Recording the commands I used to request a ZeroSSL wildcard certificate for my own site, for later reference
I. Preparation
1. DNSPod Token
Go to the DNSPod console and create a DNSPod Token
Link: https://console.dnspod.cn/account/token/token
2. Register a ZeroSSL account and request EAB credentials
Link: Register an account
Link: Request EAB credentials
II. Requesting the certificate
The request below uses example.com and *.example.com as the example; substitute the domains you actually need
# replace my@example.com with your own email address (the installer takes it as email=...)
curl https://get.acme.sh | sh -s email=my@example.com
I found that after the install finished, running acme.sh from bash reported command not found, so an alias needs to be added
echo "alias acme.sh='/root/.acme.sh/acme.sh'" >> /root/.bashrc
source /root/.bashrc
Next, set environment variables so acme.sh can read the DNSPod Token created in the preparation step
export DP_Id="<your dnspod token id>"
export DP_Key="<your dnspod token>"
Then hand the ZeroSSL account details to acme.sh; this uses the EAB credentials requested in the preparation step
acme.sh --register-account \
  --server zerossl \
  --eab-kid <your eab key id> \
  --eab-hmac-key <your eab hmac key>
Once that completes, you can go ahead and request the certificate
acme.sh --issue \
  --server zerossl \
  --dns dns_dp \
  -d '*.example.com' \
  -d example.com
acme.sh will then update the DNS records automatically to complete the request. Wait for the command to finish; if you see log lines like the ones below, the certificate was issued. If not, append --debug to the issue command to see the specific cause of the error
[Tue 19 Dec 2023 03:18:42 PM CST] Your cert is in: /root/.acme.sh/xxxxxxxxxxxxxxxxxxxxxxxxxxxx
[Tue 19 Dec 2023 03:18:42 PM CST] Your cert key is in: /root/.acme.sh/xxxxxxxxxxxxxxxxxxxxxxxxxxxx
[Tue 19 Dec 2023 03:18:42 PM CST] The intermediate CA cert is in: /root/.acme.sh/xxxxxxxxxxxxxxxxxxxxxxxxxxxx
[Tue 19 Dec 2023 03:18:42 PM CST] And the full chain certs is /root/.acme.sh/xxxxxxxxxxxxxxxxxxxxxxxxxxxx
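The DNSPod token exported above is an API credential: typed into an interactive shell it lands in shell history, and an unquoted -d *.example.com can be glob-expanded by the shell before acme.sh ever sees it. The following POSIX shell functions are an added example, not part of the original post and not part of acme.sh: they load DP_Id and DP_Key (the variable names the dns_dp hook reads) from a mode-600 file and run the issue command with every domain passed as its own argument. The credentials file path and its KEY=VALUE layout are this example's own convention, and the ACME_SH variable is an assumption of this example (it defaults to acme.sh on PATH).

```shell
#!/bin/sh
# Added example (not from the original post and not part of acme.sh):
# load the DNSPod API token for acme.sh's dns_dp hook from a mode-600 file
# instead of typing `export DP_Key=...` into an interactive shell, where the
# secret ends up in shell history. The file path and its KEY=VALUE layout are
# this example's own convention; DP_Id and DP_Key are the variable names the
# dns_dp hook reads.

# file_mode FILE -> prints the octal permission bits (GNU stat, BSD stat fallback)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# load_dnspod_creds FILE -> exports DP_Id and DP_Key, or returns 1
# Refuses a file that is group- or world-readable, so a token copied in with
# loose permissions is caught before it is used.
load_dnspod_creds() {
  creds=$1
  [ -f "$creds" ] || { echo "credentials file not found: $creds" >&2; return 1; }
  mode=$(file_mode "$creds")
  case "$mode" in
    600 | 400) ;;
    *) echo "refusing $creds: mode $mode, run: chmod 600 '$creds'" >&2; return 1 ;;
  esac
  # Only the two expected keys are read; anything else in the file is ignored.
  DP_Id=$(sed -n 's/^DP_Id=//p' "$creds")
  DP_Key=$(sed -n 's/^DP_Key=//p' "$creds")
  if [ -z "$DP_Id" ] || [ -z "$DP_Key" ]; then
    echo "DP_Id or DP_Key missing in $creds" >&2
    return 1
  fi
  export DP_Id DP_Key
}

# issue_cert DOMAIN... -> runs acme.sh --issue for the ZeroSSL + DNSPod flow.
# The positional parameters are rotated into "-d DOMAIN" pairs without any
# word splitting, so a wildcard such as '*.example.com' is never glob-expanded.
# ACME_SH (an assumption of this example) can point at the acme.sh script;
# it defaults to "acme.sh" on PATH.
issue_cert() {
  n=$#
  while [ "$n" -gt 0 ]; do
    d=$1
    shift
    set -- "$@" -d "$d"
    n=$((n - 1))
  done
  "${ACME_SH:-acme.sh}" --issue --server zerossl --dns dns_dp "$@"
}

# Typical use (constructed path):
#   load_dnspod_creds /root/.dnspod-token && issue_cert '*.example.com' example.com
```

After the first successful --issue, acme.sh stores DP_Id and DP_Key in ~/.acme.sh/account.conf so that renewals need no exported variables; keep that file's permissions as tight as the source file's.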
III. Installing the certificate
Once issued, the certificate is stored under /root/.acme.sh, but acme.sh advises against copying the files out by hand: a plain copy will not be refreshed on automatic renewal. Using nginx as the example, install the issued certificate for nginx to use
First create /etc/nginx/ssl/example.com to hold the example.com certificate files
# -d must be the first domain that was passed to --issue; the '*' paths are quoted so the shell does not glob-expand them
acme.sh --install-cert \
  -d '*.example.com' \
  --key-file '/etc/nginx/ssl/example.com/*.example.com.key' \
  --fullchain-file '/etc/nginx/ssl/example.com/*.example.com.fullchain.cer' \
  --reloadcmd "service nginx force-reload"
Here is an nginx SSL configuration template as well, in case it comes in handy
# ssl.conf
server_tokens off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 60m;
ssl_session_tickets on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
ssl_prefer_server_ciphers on;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients still need them
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# the 3DES (DES-CBC3-SHA) and SHA-1 CBC suites at the tail of this list exist only for legacy clients
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
add_header Strict-Transport-Security "max-age=31536000;includeSubDomains;preload";
add_header X-Frame-Options deny;
add_header X-Content-Type-Options nosniff;
add_header x-xss-protection "1; mode=block";
# 'unsafe-inline' and 'unsafe-eval' in script-src weaken the CSP's protection against injected scripts; tighten per site
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https:; connect-src 'self' https:; img-src 'self' data: https: blob:; style-src 'unsafe-inline' https:; font-src https:";
# example.com.conf
server {
    listen 80;
    server_name *.example.com;
    rewrite ^(.*)$ https://$host$1 permanent;
}
server {
    listen 443 ssl;
    # server_name *.example.com does not cover the bare example.com; add it here if the apex should be served too
    server_name *.example.com;
    include /etc/nginx/ssl.conf;
    # certificate path (the file names written by --install-cert above)
    ssl_certificate /etc/nginx/ssl/example.com/*.example.com.fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/example.com/*.example.com.key;
}
IV. Closing notes
A few acme.sh commands for reference
Show certificate information
acme.sh --info -d '*.example.com'
Uninstall acme.sh
acme.sh --uninstall
Incidentally, the wildcard certificate for *.example.com is a second-level wildcard certificate; if a third-level name such as a.b.example.com uses it, the browser will report the site as not secure, so you need to request a wildcard certificate for *.b.example.com. Over
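This is also why the issue command lists both '*.example.com' and example.com: a browser matches a certificate wildcard against exactly one DNS label (RFC 6125, updated by RFC 9525), so '*.example.com' covers www.example.com but neither the bare example.com nor a.b.example.com. As an added example that is not part of the original post, the POSIX shell functions below implement that matching rule so you can check which names a planned certificate will cover before requesting it; the host names in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): how a browser decides whether a
# certificate name such as '*.example.com' covers a host name, following the
# single-label wildcard rule of RFC 6125 / RFC 9525.

# cert_name_matches PATTERN HOST -> exit 0 if PATTERN covers HOST
cert_name_matches() {
  pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$pattern" in
    '*.'*)
      # Wildcard as the whole leftmost label: it matches exactly one label of
      # the host and never the bare parent domain.
      suffix=${pattern#\*}          # ".example.com"
      first_label=${host%%.*}       # "www" for "www.example.com"
      rest=${host#"$first_label"}   # ".example.com" (empty if HOST has no dot)
      [ -n "$first_label" ] && [ "$rest" = "$suffix" ]
      ;;
    *'*'*)
      # A wildcard anywhere else (e.g. "w*.example.com") is rejected here.
      return 1
      ;;
    *)
      [ "$pattern" = "$host" ]
      ;;
  esac
}

# covered_by_cert HOST NAME... -> exit 0 if any certificate name covers HOST
covered_by_cert() {
  h=$1
  shift
  for name in "$@"; do
    cert_name_matches "$name" "$h" && return 0
  done
  return 1
}

# Constructed usage:
#   covered_by_cert www.example.com '*.example.com' example.com   -> covered
#   covered_by_cert example.com     '*.example.com' example.com   -> covered (by the second name)
#   covered_by_cert a.b.example.com '*.example.com' example.com   -> not covered
```

Run covered_by_cert with the exact -d list you intend to pass to acme.sh --issue; every host that should be served must come back covered, otherwise the list needs another entry such as '*.b.example.com'.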