CentOS: using acme.sh to apply for a Let's Encrypt wildcard certificate

1. Install acme.sh

Note: if you need to use standalone mode, install socat first:
# yum install socat

It is recommended to install socat first.
We use socat for standalone server if you use standalone mode.
If you don't use standalone mode, just ignore this warning.

[test@ssh ~]$ curl https://get.acme.sh | sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 775 0 775 0 0 67 0 --:--:-- 0:00:11 --:--:-- 194
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 193k 100 193k 0 0 234k 0 --:--:-- --:--:-- --:--:-- 234k
Installing from online archive.
Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
Extracting master.tar.gz
It is recommended to install socat first.
We use socat for standalone server if you use standalone mode.
If you don't use standalone mode, just ignore this warning.
Installing to /home/test/.acme.sh
Installed to /home/test/.acme.sh/acme.sh
Installing alias to '/home/test/.bashrc'
OK, Close and reopen your terminal to start using acme.sh
Installing cron job
no crontab for test
Good, bash is found, so change the shebang to use bash as preferred.
OK
Install success!

Installation succeeded.
1.1 acme.sh is installed in your home directory:
/home/test/.acme.sh
You can create a bash alias for convenience: alias acme.sh=~/.acme.sh/acme.sh

1.2 A cron job is created for you automatically

All certificates are checked automatically at 0:00 every day; any certificate that is about to expire and needs renewing is renewed automatically:
20 0 * * * "/home/test/.acme.sh"/acme.sh --cron --home "/home/test/.acme.sh" > /dev/null

2. Generate a certificate

acme.sh implements all the validation methods supported by the ACME protocol. In general there are two: HTTP validation and DNS validation.

2.1 HTTP

You place a file in the root directory of your website to prove ownership of the domain name; once the validation completes, the certificate can be generated.

acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /home/wwwroot/mydomain.com/

You only need to specify the domain name and the root directory of the website that serves it. acme.sh generates the verification file, places it in the web root, completes the validation automatically and finally deletes the verification file again, so the whole process has no side effects.
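The HTTP validation described above works because the CA fetches a token from http://<domain>/.well-known/acme-challenge/<token> inside the web root. The following pre-flight check is an added example, not part of the original post or of acme.sh itself: it writes a probe file of its own (a constructed random name, not a CA token) to that directory, lets you fetch it over plain HTTP to confirm the web server really serves files from there, and then removes it again, just as acme.sh removes its verification file. The webroot path and domain in the usage comment are the ones from this post and are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check for
# --webroot mode. acme.sh proves control of the domain by serving a token
# at http://<domain>/.well-known/acme-challenge/<token>. Writing a probe
# file there first catches a wrong webroot path or a server block that
# hides dot-directories before the CA ever sees a failed challenge.

# prepare_probe WEBROOT -> creates the challenge directory, writes a probe
# file with a constructed random name and prints its path.
prepare_probe() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')   # 32 hex chars
    printf 'acme-webroot-probe %s\n' "$token" > "$dir/$token" || return 1
    printf '%s\n' "$dir/$token"
}

# probe_ok DOMAIN FILE -> fetches the probe over plain HTTP on port 80 (the
# only port the HTTP-01 challenge uses) and compares it with the file on disk.
probe_ok() {
    name=${2##*/}
    body=$(curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$name") || return 1
    [ "$body" = "$(cat "$2")" ]
}

# cleanup_probe FILE -> removes the probe so the check leaves no trace,
# mirroring acme.sh deleting its own verification file after validation.
cleanup_probe() {
    rm -f "$1"
}

# Usage (placeholder values from this post; run as a user that may write to
# the webroot):
#   f=$(prepare_probe /home/wwwroot/mydomain.com) &&
#   probe_ok mydomain.com "$f" && echo "webroot serves challenge files";
#   cleanup_probe "$f"
```

If probe_ok fails while the file exists on disk, the web server is not serving the challenge directory (wrong root, a redirect to https before the path check, or a rule that blocks dot-directories), and acme.sh --webroot will fail the same way.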

If you use an Apache server, acme.sh can also complete the validation automatically from the Apache configuration, so you do not need to specify the web root:

acme.sh --issue -d mydomain.com --apache
If you use an nginx server, or a reverse proxy, acme.sh can likewise complete the validation automatically from the nginx configuration, without the web root being specified:

acme.sh --issue -d mydomain.com --nginx
Note that acme.sh restores the previous state after validation and does not alter your configuration on its own. The advantage is that you need not worry about a broken configuration. The disadvantage is that you must set up the SSL configuration yourself; otherwise you only succeed in generating the certificate, and your website still cannot be reached over https. For security reasons you should change the configuration manually anyway.

If no web service is running and port 80 is free, acme.sh can act as a web server itself and temporarily listen on port 80 to complete the validation:

acme.sh --issue -d mydomain.com --standalone

2.2 Manual DNS mode

Manually add a TXT record to the domain to prove ownership of the domain name.
The advantage of this method is that you need neither a server nor a public IP; DNS records alone complete the validation. The disadvantage is that unless a DNS API is configured as well, acme.sh cannot renew the certificate automatically: each time you must add the record and prove ownership of the domain name by hand again.

acme.sh --issue --dns -d mydomain.com
acme.sh then generates the corresponding record and displays it; you only need to add this TXT record in your domain's DNS management panel.

Once the record resolves, generate the certificate again:

acme.sh --renew -d mydomain.com
Note that the second time we used --renew.

2.3 DNS API mode

The real strength of DNS validation is that it can use the API provided by the DNS provider to add the TXT records automatically and complete the validation.

At present acme.sh supports automatic integration with dozens of DNS providers, such as CloudFlare, DNSPod, CloudXNS, GoDaddy and OVH.

Take DNSPod as an example. First log in to your DNSPod account and generate your API ID and API key (free of charge). Then:

export DP_Id="1234"

export DP_Key="sADDsdasdgdsf"

acme.sh --issue --dns dns_dp -d aa.com -d www.aa.com

The certificate is generated automatically. The API ID and API key given here are recorded automatically, so in future you need not specify them again when using the DNSPod API; just generate directly:

acme.sh --issue -d mydomain2.com --dns dns_dp
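The DNS API credentials recorded above end up in ~/.acme.sh/account.conf, next to the private keys of every issued certificate. A DNS API key that leaks lets its holder pass DNS validation for your zones and obtain certificates for them, so the practical check is that nothing under that directory is readable by other local users. The following script is an added example, not part of the original post or of acme.sh; the directory it inspects is a parameter, and the file names in the usage comment are the ones from this post.

```shell
#!/bin/sh
# Added example, not from the original post. acme.sh saves DNS API
# credentials (DP_Id/DP_Key, CF_Token, GD_Key ...) in ~/.acme.sh/account.conf
# and each certificate's private key in ~/.acme.sh/<domain>/<domain>.key.
# This check reports anything under the acme.sh home that is group- or
# world-accessible and can tighten it.

# insecure_files DIR -> prints each regular file under DIR with any group
# or other permission bit set; returns 0 when none are found, 1 otherwise.
insecure_files() {
    found=$(find "$1" -type f -perm /077 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# lock_down DIR -> strips group/other permissions from DIR and everything in it
lock_down() {
    chmod -R go-rwx "$1"
}

# Usage, e.g. from the same cron job that renews the certificates:
#   insecure_files "$HOME/.acme.sh" || lock_down "$HOME/.acme.sh"
# Running acme.sh under umask 077 keeps newly written files private from
# the start, so the check stays quiet afterwards.
```

The check is deliberately limited to the acme.sh home; deployed copies of the key (the file you point nginx or Apache at) need the same treatment wherever they are installed.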

https://github.com/acmesh-official/acme.sh/wiki/dnsapi

How to use the DNS API
If your DNS provider does not offer API access, you can use the DNS alias mode:

https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode

1. CloudFlare Option:
CloudFlare Domain API offers two methods to automatically issue certs.

Using the global API key
First you need to login to your CloudFlare account to get your API key.

export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Email="xxxx@sss.com"
Using the new cloudflare api token
export CF_Token="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Account_ID="xxxxxxxxxxxxx"
In order to use the new token, the token currently needs read access to Zone.Zone and write access to Zone.DNS, across all zones. See Issue #2398 for more info.

Alternatively, if the certificate only covers a single zone, you can restrict the API Token only for write access to Zone.DNS for a single domain, and then specify the CF_Zone_ID directly:

export CF_Token="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Account_ID="xxxxxxxxxxxxx"
export CF_Zone_ID="xxxxxxxxxxxxx"
Ok, let's issue a cert now:

acme.sh --issue --dns dns_cf -d example.com -d www.example.com
The CF_Key and CF_Email, or CF_Token and CF_Account_ID, will be saved in ~/.acme.sh/account.conf and will be reused when needed.

2. DNSPod.cn Option:
The DNSPod.cn Domain API option requires that you first login to your account to get a DNSPod API Key and ID.

export DP_Id="1234"
export DP_Key="sADDsdasdgdsf"
Ok, let's issue a cert now:

acme.sh --issue --dns dns_dp -d example.com -d www.example.com
The DP_Id and DP_Key will be saved in ~/.acme.sh/account.conf and will be reused when needed.

3. Use CloudXNS.com domain API to automatically issue cert
First you need to login to your CloudXNS account to get your API Key and Secret.

export CX_Key="1234"
export CX_Secret="sADDsdasdgdsf"
Ok, let's issue a cert now:

acme.sh --issue --dns dns_cx -d example.com -d www.example.com
The CX_Key and CX_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.

4. Use GoDaddy.com domain API to automatically issue cert
First you need to login to your GoDaddy account to get your API Key and Secret.

https://developer.godaddy.com/keys/

Please create a Production key, instead of a Test key.

export GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export GD_Secret="asdfsdafdsfdsfdsfdsfdsafd"
Ok, let's issue a cert now:

acme.sh --issue --dns dns_gd -d example.com -d www.example.com
The GD_Key and GD_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.

5. Use PowerDNS embedded API to automatically issue cert
First you need to login to your PowerDNS account to enable the API and set your API-Token in the configuration.

https://doc.powerdns.com/md/httpapi/README/

export PDNS_Url="http://ns.example.com:8081"
export PDNS_ServerId="localhost"
export PDNS_Token="0123456789ABCDEF"
export PDNS_Ttl=60
Ok, let's issue a cert now:

acme.sh --issue --dns dns_pdns -d example.com -d www.example.com
The PDNS_Url, PDNS_ServerId, PDNS_Token and PDNS_Ttl will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Apply for an API key in the GoDaddy management console first:

https://developer.godaddy.com/keys#

Then export the GoDaddy key and secret and generate the certificate:

export GD_Key="daxaaaaaaaaaaaabbdn"
export GD_Secret="Eafsfbbbbq4"

$ acme.sh --issue --dns dns_gd -d cnblog.xyz -d '*.cnblog.xyz'

Note: the wildcard certificate requested here covers www as well.
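The note above holds because a wildcard name matches exactly one DNS label: *.cnblog.xyz covers www.cnblog.xyz, but neither cnblog.xyz itself (which is why the command also passes -d cnblog.xyz) nor a deeper name such as a.b.cnblog.xyz. The script below is an added example, not part of the original post or of acme.sh, that applies this rule to the SAN list acme.sh prints as Multi domain='DNS:cnblog.xyz,DNS:*.cnblog.xyz' during issuance; the sample list is taken from this post's log, and the host names it is checked against are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. acme.sh prints the names it
# requests as Multi domain='DNS:cnblog.xyz,DNS:*.cnblog.xyz'. A wildcard
# matches exactly one DNS label (the rule browsers enforce, RFC 6125), so
# *.cnblog.xyz covers www.cnblog.xyz but neither cnblog.xyz itself nor
# a.b.cnblog.xyz.

# Constructed sample: the SAN list from the issuance log in this post.
SAN_LIST='DNS:cnblog.xyz,DNS:*.cnblog.xyz'

# san_covers SAN_LIST HOST -> 0 if HOST is covered by some SAN entry, else 1
san_covers() {
    list=$1
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # DNS names compare case-insensitively
    rest="$list,"                                # trailing comma terminates the walk
    while [ -n "$rest" ]; do
        entry=${rest%%,*}
        rest=${rest#*,}
        name=$(printf '%s' "${entry#DNS:}" | tr 'A-Z' 'a-z')
        case $name in
            '*.'*)
                suffix=${name#\*.}
                case $host in
                    *."$suffix")
                        label=${host%."$suffix"}
                        # exactly one non-empty label may stand in for '*'
                        case $label in
                            '' | *.*) ;;
                            *) return 0 ;;
                        esac ;;
                esac ;;
            *)
                [ "$host" = "$name" ] && return 0 ;;
        esac
    done
    return 1
}

# check_host HOST -> human-readable verdict, same exit status as san_covers
check_host() {
    if san_covers "$SAN_LIST" "$1"; then
        printf 'covered:     %s\n' "$1"
    else
        printf 'NOT covered: %s\n' "$1"; return 1
    fi
}

# Usage:
#   check_host www.cnblog.xyz     -> covered
#   check_host a.b.cnblog.xyz     -> NOT covered (would need *.b.cnblog.xyz)
```

Run check_host for every virtual host you intend to serve with the certificate before deploying it; a name that is reported as not covered needs its own -d entry (or a wildcard one level deeper) in the acme.sh --issue command.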

Issued successfully

[test@ssh .acme.sh]$ acme.sh --issue --dns dns_gd -d cnblog.xyz -d '*.cnblog.xyz' 
[Sun Jul] Multi domain='DNS:cnblog.xyz,DNS:*.cnblog.xyz'
[Sun Jul] Getting domain auth token for each domain
[Sun Jul] Getting webroot for domain='cnblog.xyz'
[Sun Jul] Getting webroot for domain='*.cnblog.xyz'
[Sun Jul] Adding txt value: R2LSKSVk2h3S_YfBd7olT84Tbv-6QvfsD5DBEqar2A0 for domain:  _acme-challenge.cnblog.xyz
[Sun Jul] Adding record
[Sun Jul] Added, sleeping 10 seconds
[Sun Jul] The txt record is added: Success.
[Sun Jul] Adding txt value: BWsOvaC8CSpI2Uad5lHlLp3JXVitYr5C3QpHjB29NME for domain:  _acme-challenge.cnblog.xyz
[Sun Jul] Adding record
[Sun Jul] Added, sleeping 10 seconds
[Sun Jul] The txt record is added: Success.
[Sun Jul] Let's check each DNS record now. Sleep 20 seconds first.
[Sun Jul] Checking cnblog.xyz for _acme-challenge.cnblog.xyz
[Sun Jul] Domain cnblog.xyz '_acme-challenge.cnblog.xyz' success.
[Sun Jul] Checking cnblog.xyz for _acme-challenge.cnblog.xyz
[Sun Jul] Domain cnblog.xyz '_acme-challenge.cnblog.xyz' success.
[Sun Jul] All success, let's return
[Sun Jul] Verifying: cnblog.xyz
[Sun Jul] Success
[Sun Jul] Verifying: *.cnblog.xyz
[Sun Jul] Success
[Sun Jul] Removing DNS records.
[Sun Jul] Removing txt: R2LSKSVk2h3S_YfBd7olT84Tbv-6QvfsD5DBEqar2A0 for domain: _acme-challenge.cnblog.xyz
[Sun Jul] Removed: Success
[Sun Jul] Removing txt: BWsOvaC8CSpI2Uad5lHlLp3JXVitYr5C3QpHjB29NME for domain: _acme-challenge.cnblog.xyz
[Sun Jul] Removed: Success
[Sun Jul] Verify finished, start to sign.
[Sun Jul] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/90525602/4059024784
[Sun Jul] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/036a09d2a53a2deae0004c16b4ea1e4c62a9
[Sun Jul] Cert success.
-----BEGIN CERTIFICATE-----
MIIFWTCCBEGgAwIBAgISA2oJ0qU6LergAEwWtOoeTGKpMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA3MDUwMDUyMzlaFw0y
izw7hnQZSa9ghwzOsSypkXx9QO8VppwevPTU7lo=
-----END CERTIFICATE-----
[Sun Jul] Your cert is in  /home/test/.acme.sh/cnblog.xyz/cnblog.xyz.cer 
[Sun Jul] Your cert key is in  /home/test/.acme.sh/cnblog.xyz/cnblog.xyz.key 
[Sun Jul] The intermediate CA cert is in  /home/test/.acme.sh/cnblog.xyz/ca.cer 
[Sun Jul] And the full chain certs is there:  /home/test/.acme.sh/cnblog.xyz/fullchain.cer 
[test@ssh .acme.sh]$ 


Tags: tools

Posted by Trip1 on Wed, 01 Jun 2022 10:05:59 +0530