acme.sh overview
- An ACME protocol client written purely in Shell (Unix shell) language.
- Complete ACME protocol implementation. Supports ACME v1 and ACME v2 wildcard certificates
- Simple, powerful and easy to use. You only need 3 minutes to learn it.
- Let's Encrypt free certificate client is the simplest shell script.
- It is written purely in Shell and does not depend on python or the official Let's Encrypt client.
- A single script is required to automatically issue, renew, and install certificates. root/sudoer access is not required.
- It supports use in Docker and IPv6
Install acme sh
curl https://get.acme.sh | sh
And create a bash alias for your convenience: alias acme sh=~/. acme. sh/acme. sh
Generate certificate
acme.sh implements all authentication protocols supported by acme protocol Generally, there are two authentication methods: http and dns authentication\
http mode
http needs to place a file in the root directory of your website to verify the ownership of your domain name and complete the verification Then you can generate the certificate
acme.sh --issue -d kubesre.com -d www.kubesre.com --webroot /application/nginx/html/
You only need to specify the domain name and the root directory of the website where the domain name is located acme.sh will automatically generate verification files, put them in the root directory of the website, and then automatically complete the verification Finally, it will cleverly delete the verification file The whole process has no side effects
If you use a web server, acme SH can also intelligently automatically complete verification from apache configuration. You do not need to specify the website root directory:
acme.sh --issue -d kubesre.com --apache acme.sh --issue -d kubesre.com --nginx
dns mode
Manually dns mode, manually add a txt resolution record on the domain name to verify the ownership of the domain name
The advantage of this method is that you don't need any server or any public ip. You only need dns parsing records to complete the verification The disadvantage is that if you do not configure the Automatic DNS API at the same time, use acme SH will not be able to automatically update the certificate. You need to manually re resolve and verify the domain name ownership every time.
acme.sh --issue --dns -d kubesre.com \ --yes-I-know-dns-manual-mode-enough-go-ahead-please
Then, acme SH will generate the corresponding resolution record and display it. You just need to add this txt record in your domain name management panel
After waiting for the resolution to complete, regenerate the certificate:
