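# Download the installer to a file instead of piping curl straight into sh:
# a pipe executes whatever arrives, including a truncated or altered response,
# and leaves nothing on disk to read beforehand. -f makes HTTP errors fail.
curl -fsSL https://get.acme.sh -o get-acme.sh
# Read get-acme.sh before running it. The e-mail is passed as the same
# positional argument that `sh -s email=...` would have supplied.
sh get-acme.sh email=my@example.com
# Make the acme.sh command available in the current shell (presumably the
# installer adds it to ~/.bashrc). The explicit ~/ path works from any
# working directory; a bare `.bashrc` only resolves when run from $HOME.
. ~/.bashrc
# Turn on acme.sh auto-upgrade.
# NOTE(review): auto-upgrade pulls and runs new upstream code unattended under
# the account that holds the certificate keys; enable it only if that trade-off
# is acceptable, otherwise upgrade manually after reviewing release notes.
acme.sh --upgrade --auto-upgrade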
acme-dns 服务：自行部署，或者跳过本步骤直接使用公共实例 https://auth.acme-dns.io。注意：使用公共实例时，_acme-challenge 验证记录由第三方服务控制，该服务的运营方有能力为你的域名通过 DNS 验证，生产环境建议自建。
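# 1. Install: fetch the acme-dns source and build it (needs Go 1.13 or newer).
git clone https://github.com/joohoi/acme-dns && cd acme-dns
export GOPATH=/tmp/acme-dns
go build

# 2. Edit the configuration.
vim config.cfg
#   1. listen = "<server public IP>:53" or ":53"
#   2. domain = "auth.<your domain>"
#   3. nsname = "auth.<your domain>"
#   4. records: replace every `auth.example.org` with `auth.<your domain>`,
#      and `198.51.100.1` with `<your server IP>`.
#   5. connection = "{current path}/acme-dns.db"
#   6. ip = "127.0.0.1"
#   7. port = "4433"   # must not clash with another port on this server
#   8. tls = "none"
#   With tls = "none" the HTTP API is plaintext, so keep ip on 127.0.0.1 as
#   above; the API key sent to /update would otherwise cross the network in
#   the clear. Only the DNS listener (port 53) needs to be reachable publicly.

# 3. Edit acme-dns.service.
vim acme-dns.service
#   In the [Service] section, comment out:
#     # User=acme-dns
#     # Group=acme-dns
#   and set:
#     ExecStart = {current path}/acme-dns -c {current path}/config.cfg
#   NOTE(review): with User=/Group= commented out the daemon runs as root,
#   so a flaw in this internet-facing DNS service is a root compromise.
#   Prefer keeping the two lines and creating a dedicated acme-dns account
#   that can read config.cfg and write acme-dns.db -- confirm how the unit
#   grants the right to bind port 53 before relying on this.

# 4. Install as a systemd service and start it.
cp acme-dns.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable acme-dns --now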
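export ACMEDNS_BASE_URL="http://127.0.0.1:4433"

# Register an account and save the reply. The reply contains the API password,
# so the file is created under umask 077 (owner-only); the subshell keeps the
# session umask unchanged, and chmod covers a file left over from earlier runs.
(
  umask 077
  curl -s -X POST "${ACMEDNS_BASE_URL}/register" | python -m json.tool > acme-dns.challenges
)
chmod 600 acme-dns.challenges
cat acme-dns.challenges
# Response:
# {
#     "username": "5c4738ad-2c94-4de8-80a8-182d2a86ede3",
#     "password": "vfZm70ZO6k5FCYTwjpby_HQ_ebwLkWErb0RK-HuT",
#     "fulldomain": "d487f8fa-2ecb-4de2-ba29-3a17c7ec1a9a.auth.<your domain>",  # if step 2 was skipped, "<your domain>" will be "acme-dns.io"
#     "subdomain": "d487f8fa-2ecb-4de2-ba29-3a17c7ec1a9a",
#     "allowfrom": []
# }
# These values are credentials: anyone holding them can set the TXT record
# behind your _acme-challenge CNAME. Do not paste real output into tickets
# or posts, and remove acme-dns.challenges once acme.sh has the values.

# Pull the fields out of the saved reply (awk splits on double quotes; the
# value is the fourth field on the matching line).
export ACMEDNS_USERNAME="$(awk -F'"' '/username/{print $4}' acme-dns.challenges)"
export ACMEDNS_PASSWORD="$(awk -F'"' '/password/{print $4}' acme-dns.challenges)"
export ACMEDNS_SUBDOMAIN="$(awk -F'"' '/subdomain/{print $4}' acme-dns.challenges)"
echo "FULLDOMAIN = $(awk -F'"' '/fulldomain/{print $4}' acme-dns.challenges)"

# Verify: push a dummy TXT value through the update endpoint.
curl -s -X POST \
  -H "X-Api-User: $ACMEDNS_USERNAME" \
  -H "X-Api-Key: $ACMEDNS_PASSWORD" \
  -d "{\"subdomain\": \"$ACMEDNS_SUBDOMAIN\", \"txt\": \"___validation_token_received_from_the_ca___\"}" \
  "$ACMEDNS_BASE_URL/update" | python -m json.tool
# Check that the result looks like this:
# {
#     "txt": "___validation_token_received_from_the_ca___"
# }
# If it does, acme-dns is working.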
ns.auth A xxx.xxx.xxx.xxx
auth NS ns.auth.example.org
_acme-challenge CNAME FULLDOMAIN(步骤3中的 fulldomain)
例:
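# If a certificate was already issued, add the '--force' flag.
# Use your own domain in place of example.org. The wildcard name is quoted so
# the shell passes it to acme.sh literally instead of trying to glob-expand it
# against files in the current directory.
acme.sh --issue --dns dns_acmedns -d example.org -d '*.example.org'
# The output looks roughly like this:
# [Fri Sep 9 07:45:45 PM CST 2022] Using CA: https://acme.zerossl.com/v2/DV90
# [Fri Sep 9 07:45:45 PM CST 2022] Single domain='*.example.org'
# [Fri Sep 9 07:45:45 PM CST 2022] Getting domain auth token for each domain
# [Fri Sep 9 07:46:14 PM CST 2022] Getting webroot for domain='*.example.org'
# [Fri Sep 9 07:46:14 PM CST 2022] Adding txt value: fSuElrGOngpmxIjNYIQ_m1RFoF8eMeqESecoe00-Ebo for domain: _acme-challenge.example.org
# [Fri Sep 9 07:46:14 PM CST 2022] Using acme-dns
# [Fri Sep 9 07:46:16 PM CST 2022] The txt record is added: Success.
# [Fri Sep 9 07:46:16 PM CST 2022] Let's check each DNS record now. Sleep 20 seconds first.
# [Fri Sep 9 07:46:37 PM CST 2022] You can use '--dnssleep' to disable public dns checks.
# [Fri Sep 9 07:46:37 PM CST 2022] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
# [Fri Sep 9 07:46:37 PM CST 2022] Checking example.org for _acme-challenge.example.org
# [Fri Sep 9 07:46:38 PM CST 2022] Domain example.org '_acme-challenge.example.org' success.
# [Fri Sep 9 07:46:38 PM CST 2022] All success, let's return
# [Fri Sep 9 07:46:38 PM CST 2022] Verifying: *.example.org
# [Fri Sep 9 07:46:45 PM CST 2022] Processing, The CA is processing your order, please just wait. (1/30)
# [Fri Sep 9 07:46:56 PM CST 2022] Success
# [Fri Sep 9 07:46:56 PM CST 2022] Removing DNS records.
# [Fri Sep 9 07:46:56 PM CST 2022] Removing txt: fSuElrGOngpmxIjNYIQ_m1RFoF8eMeqESecoe00-Ebo for domain: _acme-challenge.example.org
# [Fri Sep 9 07:46:56 PM CST 2022] Using acme-dns
# [Fri Sep 9 07:46:56 PM CST 2022] Removed: Success
# [Fri Sep 9 07:46:56 PM CST 2022] Verify finished, start to sign.
# [Fri Sep 9 07:46:56 PM CST 2022] Lets finalize the order.
# [Fri Sep 9 07:46:56 PM CST 2022] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/vde1KxBa3XzF9Qu1XNfGUA/finalize'
# [Fri Sep 9 07:47:03 PM CST 2022] Order status is processing, lets sleep and retry.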
[Fri Sep 9 07:47:03 PM CST 2022] Retry after: 15 [Fri Sep 9 07:47:19 PM CST 2022] Polling order status: https://acme.zerossl.com/v2/DV90/order/vde1KxBa3XzF9Qu1XNfGUA [Fri Sep 9 07:47:27 PM CST 2022] Downloading cert. [Fri Sep 9 07:47:27 PM CST 2022] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/Y5Iu1MFA4ZefWC9faoeYeA' [Fri Sep 9 07:47:37 PM CST 2022] Cert success. -----BEGIN CERTIFICATE----- MIIGYjCCBEqgAwIBAgIQHO99Ikjng7jgsxUyXGtyVDANBgkqhkiG9w0BAQwFADBL MQswCQYDVQQGEwJBVDEQMA4GA1UEChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NT TCBSU0EgRG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTIyMDkwOTAwMDAwMFoXDTIy MTIwODIzNTk1OVowFTETMBEGA1UEAwwKKi53YmJvLmRldjCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAMEawA+/YasSWe5gVOJRe1gV2fldhDvLFc6M6yIX T3jHoQDEkMT+ZuBrLH7eiumNLvP8X3Dxs3ay+mN6s+8n8Ld2nU4D7Rs8QgD/orSX LCArIWo+njJkmrOoWTYYvNz3CQIRXYEP9nvswq4kMvd2H9whd+2zAodEFGH+VGpB GZ3BiwHhyRBOht1CGq3PHa+bKfPebpaSTsGC1r5hWI2dYM4u2ouYBkemoXFKYTZG KL4HV3GzwNTzyzR5UkkkPnfbGUp9Dd32Qof2A9G/lyOAZyz7EmA15gZvFhXKzOi7 Ss92iFD9E9tJMK+lxbSUmw0D1pTuAhRE+QleEjBKB36lDYsCAwEAAaOCAnYwggJy MB8GA1UdIwQYMBaAFMjZeGii2Rlo1T1y3l8KPty1hoamMB0GA1UdDgQWBBSdwLKJ LHCsVldJbhyyF7G3eiPL5TAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAd BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwSQYDVR0gBEIwQDA0BgsrBgEE AbIxAQICTjAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAI BgZngQwBAgEwgYgGCCsGAQUFBwEBBHwwejBLBggrBgEFBQcwAoY/aHR0cDovL3pl cm9zc2wuY3J0LnNlY3RpZ28uY29tL1plcm9TU0xSU0FEb21haW5TZWN1cmVTaXRl Q0EuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vemVyb3NzbC5vY3NwLnNlY3RpZ28u Y29tMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYARqVV63X6kSAwtaKJafTzfREs QXS+/Um4havy/HD+bUcAAAGDIhMswgAABAMARzBFAiEA7zNBVHbjTd62K3m5NJD3 XKV4jk7AJy6ZmUfr3mZizp8CIFpEPDA+Y99cLDAsJ7GtAfdeLFTn2Zv0G4ne5p6r ipoxAHYAQcjKsd8iRkoQxqE6CUKHXk4xixsD6+tLx2jwkGKWBvYAAAGDIhMslgAA BAMARzBFAiEA/6RUM63358DusgNK9Z1BaN6ZeA75Vk+aG1wF1uPAMhcCIBl2zo0O TMzJUFeELRog7Vyxs9G+kj76bc3cE0KXIn6cMBUGA1UdEQQOMAyCCioud2Jiby5k ZXYwDQYJKoZIhvcNAQEMBQADggIBAGFX+CdiZRXtotWEfjdtkdEJ3jKskuAVNp0k 
DTZsQVfqjx+zHKuqCmABQwtESpi2PBj8x95e5qjIYGSKFeNUtpz8380nJapC6gW3 xOLejQpsMfOaSo7htFDzgxMoemPXurNmxyVvOSTHLlBjIQKavuNhmMfjftpAKSxS gCWSe8R5exjksIh07p2AwZY1DgWqbZSt48zlXdeNR8xcDnmhsDRGzKtEnQrCHxWv DB9XFjWFva0ydqf8gM6x21G2EjWBmk6Ho94333wbw2t8jj0us5Z/awJABAHGyNyc iS1Bw1Mtqnjmxe7bGfF5cXmw/3Dh/DrVbLUqezeGFiAKSZIVG8+djPXSlEMAARj6 Q11CYZ+LzmlYKKpls1uU+D2/mYlr29nCmAntwi7DhJHmCuSZXUprkYT6H6+3Ndhb 7uDWsxmHNRPzmPckBQtgimRAveSXviwl+5cN09Sna3Yagzm9Z2F0S+SeUJd91nm1 6JKSUF+PHt1MeVg3xl0SlxjIiwTVie12ncTSTvXMYduc7N4OleQoGEykPsIKY8OK kG5MWha+VQ7JOV19qVEkjuag6lS/J5kO4SnCNf3oCEuezvJBVSVK1Q1J36OMSqxr oxBtQFTtYGtNaFLls8YTPW9yztY1IYZzfE6zEqOHWrbiVu1mdAsaUskXMQR10bCD XLGrESn3 -----END CERTIFICATE----- [Fri Sep 9 07:47:37 PM CST 2022] Your cert is in: /root/.acme.sh/*.example.org/example.org.cer [Fri Sep 9 07:47:37 PM CST 2022] Your cert key is in: /root/.acme.sh/*.example.org/example.org.key [Fri Sep 9 07:47:37 PM CST 2022] The intermediate CA cert is in: /root/.acme.sh/*.example.org/ca.cer [Fri Sep 9 07:47:37 PM CST 2022] And the full chain certs is there: /root/.acme.sh/*.example.org/fullchain.cer
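# Install the issued certificate files to a fixed path.
DOMAIN=example.org
CERT_PATH="/etc/ssl/certs/${DOMAIN}"
mkdir -p "${CERT_PATH}"
# Every expansion is quoted; "*.${DOMAIN}" in particular must reach acme.sh as
# a literal wildcard name rather than being glob-expanded by the shell.
acme.sh --install-cert -d "${DOMAIN}" -d "*.${DOMAIN}" \
  --cert-file "${CERT_PATH}/${DOMAIN}.cer" \
  --key-file "${CERT_PATH}/${DOMAIN}.key" \
  --fullchain-file "${CERT_PATH}/fullchain.cer"
# The private key lands in the same directory as the public certificates, and
# mkdir -p creates that directory with default (umask-derived) permissions, so
# pin the key itself to owner-only access.
# NOTE(review): a root-only directory for the key would be a stricter layout;
# confirm which account your TLS server reads the key as before moving it.
chmod 600 "${CERT_PATH}/${DOMAIN}.key"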
https://kn007.net/topics/using-acme-sh-and-acme-dns-get-googles-free-wildcard-ssl-certificate/