一、安裝acme.sh(Let's Encrypt 客戶端)
github:https://github.com/Neilpang/acme.sh
wget -O - https://get.acme.sh | sh
安裝完成后,會自動增加任務用于證書的自動更新
注意:使用acme.sh不必在root下操作,但建議在root下操作
二、手工申請證書:
注:這種方法一般適用于DNS供應商不提供API的場景,且必須帶有參數--yes-I-know-dns-manual-mode-enough-go-ahead-please,且不能自動續期
1、首先配置好要申請證書的域名,例如:*.myimportantdomain.com,一般為10分鐘:
acme.sh --issue --dns -d \
*.myimportantdomain.com \
--yes-I-know-dns-manual-mode-enough-go-ahead-please
2、根據提示(會以綠色文字顯示)在DNS中創建所申請域名的對應的TXT記錄,并等待DNS記錄生效,一般為10分鐘:
Add the following TXT record:
Domain: '_acme-challenge.myimportantdomain.com'
TXT value: '123pXF6fDUM88pg14kY123D3AUc5Cd_YVYZ5znpnC38'
Please be aware that you prepend _acme-challenge. before your domain
so the resulting subdomain will be: _acme-challenge..myimportantdomain.com
Please add the TXT records to the domains, and re-run with --renew.
Please add '--debug' or '--log' to check more details.
See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
3、等待DNS解析生效后,執行以下命令
acme.sh --renew --dns \
-d *.myimportantdomain.com
--yes-I-know-dns-manual-mode-enough-go-ahead-please
4、申請成功,會提示證書文件存放位置:
Your cert is in /root/.acme.sh/*.myimportantdomain.com/*.myimportantdomain.com.cer
Your cert key is in /root/.acme.sh/*.myimportantdomain.com/*.myimportantdomain.com.key
v2 chain.
The intermediate CA cert is in /root/.acme.sh/*.myimportantdomain.com/ca.cer
And the full chain certs is there: /root/.acme.sh/*.myimportantdomain.com/fullchain.cer
_on_issue_success
三、安裝證書:
acme.sh --install-cert -d *.myimportantdomain.com \
--key-file /usr/local/nginx/conf/*.myimportantdomain.com.key \
--fullchain-file /usr/local/nginx/conf/*.myimportantdomain.com \
--reloadCmd "nginx -s restart"
