This open source tool (the acmesh-official project on GitHub) lets you apply for free SSL certificates once it is installed and configured, and a scheduled task then renews them automatically, so in theory you configure it once and it keeps working. The project provides a Chinese document you can read for yourself; here I record my own procedure. Everything below was done on a domestic (China-hosted) Ubuntu 20.04 server without any proxy ("ladder").
First install the script. According to the official document, installation is a single command: it downloads the script from the remote server, installs it into the current user's home directory and creates a shell alias for it, so you need to reload your shell environment once the installation finishes. Piping a remote script straight into sh means trusting whatever that server returns; if that bothers you, download the script first, read it, and then run it.
# I forgot to log this part, so the commands below are given for reference only.
# Install; replace the email with your own, or leave the email argument out entirely.
$ curl | sh -s email=my@
# Refresh the environment so that the alias takes effect
$ source ~/.bashrc
# Check if the installation was successful by looking at the version number.
$ -v
/acmesh-official/
v3.1.0
Next, apply for the SSL certificate. The official document lists several ways to do this; the three I understand are:
- HTTP method: detects a web server installed locally and automatically creates a file under the site's web root to prove ownership of the domain; supports automatic renewal. If there is no web server and port 80 is free, the script can also run its own temporary web server to answer the challenge. My web environment runs in Docker, so it cannot be detected, and port 80 is already taken, so this option is out. (It could not have helped in my case anyway: ACME only allows wildcard certificates to be validated through the DNS challenge, never through HTTP.)
- Automatic DNS: calls the registrar's API with an API key to create the DNS record automatically and complete ownership validation; supports automatic renewal. Unfortunately my domain is at West.cn (西部数码), which only opens API access to resellers (infuriating), and becoming a reseller requires prepaying (even more infuriating), so this option is out.
- Manual DNS: the option I use. You create the DNS record at the registrar by hand, then the script verifies ownership of the domain and issues the certificate. Because every issuance needs a fresh TXT record added by hand, this mode cannot renew unattended.
With the introduction done and the preparation complete, follow the process in the official documentation and enter the following command at the command line:
# I applied for a wildcard certificate, hence the *. prefix
$ --issue --dns -d *. --yes-i-know-dns-manual-mode-enough-go-ahead-please
[Monday, October 14, 2024 11:56:07 CST] Using CA: /v2/DV90
[Monday, October 14, 2024 11:56:07 CST] Single domain='*.'
[Monday, October 14, 2024 11:56:20 CST] Getting webroot for domain='*.'
[Monday, October 14, 2024 11:56:20 CST] Add the following TXT record.
[Monday, October 14, 2024 11:56:20 CST] Domain: '_acme'
[Monday, October 14, 2024 11:56:20 CST] TXT value: 'G2kdxbaqrhza92njOTS5Rm9Tm_BLXsJLQAjm5luF63A'
[Monday, October 14, 2024 11:56:20 CST] Please make sure to prepend '_acme-challenge.' to your domain
[Monday, October 14, 2024 11:56:20 CST] so that the resulting subdomain is: _acme
[Monday, October 14, 2024 11:56:20 CST] Please add the TXT records to the domains, and re-run with --renew.
[Monday, October 14, 2024 11:56:20 CST] Please add '--debug' or '--log' to see more information.
[Monday, October 14, 2024 11:56:20 CST] See: /acmesh-official//wiki/
The log shows that the certificate is being requested from ZeroSSL, and that we need to add a TXT record named _acme-challenge under the domain, with the value printed in the log. For a wildcard name the record goes on the base domain, i.e. _acme-challenge.<your domain>, not under the "*" label, because the CA validates a wildcard against the base name. Open your DNS provider's management console and add that record.
Wait a few moments to make sure the record actually resolves, then follow the official documentation to verify ownership of the domain and issue the certificate: as the log instructs, re-run the same command with --renew in place of --issue.
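Before re-running with --renew it is worth confirming that the TXT record is visible from a public resolver, since the CA validates from the outside and a record that has not propagated yet simply fails the order. The script below is an added example, not part of the original post and not code from acme.sh. It assumes dig is installed; the record name, the expected value and the resolver to query are passed as arguments (the names in the usage line are placeholders).

```shell
#!/bin/sh
# Added example, not from the original post or from acme.sh: check that the
# _acme-challenge TXT record is visible from a public resolver before
# re-running acme.sh with --renew. Assumes "dig" (dnsutils / bind-utils).

# Normalise dig's "+short TXT" output: join multi-string records ("a" "b" -> ab),
# strip the surrounding quotes and drop empty lines, one value per line.
txt_values() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//' | sed '/^$/d'
}

# Read TXT values on stdin; succeed only if one of them equals the token exactly.
# -x matches the whole line and -F matches literally, so a stale record that
# merely starts with the new token does not count as published.
txt_has_token() {
    txt_values | grep -qxF -- "$1"
}

# Poll the resolver until the token is published or the attempts run out.
#   wait_for_txt _acme-challenge.example.com <token> [resolver] [attempts] [interval]
wait_for_txt() {
    _name="$1"; _token="$2"; _resolver="${3:-1.1.1.1}"
    _tries="${4:-20}"; _interval="${5:-15}"
    while [ "$_tries" -gt 0 ]; do
        if dig +short TXT "$_name" "@$_resolver" | txt_has_token "$_token"; then
            echo "$_name is published at $_resolver; safe to run --renew"
            return 0
        fi
        _tries=$((_tries - 1))
        [ "$_tries" -gt 0 ] && sleep "$_interval"
    done
    echo "gave up: $_name does not carry the expected token at $_resolver" >&2
    return 1
}

# Usage (placeholder name and token):
#   wait_for_txt _acme-challenge.example.com 'G2kdxbaqrhza92njOTS5Rm9Tm_BLXsJLQAjm5luF63A' 8.8.8.8
```

Query a resolver other than the one your server uses: a locally cached answer from before you added the record can make the name look missing even though the CA will already see it. Asking two different public resolvers before running --renew is cheap insurance.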
[Monday, October 14, 2024 12:07:37 CST] The domain '*.' seems to already have an ECC cert, let's use it.
[Monday, October 14, 2024 12:07:37 CST] Renewing: '*.'
[Monday, October 14, 2024 12:07:37 CST] Renewing using Le_API=/v2/DV90
[Monday, October 14, 2024 12:07:40 CST] Using CA: /v2/DV90
[Monday, October 14, 2024 12:07:40 CST] Single domain='*.'
[Monday, October 14, 2024 12:07:41 CST] Verifying: '*.'
[Monday, October 14, 2024 12:07:48 CST] Processing. the CA is processing your order, please wait. (1/30)
[Monday, October 14, 2024 12:07:53 CST] Success
[Monday, October 14, 2024 12:07:53 CST] Verification finished, beginning signing.
[Monday, October 14, 2024 12:07:53 CST] Let's finalize the order.
[Monday, October 14, 2024 12:07:53 CST] Le_OrderFinalize='/v2/DV90/order/***/finalize'
[Monday, October 14, 2024 12:07:56 CST] Order status is 'processing', let's sleep and retry.
[Monday, October 14, 2024 12:07:56 CST] Sleeping for 15 seconds then retrying
[Monday, October 14, 2024 12:08:12 CST] Polling order status: /v2/DV90/order/***
[Monday, October 14, 2024 12:08:14 CST] Downloading cert.
[Monday, October 14, 2024 12:08:14 CST] Le_LinkCert='/v2/DV90/cert/***'
[Monday, October 14, 2024 12:08:17 CST] Cert success.
-----BEGIN CERTIFICATE-----
Can't show you here~
-----END CERTIFICATE-----
[Monday, October 14, 2024 12:08:17 CST] Your cert is in: /root/. /*.hanzhe.site_ecc/*.
[Monday, October 14, 2024 12:08:17 CST] Your cert key is in: /root/. /*.hanzhe.site_ecc/*. /*.hanzhe.site_ecc/*.
[Monday, October 14, 2024 12:08:17 CST] The intermediate CA cert is in: /root/. /*.hanzhe.site_ecc/*. /*.hanzhe.site_ecc/.
[Monday, October 14, 2024 12:08:17 CST] And the full-chain cert is in: /root/. /*.hanzhe.site_ecc/. /*.hanzhe.site_ecc/
If ownership verification fails, wait a few minutes and run it again. If everything goes well the SSL certificate has now been issued. The log shows that the files live under the user's home directory, but the project does not recommend copying them from there by hand: that directory is the script's internal state and is overwritten on every renewal. Instead, install the certificate into the directory your web server reads with the command the script provides; it records the target paths and copies the renewed files there again after each renewal. Make sure the key file at the target is readable only by root and the web server process.
# Install the certificate and key into the directory nginx reads
$ --install-cert -d *. \
--key-file /opt/docker/nginx/data/ssl// \
--fullchain-file /opt/docker/nginx/data/ssl//
The certificate is ready. If your web server is already configured to use it, a restart is all that is needed. I use nginx; note that the install command above writes to the host directory /opt/docker/nginx/data/ssl while nginx reads /data/ssl, so the container must mount that host directory at /data/ssl. The relevant server block:
server {
    listen 443 ssl;
    server_name ;
    ssl_certificate     /data/ssl//;   # full-chain certificate (the --fullchain-file target)
    ssl_certificate_key /data/ssl//;   # private key (the --key-file target)
    location / {
        root /usr/share/nginx/www;
        index ;
    }
}
After the configuration is complete, run docker compose restart nginx to restart the web server.
My server environment does not support auto-renewal. I found out that the issuer is ZeroSSL; I was going to apply for the certificate myself, but then found that ZeroSSL's wildcard certificates require you to register, log in and buy a paid premium subscription, whereas this script can apply for one directly without logging in. Thanks!
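Since manual DNS mode leaves renewal to you, the only safety net is knowing how far away expiry is (ZeroSSL DV certificates are valid for 90 days). The script below is an added example, not part of the original post and not code from acme.sh: it reads the expiry date from the installed certificate with openssl, exits non-zero when fewer than a configurable number of days remain, and also confirms that the installed private key belongs to the installed certificate, which catches a half-finished install before nginx refuses to start. The file names under /opt/docker/nginx/data/ssl and the 14-day threshold are assumptions. The date arithmetic is done in awk rather than with GNU date -d so the check also runs on BusyBox or macOS.

```shell
#!/bin/sh
# Added example, not from the original post or from acme.sh: expiry and
# key/cert consistency check for a certificate that is renewed by hand.
# Assumed file names and threshold; override them through the environment.
CERT_FILE="${CERT_FILE:-/opt/docker/nginx/data/ssl/fullchain.cer}"
KEY_FILE="${KEY_FILE:-/opt/docker/nginx/data/ssl/key.pem}"
WARN_DAYS="${WARN_DAYS:-14}"

# Convert the notAfter string openssl prints ("Jan 12 11:56:07 2025 GMT") to a
# Unix epoch. Pure awk (days-from-civil on the proleptic Gregorian calendar),
# so no dependency on GNU "date -d".
notafter_to_epoch() {
    printf '%s\n' "$1" | awk '{
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ")
        m = 0
        for (i = 1; i <= 12; i++) if (mon[i] == $1) m = i
        d = $2 + 0; y = $4 + 0
        split($3, t, ":")
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        days = era * 146097 + doe - 719468
        printf "%.0f\n", days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }'
}

# Whole days from epoch $2 until the notAfter string $1 (negative once expired).
days_left() {
    _exp=$(notafter_to_epoch "$1")
    echo $(( (_exp - $2) / 86400 ))
}

# Confirm the installed private key matches the installed certificate by
# comparing the public key each of them carries.
key_matches_cert() {
    _c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    _k=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$_c" ] && [ "$_c" = "$_k" ]
}

# Exit 0 when fine, 1 when renewal is due or the key does not match,
# 2 when the certificate cannot be read at all.
check_cert() {
    _na=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//')
    if [ -z "$_na" ]; then
        echo "cannot read certificate $1" >&2
        return 2
    fi
    if ! key_matches_cert "$1" "$2"; then
        echo "KEY MISMATCH: $2 does not belong to $1; re-run --install-cert" >&2
        return 1
    fi
    _left=$(days_left "$_na" "$(date +%s)")
    if [ "$_left" -le "$WARN_DAYS" ]; then
        echo "RENEW NOW: $1 expires in $_left day(s), notAfter=$_na" >&2
        return 1
    fi
    echo "OK: $1 is valid for another $_left day(s); key matches"
    return 0
}

# Usage: run daily from cron and alert on a non-zero exit status.
if [ -r "$CERT_FILE" ]; then check_cert "$CERT_FILE" "$KEY_FILE"; fi
```

A cron line such as `0 9 * * * CERT_FILE=... KEY_FILE=... /path/to/check-cert.sh || mail -s 'TLS renewal due' you@example.com` (assumed paths and address) turns the exit status into the reminder that manual DNS mode otherwise lacks.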