欢迎光临
我们一直在努力

利用dnspod接口申请Let’s Encrypt免费的ssl证书

为什么大家都喜欢Let’s Encrypt的域名ssl证书呢!相信大家肯定会说免费呀,那国内那么多免费的证书可以申请,为什么要用他们的呢,国内免费的证书你像阿里云、腾讯云一次授权期限全是一年,而Let’s Encrypt一次授权期限只有3个月,那Let’s Encrypt为啥会吸引这么多人去申请呢,其实应该最大的吸引人的地方就是他的域名证书支持通配符吧,像国内这些免费证书可没有一家是支持通配符(泛域名)的。

网上关于申请Let’s Encrypt免费的ssl证书的教程N多,有完全手工操作的,也有很多直接利用脚本操作的,一搜一大把,但很多教程我看就是相互复制粘贴,让人看的不是太明白,今天我用acme.sh的脚本配合dnspod的api管理接口去申请证书,做个详细的教程,教程最后面有我写的一个脚本调用acme.sh脚本然后利用dnspod的域名api接口去快速的申请Let’s Encrypt证书,你可以修改我写的脚本中的DNSPOD的接口信息、域名及证书的存放位置然后运行脚本快速的去申请证书,话不多说,下面看我详细的操作。

  • 首先进入root用户的根目录
cd /root
  • 下载所需要的acme.sh脚本(curl https://get.acme.sh | sh)
[root@localhost ~]# curl https://get.acme.sh | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   705  100   705    0     0    396      0  0:00:01  0:00:01 --:--:--   396
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  165k  100  165k    0     0  78453      0  0:00:02  0:00:02 --:--:-- 78463
[Sun Feb 10 18:50:30 CST 2019] Installing from online archive.
[Sun Feb 10 18:50:30 CST 2019] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Sun Feb 10 18:50:33 CST 2019] Extracting master.tar.gz
[Sun Feb 10 18:50:33 CST 2019] It is recommended to install socat first.
[Sun Feb 10 18:50:33 CST 2019] We use socat for standalone server if you use standalone mode.
[Sun Feb 10 18:50:33 CST 2019] If you don't use standalone mode, just ignore this warning.
[Sun Feb 10 18:50:33 CST 2019] Installing to /root/.acme.sh
[Sun Feb 10 18:50:33 CST 2019] Installed to /root/.acme.sh/acme.sh
[Sun Feb 10 18:50:33 CST 2019] Installing alias to '/root/.bashrc'
[Sun Feb 10 18:50:33 CST 2019] OK, Close and reopen your terminal to start using acme.sh
[Sun Feb 10 18:50:33 CST 2019] Installing alias to '/root/.cshrc'
[Sun Feb 10 18:50:33 CST 2019] Installing alias to '/root/.tcshrc'
[Sun Feb 10 18:50:33 CST 2019] Installing cron job
no crontab for root
no crontab for root
[Sun Feb 10 18:50:33 CST 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Sun Feb 10 18:50:33 CST 2019] OK
[Sun Feb 10 18:50:33 CST 2019] Install success!
  • 登录dnspod网站开通DNS域名管理接口

申请地址:https://www.dnspod.cn/console/user/security 点击左下边的用户中心->安全设置->API Token->下方的查看-点击创建API Token,在出来的窗口填入你的Tokens名称,也就是为自己的API起个名字,然后点击确定,就会提示:创建API Token成功,然后你把显示的ID和Token全复制保存备用,

  • 设置DNSPOD的接口变量ID和token
[root@localhost ~]# export DP_Id="82136"
[root@localhost ~]# export DP_Key="7d636d0974ty4d6cd793df1261fe0179"
  • 进入acme.sh脚本目录下面
[root@localhost ~]# cd /root/.acme.sh
  • 运行申请证书指令申请证书
[root@localhost .acme.sh]# /root/.acme.sh/acme.sh --issue -d qzze.com -d *.qzze.com --dns dns_dp

上方指令说明:-d后面是要申请的域名,*.qzze.com这种属于通配符(泛域名)类型的格式的写法,另外通配符的这种格式不包括一级域名,所以后面又加了个-d qzze.com,后面的–dns dns_dp –dns意思是使用dns认证来申请证书,dns_dp为调用dnspod的DNS管理接口,申请过程看下面,有一个120秒的等待时间,是acme.sh脚本等待DNS生效所做的等待,下面是据体的申请流程。