acme.sh --renew -d kubesre.com --yes-I-know-dns-manual-mode-enough-go-ahead-please [Tue Dec 21 17:21:23 CST 2021] Renew: 'kubesre.com' [Tue Dec 21 17:21:28 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90 [Tue Dec 21 17:21:28 CST 2021] Multi domain='DNS:kubesre.com,DNS:www.kubesre.com' [Tue Dec 21 17:21:28 CST 2021] Getting domain auth token for each domain [Tue Dec 21 17:21:28 CST 2021] Verifying: kubesre.com [Tue Dec 21 17:21:39 CST 2021] Processing, The CA is processing your order, please just wait. (1/30) [Tue Dec 21 17:21:46 CST 2021] Success [Tue Dec 21 17:21:46 CST 2021] Verifying: www.kubesre.com [Tue Dec 21 17:21:51 CST 2021] Processing, The CA is processing your order, please just wait. (1/30) [Tue Dec 21 17:21:58 CST 2021] Success [Tue Dec 21 17:21:58 CST 2021] Verify finished, start to sign. [Tue Dec 21 17:21:58 CST 2021] Lets finalize the order. [Tue Dec 21 17:21:58 CST 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/5RzPnQTU0MBIaZgvOqiSkQ/finalize' [Tue Dec 21 17:22:04 CST 2021] Order status is processing, lets sleep and retry. [Tue Dec 21 17:22:04 CST 2021] Retry after: 15 [Tue Dec 21 17:22:20 CST 2021] Polling order status: https://acme.zerossl.com/v2/DV90/order/5RzPnQTU0MBIaZgvOqiSkQ [Tue Dec 21 17:22:28 CST 2021] Downloading cert. [Tue Dec 21 17:22:28 CST 2021] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/RIlS-0BCVnWMmTIzTSy69g' [Tue Dec 21 17:22:32 CST 2021] Cert success. -----BEGIN CERTIFICATE----- MIIGdjCCBF6gAwIBAgIRAOXiFOW5y1AyMNreWMhPmTAwDQYJKoZIhvcNAQEMBQAw SzELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9T U0wgUlNBIERvbWFpbiBTZWN1cmUgU2l0ZSBDQTAeFw0yMTEyMjEwMDAwMDBaFw0y MjAzMjEyMzU5NTlaMBYxFDASBgNVBAMTC2t1YmVzcmUuY29tMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEArkRZurTH3SNPklcWjSvXu/fsUfz3CQUJs310 cdlTTQ2z1AC2oNLiw2JWVVPe6XXopDXiboynyMuJcfu+Yyqft3zSzmK1jtGZGt4+ wP2o8uQ8ppg9zKivk6IVY2PAyw7KoP20tgvWLkB/OeRyFERO0k/BwHeLssYunOy8 CEEPH05c0aeWBaYFRy6W5aTQ5gI9F+TxHkJMwNQ9S46Ymts1vT9NGGA21yD3nC8/ qQ9yojtSHalj95no/en+o1Gwv8LSBuiD0OrgfL/UmwjYaV60Q6ZFrb1OrkRrgRn4 cb/RCMAofzUEqE3ItwsBbo41gmI6i0uECktC9SKxMlTVG0M84wIDAQABo4ICiDCC AoQwHwYDVR0jBBgwFoAUyNl4aKLZGWjVPXLeXwo+3LWGhqYwHQYDVR0OBBYEFG5p QAKZzOQ/Uk6L5d3Q7utQPbrfMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAA MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysG AQQBsjEBAgJOMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BT MAgGBmeBDAECATCBiAYIKwYBBQUHAQEEfDB6MEsGCCsGAQUFBzAChj9odHRwOi8v emVyb3NzbC5jcnQuc2VjdGlnby5jb20vWmVyb1NTTFJTQURvbWFpblNlY3VyZVNp dGVDQS5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly96ZXJvc3NsLm9jc3Auc2VjdGln by5jb20wggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdQBGpVXrdfqRIDC1oolp9PN9 ESxBdL79SbiFq/L8cP5tRwAAAX3cTIkkAAAEAwBGMEQCIGaR8Z1cpbls5r76bwvW cqhAmSxXofGdCwk4CG9to/UnAiBzb3AfHwRx/K1afFew+dUha8n5r4LdKpK2/idh cTgNbQB3AEHIyrHfIkZKEMahOglCh15OMYsbA+vrS8do8JBilgb2AAABfdxMiOMA AAQDAEgwRgIhAKEgFnDfhKUi9a/17W6ulKwy/JWDzW1x6GSi5wdJZUDsAiEA7jnc 2pLivTiZ189eoYQwEY+fAPLiB4Lt1MB4W3PkIk4wJwYDVR0RBCAwHoILa3ViZXNy ZS5jb22CD3d3dy5rdWJlc3JlLmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAMU/wgqFc m2yys2T5CRdGOl/dPNM9E5t2IMBMhzMVDr1czQRUgf6Yh/h7jkWihYqGxDVJSL8T 9KknzaRvUvDx3piGJLUyqPOQPrawI9N7bSz3ncIsv2cIzNWeDN9UVw54/Pxadl3/ 