificate signing request) -
.csr - 证书吊销列表 (Certificate Revocation List) -
.crl
以上除了 .crl 均可以使用这两种编码方式,从而有这样的后缀:
- base64 编码 -
.pem - 二进制编码 (少见) -
.der
为了给我们的网页应用使用 https 协议,我们需要得到有效的第三方认证的证书以及对应的私钥。
CA,certificate authority。证书局,用于制作、认证证书的第三方机构
# 安装
安装 acme.sh :https://github.com/acmesh-official/acme.sh
curl https://get.acme.sh | sh -s email=username@example.com |
但是需要🪜,所以国内等效的做法是:
git clone --depth 1 https://github.com/acmesh-official/acme.sh.git | |
cd acme.sh | |
./acme.sh --install -m username@example.com |
替换 username@example.com 为自己的邮箱,用来接收上游证书的邮件通知
目前探索了三种方法,最推荐第三种方法,直接接入运营商的 API ,需要 issue 时只需要一行指令实现,非常方便。
# 方法一
请求注册,并将返回结果写到 acme-dns.challenges
curl -s -X POST https://auth.acme-dns.io/register | python3 -m json.tool > acme-dns.challenges;cat acme-dns.challenges |
导出用户名、密码、子域名等结果
export ACMEDNS_USERNAME="$(cat acme-dns.challenges | awk -F"\"" '/username/{print $4}')" | |
export ACMEDNS_PASSWORD="$(cat acme-dns.challenges | awk -F"\"" '/password/{print $4}')" | |
export ACMEDNS_SUBDOMAIN="$(cat acme-dns.challenges | awk -F"\"" '/subdomain/{print $4}')" | |
echo "FULLDOMAIN = $(cat acme-dns.challenges | awk -F"\"" '/fulldomain/{print $4}')" |
同时增加 cname 记录来完成挑战:
申请 ssl 证书:
~/.acme.sh/acme.sh --issue --dns dns_acmedns -d vm.fuusen.space --dnssleep 300 |
结果:
root@proxmox:~# ~/.acme.sh/acme.sh --issue --dns dns_acmedns -d vm.fuusen.space --dnssleep 300 | |
[Sun Mar 10 12:19:48 PM CST 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory | |
[Sun Mar 10 12:19:48 PM CST 2024] Creating domain key | |
[Sun Mar 10 12:19:48 PM CST 2024] The domain key is here: /root/.acme.sh/vm.fuusen.space_ecc/vm.fuusen.space.key | |
[Sun Mar 10 12:19:48 PM CST 2024] Single domain='vm.fuusen.space' | |
[Sun Mar 10 12:19:51 PM CST 2024] Getting webroot for domain='vm.fuusen.space' | |
[Sun Mar 10 12:19:51 PM CST 2024] Adding txt value: JE6AGlpWVR5S192edUoStf3_OXAG9UR_cwnKIGGIL9U for domain: _acme-challenge.vm.fuusen.space | |
[Sun Mar 10 12:19:51 PM CST 2024] Using acme-dns | |
[Sun Mar 10 12:19:52 PM CST 2024] The txt record is added: Success. | |
[Sun Mar 10 12:19:52 PM CST 2024] Sleep 300 seconds for the txt records to take effect | |
[Sun Mar 10 12:24:53 PM CST 2024] Verifying: vm.fuusen.space | |
[Sun Mar 10 12:24:54 PM CST 2024] Pending, The CA is processing your order, please just wait. (1/30) | |
[Sun Mar 10 12:24:58 PM CST 2024] Success | |
[Sun Mar 10 12:24:58 PM CST 2024] Removing DNS records. | |
[Sun Mar 10 12:24:58 PM CST 2024] Removing txt: JE6AGlpWVR5S192edUoStf3_OXAG9UR_cwnKIGGIL9U for domain: _acme-challenge.vm.fuusen.space | |
[Sun Mar 10 12:24:58 PM CST 2024] Using acme-dns | |
[Sun Mar 10 12:24:58 PM CST 2024] Removed: Success | |
[Sun Mar 10 12:24:58 PM CST 2024] Verify finished, start to sign. | |
[Sun Mar 10 12:24:58 PM CST 2024] Lets finalize the order. | |
[Sun Mar 10 12:24:58 PM CST 2024] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1610913557/251061640687' | |
[Sun Mar 10 12:24:59 PM CST 2024] Downloading cert. | |
[Sun Mar 10 12:24:59 PM CST 2024] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03567f6bc53bd6e36d65f5b8f094bfb91eaa' | |
[Sun Mar 10 12:25:00 PM CST 2024] Cert success. | |
-----BEGIN CERTIFICATE----- | |
MIIEHzCCAwegAwIBAgISA1Z/a8U71uNtZfW48JS/uR6qMA0GCSqGSIb3DQEBCwUA | |
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD | |
EwJSMzAeFw0yNDAzMTAwMzI0NTlaFw0yNDA2MDgwMzI0NThaMBoxGDAWBgNVBAMT | |
D3ZtLmZ1dXNlbi5zcGFjZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEbT5BcQ | |
x14Rc9EqGps5dTQ9Jl5ywvrWAVJmQFtmbIBAileSa+/KYuYeSmjuDAyjj99to2KM | |
R9fVK6j4fYDycCOjggIQMIICDDAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYI | |
KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFBo67Zs5 | |
olZHLkCkGTQK/ZFVQJwvMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJQOYfr52LFMLG | |
MFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iu | |
b3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcvMBoGA1UdEQQT | |
MBGCD3ZtLmZ1dXNlbi5zcGFjZTATBgNVHSAEDDAKMAgGBmeBDAECATCCAQMGCisG | |
AQQB1nkCBAIEgfQEgfEA7wB1ADtTd3U+LbmAToswWwb+QDtn2E/D9Me9AA0tcm/h | |
+tQXAAABjiabW4kAAAQDAEYwRAIgehF+9/VI/MC8IvkLbFTpa82IP1zXOpZFvW1U | |
D77cdCYCIAy+z2hwinQtpc4up40bhNx4+h1JujS7DDgyNwsfdGaCAHYA7s3QZNXb | |
Gs7FXLedtM0TojKHRny87N7DUUhZRnEftZsAAAGOJptbiQAABAMARzBFAiAy8u5B | |
ZN0V23ZzMJ1dViQ4bfXWJyxs42W93GIpmJRkPAIhAOfoZmJpDW02uZV667vTZWqF | |
zmGJfM3njf+XQnnARF3dMA0GCSqGSIb3DQEBCwUAA4IBAQAxiO0OOA/tVqDfoQne | |
JrlX1wB+aYmTHeqwfxBE+Q0Mu0irGtX9K4XyhQR06edLKw1fXY2dH+iYKvscsE91 | |
iGhs0nSrAqKIi3VLLgvEFrTEW7C8Pftgt4Hbx89LvION7MgXXHe62L4JvrTkQ/Y4 | |
sRa6vt48bDkDspQ1BQrT589SiXMUsNOE947mbaViR3cbg2oQd+XxLJaAb1ZoSNd0 | |
Lvs/j5u67r30C5QnSEGxChR/6c9V9+aw07yttoD6M8iA7LA736pPjWAM8hvQ+cQa | |
wAWyDU1Ub89KJx5Pv+nvbNCRT1TjoqmhPxYSxsDTYAjUTV9sBbxvcUdG7w+6tUwX | |
6b9m | |
-----END CERTIFICATE----- | |
[Sun Mar 10 12:25:00 PM CST 2024] Your cert is in: /root/.acme.sh/vm.fuusen.space_ecc/vm.fuusen.space.cer | |
[Sun Mar 10 12:25:00 PM CST 2024] Your cert key is in: /root/.acme.sh/vm.fuusen.space_ecc/vm.fuusen.space.key | |
[Sun Mar 10 12:25:00 PM CST 2024] The intermediate CA cert is in: /root/.acme.sh/vm.fuusen.space_ecc/ca.cer | |
[Sun Mar 10 12:25:00 PM CST 2024] And the full chain certs is there: /root/.acme.sh/vm.fuusen.space_ecc/fullchain.cer |
# 方法二
推荐使用 Let's Encrypt 作为上游 CA :
acme.sh --set-default-ca --server letsencrypt |
使用 Nginx ,在 /etc/nginx/conf.d/ 中新建一个配置文件 letsencrypt.conf (名字随意),内容如下:
server { | |
listen 80; | |
listen [::]:80; | |
server_name example1.com; | |
server_name example2.com; | |
location /.well-known/acme-challenge { | |
root /var/www/letsencrypt; | |
} | |
location / { | |
rewrite ^/(.*)$ https://$host/$1 permanent; | |
} | |
} |
运行:
acme.sh --issue -d md.fuusen.space -d tex.fuusen.space -w /var/www/letsencrypt --debug |
reference:
- https://u.sb/acme-sh-ssl/
# 方法三
用运营商的 API ,自动添加 txt 记录完成挑战。参考:https://github.com/acmesh-official/acme.sh/wiki/dnsapi2
首先第一次需要设置 API ,具体需要看不同的运营商。
export ...=... |
然后 issue 之后会自动保存所设置的 API 。
执行指令:
acme.sh --issue --dns [dns_your_server] -d example.com |
似乎也可以一次性批量 issue 多个 cert ,但是我实际测试却只得到了同时 issue 时的第一个域名的证书,可能是还存在 bug 。
这样方法得到的证书文件在 ~/.acme.sh/example.com_ecc/ 如下:
├── ca.cer | |
├── fullchain.cer | |
├── example.com.cer | |
├── example.com.conf | |
├── example.com.csr | |
├── example.com.csr.conf | |
└── example.com.key |
其中:
fullchain.cer是对应的证书文件example.com.key是对应的密钥文件
Nginx 配置:
server { | |
...... | |
ssl_certificate /home/lsy/.acme.sh/example.com_ecc/fullchain.cer; | |
ssl_certificate_key /home/lsy/.acme.sh/example.com_ecc/example.com.key; | |
...... | |
} |
⚠️ 注意如果 curl 网页时出现如下报错:
curl: (35) OpenSSL/3.0.13: error:0A00010B:SSL routines::wrong version number |
说明 http /https 的协议配置有问题,出现了本来该用 https 却用了 http ,或反之的情况。
