namesilo域名+香港服务器+acme.sh给网站生成免费ssl证书流程步骤

技术  /  管理员 发布于 2星期前   52

文章标题可以不看，哈哈，这个acme.sh申请证书跟它们虽然有关系，但是关系不大，只要你有就行，

废话不多说，我这有个新站想养养，解析完上线之后就想给搞个ssl证书，之前我也有写过类似的文章，

虽然步骤一样但是比较官方:

https://www.zongscan.com/demo333/89509.html

下面是我真实的项目操作，直接就把我用acme生成ssl的操作步骤记录之。

说明一下环境：

域名：namesilo
香港服务器
acme.sh

ps:

这里多说一句，网站是hyperf框架做的，环境是docker,

不过宿主机做nginx代理，所以对ssl生成没影响。

上面都ok了，网站也部署好，80端口可以访问了，其他就不多说了

进入步骤

安装acme,我这里是香港服务器，所以直接curl，后面跟自己的邮箱

root@iZj6cbsc4dkk193z0fenflZ:~# curl https://get.acme.sh | sh -s email=514224527@qq.com
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1032    0  1032    0     0   5212      0 --:--:-- --:--:-- --:--:--  5238
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  216k  100  216k    0     0  1574k      0 --:--:-- --:--:-- --:--:-- 1581k
[Tue Mar  7 03:00:32 PM CST 2023] Installing from online archive.
[Tue Mar  7 03:00:32 PM CST 2023] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Tue Mar  7 03:00:33 PM CST 2023] Extracting master.tar.gz
[Tue Mar  7 03:00:33 PM CST 2023] It is recommended to install socat first.
[Tue Mar  7 03:00:33 PM CST 2023] We use socat for standalone server if you use standalone mode.
[Tue Mar  7 03:00:33 PM CST 2023] If you don't use standalone mode, just ignore this warning.
[Tue Mar  7 03:00:33 PM CST 2023] Installing to /root/.acme.sh
[Tue Mar  7 03:00:33 PM CST 2023] Installed to /root/.acme.sh/acme.sh
[Tue Mar  7 03:00:33 PM CST 2023] Installing alias to '/root/.bashrc'
[Tue Mar  7 03:00:33 PM CST 2023] OK, Close and reopen your terminal to start using acme.sh
[Tue Mar  7 03:00:33 PM CST 2023] Installing cron job
no crontab for root
no crontab for root
[Tue Mar  7 03:00:33 PM CST 2023] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Mar  7 03:00:34 PM CST 2023] OK
[Tue Mar  7 03:00:34 PM CST 2023] Install success!
root@iZj6cbsc4dkk193z0fenflZ:~# ll
total 2304
drwx------ 11 root root    4096 Mar  7 15:00 ./
drwxr-xr-x 19 root root    4096 Mar  7 14:28 ../
drwx------  5 root root    4096 Mar  7 15:00 .acme.sh/
-rw-------  1 root root    7739 Mar  6 18:12 .bash_history
-rw-r--r--  1 root root    3137 Mar  7 15:00 .bashrc
drwx------  4 root root    4096 Mar  2 14:13 .cache/
drwx------  4 root root    4096 Mar  2 14:13 .config/
-rw-------  1 root root      20 Mar  7 11:18 .lesshst
drwxr-xr-x  7 root root    4096 Mar 28  2022 lnmp1.9/
-rw-r--r--  1 root root  202681 Jan 20 09:07 lnmp1.9.tar.gz
-rw-r--r--  1 root root 2069203 Mar  2 14:14 lnmp-install.log
drwxr-xr-x  3 root root    4096 Mar  2 14:13 .local/
-rw-------  1 root root    1381 Mar  6 13:39 .mysql_history
-rw-r--r--  1 root root     187 Mar  2 14:12 .pearrc
drwxr-xr-x  2 root root    4096 Dec 28 17:57 .pip/
-rw-r--r--  1 root root     161 Jul  9  2019 .profile
-rw-r--r--  1 root root     206 Mar  1 17:34 .pydistutils.cfg
drwxr-xr-x  2 root root    4096 Dec 28 17:49 .rpmdb/
drwx------  4 root root    4096 Mar  2 09:58 snap/
drwx------  2 root root    4096 Mar  2 11:41 .ssh/