2SGBay/hpV+miLcp/rr1WwoLnTU22djZRr1WjbPHxOIn3aI2CKVAzJfdYE3/N7rG B+AOQnrmegKchxlV1EQN3lUy2hys0lNaohyWQs9GTeq7zFyrL5M4EFiG1fTO/rHw YaY0doH8uv74W/vYCquaK033bvP7iOnm3JpfbDDez7QVLONemVf/SRRxVff2zgJx F5m+XVZhPRoxohWm/AytUIqfDao37XnR9vBKJ4dIWNuyxWwfkuSA5d8i0wOFi5St yvpeC0HWuuYBNJkX8yuFe3rYFh92TN6Qu3Rl19Z/QhysF9Yin1OunPia14bKxUnR 93hH827Sb5owYoC+3xx14WvzGtV6lov6siLBXhSNPbeaK9iQeWeRgxP7frLxuH3Z 0uHh1QJIoS7Gd1O6VHmqjkzOGuWuu92taDu53Bs+Xke6rXSILlPOMtI4aueTLkZL AyyqGkcjv7Qhhj/VFmG4GZpRyBGGuFA5VbJ8PQsbjmMyn+8m5zF4Wy00Rt7xA99b b4YhcvrzGJwehsPq6m0yjCbh3cCSd3vyGo0= -----END CERTIFICATE----- [Tue Dec 21 17:22:32 CST 2021] Your cert is in: /root/.acme.sh/kubesre.com/kubesre.com.cer [Tue Dec 21 17:22:32 CST 2021] Your cert key is in: /root/.acme.sh/kubesre.com/kubesre.com.key [Tue Dec 21 17:22:32 CST 2021] The intermediate CA cert is in: /root/.acme.sh/kubesre.com/ca.cer [Tue Dec 21 17:22:32 CST 2021] And the full chain certs is there: /root/.acme.sh/kubesre.com/fullchain.cer
Note that the second time we use -- renew
The real strength of dns is that you can use the api provided by the domain name resolver to automatically add txt records to complete the verification
acme. At present, SH supports the automatic integration of dozens of parsers such as cloudflare, dnspod, cloudxns, godaddy and ovh
Take dnspod as an example. You need to log in to the dnspod account and generate your api id and api key for free then:
export DP_Id="kube123" export DP_Key="sADDsdasdgdsf" acme.sh --issue --dns dns_dp -d kubesre.com -d www.kubesre.com
The certificate will be generated automatically The api id and api key given here will be recorded automatically. You don't need to specify them again when using dnspod api in the future Just generate it directly:
acme.sh --issue -d kubesre.com --dns dns_dp
More detailed api usage: https://github.com/Neilpang/a...
Update certificate
At present, the certificate is valid for 60 days after application
At present, acme protocol and letsencrypt CA are frequently updated, so acme SH is also updated frequently to keep in sync
# Upgrade acme.com SH to the latest version acme.sh --upgrade # If you don't want to upgrade manually, you can turn on automatic upgrade: acme.sh --upgrade --auto-upgrade #After that, acme SH will automatically keep updated # You can also turn off automatic updates at any time: acme.sh --upgrade --auto-upgrade 0
Modify CA
The default CA will use ZeroSSL , the CA needs to be changed due to special needs. Please modify it in the following way.
You can freely use any supported CA by providing the -- server parameter:
acme.sh --issue -d kubesre.com --dns dns_cf --server letsencrypt
You can also set the default ca through -- set default ca:
acme.sh --set-default-ca --server letsencrypt
Issue certificate based on CSR
Generate csr through openssl
openssl genrsa -out kubesre.com/kubesre.com.key 4096 openssl req -new -key kubesre.com/kubesre.com.key -out kubesre.com/kubesre.com.csr -subj "/C=CN/L=Shanghai/O=kubesre/OU=shanghai/CN=kubesre.com"
