freessl免费ssl证书申请(acme.sh)

去年申请了一个域名，一直都是http裸奔，考虑chrome 浏览器对http请求越来越歧视，想着上一个ssl，也看起来正规一点。

1. 方案

一顿搜索，发现有免费的ssl证书和收费ssl服务两种，于是都做了一下了解：

• 华为云

在最新的版本上，已经下架了免费ssl证书提供：

感兴趣的同学可以前往华为云SCM了解详细产品，支持单域名，多域名，泛域名多种形式。

• Freessl

2. Freessl 申请

Freessl目前有Trust 和 lets encrypt两个供应商，申请证书，可以通过网页上注册账号进行申请

2.1 网页申请

• 注册账号
• 按照指引进行ssl证书申请

2.2 命令行——acme.sh

acme.sh 实现了 acme 协议，用于从 lets encrypt 申请免费的ssl证书。

• 安装

# curl https://get.acme.sh | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   937    0   937    0     0    403      0 --:--:--  0:00:02 --:--:--   403
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  204k  100  204k    0     0  93633      0  0:00:02  0:00:02 --:--:-- 93633
[Fri Feb 19 20:18:08 CST 2021] Installing from online archive.
[Fri Feb 19 20:18:08 CST 2021] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Fri Feb 19 20:19:50 CST 2021] Extracting master.tar.gz
[Fri Feb 19 20:19:50 CST 2021] It is recommended to install socat first.
[Fri Feb 19 20:19:50 CST 2021] We use socat for standalone server if you use standalone mode.
[Fri Feb 19 20:19:50 CST 2021] If you don't use standalone mode, just ignore this warning.
[Fri Feb 19 20:19:50 CST 2021] Installing to /root/.acme.sh
[Fri Feb 19 20:19:50 CST 2021] Installed to /root/.acme.sh/acme.sh
[Fri Feb 19 20:19:50 CST 2021] Installing alias to '/root/.bashrc'
[Fri Feb 19 20:19:50 CST 2021] OK, Close and reopen your terminal to start using acme.sh
[Fri Feb 19 20:19:50 CST 2021] Installing alias to '/root/.cshrc'
[Fri Feb 19 20:19:50 CST 2021] Installing alias to '/root/.tcshrc'
[Fri Feb 19 20:19:50 CST 2021] Installing cron job
no crontab for root
no crontab for root
[Fri Feb 19 20:19:50 CST 2021] Good, bash is found, so change the shebang to use bash as preferred.
[Fri Feb 19 20:19:51 CST 2021] OK
[Fri Feb 19 20:19:51 CST 2021] Install success!

• 配置

# acme.sh --issue -d codercouch.com --nginx
-bash: acme.sh: command not found

出现命令not found，莫慌，这是acme.sh 安装完成后，只是在.bashrc文件添加了环境变量，但是没有重新加载，source命令更新一下即可

# source .bashrc

查看下acme.sh 都提供了那些命令接口：

# acme.sh -h
https://github.com/acmesh-official/acme.sh
v2.8.9
Usage: acme.sh <command> ... [parameters ...]
Commands:
  -h, --help               Show this help message.
  -v, --version            Show version info.
  --install                Install acme.sh to your system.
  --uninstall              Uninstall acme.sh, and uninstall the cron job.
  --upgrade                Upgrade acme.sh to the latest code from https://github.com/acmesh-official/acme.sh.
  --issue                  Issue a cert.
  --deploy                 Deploy the cert to your server.
  -i, --install-cert       Install the issued cert to apache/nginx or any other server.
  -r, --renew              Renew a cert.
  --renew-all              Renew all the certs.
  --revoke                 Revoke a cert.
  --remove                 Remove the cert from list of certs known to acme.sh.
  --list                   List all the certs.
  --to-pkcs12              Export the certificate and key to a pfx file.
  --to-pkcs8               Convert to pkcs8 format.
  --sign-csr               Issue a cert from an existing csr.
  --show-csr               Show the content of a csr.
  -ccr, --create-csr       Create CSR, professional use.
  --create-domain-key      Create an domain private key, professional use.
  --update-account         Update account info.
  --register-account       Register account key.
  --deactivate-account     Deactivate the account.
  --create-account-key     Create an account private key, professional use.
  --install-cronjob        Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
  --uninstall-cronjob      Uninstall the cron job. The 'uninstall' command can do this automatically.
  --cron                   Run cron job to renew all the certs.
  --set-notify             Set the cron notification hook, level or mode.
  --deactivate             Deactivate the domain authz, professional use.
  --set-default-ca         Used with '--server', Set the default CA to use.
                           See: https://github.com/acmesh-official/acme.sh/wiki/Server


Parameters:
  -d, --domain <domain.tld>         Specifies a domain, used to issue, renew or revoke etc.
  --challenge-alias <domain.tld>    The challenge domain alias for DNS alias mode.
                                    See: https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode

  --domain-alias <domain.tld>       The domain alias for DNS alias mode.
                                    See: https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode

  --preferred-chain <chain>         If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
                                    If no match, the default offered chain will be used. (default: empty)
                                    See: https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain

  -f, --force                       Force install, force cert renewal or override sudo restrictions.
  --staging, --test                 Use staging server, for testing.
  --debug [0|1|2|3]                 Output debug info. Defaults to 1 if argument is omitted.
  --output-insecure                 Output all the sensitive messages.
                                    By default all the credentials/sensitive messages are hidden from the output/debug/log for security.
  -w, --webroot <directory>         Specifies the web root folder for web root mode.
  --standalone                      Use standalone mode.
  --alpn                            Use standalone alpn mode.
  --stateless                       Use stateless mode.
                                    See: https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode

  --apache                          Use apache mode.
  --dns [dns_hook]                  Use dns manual mode or dns api. Defaults to manual mode when argument is omitted.
                                    See: https://github.com/acmesh-official/acme.sh/wiki/dnsapi

  --dnssleep <seconds>              The time in seconds to wait for all the txt records to propagate in dns api mode.
                                    It's not necessary to use this by default, acme.sh polls dns status by DOH automatically.
  -k, --keylength <bits>            Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384, ec-521.
  -ak, --accountkeylength <bits>    Specifies the account key length: 2048, 3072, 4096
  --log [file]                      Specifies the log file. Defaults to "/root/.acme.sh/acme.sh.log" if argument is omitted.
  --log-level <1|2>                 Specifies the log level, default is 1.
  --syslog <0|3|6|7>                Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug.
  --eab-kid <eab_key_id>            Key Identifier for External Account Binding.
  --eab-hmac-key <eab_hmac_key>     HMAC key for External Account Binding.


  These parameters are to install the cert to nginx/apache or any other server after issue/renew a cert:

  --cert-file <file>                Path to copy the cert file to after issue/renew..
  --key-file <file>                 Path to copy the key file to after issue/renew.
  --ca-file <file>                  Path to copy the intermediate cert file to after issue/renew.
  --fullchain-file <file>           Path to copy the fullchain cert file to after issue/renew.
  --reloadcmd <command>             Command to execute after issue/renew to reload the server.

  --server <server_uri>             ACME Directory Resource URI. (default: https://acme-v02.api.letsencrypt.org/directory)
                                    See: https://github.com/acmesh-official/acme.sh/wiki/Server

  --accountconf <file>              Specifies a customized account config file.
  --home <directory>                Specifies the home dir for acme.sh.
  --cert-home <directory>           Specifies the home dir to save all the certs, only valid for '--install' command.
  --config-home <directory>         Specifies the home dir to save all the configurations.
  --useragent <string>              Specifies the user agent string. it will be saved for future use too.
  -m, --email <email>               Specifies the account email, only valid for the '--install' and '--update-account' command.
  --accountkey <file>               Specifies the account key path, only valid for the '--install' command.
  --days <ndays>                    Specifies the days to renew the cert when using '--issue' command. The default value is 60 days.
  --httpport <port>                 Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
  --tlsport <port>                  Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
  --local-address <ip>              Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
  --listraw                         Only used for '--list' command, list the certs in raw format.
  -se, --stop-renew-on-error        Only valid for '--renew-all' command. Stop if one cert has error in renewal.
  --insecure                        Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
  --ca-bundle <file>                Specifies the path to the CA certificate bundle to verify api server's certificate.
  --ca-path <directory>             Specifies directory containing CA certificates in PEM format, used by wget or curl.
  --no-cron                         Only valid for '--install' command, which means: do not install the default cron job.
                                    In this case, the certs will not be renewed automatically.
  --no-profile                      Only valid for '--install' command, which means: do not install aliases to user profile.
  --no-color                        Do not output color text.
  --force-color                     Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails.
  --ecc                             Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--to-pkcs12' and '--create-csr'
  --csr <file>                      Specifies the input csr.
  --pre-hook <command>              Command to be run before obtaining any certificates.
  --post-hook <command>             Command to be run after attempting to obtain/renew certificates. Runs regardless of whether obtain/renew succeeded or failed.
  --renew-hook <command>            Command to be run after each successfully renewed certificate.
  --deploy-hook <hookname>          The hook file to deploy cert
  --ocsp, --ocsp-must-staple        Generate OCSP-Must-Staple extension.
  --always-force-new-domain-key     Generate new domain key on renewal. Otherwise, the domain key is not changed by default.
  --auto-upgrade [0|1]              Valid for '--upgrade' command, indicating whether to upgrade automatically in future. Defaults to 1 if argument is omitted.
  --listen-v4                       Force standalone/tls server to listen at ipv4.
  --listen-v6                       Force standalone/tls server to listen at ipv6.
  --openssl-bin <file>              Specifies a custom openssl bin location.
  --use-wget                        Force to use wget, if you have both curl and wget installed.
  --yes-I-know-dns-manual-mode-enough-go-ahead-please  Force use of dns manual mode.
                                    See:  https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode

  -b, --branch <branch>             Only valid for '--upgrade' command, specifies the branch name to upgrade to.
  --notify-level <0|1|2|3>          Set the notification level:  Default value is 2.
                                    0: disabled, no notification will be sent.
                                    1: send notifications only when there is an error.
                                    2: send notifications when a cert is successfully renewed, or there is an error.
                                    3: send notifications when a cert is skipped, renewed, or error.
  --notify-mode <0|1>               Set notification mode. Default value is 0.
                                    0: Bulk mode. Send all the domain's notifications in one message(mail).
                                    1: Cert mode. Send a message for every single cert.
  --notify-hook <hookname>          Set the notify hook
  --revoke-reason <0-10>            The reason for revocation, can be used in conjunction with the '--revoke' command.
                                    See: https://github.com/acmesh-official/acme.sh/wiki/revokecert

  --password <password>             Add a password to exported pfx file. Use with --to-pkcs12.