创建bash的alias

root@iZj6cbsc4dkk193z0fenflZ:~# alias acme.sh=~/.acme.sh/acme.sh

我这里宿主机用nginx做代理，那就是用nginx方式

错误示范

root@iZj6cbsc4dkk193z0fenflZ:~# acme.sh --issue -d www.hofq.top --nginx
[Tue Mar  7 03:18:01 PM CST 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Mar  7 03:18:01 PM CST 2023] Create account key ok.
[Tue Mar  7 03:18:01 PM CST 2023] No EAB credentials found for ZeroSSL, let's get one
[Tue Mar  7 03:18:03 PM CST 2023] Registering account: https://acme.zerossl.com/v2/DV90
[Tue Mar  7 03:18:05 PM CST 2023] Registered
[Tue Mar  7 03:18:06 PM CST 2023] ACCOUNT_THUMBPRINT='Nynom-6Dolwi59qXenoI1ci2HkTcmMO44fWybJu_hNM'
[Tue Mar  7 03:18:06 PM CST 2023] Creating domain key
[Tue Mar  7 03:18:06 PM CST 2023] The domain key is here: /root/.acme.sh/www.hofq.top_ecc/www.hofq.top.key
[Tue Mar  7 03:18:06 PM CST 2023] Single domain='www.hofq.top'
[Tue Mar  7 03:18:06 PM CST 2023] Getting domain auth token for each domain
[Tue Mar  7 03:18:09 PM CST 2023] Getting webroot for domain='www.hofq.top'
[Tue Mar  7 03:18:09 PM CST 2023] Verifying: www.hofq.top
[Tue Mar  7 03:18:09 PM CST 2023] Nginx mode for domain:www.hofq.top
[Tue Mar  7 03:18:09 PM CST 2023] Can not find nginx conf.
[Tue Mar  7 03:18:09 PM CST 2023] Please add '--debug' or '--log' to check more details.
[Tue Mar  7 03:18:09 PM CST 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

ps:

这样会提示nginx配置文件找不到

Can not find nginx conf.

