Issuing free SSL certificates with acme.sh

acme.sh overview

  • An ACME protocol client written purely in shell (Unix shell) language.
  • Complete ACME protocol implementation: supports ACME v1 and ACME v2, including wildcard certificates.
  • Simple, powerful and easy to use. You only need 3 minutes to learn it.
  • Probably the simplest shell script for obtaining free Let's Encrypt certificates.
  • Written purely in shell; does not depend on Python or the official Let's Encrypt client.
  • A single script issues, renews and installs certificates automatically. root/sudo access is not required.
  • Works in Docker and supports IPv6.

Install acme.sh

curl https://get.acme.sh | sh

This pipes a remote script straight into your shell. If that is not acceptable in your environment, clone the repository or download the script, inspect it, and run ./acme.sh --install instead. The installer copies acme.sh into ~/.acme.sh, adds a cron job that runs acme.sh --cron once a day to renew certificates, and adds an alias to your shell rc file. If the alias is missing, create it yourself for convenience: alias acme.sh=~/.acme.sh/acme.sh

Generate certificate

acme.sh implements all the validation methods the ACME protocol supports. In practice there are two: HTTP validation and DNS validation.

HTTP mode

HTTP mode places a file in the web root of your site; the CA fetches it to verify that you control the domain name, and the certificate is issued once verification succeeds:

acme.sh  --issue  -d kubesre.com -d www.kubesre.com  --webroot  /application/nginx/html/

You only need to give the domain names and the web root of the site that serves them. acme.sh generates the verification file, places it under <webroot>/.well-known/acme-challenge/, waits for the CA to fetch it, and deletes it afterwards; the process leaves nothing behind. Two things must hold for this to work: the user running acme.sh must be able to write to the web root, and http://<domain>/.well-known/acme-challenge/<token> must be reachable from the internet on port 80 and actually return the token. A rewrite rule that sends every request to an application, or a rule that denies access to dot-directories, is the usual reason this mode fails.

If the site is served by Apache or Nginx on the same host, acme.sh can also read the web-server configuration and complete the verification by itself (it temporarily modifies the configuration and restores it afterwards). This usually has to run as root so that it can reload the server, and you do not need to specify the web root:

acme.sh --issue  -d kubesre.com   --apache

acme.sh --issue  -d kubesre.com   --nginx

DNS mode

Manual DNS mode: you add a TXT record at your DNS provider by hand to prove ownership of the domain name.

The advantage of this method is that you need no web server and no public IP; a DNS record is enough to complete the verification, and DNS validation is also the only way to obtain a wildcard certificate. The disadvantage is that unless you also configure a DNS API, acme.sh cannot renew the certificate automatically: at every renewal you must add the new TXT record and verify ownership by hand.

acme.sh  --issue  --dns   -d kubesre.com \
 --yes-I-know-dns-manual-mode-enough-go-ahead-please

acme.sh then computes the TXT record, prints it, and exits. Add that TXT record at _acme-challenge.<domain> in your DNS provider's control panel.

Once the record has propagated (check it with a public resolver, as shown in the dig example further down), complete the issuance:

acme.sh --renew -d kubesre.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Dec 21 17:21:23 CST 2021] Renew: 'kubesre.com'
[Tue Dec 21 17:21:28 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Dec 21 17:21:28 CST 2021] Multi domain='DNS:kubesre.com,DNS:www.kubesre.com'
[Tue Dec 21 17:21:28 CST 2021] Getting domain auth token for each domain
[Tue Dec 21 17:21:28 CST 2021] Verifying: kubesre.com
[Tue Dec 21 17:21:39 CST 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Dec 21 17:21:46 CST 2021] Success
[Tue Dec 21 17:21:46 CST 2021] Verifying: www.kubesre.com
[Tue Dec 21 17:21:51 CST 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Dec 21 17:21:58 CST 2021] Success
[Tue Dec 21 17:21:58 CST 2021] Verify finished, start to sign.
[Tue Dec 21 17:21:58 CST 2021] Lets finalize the order.
[Tue Dec 21 17:21:58 CST 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/5RzPnQTU0MBIaZgvOqiSkQ/finalize'
[Tue Dec 21 17:22:04 CST 2021] Order status is processing, lets sleep and retry.
[Tue Dec 21 17:22:04 CST 2021] Retry after: 15
[Tue Dec 21 17:22:20 CST 2021] Polling order status: https://acme.zerossl.com/v2/DV90/order/5RzPnQTU0MBIaZgvOqiSkQ
[Tue Dec 21 17:22:28 CST 2021] Downloading cert.
[Tue Dec 21 17:22:28 CST 2021] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/RIlS-0BCVnWMmTIzTSy69g'
[Tue Dec 21 17:22:32 CST 2021] Cert success.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[Tue Dec 21 17:22:32 CST 2021] Your cert is in: /root/.acme.sh/kubesre.com/kubesre.com.cer
[Tue Dec 21 17:22:32 CST 2021] Your cert key is in: /root/.acme.sh/kubesre.com/kubesre.com.key
[Tue Dec 21 17:22:32 CST 2021] The intermediate CA cert is in: /root/.acme.sh/kubesre.com/ca.cer
[Tue Dec 21 17:22:32 CST 2021] And the full chain certs is there: /root/.acme.sh/kubesre.com/fullchain.cer

Note that the second run uses --renew rather than --issue: the order created by --issue is still pending, and --renew completes it.

The real strength of DNS mode is that acme.sh can use your DNS provider's API to add the TXT record itself, which makes issuance and renewal fully automatic.

acme.sh currently has integrations for dozens of DNS providers, among them Cloudflare, DNSPod, CloudXNS, GoDaddy and OVH.

Take DNSPod as an example. Log in to your DNSPod account, generate an API ID and API key (free of charge), then:

export DP_Id="kube123"

export DP_Key="sADDsdasdgdsf"

acme.sh   --issue   --dns dns_dp   -d kubesre.com  -d www.kubesre.com

The certificate is issued without any manual step. The API ID and key are saved automatically, so you do not need to export them again; later issues with the DNSPod API just work:

acme.sh  --issue   -d  kubesre.com   --dns  dns_dp

Two cautions. The credentials are stored in plaintext in ~/.acme.sh/account.conf, so keep that file readable only by the user running acme.sh, and create an API token scoped to the smallest set of zones the provider allows. Because such a token can write any record in those zones, do not leave it on a host you do not trust; if your provider cannot scope tokens, acme.sh's DNS alias mode (--challenge-alias) lets you point _acme-challenge.<domain> at a separate zone via CNAME and give acme.sh a token for that zone only.

More detailed API usage: https://github.com/Neilpang/a...

Renew certificates and upgrade acme.sh

Certificates issued this way are valid for 90 days (the certificate shown below runs from 2021-12-21 to 2022-03-21). acme.sh renews each certificate every 60 days by default, through the daily cron job the installer created, so you normally do not have to do anything. You only renew by hand (acme.sh --renew -d kubesre.com, or --renew --force to renew early) when the automatic run failed or when you used manual DNS mode. Check that the job is present with crontab -l.

The ACME protocol and the CAs change frequently, so acme.sh is updated often to keep up. Automatic upgrade fetches the newest script from the project's repository during the cron run; it is convenient, but it means whatever is on that branch runs on your host unreviewed, so upgrading on your own schedule is the more conservative choice.

# Upgrade acme.sh to the latest version
acme.sh --upgrade

# If you don't want to upgrade by hand, turn on automatic upgrades:
acme.sh  --upgrade  --auto-upgrade

# After that, acme.sh keeps itself up to date

# You can turn automatic upgrades off again at any time:
acme.sh --upgrade  --auto-upgrade  0

Change the CA

The default CA is ZeroSSL. If you need a different CA, pass --server with any supported CA name when issuing, for example letsencrypt (or letsencrypt_test for the Let's Encrypt staging environment, which is useful while you debug validation without hitting production rate limits; its certificates are not trusted by browsers):

acme.sh --issue -d kubesre.com --dns dns_cf --server letsencrypt

You can also change the default CA for all future issues with --set-default-ca:

acme.sh --set-default-ca --server letsencrypt

Issue certificate based on CSR

Generate the private key and CSR with openssl (create the kubesre.com directory first; this CSR carries only a CN, and the CA takes the domain name from it):

openssl genrsa -out kubesre.com/kubesre.com.key 4096 
openssl req -new -key kubesre.com/kubesre.com.key -out kubesre.com/kubesre.com.csr -subj "/C=CN/L=Shanghai/O=kubesre/OU=shanghai/CN=kubesre.com"
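The CSR above works (the log below shows the CA picking up kubesre.com from the CN), but a CSR should carry every hostname in the Subject Alternative Name extension, which is what CAs actually use, especially when you want several names in one certificate. The script below is an added example, not code from acme.sh or from the original article: it builds such a CSR with the article's DN values and then verifies two things a practitioner wants to know before running --signcsr, namely that the SAN list is what you expect and that the CSR's public key really belongs to the private key you are going to deploy. It assumes the openssl CLI is installed; the function names, the req config layout and the output directory convention are this example's own.

```shell
#!/bin/sh
# Added example, not part of acme.sh or the original article.
# Builds a CSR with Subject Alternative Names and checks it before `acme.sh --signcsr`.
# Assumes: the openssl CLI is installed. Function names and the output layout are ours.

# make_csr OUTDIR KEYBITS CN [SAN...]
# Writes OUTDIR/CN.key, OUTDIR/CN.csr and the req config that was used. The CN
# is always included in the SAN list, because CAs take hostnames from the SAN extension.
make_csr() {
    outdir=$1; bits=$2; cn=$3; shift 3
    sans="DNS:$cn"
    for d in "$@"; do sans="$sans,DNS:$d"; done
    umask 077                 # private key (and config) are created mode 0600
    mkdir -p "$outdir"
    # prompt=no takes the DN from [dn]; req_extensions attaches the SAN list.
    cat > "$outdir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
C = CN
L = Shanghai
O = kubesre
CN = $cn
[ v3_req ]
subjectAltName = $sans
EOF
    openssl genrsa -out "$outdir/$cn.key" "$bits" 2>/dev/null &&
    openssl req -new -key "$outdir/$cn.key" -out "$outdir/$cn.csr" -config "$outdir/req.cnf"
}

# csr_sans CSR: prints the SAN list without whitespace, e.g. DNS:a.com,DNS:www.a.com
csr_sans() {
    openssl req -noout -text -in "$1" | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# csr_key_matches CSR KEY: succeeds only if the CSR's public key was derived from KEY.
# Catches the classic mistake of regenerating the key after the CSR was made, which
# yields a certificate the server cannot use.
csr_key_matches() {
    csr_pub=$(openssl req -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Stand-alone use: sh make-csr.sh OUTDIR KEYBITS CN [SAN...]
if [ "$#" -ge 3 ]; then
    make_csr "$@" || exit 1
    echo "SANs: $(csr_sans "$1/$3.csr")"
    csr_key_matches "$1/$3.csr" "$1/$3.key" && echo "CSR matches $1/$3.key"
fi
```

Run it as sh make-csr.sh kubesre.com 4096 kubesre.com www.kubesre.com and pass kubesre.com/kubesre.com.csr to acme.sh --signcsr --csr; the key stays under your control and never leaves the host, which is the point of the CSR workflow.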

Issue a certificate from the CSR. This run uses manual DNS mode again, so it stops after printing the TXT record you have to add:

acme.sh --signcsr --csr ../intermediateca.csr --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please  --server zerossl
[Tue Dec 21 20:03:11 CST 2021] Copy csr to: /root/.acme.sh/kubesre.com/kubesre.com.csr
[Tue Dec 21 20:03:15 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Dec 21 20:03:15 CST 2021] Single domain='kubesre.com'
[Tue Dec 21 20:03:15 CST 2021] Getting domain auth token for each domain
[Tue Dec 21 20:03:27 CST 2021] Getting webroot for domain='kubesre.com'
[Tue Dec 21 20:03:27 CST 2021] Add the following TXT record:
[Tue Dec 21 20:03:27 CST 2021] Domain: '_acme-challenge.kubesre.com'
[Tue Dec 21 20:03:27 CST 2021] TXT value: 'JIuDsu6k_4xnvRZbwnkWqEIXJ17hjVHGXchrgvydC90'
[Tue Dec 21 20:03:27 CST 2021] Please be aware that you prepend _acme-challenge. before your domain
[Tue Dec 21 20:03:27 CST 2021] so the resulting subdomain will be: _acme-challenge.kubesre.com
[Tue Dec 21 20:03:27 CST 2021] Please add the TXT records to the domains, and re-run with --renew.
[Tue Dec 21 20:03:27 CST 2021] Please check log file for more details: /root/.acme.sh/acme.sh.log

Add the TXT record at your DNS provider, then confirm that a public resolver sees it:

dig @223.5.5.5 _acme-challenge.kubesre.com txt +short
"JIuDsu6k_4xnvRZbwnkWqEIXJ17hjVHGXchrgvydC90"

Re-run with --renew to finish the issuance:

 acme.sh --renew -d kubesre.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Dec 21 20:16:28 CST 2021] Renew: 'kubesre.com'
[Tue Dec 21 20:16:36 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Dec 21 20:16:36 CST 2021] Single domain='kubesre.com'
[Tue Dec 21 20:16:36 CST 2021] Getting domain auth token for each domain
[Tue Dec 21 20:16:36 CST 2021] Verifying: kubesre.com
[Tue Dec 21 20:16:51 CST 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Dec 21 20:17:02 CST 2021] Success
[Tue Dec 21 20:17:02 CST 2021] Verify finished, start to sign.
[Tue Dec 21 20:17:02 CST 2021] Lets finalize the order.
[Tue Dec 21 20:17:02 CST 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/OszJC-V5ka_7WYpupZ4mkQ/finalize'
[Tue Dec 21 20:17:11 CST 2021] Order status is processing, lets sleep and retry.
[Tue Dec 21 20:17:11 CST 2021] Retry after: 15
[Tue Dec 21 20:17:27 CST 2021] Polling order status: https://acme.zerossl.com/v2/DV90/order/OszJC-V5ka_7WYpupZ4mkQ
[Tue Dec 21 20:17:33 CST 2021] Downloading cert.
[Tue Dec 21 20:17:33 CST 2021] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/yeadYGbm-KLNqMWlqSzShg'
[Tue Dec 21 20:17:41 CST 2021] Cert success.
-----BEGIN CERTIFICATE-----
MIIHZDCCBUygAwIBAgIQEkvN2TAkV2mdPUF1lweQ+jANBgkqhkiG9w0BAQwFADBL
MQswCQYDVQQGEwJBVDEQMA4GA1UEChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NT
TCBSU0EgRG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTIxMTIyMTAwMDAwMFoXDTIy
MDMyMTIzNTk1OVowFjEUMBIGA1UEAxMLa3ViZXNyZS5jb20wggIiMA0GCSqGSIb3
DQEBAQUAA4ICDwAwggIKAoICAQC7gsfbCde2EVerXfzi/+1pGvePusulmh2gF+vh
IpTwdIC7tpO7cZiHVjR2BsC8XYptUqWpJtuehRLqN3PI2xdpFyGMT9EKgPcIsN3a
y619t/UlskrVbAZYqfAC4613f98WhizYL6Kb6pOuwsS2rn5XeUAXuNVDcnRJ79i4
ld8Q6H+xmOSU3XqnTNqv4Yq7F+l1nVNktpozJM0MmqI6e+saN4PlaHJZJ2Zc9dTQ
4/0tkXQizwH862c+kGHdYhEit5Kx3blgEYZ9vKPNu5mKsPdPJ0XNeXzZ7T449EcI
ONY2UwwHqxeKm13hcD0hM0OzPHS3eniHf2LX/EzIcW/uQ77ynukB45ub7xWs1ado
HKGhrY+dluxuaNUc9M8PPIYubkaeh95Ohik1ovljkUbO+AYZf28Y0c4sQYaFToqR
ogbTvl7EWdQCJQppqu4h0DZIoTHYu3yIu/KdHeqmySSE/tyyLCIyuZS7oN5ZxeEh
SojLn293qWVlj5z0ZB2Ui3vourAt7HMOy0noDusG3au6y6m69wX+jKCWYglF/b48
328GzFxPxbxWnQUD/Jf5cjUE9SN9meXivrzXS1vky0qkHJwnKTiAVNNCRGFNX5Ic
yOHAsJCteY8VUyvlngjrBnLmie4kfc5zb68qtKCnCw6fejVDzVKgwVFJK0iF2t4K
7YX3ewIDAQABo4ICdzCCAnMwHwYDVR0jBBgwFoAUyNl4aKLZGWjVPXLeXwo+3LWG
hqYwHQYDVR0OBBYEFMOIZYOY9egIBZ1T6jEPeRR3dROYMA4GA1UdDwEB/wQEAwIF
oDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJ
BgNVHSAEQjBAMDQGCysGAQQBsjEBAgJOMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8v
c2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATCBiAYIKwYBBQUHAQEEfDB6MEsGCCsG
AQUFBzAChj9odHRwOi8vemVyb3NzbC5jcnQuc2VjdGlnby5jb20vWmVyb1NTTFJT
QURvbWFpblNlY3VyZVNpdGVDQS5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly96ZXJv
c3NsLm9jc3Auc2VjdGlnby5jb20wggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgBG
pVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8cP5tRwAAAX3c7NwCAAAEAwBHMEUC
IQCiJFlodU8eOmcUXypehRIVsecs1QPROZq4GXFKn1H7yAIgWK6BZtJ5IxsYw6g6
4IFZ851k7tB6iGLKjIIBUcJNBxUAdgBByMqx3yJGShDGoToJQodeTjGLGwPr60vH
aPCQYpYG9gAAAX3c7NvUAAAEAwBHMEUCIQCdpdc7o2ZKGVkiQhBOCgFa1D28tbRd
8czfFGWEtW+cjAIgSfPwdIcMXQ3QgQ/e14L8+R33WTApmXq4RGNyhcj91n4wFgYD
VR0RBA8wDYILa3ViZXNyZS5jb20wDQYJKoZIhvcNAQEMBQADggIBABQ69j9PcoXy
WwNo+bLcxd5J1YWhvoty6AGfPQ4dFE9uHWASzQ0rfAGYahVCWrofb3utz2OQH+T4
nTwrX+vo6xS0PizF27WqjqWvfIkQ2badRoVATLg5TCkjjGz2ztIsrRsY62VwrKjF
BWmJocA3/dKqtMbPD5fiw10HGp2/armCr26P2smheqiih1ci4AJ+rcWMVQfHEhzA
u+Sr1BnJMddhhrPoJBQzBOctYrAM/C//CwmmLI2jcF8NdBTvW0QwP1bMIfaO7spO
bggaI7RJ35gHuxE07GR+JVfss1pYEOE2j9pWPqaAbeFdfW4gAatAiR6t9g6z6cdb
wV94JXRWa1GotoMXU5U8/Oq+6OD454tuPA/CwlaPR+zO94ppJ/9YhWyXy2hqGQqm
alhajJgMVE2P9kYoZTlZIgEZyICQ0XbKMzXyq8D2leEAroVdZCo5lKkR6v1ZhL6f
YlsGwOV68rVQU03euWqTIvaSUUTXBXI1ug9z19a8a3PJlMLBDpz+e/mcsw4qMIzi
557vQv/+9xR/ZSNsW+s/RBW6gTo8nrestWBRb53pfFd4LAse+WGHEA3Kgv+Fi3ra
GJWYcA4KvGRbLZ/flUmNPyyARNfLdaAMlaDtHjQUj1pEhtSnYtwnthj3Y/eiXY9H
eg0z2wcNGmZEPG19ngYf79+xLpmmZj0F
-----END CERTIFICATE-----
[Tue Dec 21 20:17:41 CST 2021] Your cert is in: /root/.acme.sh/kubesre.com/kubesre.com.cer
[Tue Dec 21 20:17:41 CST 2021] Your cert key is in: /root/.acme.sh/kubesre.com/kubesre.com.key
[Tue Dec 21 20:17:41 CST 2021] The intermediate CA cert is in: /root/.acme.sh/kubesre.com/ca.cer
[Tue Dec 21 20:17:41 CST 2021] And the full chain certs is there: /root/.acme.sh/kubesre.com/fullchain.cer


Keywords: Linux Operation & Maintenance

Added by michaelkirby on Sat, 25 Dec 2021 19:28:54 +0200