Complete Guide to Obtaining a Domain SSL/TLS Certificate with acme.sh
Introduction
This guide explains in detail how to obtain and manage SSL/TLS certificates with acme.sh and ZeroSSL. Using cheungxiongwei.com as the example, it covers the complete process from installation to automatic renewal, including the configuration of both the apex (root) domain and a wildcard certificate.
Why choose acme.sh and ZeroSSL?
- Free, unlimited certificates: generate any number of 90-day SSL certificates at no cost
- Wildcard support: protect any number of subdomains with a single certificate
- Automated management: built-in certificate renewal and deployment
- Multi-domain support: issue one certificate covering several domains at once
- Account integration: every certificate is stored in your ZeroSSL account
Prerequisites
- A Linux server with root access
- A registered domain name
- Basic command-line knowledge
- Access to the domain's DNS settings
Installation
Step 1: Install acme.sh
curl https://get.acme.sh | sh
source ~/.bashrc
acme.sh --version
Step 2: Configure ZeroSSL
- Set ZeroSSL as the default certificate authority:
acme.sh --set-default-ca --server zerossl
- Set the ZeroSSL EAB (External Account Binding) credentials:
  - Open the ZeroSSL dashboard
  - Generate the EAB credentials
  - Configure the credentials:
export ZERO_EAB_KEY="你的_eab_key"
export ZERO_EAB_HMAC="你的_eab_hmac"
Certificate Issuance
Method 1: Manual DNS Validation (recommended for beginners)
- Start the certificate request (the wildcard name is quoted so the shell does not try to expand it as a glob):
acme.sh --issue --dns -d cheungxiongwei.com -d "*.cheungxiongwei.com" --yes-I-know-dns-manual-mode-enough-go-ahead-please
Example output:
root@VM-20-16-debian:~# acme.sh --issue --dns -d cheungxiongwei.com -d *.cheungxiongwei.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Wed Dec 25 11:00:37 PM CST 2024] Domains have changed.
[Wed Dec 25 11:00:40 PM CST 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Wed Dec 25 11:00:41 PM CST 2024] Multi domain='DNS:cheungxiongwei.com,DNS:*.cheungxiongwei.com'
[Wed Dec 25 11:00:56 PM CST 2024] Getting webroot for domain='cheungxiongwei.com'
[Wed Dec 25 11:00:56 PM CST 2024] Getting webroot for domain='*.cheungxiongwei.com'
[Wed Dec 25 11:00:56 PM CST 2024] Add the following TXT record:
[Wed Dec 25 11:00:56 PM CST 2024] Domain: '_acme-challenge.cheungxiongwei.com'
[Wed Dec 25 11:00:56 PM CST 2024] TXT value: 'lKfyLYE1Qu8BZ8Tdh8KU_lYuhLJzVOwxMyP_ZB_moUw'
[Wed Dec 25 11:00:56 PM CST 2024] Please make sure to prepend '_acme-challenge.' to your domain
[Wed Dec 25 11:00:56 PM CST 2024] so that the resulting subdomain is: _acme-challenge.cheungxiongwei.com
[Wed Dec 25 11:00:56 PM CST 2024] Add the following TXT record:
[Wed Dec 25 11:00:56 PM CST 2024] Domain: '_acme-challenge.cheungxiongwei.com'
[Wed Dec 25 11:00:56 PM CST 2024] TXT value: 'Ior4i9eurMXy3AsdXrhwap18hhBOsrjETORkI-yv7JM'
[Wed Dec 25 11:00:56 PM CST 2024] Please make sure to prepend '_acme-challenge.' to your domain
[Wed Dec 25 11:00:56 PM CST 2024] so that the resulting subdomain is: _acme-challenge.cheungxiongwei.com
[Wed Dec 25 11:00:56 PM CST 2024] Please add the TXT records to the domains, and re-run with --renew.
[Wed Dec 25 11:00:56 PM CST 2024] Please check log file for more details: /root/.acme.sh/acme.sh.log
- Add the DNS TXT records (one record per value that acme.sh printed; in the output above there are two, one for the apex domain and one for the wildcard):
| Record type | Host | Value |
|---|---|---|
| TXT | _acme-challenge | [value provided by acme.sh] |
- Verify DNS resolution:
dig TXT _acme-challenge.cheungxiongwei.com
Example output:
root@VM-20-16-debian:~# dig TXT _acme-challenge.cheungxiongwei.com

; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> TXT _acme-challenge.cheungxiongwei.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36339
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.cheungxiongwei.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.cheungxiongwei.com. 600 IN TXT "lKfyLYE1Qu8BZ8Tdh8KU_lYuhLJzVOwxMyP_ZB_moUw"
_acme-challenge.cheungxiongwei.com. 600 IN TXT "Ior4i9eurMXy3AsdXrhwap18hhBOsrjETORkI-yv7JM"

;; Query time: 76 msec
;; SERVER: 183.60.83.19#53(183.60.83.19) (UDP)
;; WHEN: Wed Dec 25 23:11:19 CST 2024
;; MSG SIZE rcvd: 155
- Complete the certificate issuance once the records resolve:
acme.sh --renew -d cheungxiongwei.com -d "*.cheungxiongwei.com" --yes-I-know-dns-manual-mode-enough-go-ahead-please
Example output:
root@VM-20-16-debian:~# acme.sh --renew --force -d cheungxiongwei.com -d "*.cheungxiongwei.com" --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Wed Dec 25 11:15:56 PM CST 2024] The domain 'cheungxiongwei.com' seems to already have an ECC cert, let's use it.
[Wed Dec 25 11:15:56 PM CST 2024] Renewing: 'cheungxiongwei.com'
[Wed Dec 25 11:15:56 PM CST 2024] Renewing using Le_API=https://acme.zerossl.com/v2/DV90
[Wed Dec 25 11:15:58 PM CST 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Wed Dec 25 11:15:58 PM CST 2024] Multi domain='DNS:cheungxiongwei.com,DNS:*.cheungxiongwei.com'
[Wed Dec 25 11:15:58 PM CST 2024] Verifying: cheungxiongwei.com
[Wed Dec 25 11:16:04 PM CST 2024] Processing. The CA is processing your order, please wait. (1/30)
[Wed Dec 25 11:16:12 PM CST 2024] Success
[Wed Dec 25 11:16:12 PM CST 2024] Verifying: *.cheungxiongwei.com
[Wed Dec 25 11:16:17 PM CST 2024] Processing. The CA is processing your order, please wait. (1/30)
[Wed Dec 25 11:16:24 PM CST 2024] Success
[Wed Dec 25 11:16:24 PM CST 2024] Verification finished, beginning signing.
[Wed Dec 25 11:16:24 PM CST 2024] Let's finalize the order.
[Wed Dec 25 11:16:24 PM CST 2024] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/CfiC81TBj8Hl3TXQElLq1g/finalize'
[Wed Dec 25 11:16:27 PM CST 2024] Order status is 'processing', let's sleep and retry.
[Wed Dec 25 11:16:27 PM CST 2024] Sleeping for 15 seconds then retrying
[Wed Dec 25 11:16:43 PM CST 2024] Polling order status: https://acme.zerossl.com/v2/DV90/order/eenYsldoeabFVRi0pP96-w
[Wed Dec 25 11:16:44 PM CST 2024] Downloading cert.
[Wed Dec 25 11:16:44 PM CST 2024] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/m-mHnT0JgETLrBvoxWvbAq'
[Wed Dec 25 11:16:46 PM CST 2024] Cert success.
[Wed Dec 25 11:16:46 PM CST 2024] Your cert is in: /root/.acme.sh/cheungxiongwei.com_ecc/cheungxiongwei.com.cer
[Wed Dec 25 11:16:46 PM CST 2024] Your cert key is in: /root/.acme.sh/cheungxiongwei.com_ecc/cheungxiongwei.com.key
[Wed Dec 25 11:16:46 PM CST 2024] The intermediate CA cert is in: /root/.acme.sh/cheungxiongwei.com_ecc/ca.cer
[Wed Dec 25 11:16:46 PM CST 2024] And the full-chain cert is in: /root/.acme.sh/cheungxiongwei.com_ecc/fullchain.cer
- Verify that the certificate contents are correct:
openssl x509 -in /root/.acme.sh/cheungxiongwei.com_ecc/cheungxiongwei.com.cer -text -noout
Example output:
root@VM-20-16-debian:~# openssl x509 -in /root/.acme.sh/cheungxiongwei.com_ecc/cheungxiongwei.com.cer -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a6:df:e7:9c:58:8e:11:f0:53:42:a9:bd:1e:b4:1e:ee
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = AT, O = ZeroSSL, CN = ZeroSSL ECC Domain Secure Site CA
        Validity
            Not Before: Dec 25 00:00:00 2024 GMT
            Not After : Mar 25 23:59:59 2025 GMT
        Subject: CN = cheungxiongwei.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:88:23:25:aa:b8:36:9f:40:ee:b8:ca:f7:95:6a:
                    a4:b0:f5:81:68:11:95:aa:37:fc:04:34:4a:ce:ee:
                    68:f8:a2:fd:54:22:e3:df:cb:ee:36:74:8b:45:ac:
                    c4:ff:88:76:c4:2a:07:2f:d8:aa:23:aa:a6:48:fc:
                    24:18:4b:75:3d
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                0F:6B:E6:4B:CE:49:47:AE:F6:7E:90:1E:79:F0:30:91:92:C8:5F:A3
            X509v3 Subject Key Identifier:
                1F:BB:DD:9D:3D:C9:4B:C2:A8:B5:E9:E4:65:D7:70:B6:46:D2:6E:26
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6459.1.2.2.78
                  CPS: https://sectigo.com/CPS
                Policy: 2.23.141.1.2.1
            Authority Information Access:
                CA Issuers - URI:http://zerossl.crt.sectigo.com/ZeroSSLECCDomainSecureSiteCA.crt
                OCSP - URI:http://zerossl.ocsp.sectigo.com
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : CF:11:56:EE:D5:2E:7C:AF:F3:87:5B:D9:69:2E:9B:E9:1A:71:67:4A:B0:17:EC:AC:11:D2:5B:77:CE:CC:3B:08
                    Timestamp : Dec 25 16:07:35.839 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:49:47:9A:90:8C:EB:C7:CD:EF:B9:80:C5:F3:41:B6:0F:17:15:E7:B9:E8:68:BD:45:EC:62:47:DB:AB:92:89:F7:02:21:00:BB:44:9A:66:80:01:D0:EB:70:69:08:33:D3:21:55:BB:A7:B8:C1:1E:94:5A:61:DB:B5:C2:CF:72:4D:8D:A2:5A
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : CC:FB:0F:6A:85:71:09:65:FE:95:9B:53:CE:E9:B2:7C:22:E9:85:5C:0D:97:8D:B6:A1:7E:54:C0:FE:4C:0D:B0
                    Timestamp : Dec 25 16:07:35.787 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:AE:D0:2F:DA:D6:88:93:8E:67:F0:E0:2E:32:B6:AC:2A:98:9F:7A:D2:52:5A:1C:3A:33:E1:AC:60:8B:14:45:DB:02:21:00:89:06:FB:39:DA:68:9F:FC:F0:F2:74:AD:D8:3C:5A:6C:37:C3:55:C4:33:51:E3:46:CC:FC:7C:75:48:70:42:4F
            X509v3 Subject Alternative Name:
                DNS:cheungxiongwei.com, DNS:*.cheungxiongwei.com
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:64:02:30:0b:5a:fb:bb:b4:30:29:16:42:49:87:37:58:cb:4b:09:28:85:ff:8b:11:d4:d2:24:43:cf:77:bf:02:b6:d6:40:0a:cb:bf:56:fe:2d:da:e5:4f:1b:d8:f6:ab:53:e4:b0:02:30:15:f2:de:ba:89:4c:fe:cf:d2:24:40:1a:e1:3f:8b:c1:b9:9c:fe:62:77:57:d9:88:6d:b7:38:29:8d:04:61:6b:d9:4e:a7:74:b7:f6:2e:f6:9b:02:b7:ed:a4:ae:2d:27
The Subject Alternative Name lists both domain names, including the wildcard (*), which confirms the certificate was issued correctly.
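The "verify DNS resolution" step above is the one that fails most often, because the records are not yet visible when --renew is run. The following script is an added example (not part of the original guide or of acme.sh) that parses dig's answer section and confirms every challenge value acme.sh printed is present, with an optional polling loop for propagation delays; the sample dig output and the wait_for_txt function are my additions, and manual DNS mode needs this check repeated on every renewal because acme.sh cannot publish the records itself.

```shell
#!/bin/sh
# Added example, not part of the original guide: confirm that every TXT value
# acme.sh printed is visible in DNS before re-running "acme.sh --renew".
# Manual DNS mode needs this step repeated for every renewal, because acme.sh
# cannot publish the records itself. Assumes dig is installed.

# Print the TXT values (without quotes) that dig returned for the name in $1.
# Reads dig output on stdin; the question section starts with ";" so it is skipped.
txt_values_from_dig() {
    awk -v name="$1." '
        $1 == name && $4 == "TXT" {
            n = split($0, part, "\"")   # the value sits between the first two quotes
            if (n >= 3) print part[2]
        }'
}

# Return 0 when every expected value in $2.. is present for the name in $1;
# otherwise report the first missing value on stderr and return 1.
txt_values_present() {
    name=$1; shift
    found=$(txt_values_from_dig "$name")
    for want in "$@"; do
        printf '%s\n' "$found" | grep -qxF -- "$want" || {
            printf 'TXT record not yet visible for %s: %s\n' "$name" "$want" >&2
            return 1
        }
    done
}

# Poll DNS with dig until the values are visible or $1 attempts have passed,
# sleeping $2 seconds between attempts (propagation can take several minutes).
wait_for_txt() {   # $1 = attempts, $2 = seconds between attempts, $3 = name, $4.. = values
    tries=$1; pause=$2; shift 2
    while [ "$tries" -gt 0 ]; do
        dig TXT "$1" | txt_values_present "$@" 2>/dev/null && return 0
        tries=$((tries - 1)); sleep "$pause"
    done
    return 1
}

# Live use on the server, with the two values from the guide's acme.sh output:
# wait_for_txt 30 30 _acme-challenge.cheungxiongwei.com \
#     lKfyLYE1Qu8BZ8Tdh8KU_lYuhLJzVOwxMyP_ZB_moUw Ior4i9eurMXy3AsdXrhwap18hhBOsrjETORkI-yv7JM

# Constructed sample in the shape of the guide's dig answer section, so the
# parsing functions can be exercised without network access.
SAMPLE_DIG='_acme-challenge.cheungxiongwei.com. 600 IN TXT "lKfyLYE1Qu8BZ8Tdh8KU_lYuhLJzVOwxMyP_ZB_moUw"
_acme-challenge.cheungxiongwei.com. 600 IN TXT "Ior4i9eurMXy3AsdXrhwap18hhBOsrjETORkI-yv7JM"'
```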
Method 2: Automatic DNS API Validation
- Configure the DNS API credentials (DNSPod as the example):
export DP_Id="API_ID"
export DP_Key="API_KEY"
- Issue the certificate (the wildcard name is quoted so the shell does not expand it):
acme.sh --issue --dns dns_dp -d cheungxiongwei.com -d "*.cheungxiongwei.com"
Certificate Installation and Management
Step 1: Create the SSL directory
sudo mkdir -p /etc/ssl/cheungxiongwei.com
Step 2: Install the certificate
acme.sh --install-cert -d cheungxiongwei.com \
--key-file /etc/ssl/cheungxiongwei.com/cheungxiongwei.com.key \
--fullchain-file /etc/ssl/cheungxiongwei.com/fullchain.cer \
--reloadcmd "systemctl reload nginx"
Step 3: Configure Nginx
server {
    listen 443 ssl;
    server_name cheungxiongwei.com www.cheungxiongwei.com;
    ssl_certificate /etc/ssl/cheungxiongwei.com/fullchain.cer;               # full certificate chain
    ssl_certificate_key /etc/ssl/cheungxiongwei.com/cheungxiongwei.com.key;  # private key file
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    root /var/www/cheungxiongwei.com;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
server {
    listen 80;
    server_name cheungxiongwei.com www.cheungxiongwei.com;
    return 301 https://$host$request_uri;
}
Step 4: Test and restart Nginx
sudo nginx -t
sudo systemctl restart nginx
Certificate Files
- fullchain.cer: the full certificate chain, used in the server configuration
- cheungxiongwei.com.key: the private key (must be kept secure)
- ca.cer: the intermediate certificate
- cheungxiongwei.com.cer: the domain (leaf) certificate
Automatic Renewal
acme.sh installs a cron job that runs daily and renews any certificate that is due. Because the --install-cert command used earlier recorded the target file paths and the reload command, each renewal also copies the new files into place and reloads Nginx.
Verification
- Check the HTTPS connection: open https://cheungxiongwei.com
- Verify the wildcard certificate: test any subdomain, for example https://www.cheungxiongwei.com
- Inspect the certificate details in the browser
Troubleshooting Tips
- If DNS validation fails, wait 10-15 minutes for the records to propagate
- Check the Nginx error log:
sudo tail -f /var/log/nginx/error.log
- Verify the certificate paths in the Nginx configuration
- Make sure the SSL certificate files have the correct permissions
Security Best Practices
- Keep the private key secure and back it up
- Use only TLS 1.2 and 1.3
- Monitor certificate expiry regularly
- Maintain secure backups of the certificate files
- Use a strong SSL cipher configuration
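Three of the points above (the certificate paths in the Nginx config, the key file permissions, and monitoring expiry) can be checked mechanically. The script below is an added example, not part of the original guide or of acme.sh: it uses the same openssl CLI the guide uses and the guide's install paths, and the self-signed example.test certificate it generates is a constructed stand-in so the checks can be tried without the real files.

```shell
#!/bin/sh
# Added example, not part of the original guide: health checks for the installed
# certificate, using the paths this guide installs to. Assumes the openssl CLI.
CERT=/etc/ssl/cheungxiongwei.com/fullchain.cer          # guide's full-chain path
KEY=/etc/ssl/cheungxiongwei.com/cheungxiongwei.com.key  # guide's private key path

# 0 if the certificate stays valid for more than $2 days. openssl -checkend takes
# seconds, so no date parsing is needed; a 90-day cert should be renewed well before.
cert_valid_for_days() {   # $1 = cert file, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 if every DNS name in $2.. is listed in the Subject Alternative Name extension
# (the same field the guide inspects with "openssl x509 -text").
cert_covers_names() {
    cert=$1; shift
    sans=$(openssl x509 -in "$cert" -noout -text |
        awk '/Subject Alternative Name/ { getline; print }' | tr -d ' ' | tr ',' '\n')
    for want in "$@"; do
        printf '%s\n' "$sans" | grep -qxF -- "DNS:$want" || return 1
    done
}

# 0 if the key's public half equals the public key inside the certificate, which
# catches a cert/key mix-up in ssl_certificate / ssl_certificate_key.
key_matches_cert() {   # $1 = cert file, $2 = key file
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 if the key has no group/other permission bits (owner-only access).
key_is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample for trying the checks offline: a throwaway self-signed ECDSA
# certificate for example.test with a wildcard SAN, valid for 90 days.
make_sample_cert() {   # $1 = output directory
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/sample.key" -out "$1/sample.cer" -days 90 \
        -subj "/CN=example.test" \
        -addext "subjectAltName=DNS:example.test,DNS:*.example.test" 2>/dev/null
}

# On the server, run the four checks against the real files:
# cert_valid_for_days "$CERT" 14 && cert_covers_names "$CERT" cheungxiongwei.com '*.cheungxiongwei.com' \
#     && key_matches_cert "$CERT" "$KEY" && key_is_owner_only "$KEY" && echo "certificate OK"
```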
Summary
Your domain is now protected by a complete SSL certificate covering both the apex domain and the wildcard. The setup includes automatic renewal and a hardened Nginx configuration. Check the SSL configuration regularly with an online SSL testing tool to keep it aligned with best practices and security updates.