• 申请证书

# acme.sh --issue -d xxx.com --nginx
[Fri Feb 19 20:25:57 CST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Feb 19 20:25:58 CST 2021] Create account key ok.
[Fri Feb 19 20:25:58 CST 2021] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Fri Feb 19 20:26:00 CST 2021] Registered
[Fri Feb 19 20:26:00 CST 2021] ACCOUNT_THUMBPRINT='asTMsWHNgnvvpTYB6dK-8_ofL_5lfVssWfEtCm1BiIw'
[Fri Feb 19 20:26:00 CST 2021] Creating domain key
[Fri Feb 19 20:26:00 CST 2021] The domain key is here: /root/.acme.sh/codercouch.com/codercouch.com.key
[Fri Feb 19 20:26:00 CST 2021] Single domain='codercouch.com'
[Fri Feb 19 20:26:00 CST 2021] Getting domain auth token for each domain
[Fri Feb 19 20:26:08 CST 2021] Getting webroot for domain='codercouch.com'
[Fri Feb 19 20:26:08 CST 2021] Verifying: codercouch.com
[Fri Feb 19 20:26:08 CST 2021] Nginx mode for domain:codercouch.com
[Fri Feb 19 20:26:08 CST 2021] Found conf file: /etc/nginx/nginx.conf
[Fri Feb 19 20:26:08 CST 2021] Backup /etc/nginx/nginx.conf to /root/.acme.sh/codercouch.com/backup/codercouch.com.nginx.conf
[Fri Feb 19 20:26:08 CST 2021] Check the nginx conf before setting up.
[Fri Feb 19 20:26:08 CST 2021] OK, Set up nginx config file
[Fri Feb 19 20:26:08 CST 2021] nginx conf is done, let's check it again.
[Fri Feb 19 20:26:08 CST 2021] Reload nginx
[Fri Feb 19 20:26:39 CST 2021] Success
[Fri Feb 19 20:26:39 CST 2021] Restoring from /root/.acme.sh/codercouch.com/backup/codercouch.com.nginx.conf to /etc/nginx/nginx.conf
[Fri Feb 19 20:26:39 CST 2021] Reload nginx
[Fri Feb 19 20:26:39 CST 2021] Verify finished, start to sign.
[Fri Feb 19 20:26:39 CST 2021] Lets finalize the order.
[Fri Feb 19 20:26:39 CST 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/113270590/8001380716'
[Fri Feb 19 20:26:43 CST 2021] Downloading cert.
[Fri Feb 19 20:26:43 CST 2021] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/049944468d9e8937e5d2d7c5782949715aa2'
[Fri Feb 19 20:26:47 CST 2021] Cert success.
-----BEGIN CERTIFICATE-----
****
-----END CERTIFICATE-----
[Fri Feb 19 20:26:47 CST 2021] Your cert is in  /root/.acme.sh/codercouch.com/codercouch.com.cer
[Fri Feb 19 20:26:47 CST 2021] Your cert key is in  /root/.acme.sh/codercouch.com/codercouch.com.key
[Fri Feb 19 20:26:47 CST 2021] The intermediate CA cert is in  /root/.acme.sh/codercouch.com/ca.cer
[Fri Feb 19 20:26:47 CST 2021] And the full chain certs is there:  /root/.acme.sh/codercouch.com/fullchain.cer

• 配置Nginx

# vi /etc/nginx/nginx.conf

在nginx配置文件中，添加ssl的路径配置即可

3.证书检测和更新

目前生成的证书只有90天的有效期，我们需要在证书过期前，申请新的证书，acme.sh 也支持自动检测证书有效期和自动更新

在步骤 2 中，acme.sh安装完成后，会自动在crontab中，添加一个定时任务，通过crontab -l命令可以进行查看

# crontab -l
50 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

可以看到，每天0点50分，会自动进行一次检测， 如果快过期了，需要更新， 则会自动更新证书。

更高级的安装选项请参考: https://github.com/Neilpang/acme.sh/wiki/How-to-install

4.acme.sh脚本更新

目前由于 acme 协议和 letsencrypt CA 都在频繁的更新, 因此 acme.sh 也经常更新以保持同步.
升级 acme.sh 到最新版 :

acme.sh --upgrade

如果你不想手动升级, 可以开启自动升级:

acme.sh  --upgrade  --auto-upgrade

也可以随时关闭自动更新:

acme.sh --upgrade  --auto-upgrade  0