Issue certificate based on csr
acme.sh --signcsr --csr ../intermediateca.csr --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --server zerossl [Tue Dec 21 20:03:11 CST 2021] Copy csr to: /root/.acme.sh/kubesre.com/kubesre.com.csr [Tue Dec 21 20:03:15 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90 [Tue Dec 21 20:03:15 CST 2021] Single domain='kubesre.com' [Tue Dec 21 20:03:15 CST 2021] Getting domain auth token for each domain [Tue Dec 21 20:03:27 CST 2021] Getting webroot for domain='kubesre.com' [Tue Dec 21 20:03:27 CST 2021] Add the following TXT record: [Tue Dec 21 20:03:27 CST 2021] Domain: '_acme-challenge.kubesre.com' [Tue Dec 21 20:03:27 CST 2021] TXT value: 'JIuDsu6k_4xnvRZbwnkWqEIXJ17hjVHGXchrgvydC90' [Tue Dec 21 20:03:27 CST 2021] Please be aware that you prepend _acme-challenge. before your domain [Tue Dec 21 20:03:27 CST 2021] so the resulting subdomain will be: _acme-challenge.kubesre.com [Tue Dec 21 20:03:27 CST 2021] Please add the TXT records to the domains, and re-run with --renew. [Tue Dec 21 20:03:27 CST 2021] Please check log file for more details: /root/.acme.sh/acme.sh.log
Configure DNS domain name resolution TXT record and verify
dig @223.5.5.5 _acme-challenge.kubesre.com txt +short "JIuDsu6k_4xnvRZbwnkWqEIXJ17hjVHGXchrgvydC90"
Retry issuing certificate
acme.sh --renew -d kubesre.com --yes-I-know-dns-manual-mode-enough-go-ahead-please [Tue Dec 21 20:16:28 CST 2021] Renew: 'kubesre.com' [Tue Dec 21 20:16:36 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90 [Tue Dec 21 20:16:36 CST 2021] Single domain='kubesre.com' [Tue Dec 21 20:16:36 CST 2021] Getting domain auth token for each domain [Tue Dec 21 20:16:36 CST 2021] Verifying: kubesre.com [Tue Dec 21 20:16:51 CST 2021] Processing, The CA is processing your order, please just wait. (1/30) [Tue Dec 21 20:17:02 CST 2021] Success [Tue Dec 21 20:17:02 CST 2021] Verify finished, start to sign. [Tue Dec 21 20:17:02 CST 2021] Lets finalize the order. [Tue Dec 21 20:17:02 CST 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/OszJC-V5ka_7WYpupZ4mkQ/finalize' [Tue Dec 21 20:17:11 CST 2021] Order status is processing, lets sleep and retry. [Tue Dec 21 20:17:11 CST 2021] Retry after: 15 [Tue Dec 21 20:17:27 CST 2021] Polling order status: https://acme.zerossl.com/v2/DV90/order/OszJC-V5ka_7WYpupZ4mkQ [Tue Dec 21 20:17:33 CST 2021] Downloading cert. [Tue Dec 21 20:17:33 CST 2021] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/yeadYGbm-KLNqMWlqSzShg' [Tue Dec 21 20:17:41 CST 2021] Cert success. -----BEGIN CERTIFICATE----- MIIHZDCCBUygAwIBAgIQEkvN2TAkV2mdPUF1lweQ+jANBgkqhkiG9w0BAQwFADBL MQswCQYDVQQGEwJBVDEQMA4GA1UEChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NT TCBSU0EgRG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTIxMTIyMTAwMDAwMFoXDTIy MDMyMTIzNTk1OVowFjEUMBIGA1UEAxMLa3ViZXNyZS5jb20wggIiMA0GCSqGSIb3 