Generating a wildcard certificate with acme.sh in DNS mode

My previous wildcard certificate expired and I couldn't be bothered to go through the paid route again, so a free one will do; hardly anyone visits this small site anyway. The process is recorded below; replace the text shown in red and blue with your own information.

Official Chinese documentation:

github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E

Official install command: curl https://get.acme.sh | sh
It failed for me, so I fetched a copy manually with wget: https://github.com/Neilpang/acme.sh/archive/master.zip
Unpack it (not needed if the official command worked): unzip master.zip

I tried the DNS API mode, but manual mode turned out to be easier to work with.

Generate the TXT record values (the wildcard is quoted so the shell does not expand it):

sh acme.sh --issue -d 526net.com -d '*.526net.com' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

Output after the command finishes:
[Sun Aug 26 15:47:02 CST 2018] Multi domain='DNS:526net.com,DNS:*.526net.com'
[Sun Aug 26 15:47:02 CST 2018] Getting domain auth token for each domain
[Sun Aug 26 15:47:03 CST 2018] Getting webroot for domain='526net.com'
[Sun Aug 26 15:47:03 CST 2018] Getting webroot for domain='*.526net.com'
[Sun Aug 26 15:47:03 CST 2018] Add the following TXT record:
[Sun Aug 26 15:47:03 CST 2018] Domain: '_acme-challenge.526net.com'
[Sun Aug 26 15:47:03 CST 2018] TXT value: 'ffje2_WoN0urtL70nfDGHtF1GMq0eqQ9tWFGAVeoihU'
[Sun Aug 26 15:47:03 CST 2018] Please be aware that you prepend _acme-challenge. before your domain
[Sun Aug 26 15:47:03 CST 2018] so the resulting subdomain will be: _acme-challenge.526net.com
[Sun Aug 26 15:47:03 CST 2018] Add the following TXT record:
[Sun Aug 26 15:47:03 CST 2018] Domain: '_acme-challenge.526net.com'
[Sun Aug 26 15:47:03 CST 2018] TXT value: 'qS1QNofaf70hIuQCPD8wnJdP3Lac2EHb7RqX5lMr6M4'
[Sun Aug 26 15:47:03 CST 2018] Please be aware that you prepend _acme-challenge. before your domain
[Sun Aug 26 15:47:03 CST 2018] so the resulting subdomain will be: _acme-challenge.526net.com
[Sun Aug 26 15:47:03 CST 2018] Please add the TXT records to the domains, and re-run with --renew.
[Sun Aug 26 15:47:03 CST 2018] Please check log file for more details: /root/.acme.sh/acme.sh.log

Go to your domain's DNS management panel and add a TXT record on the subdomain: name _acme-challenge.526net.com (the red text above), value the blue text above. Because I requested two domains there are two records with the same name and different values; add both.

After adding them, allow some time for the records to propagate. You can check from the server or VPS whether the values are visible yet: nslookup -q=TXT _acme-challenge.526net.com
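As an added example (not part of the original post), a small POSIX sh helper that parses nslookup's TXT output and confirms that every challenge value is visible before you run --renew; the domain and the two values are the ones printed above, the nslookup output it parses offline is constructed, and the RESOLVER variable is my own convention for querying a specific resolver.

```shell
#!/bin/sh
# Added helper, not from the original post: confirm the _acme-challenge TXT
# records are visible in DNS before running "acme.sh --renew".
# Assumes nslookup (bind-utils / dnsutils) is installed.

# Print every TXT string from nslookup output read on stdin.
# nslookup prints lines like:  _acme-challenge.526net.com  text = "value"
txt_values_from_nslookup() {
    sed -n 's/.*text = "\([^"]*\)".*/\1/p'
}

# Return 0 if value $2 is among the TXT values in the nslookup output $1.
txt_output_has_value() {
    printf '%s\n' "$1" | txt_values_from_nslookup | grep -qxF -- "$2"
}

# Live check: query the resolver (RESOLVER env var, default: system resolver)
# for name $1 and report whether every remaining argument is present.
check_challenge_records() {
    name=$1; shift
    out=$(nslookup -q=TXT "$name" ${RESOLVER:+"$RESOLVER"} 2>/dev/null)
    missing=0
    for v in "$@"; do
        if txt_output_has_value "$out" "$v"; then
            echo "present: $v"
        else
            echo "MISSING: $v"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample of nslookup output (both values from the post) so the
# parser can be exercised without network access.
SAMPLE_NSLOOKUP='Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
_acme-challenge.526net.com      text = "ffje2_WoN0urtL70nfDGHtF1GMq0eqQ9tWFGAVeoihU"
_acme-challenge.526net.com      text = "qS1QNofaf70hIuQCPD8wnJdP3Lac2EHb7RqX5lMr6M4"'

# Offline demonstration; for the real check after adding the records run e.g.
#   RESOLVER=1.1.1.1 check_challenge_records _acme-challenge.526net.com "$V1" "$V2"
printf '%s\n' "$SAMPLE_NSLOOKUP" | txt_values_from_nslookup
```

Querying a public resolver as well as the system one helps spot a record that is only cached locally; Let's Encrypt resolves the name from the authoritative servers, not from your resolver's cache.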

Generate the certificate:
sh acme.sh --renew -d 526net.com -d '*.526net.com' --yes-I-know-dns-manual-mode-enough-go-ahead-please

Once it reports success, add the following to the nginx site configuration:

# "ssl on;" is deprecated since nginx 1.15; newer versions use "listen 443 ssl;" instead
ssl on;
ssl_certificate /root/.acme.sh/526net.com/fullchain.cer;
ssl_certificate_key /root/.acme.sh/526net.com/526net.com.key;
ssl_session_timeout 5m;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep only TLSv1.2 (and TLSv1.3) unless legacy clients require them
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_session_cache builtin:1000 shared:SSL:10m;

Finally, add the automatic renewal job to the server's crontab:

24 0 * * * "/home/acme"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

The red part is the acme.sh directory (must be set when installed via wget); the blue part is the certificate storage directory, which by default is the one shown above.

Done.
