Use acme.sh to obtain a website certificate and configure HTTPS access

Table of Contents

1. Install acme.sh

2. Generate Certificate


1. Install acme.sh

Installation is simple, a single command:

curl https://get.acme.sh | sh

This fetches a script over HTTPS and runs it immediately with your user's privileges. If you would rather read it first, save it (curl -o get-acme.sh https://get.acme.sh), inspect it, and then run sh get-acme.sh.

It can be installed and used either as an ordinary user or as root. The installation performs the following steps:

1. Installs acme.sh into your home directory:

~/.acme.sh/

and creates a bash alias for convenience: alias acme.sh=~/.acme.sh/acme.sh

2. Creates a cron job for you that checks all certificates once a day at 0:00; any certificate that is about to expire and needs renewing is renewed automatically.

For more advanced installation options, please refer to:  https://github.com/Neilpang/acme.sh/wiki/How-to-install

The installation does not touch any existing system files or functions; all changes are confined to the installation directory ~/.acme.sh/.

2. Generate Certificate

acme.sh implements every validation method that the ACME protocol supports. In practice there are two: HTTP validation and DNS validation.

1. The HTTP method places a file under the root directory of your website to prove that you control the domain name; once validation succeeds, the certificate is issued.

acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /home/wwwroot/mydomain.com/

You only specify the domain names and the web root of the site that serves them. acme.sh generates the validation file, writes it into the web root, completes the validation automatically, and then deletes the validation file again. The whole process has no side effects. The file is requested at http://mydomain.com/.well-known/acme-challenge/<token>, so that path must be reachable over plain HTTP on port 80 (it must not be redirected to a backend or blocked by the server configuration).

If you use Apache, acme.sh can also complete the validation automatically by reading the Apache configuration, so you do not need to specify the web root:

acme.sh --issue -d mydomain.com --apache

If you use nginx, whether as the origin server or as a reverse proxy, acme.sh can likewise complete the validation from the nginx configuration without being told the web root:

acme.sh --issue -d mydomain.com --nginx

Note that in both Apache and nginx mode acme.sh restores the previous state once validation is complete and does not change your configuration on its own (it does need permission to edit and reload the server configuration while validating, so it normally runs as root in these modes). The advantage is that you need not worry about your configuration being broken; the disadvantage is that you have to write the SSL configuration yourself, otherwise you only end up with a certificate and the site still cannot be reached over HTTPS. For safety, editing the configuration by hand is the right approach.

If no web service is running yet and port 80 is free, acme.sh can act as a web server itself and listen on port 80 temporarily to complete the validation (binding port 80 requires root or an equivalent capability):

acme.sh --issue -d mydomain.com --standalone

For more advanced usage, please refer to: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
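The webroot procedure above, as an added example that is not part of the original post or of acme.sh itself: a small deployment script that first confirms the web root is the directory the web server actually serves, by writing a probe file at the path HTTP-01 validation uses (/.well-known/acme-challenge/) and reading it back both from disk and over HTTP, then issues the certificate and copies it out of ~/.acme.sh with acme.sh --install-cert so that a renewal also reloads nginx. The domain, web root, certificate directory and reload command are assumptions to replace; the check functions run without acme.sh installed, the issuing step only when the script is invoked with the argument issue.

```shell
#!/bin/sh
# Added example: webroot (HTTP-01) issuance with a preflight check and a
# deploy step. All values below are placeholders, not from the original post.
set -eu

DOMAIN="mydomain.com"
WEBROOT="/home/wwwroot/mydomain.com"
CERT_DIR="/etc/nginx/ssl/$DOMAIN"

# HTTP-01 validation fetches http://<domain>/.well-known/acme-challenge/<token>.
# Write a probe token where acme.sh will write its own file and read it back,
# so a wrong --webroot (or an unwritable one) is caught before contacting the
# CA. Returns 0 when the directory is usable, 1 otherwise; the probe is removed.
challenge_dir_ready() {
    webroot="$1"
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$$"
    mkdir -p "$dir" 2>/dev/null || return 1
    printf '%s' "$token" > "$dir/$token" 2>/dev/null || return 1
    readback=$(cat "$dir/$token") || { rm -f "$dir/$token"; return 1; }
    rm -f "$dir/$token"
    [ "$readback" = "$token" ]
}

# Same probe over HTTP, for reverse-proxied sites: the challenge path must be
# served from the web root rather than forwarded to the backend. Needs curl and
# a running web server, so it is only called from issue_and_install.
challenge_url_ready() {
    domain="$1"; webroot="$2"
    token="preflight-$$"
    printf '%s' "$token" > "$webroot/.well-known/acme-challenge/$token"
    body=$(curl -fsS "http://$domain/.well-known/acme-challenge/$token" || true)
    rm -f "$webroot/.well-known/acme-challenge/$token"
    [ "$body" = "$token" ]
}

issue_and_install() {
    challenge_dir_ready "$WEBROOT" || { echo "web root $WEBROOT not writable" >&2; exit 1; }
    challenge_url_ready "$DOMAIN" "$WEBROOT" || { echo "challenge path not served for $DOMAIN" >&2; exit 1; }

    ~/.acme.sh/acme.sh --issue -d "$DOMAIN" -d "www.$DOMAIN" --webroot "$WEBROOT"

    # Copy the key and full chain out of ~/.acme.sh (internal layout) and
    # register a reload command; acme.sh re-runs this on every renewal.
    mkdir -p "$CERT_DIR"
    ~/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
        --key-file       "$CERT_DIR/privkey.pem" \
        --fullchain-file "$CERT_DIR/fullchain.pem" \
        --reloadcmd      "nginx -s reload"
    chmod 600 "$CERT_DIR/privkey.pem"
}

# Only talk to the CA when explicitly asked:  sh deploy.sh issue
if [ "${1:-}" = "issue" ]; then issue_and_install; fi
```

Run the script once with issue; afterwards the daily cron job renews the certificate and, because --install-cert recorded the paths and the reload command, places the new files and reloads nginx without further intervention.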

2. In DNS mode, a TXT record is added to the domain to prove ownership of the domain name.

Concretely, acme.sh calls the API of your DNS provider to add the TXT record and then has the CA look it up. What needs attention is propagation: the record must be visible before validation starts. By default acme.sh waits 120 seconds before verifying, and many DNS providers cannot guarantee that the record has propagated within 120 seconds, which is why dnspod (https://www.dnspod.cn) is recommended here.

The real strength of the DNS method is that the provider's API lets acme.sh add the TXT record itself and complete the validation with no manual steps.

acme.sh currently has built-in integrations for dozens of providers, including cloudflare, dnspod, cloudxns, godaddy and ovh.

Taking dnspod as an example: log in to your dnspod account and create an API token, which gives you an id and a key; both are free. Then:

export DP_Id="<id of the api token you created>"

export DP_Key="<token of the api token you created>"

acme.sh --issue --dns dns_dp -d yourdomain -d www.yourdomain

acme.sh saves these credentials to ~/.acme.sh/account.conf so that the cron renewals can reuse them. Treat that file like the token itself: keep it readable only by the user that runs acme.sh, and where the provider allows it, give the token no more rights than editing DNS records for this zone.

If you want a single certificate that covers all of your subdomains, use a wildcard certificate: change the last command to

acme.sh --issue --dns dns_dp -d *.yourdomain -d yourdomain

This covers the domain itself and every first-level subdomain. Wildcard certificates can only be issued through DNS validation, and *.yourdomain does not match the bare yourdomain or deeper names such as a.b.yourdomain, which is why the bare domain is listed as a second -d. If issuance succeeds, the path where the certificate is stored is printed to the screen.
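The DNS-mode procedure above, as an added example that is not part of the original post or of acme.sh: a script that reads the dnspod token from a private env file instead of typing the export lines into an interactive shell (where they would be recorded in shell history), issues the wildcard certificate, and then makes sure that neither that file nor ~/.acme.sh/account.conf, where acme.sh persists DP_Id and DP_Key for renewals, is readable by other users. The domain and the location of the env file are assumptions; the permission checks run stand-alone, the issuing step only when invoked with the argument issue.

```shell
#!/bin/sh
# Added example: DNS-mode wildcard issuance via the dnspod API, plus a check
# that the files holding the API token are private. Placeholders throughout.
set -eu

DOMAIN="yourdomain"
CRED_FILE="$HOME/.acme.sh/dnspod.env"   # assumed location of the token file

# Return 0 if the file exists and has no group/other permission bits set,
# 1 otherwise. Parses ls -l because stat's flags differ between platforms.
is_private_file() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ]
}

# acme.sh copies DP_Id/DP_Key into ~/.acme.sh/account.conf so that the cron
# renewals can reuse them; both that file and the env file should be mode 600.
check_secret_files() {
    for f in "$CRED_FILE" "$HOME/.acme.sh/account.conf"; do
        if [ -f "$f" ] && ! is_private_file "$f"; then
            echo "fixing permissions on $f" >&2
            chmod 600 "$f"
        fi
    done
}

issue_wildcard() {
    is_private_file "$CRED_FILE" || { echo "$CRED_FILE missing or not private" >&2; exit 1; }
    # the env file holds two lines:  export DP_Id="..."  and  export DP_Key="..."
    . "$CRED_FILE"

    # *.yourdomain matches one level of subdomain only, so the bare name is listed too
    ~/.acme.sh/acme.sh --issue --dns dns_dp -d "*.$DOMAIN" -d "$DOMAIN"

    check_secret_files
}

# Only talk to the CA when explicitly asked:  sh wildcard.sh issue
if [ "${1:-}" = "issue" ]; then issue_wildcard; fi
```

Create the env file with umask 077 (or chmod 600 it right after writing) so that it is never world readable, even briefly; the script refuses to source it otherwise.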

When configuring nginx, ssl_certificate points at fullchain.cer (the leaf certificate followed by the intermediate chain) and ssl_certificate_key at the private key. The acme.sh project advises against pointing a server directly at the files under ~/.acme.sh/, which are for its internal use and whose layout may change; the supported way is acme.sh --install-cert, which copies the key and full chain to paths you choose and registers a --reloadcmd that acme.sh runs after every renewal. The configuration below follows the original post and references the internal paths directly:

server {
        listen       443 ssl;
        # server_name must be the site's real host name(s), not localhost,
        # otherwise this block is only reached as the default server
        server_name  hz1202.com *.hz1202.com;

        location / {
            # proxy to the backend; http://hz refers to the upstream named hz
            # (defined elsewhere in the configuration, not shown here)
             proxy_pass http://hz;
             index index.html index.htm;
         }

        # fullchain.cer = leaf certificate + intermediates; for a wildcard
        # certificate the directory name contains a literal asterisk
        ssl_certificate      /root/.acme.sh/*.hz1202.com/fullchain.cer;
        ssl_certificate_key  /root/.acme.sh/*.hz1202.com/*.hz1202.com.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        # restrict to modern protocol versions; older nginx defaults still allow TLSv1/1.1
        ssl_protocols        TLSv1.2 TLSv1.3;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
    }

Origin blog.csdn.net/whatday/article/details/115201086