Get Your SSL Cert via acme.sh

Read the Chinese version

Install acme.sh

Install the acme.sh script.

curl https://get.acme.sh | sh

Then reload your shell.

For example:

source ~/.bashrc

Create Cloudflare API Key

I strongly recommend DNS API mode for this, if this domain is not a free domain from freenom.com.

First of all, add your domain to Cloudflare. I won’t show how to do this just because it’s way too simple.

Create an API token so that acme.sh can use it.

Do not hand over your Global API Key so casually; create a scoped token instead.

Remember to copy the Zone ID and Account ID shown above.

Click “Create Token”.

Cloudflare provides a template for that, just use it.

Choose the specific zone.

Add TTL as you like.

Confirm the settings of the token.

Copy the token and test it.

Must copy! This token will never be displayed again once you leave this page.

Time to Use acme.sh

Register the fxxxing ZeroSSL account.

acme.sh --register-account -m my@example.com

Then add the environment variables for acme.sh:

export CF_Token='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
export CF_Account_ID='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
export CF_Zone_ID='xxxxxxxxxxxxxxxxxxxxxx'

Then simply start a request and acme.sh will do everything automatically.

Using an ECC cert is good. Add --force as needed.

acme.sh --issue -d example.com --dns dns_cf --keylength ec-256 

Then you can see where the cert and keys are stored.

The script will also set up a cron job that tries to renew the cert via the API when it is about to expire.

Fxxx ZeroSSL

The default CA provider has been switched to ZeroSSL from Let’s Encrypt.

But I have frequently run into very slow responses from the poor service of ZeroSSL, so I decided to switch back.

A --server parameter is needed to specify the CA server. For Let's Encrypt it looks like this:

acme.sh --server letsencrypt --issue -d example.com --dns dns_cf --keylength ec-256 

DNS manual mode

This mode does not need an A or AAAA record.

Add --force as needed.

acme.sh --issue -d example.com --dns --keylength ec-256 --yes-I-know-dns-manual-mode-enough-go-ahead-please 

The output should look like this:

Add the following TXT record:
Domain: '_acme-challenge.example.com'
TXT value: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
Please be aware that you prepend _acme-challenge. before your domain
so the resulting subdomain will be: _acme-challenge.example.com
Please add the TXT records to the domains, and re-run with --renew.
Please add '--debug' or '--log' to check more details.
See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

Add the TXT record as instructed. Check that it has propagated before continuing.

dig txt _acme-challenge.example.com

Then renew the cert.

acme.sh --renew -d example.com --dns --ecc --yes-I-know-dns-manual-mode-enough-go-ahead-please

The cert will expire in 90 days. Remember to renew it in time.
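An added example (not part of the original post or of acme.sh) that automates the "check it before continuing" step above: it parses dig +short output for the _acme-challenge TXT value acme.sh printed, polls until the record is visible, and only then runs the same --renew command as the post. It assumes dig is installed; the domain and token values are placeholders.

```shell
#!/bin/sh
# Added example: verify the _acme-challenge TXT record before renewing in DNS manual mode.
# Assumes dig (dnsutils/bind-utils) is installed. Domain and token values are placeholders.

# Print each TXT value from `dig +short txt` output, one per line, quotes stripped.
# dig splits values longer than 255 bytes into several quoted strings on one line
# ("part1" "part2"), so those are joined back together first.
txt_values() {
    # $1: raw dig +short output
    printf '%s\n' "$1" | sed -n -e 's/" "//g' -e 's/^"\(.*\)"$/\1/p'
}

# Return 0 if the expected value is one of the TXT values in the dig output, else 1.
txt_has_value() {
    # $1: raw dig +short output, $2: expected TXT value
    txt_values "$1" | grep -Fxq -- "$2"
}

# Poll a public resolver until the challenge record shows the expected value.
wait_for_challenge() {
    # $1: domain, $2: expected TXT value, $3: max attempts (default 12, 5 s apart)
    name="_acme-challenge.$1"
    attempts=${3:-12}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        out=$(dig +short txt "$name" @1.1.1.1 2>/dev/null)
        if txt_has_value "$out" "$2"; then
            return 0
        fi
        i=$((i + 1))
        sleep 5
    done
    return 1
}

# Once the record is visible, run the renew step exactly as shown in the post.
renew_manual() {
    # $1: domain, $2: TXT value printed by `acme.sh --issue`
    if ! wait_for_challenge "$1" "$2"; then
        echo "TXT record for _acme-challenge.$1 not visible yet; not renewing" >&2
        return 1
    fi
    acme.sh --renew -d "$1" --dns --ecc --yes-I-know-dns-manual-mode-enough-go-ahead-please
}

# Usage (placeholders): renew_manual example.com 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
```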

Custom working directory

The script supports a custom working directory. This is very useful when you want it to work somewhere else, and it makes it possible to run several different profiles at the same time.

Type acme.sh --help and you will find:

--home <directory>         Specifies the home dir for acme.sh
...
--config-home <directory>         Specifies the home dir to save all the configurations.

All you have to do is add these two parameters at the front of the command.

Note that this won't create an automatic cron job for renewal; it has to be added manually.

Add the line below to your cron config:

59 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --config-home /root/myacmeconfig/ > /dev/null

https://blog.h3a.moe/en/src/d07427/
Author: H3arn
Posted on: 2021-11-14, Sun, 08:05 PM