正确方式，指定nginx配置文件绝对路径，生成ssl证书

root@iZj6cbsc4dkk193z0fenflZ:~# acme.sh --issue -d www.hofq.top --nginx /usr/local/nginx/conf/vhost/hofq.conf
[Tue Mar  7 03:25:18 PM CST 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Mar  7 03:25:19 PM CST 2023] Single domain='www.hofq.top'
[Tue Mar  7 03:25:19 PM CST 2023] Getting domain auth token for each domain
[Tue Mar  7 03:25:23 PM CST 2023] Getting webroot for domain='www.hofq.top'
[Tue Mar  7 03:25:23 PM CST 2023] Verifying: www.hofq.top
[Tue Mar  7 03:25:23 PM CST 2023] Nginx mode for domain:www.hofq.top
[Tue Mar  7 03:25:23 PM CST 2023] Found conf file: /usr/local/nginx/conf/vhost/hofq.conf
[Tue Mar  7 03:25:23 PM CST 2023] Backup /usr/local/nginx/conf/vhost/hofq.conf to /root/.acme.sh/www.hofq.top_ecc/backup/www.hofq.top.nginx.conf
[Tue Mar  7 03:25:23 PM CST 2023] Check the nginx conf before setting up.
[Tue Mar  7 03:25:23 PM CST 2023] OK, Set up nginx config file
[Tue Mar  7 03:25:23 PM CST 2023] nginx conf is done, let's check it again.
[Tue Mar  7 03:25:23 PM CST 2023] Reload nginx
[Tue Mar  7 03:25:28 PM CST 2023] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Mar  7 03:25:32 PM CST 2023] Success
[Tue Mar  7 03:25:32 PM CST 2023] Restoring from /root/.acme.sh/www.hofq.top_ecc/backup/www.hofq.top.nginx.conf to /usr/local/nginx/conf/vhost/hofq.conf
[Tue Mar  7 03:25:32 PM CST 2023] Reload nginx
[Tue Mar  7 03:25:32 PM CST 2023] Verify finished, start to sign.
[Tue Mar  7 03:25:32 PM CST 2023] Lets finalize the order.
[Tue Mar  7 03:25:32 PM CST 2023] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/KHnhZRVcpwfdc7L25GVIMQ/finalize'
[Tue Mar  7 03:25:34 PM CST 2023] Order status is processing, lets sleep and retry.
[Tue Mar  7 03:25:34 PM CST 2023] Retry after: 15
[Tue Mar  7 03:25:50 PM CST 2023] Polling order status: https://acme.zerossl.com/v2/DV90/order/KHnhZRVcpwfdc7L25GVIMQ
[Tue Mar  7 03:25:51 PM CST 2023] Downloading cert.
[Tue Mar  7 03:25:51 PM CST 2023] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/5_hS63jJg-1LKPKD1mOWvQ'
[Tue Mar  7 03:25:53 PM CST 2023] Cert success.
-----BEGIN CERTIFICATE-----
MIID+zCCA4GgAwIBAgIRAL55qDrr5rE5RElnxyvq7PkwCgYIKoZIzj0EAwMwSzEL
MAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9TU0wg
RUNDIERvbWFpbiBTZWN1cmUgU2l0ZSBDQTAeFw0yMzAzMDcwMDAwMDBaFw0yMzA2
MDUyMzU5NTlaMBcxFTATBgNVBAMTDHd3dy5ob2ZxLnRvcDBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABMpAkoNIWRUrMMVCZ1swOgYR5f2WhGu98knka+MdZNu90/Tt
HCiW1JfPB8BDNZkLfavG10E8EdcAsjp8dV7NccWjggJ4MIICdDAfBgNVHSMEGDAW
gBQPa+ZLzjlHrvZ+kB558DCRkshfozAdBgNVHQ4EFgQUvWcalrvftp6CWCTzrwc1
YfUFAE4wDgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI
KwYBBQUHAwEGCCsGAQUFBwMCMEkGA1UdIARCMEAwNAYLKwYBBAGyMQECAk4wJTAj
BggrBgEFBQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNvbS9DUFMwCAYGZ4EMAQIBMIGI
BggrBgEFBQcBAQR8MHowSwYIKwYBBQUHMAKGP2h0dHA6Ly96ZXJvc3NsLmNydC5z
ZWN0aWdvLmNvbS9aZXJvU1NMRUNDRG9tYWluU2VjdXJlU2l0ZUNBLmNydDArBggr
BgEFBQcwAYYfaHR0cDovL3plcm9zc2wub2NzcC5zZWN0aWdvLmNvbTCCAQQGCisG
AQQB1nkCBAIEgfUEgfIA8AB2AK33vvp8/xDIi509nB4+GGq0Zyldz7EMJMqFhjTr
3IKKAAABhrr2FaMAAAQDAEcwRQIhAPAUK0Un0iFJRa8Dwf7tICOmcixCCW+Zp+0k
n8NC4DAFAiBN/ytKB6nS3fdIW0nzOmDE06hNaozMLLeDoKyv/wZmvwB2AHoyjFTY
ty22IOo44FIe6YQWcDIThU070ivBOlejUutSAAABhrr2FgwAAAQDAEcwRQIgaP3K
22Otxo37sfXb3qrKfsHRuu6bz8G6+bi99s+mdG0CIQC4NfVTT4rxt08a+KvxegdF
uT0YGbh76r+oWA5Iquxq/DAXBgNVHREEEDAOggx3d3cuaG9mcS50b3AwCgYIKoZI
zj0EAwMDaAAwZQIwVlIzlsPh+AJcunWkZHXmb9a9e984uPX+DpiPRHRbrFNucszP
X6qhPa6SymBuC3QXAjEA71C0O1Naud84tQe5Gl6XW8r/E33dVvThmYe5Qn4obb3s
OU4dIyUEMJAdihIz6l49
-----END CERTIFICATE-----
[Tue Mar  7 03:25:53 PM CST 2023] Your cert is in: /root/.acme.sh/www.hofq.top_ecc/www.hofq.top.cer
[Tue Mar  7 03:25:53 PM CST 2023] Your cert key is in: /root/.acme.sh/www.hofq.top_ecc/www.hofq.top.key
[Tue Mar  7 03:25:53 PM CST 2023] The intermediate CA cert is in: /root/.acme.sh/www.hofq.top_ecc/ca.cer
[Tue Mar  7 03:25:53 PM CST 2023] And the full chain certs is there: /root/.acme.sh/www.hofq.top_ecc/fullchain.cer

看到以上信息：

Cert success.就生成成功了

把生成的证书cp到指定位置，就是你nginx配置文件上指向证书的位置

比如我这里是：

/usr/local/nginx/conf/cert

root@iZj6cbsc4dkk193z0fenflZ:~# acme.sh --install-cert -d www.hofq.top \
> --key-file       /usr/local/nginx/conf/cert/key.pem  \
> --fullchain-file /usr/local/nginx/conf/cert/cert.pem \
> --reloadcmd     "/usr/local/nginx/sbin/nginx -s reload"
[Tue Mar  7 03:29:28 PM CST 2023] The domain 'www.hofq.top' seems to have a ECC cert already, lets use ecc cert.
[Tue Mar  7 03:29:29 PM CST 2023] Installing key to: /usr/local/nginx/conf/cert/key.pem
[Tue Mar  7 03:29:29 PM CST 2023] Installing full chain to: /usr/local/nginx/conf/cert/cert.pem
[Tue Mar  7 03:29:29 PM CST 2023] Run reload cmd: /usr/local/nginx/sbin/nginx -s reload
[Tue Mar  7 03:29:29 PM CST 2023] Reload success

ps:

最后一个--reloadcmd就是字面意思重载nginx配置文件立即生效

在一次提示注意：

上面的命令注意把邮箱，域名改成自己的，别cc cv.

这样就ok了，访问一下看看效果