[root@localhost .acme.sh]# /root/.acme.sh/acme.sh --issue -d qzze.com -d *.qzze.com --dns dns_dp
[Sun Feb 10 19:18:43 CST 2019] Creating domain key
[Sun Feb 10 19:18:44 CST 2019] The domain key is here: /root/.acme.sh/qzze.com/qzze.com.key
[Sun Feb 10 19:18:44 CST 2019] Multi domain='DNS:qzze.com,DNS:*.qzze.com'
[Sun Feb 10 19:18:44 CST 2019] Getting domain auth token for each domain
[Sun Feb 10 19:18:49 CST 2019] Getting webroot for domain='qzze.com'
[Sun Feb 10 19:18:49 CST 2019] Getting webroot for domain='*.qzze.com'
[Sun Feb 10 19:18:50 CST 2019] qzze.com is already verified, skip dns-01.
[Sun Feb 10 19:18:50 CST 2019] *.qzze.com is already verified, skip dns-01.
[Sun Feb 10 19:18:50 CST 2019] Verify finished, start to sign.
[Sun Feb 10 19:18:55 CST 2019] Cert success.
-----BEGIN CERTIFICATE-----
MIIFUzCCBDugAwIBAgISAyeWLz0IeN1HZOE95ChWuJLOMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTAyMTAxMDE4NThaFw0x
OTA1MTExMDE4NThaMBMxETAPBgNVBAMTCHF6emUuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAoBzZKmxIfbhdjwdCIqy//NliDnqAQ2n1A3zI2seQ
50Jqydw2TDiIH6uFhpFLZtTfCF3Zgt3cp0fKsZs5GPIj1RWkBoK/aFro6W4lGnlk
Ir4wWTTovJmX5A+71TzdxhUud0lGGOIftgHvLXEoA02JBgOZF4Am6VjnDgfo/mMk
ztCowjwE/tufG0rMIKOn62tqH9l+C74St8cv1QPIoHBG/iTYGMnSyR8oLFkZODS9
a9S8gGuILNYMMMewV1fCkQC4fGuWa0VBB6g7afcV3xll8lig41yN9x1tkOKctfYu
zjOLHMEStmAHQv1RQhbqgTf8datOupqOjz0rMs2jjgjn/QIDAQABo4ICaDCCAmQw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAM
BgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQE8caEWY7wHNIz2D651xnC9xqdJDAfBgNV
HSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEwLgYI
KwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcwLwYI
KwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcvMB8G
A1UdEQQYMBaCCioucXp6ZS5jb22CCHF6emUuY29tMEwGA1UdIARFMEMwCAYGZ4EM
AQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0
c2VuY3J5cHQub3JnMIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHUAdH7agzGtMxCR
IZzOJU9CcMK//V5CIAjGNzV55hB7zFYAAAFo1yG5/AAABAMARjBEAiBEtRZIer0M
2zkC3mNssNWUuo1eLq/qTGw13VrKkfD+JwIgPDTiDZ+ozOxZduma8rkLIja6E/1+
su85W6deRj7O1JUAdgBj8tvN6DvMLM8LeoQnV2szpI1hd4+9daY4scdoVEvYjQAA
AWjXIbwrAAAEAwBHMEUCIQDa6QsqRj6k42F5VPj2Bjd8fSk6LAqt3UsdTv3YHc91
7AIgf8OmTJ+WpuHhRRX8Oph+9pubZpTXEkjJd2qQ6/XMAegwDQYJKoZIhvcNAQEL
BQADggEBAJVYWtRvKQ/sudsu54HHx4RJoZDKZp8ZQevcHqzE2HcF+mlV+xgkJQCa
1UZ4ZCTS+mazPIIUXC0gTI2K/9XhxMvOzs6ELdPbtpg+d9eIQ+spkVoJXJg7aQDx
kgRNcnAA2WFVtQMuEfKiO9c+aOI5Qq0S1f/iCjtNfJrGjaFyUID7GCrP8E00Ql9u
0V9Rxiv8Z1uaSnj+pQFa0RzETojs7PWouCST8IfnSJurgAZjHyevsk8pqvXhc3z5
KYbAxvq4q1ojRMAbnapW9awPzQP7DSD+pPMGIKS0+f15GyPMl8xYtfTlfng39Jvh
pNlt5PyiBXtpw1BYLkV+3qmzlAENmG4=
-----END CERTIFICATE-----
[Sun Feb 10 19:18:55 CST 2019] Your cert is in  /root/.acme.sh/qzze.com/qzze.com.cer 
[Sun Feb 10 19:18:55 CST 2019] Your cert key is in  /root/.acme.sh/qzze.com/qzze.com.key 
[Sun Feb 10 19:18:55 CST 2019] The intermediate CA cert is in  /root/.acme.sh/qzze.com/ca.cer 
[Sun Feb 10 19:18:55 CST 2019] And the full chain certs is there:  /root/.acme.sh/qzze.com/fullchain.cer 