DQEBAQUAA4ICDwAwggIKAoICAQC7gsfbCde2EVerXfzi/+1pGvePusulmh2gF+vh IpTwdIC7tpO7cZiHVjR2BsC8XYptUqWpJtuehRLqN3PI2xdpFyGMT9EKgPcIsN3a y619t/UlskrVbAZYqfAC4613f98WhizYL6Kb6pOuwsS2rn5XeUAXuNVDcnRJ79i4 ld8Q6H+xmOSU3XqnTNqv4Yq7F+l1nVNktpozJM0MmqI6e+saN4PlaHJZJ2Zc9dTQ 4/0tkXQizwH862c+kGHdYhEit5Kx3blgEYZ9vKPNu5mKsPdPJ0XNeXzZ7T449EcI ONY2UwwHqxeKm13hcD0hM0OzPHS3eniHf2LX/EzIcW/uQ77ynukB45ub7xWs1ado HKGhrY+dluxuaNUc9M8PPIYubkaeh95Ohik1ovljkUbO+AYZf28Y0c4sQYaFToqR ogbTvl7EWdQCJQppqu4h0DZIoTHYu3yIu/KdHeqmySSE/tyyLCIyuZS7oN5ZxeEh SojLn293qWVlj5z0ZB2Ui3vourAt7HMOy0noDusG3au6y6m69wX+jKCWYglF/b48 328GzFxPxbxWnQUD/Jf5cjUE9SN9meXivrzXS1vky0qkHJwnKTiAVNNCRGFNX5Ic yOHAsJCteY8VUyvlngjrBnLmie4kfc5zb68qtKCnCw6fejVDzVKgwVFJK0iF2t4K 7YX3ewIDAQABo4ICdzCCAnMwHwYDVR0jBBgwFoAUyNl4aKLZGWjVPXLeXwo+3LWG hqYwHQYDVR0OBBYEFMOIZYOY9egIBZ1T6jEPeRR3dROYMA4GA1UdDwEB/wQEAwIF oDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJ BgNVHSAEQjBAMDQGCysGAQQBsjEBAgJOMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8v c2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATCBiAYIKwYBBQUHAQEEfDB6MEsGCCsG AQUFBzAChj9odHRwOi8vemVyb3NzbC5jcnQuc2VjdGlnby5jb20vWmVyb1NTTFJT QURvbWFpblNlY3VyZVNpdGVDQS5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly96ZXJv c3NsLm9jc3Auc2VjdGlnby5jb20wggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgBG pVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8cP5tRwAAAX3c7NwCAAAEAwBHMEUC IQCiJFlodU8eOmcUXypehRIVsecs1QPROZq4GXFKn1H7yAIgWK6BZtJ5IxsYw6g6 4IFZ851k7tB6iGLKjIIBUcJNBxUAdgBByMqx3yJGShDGoToJQodeTjGLGwPr60vH aPCQYpYG9gAAAX3c7NvUAAAEAwBHMEUCIQCdpdc7o2ZKGVkiQhBOCgFa1D28tbRd 8czfFGWEtW+cjAIgSfPwdIcMXQ3QgQ/e14L8+R33WTApmXq4RGNyhcj91n4wFgYD VR0RBA8wDYILa3ViZXNyZS5jb20wDQYJKoZIhvcNAQEMBQADggIBABQ69j9PcoXy WwNo+bLcxd5J1YWhvoty6AGfPQ4dFE9uHWASzQ0rfAGYahVCWrofb3utz2OQH+T4 nTwrX+vo6xS0PizF27WqjqWvfIkQ2badRoVATLg5TCkjjGz2ztIsrRsY62VwrKjF BWmJocA3/dKqtMbPD5fiw10HGp2/armCr26P2smheqiih1ci4AJ+rcWMVQfHEhzA u+Sr1BnJMddhhrPoJBQzBOctYrAM/C//CwmmLI2jcF8NdBTvW0QwP1bMIfaO7spO bggaI7RJ35gHuxE07GR+JVfss1pYEOE2j9pWPqaAbeFdfW4gAatAiR6t9g6z6cdb wV94JXRWa1GotoMXU5U8/Oq+6OD454tuPA/CwlaPR+zO94ppJ/9YhWyXy2hqGQqm alhajJgMVE2P9kYoZTlZIgEZyICQ0XbKMzXyq8D2leEAroVdZCo5lKkR6v1ZhL6f YlsGwOV68rVQU03euWqTIvaSUUTXBXI1ug9z19a8a3PJlMLBDpz+e/mcsw4qMIzi 557vQv/+9xR/ZSNsW+s/RBW6gTo8nrestWBRb53pfFd4LAse+WGHEA3Kgv+Fi3ra GJWYcA4KvGRbLZ/flUmNPyyARNfLdaAMlaDtHjQUj1pEhtSnYtwnthj3Y/eiXY9H eg0z2wcNGmZEPG19ngYf79+xLpmmZj0F -----END CERTIFICATE----- [Tue Dec 21 20:17:41 CST 2021] Your cert is in: /root/.acme.sh/kubesre.com/kubesre.com.cer [Tue Dec 21 20:17:41 CST 2021] Your cert key is in: /root/.acme.sh/kubesre.com/kubesre.com.key [Tue Dec 21 20:17:41 CST 2021] The intermediate CA cert is in: /root/.acme.sh/kubesre.com/ca.cer [Tue Dec 21 20:17:41 CST 2021] And the full chain certs is there: /root/.acme.sh/kubesre.com/fullchain.cer [root@ops .acme.sh]#
Click“ Read the original text "Get a better reading experience!