OK,看到上面的提示,说明申请成功了,申请成功后会在脚本目录下面生成一个域名为文件名的目录,里面有4个文件,由于我们是配置nginx服务器,所以我们只需要用到fullchain.cer和qzze.com.key这二个文件,我们用脚本去复制这二个文件到我们nginx存放ssl的目录然后重新加载nginx就可以生效了,在这里我在存放证书的目录下面存放了几个域名的证书,便于区分我把fullchain.cer复制过去进行了重命名,下面是据体指令:

[root@localhost .acme.sh]# /root/.acme.sh/acme.sh --installcert -d qzze.com --keypath /usr/local/nginx/conf/ssl/qzze.com.key --fullchainpath /usr/local/nginx/conf/ssl/fullchain.cer
[Sun Feb 10 19:28:31 CST 2019] Installing key to:/usr/local/nginx/conf/ssl/qzze.com.key
[Sun Feb 10 19:28:31 CST 2019] Installing full chain to:/usr/local/nginx/conf/ssl/fullchain.cer
[root@localhost .acme.sh]# mv /usr/local/nginx/conf/ssl/fullchain.cer /usr/local/nginx/conf/ssl/qzze.com.fullchain.cer

证书复制过去后,配置nginx调用证书就可以,证书路径一定不要错了,配置完证书,一定要重新加载nginx的配置文件,另外后期证书更新后也要重新加载nginx配置文件才可以生效的,nginx配置ssl详细的过程请看我的另一篇文章,wordpress-配置nginx服务器支持SSL

由于Let’s Encrypt证书一次授权期限只有90天,所以acme.sh脚本自动加入了corntab定时自动更新证书的功能,不过我不喜欢这一功能(为什么不喜欢,也许是因为我不知道用脚本复制证书过去后fullchain.cer怎么重命名,呵呵,不知道脚本有没有这功能,有时间再研究吧),所以在授权完后,我直接把acme.sh脚本直接卸载了。卸载acme.sh命令如下:

[root@localhost .acme.sh]# acme.sh --uninstall #卸载命令
[Sun Feb 10 19:55:18 CST 2019] Removing cron job
[Sun Feb 10 19:55:18 CST 2019] LE_WORKING_DIR='/root/.acme.sh'
[Sun Feb 10 19:55:18 CST 2019] Uninstalling alias from: '/root/.bashrc'
[Sun Feb 10 19:55:18 CST 2019] Uninstalling alias from: '/root/.cshrc'
[Sun Feb 10 19:55:18 CST 2019] Uninstalling alias from: '/root/.cshrc'
[Sun Feb 10 19:55:18 CST 2019] The keys and certs are in "/root/.acme.sh", you can remove them by yourself.
[root@localhost .acme.sh]# rm -rf /root/.acme.sh #卸载后删除acme.sh脚本目录

Let’s Encrypt证书的有效期限是90天,那么你需要在到期前重新证书才可以,acme.sh脚本原本功能是有定期更新证书的功能的,我们在安装完证书后,就把脚本给卸载了,那么证书到期我们怎么更新证书呢,我的想法是每次都下载最新的脚本文件,然后按上面的流程重新申请,把上面的流程写成一个脚本定时运行,用脚本来调用acme.sh完成证书的更新(当然,首次申请也可以直接用下面的脚本来的,只不过脚本申请完证书后,你需要修改你的nginx配置来调用证书文件然后重新加载配置文件),把这段脚本加入crontab定时任务中,

#!/bin/sh
cd /root
curl https://get.acme.sh | sh
export DP_Id="dnspod api ID"
export DP_Key="dnspod api token"
/root/.acme.sh/acme.sh --issue -d qzze.com -d *.qzze.com --dns dns_dp
#证书存放位置:/usr/local/nginx/conf/ssl/ 目录要存在。
/root/.acme.sh/acme.sh --installcert -d qzze.com --keypath /usr/local/nginx/conf/ssl/qzze.com.key --fullchainpath /usr/local/nginx/conf/ssl/fullchain.cer
mv /usr/local/nginx/conf/ssl/fullchain.cer /usr/local/nginx/conf/ssl/qzze.com.fullchain.cer
/usr/local/nginx/sbin/nginx -s reload
unset DP_Id
unset DP_Key
/root/.acme.sh/acme.sh --uninstall
rm -rf /root/.acme.sh
  • 把上面的代码复制,保存为/root/ssl/ssl.sh文件,注意修改成自己的域名还有自己的dnspod接口信息及自己的域名证书的存放位置,然后给予运行权限:
chmod +x /root/ssl/ssl.sh
  • 添加crontab定时运行,偶数月的1日0时0分更新脚本。
vi /etc/crontab
#末尾添加,偶数月的1号0点更新证书
0 0 1 */2 * root /root/ssl/ssl.sh
赞(0) 打赏
转载请注明出处:爱编程 » 利用dnspod接口申请Let’s Encrypt免费的ssl证书
分享到: 更多

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

爱编程、一个运维兼程序员的博客!

联系我们

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

微信扫一扫打赏