前言

前面寫過一個(gè)在云服務(wù)器上布署SSL證書的文《IT基礎(chǔ)設(shè)施：在CentOS7中為nginx布署免費(fèi)SSL證書》耸袜，使用certbot的時(shí)候姥闭，它會(huì)自動(dòng)檢測(cè)應(yīng)用配置垫挨，找到應(yīng)用所在的目錄歧杏，使用文件進(jìn)行域名的所有權(quán)驗(yàn)證夜只。但是逻澳，如果我在家里沒有80端口的情況下布署應(yīng)用闸天，就沒辦法完成這個(gè)驗(yàn)證了，今天在路由器里的插件中偶然得知了acme.sh斜做，可以通過域名解析服務(wù)的API苞氮，通過添加DNS完成域名所有權(quán)驗(yàn)證。

關(guān)鍵詞

• Let's Encrypt
• HTTPS
• 沒有80
• DNS驗(yàn)證

環(huán)境

• CentOS 7 x64
• 家庭寬帶內(nèi)網(wǎng)

過程

以下我們以阿里的解析服務(wù)為例：

1瓤逼、先到阿里控制臺(tái)葱淳，找到自己的Access_Key和Access_Secret。

2抛姑、下載acme.sh

curl  https://get.acme.sh | sh
alias acme.sh=~/.acme.sh/acme.sh

下面設(shè)置一下變量赞厕，將引號(hào)里的內(nèi)容改為你自己的Key與Secret

export Ali_Key="11111111"
export Ali_Secret="2222222222222222222222222222"

申請(qǐng)泛域名證書

acme.sh --issue --dns dns_ali -d *.blackice.me -d blackice.me 

等待程序執(zhí)行完成

[Tue Feb 19 22:50:12 CST 2019] Multi domain='DNS:*.blackice.me,DNS:blackice.me'
[Tue Feb 19 22:50:12 CST 2019] Getting domain auth token for each domain
[Tue Feb 19 22:50:21 CST 2019] Getting webroot for domain='*.blackice.me'
[Tue Feb 19 22:50:21 CST 2019] Getting webroot for domain='blackice.me'
[Tue Feb 19 22:50:21 CST 2019] Found domain api file: /root/.acme.sh/dnsapi/dns_ali.sh
[Tue Feb 19 22:50:23 CST 2019] Found domain api file: /root/.acme.sh/dnsapi/dns_ali.sh
[Tue Feb 19 22:50:25 CST 2019] Let's check each dns records now. Sleep 20 seconds first.
[Tue Feb 19 22:50:46 CST 2019] Checking blackice.me for _acme-challenge.blackice.me
[Tue Feb 19 22:50:49 CST 2019] Domain blackice.me '_acme-challenge.blackice.me' success.
[Tue Feb 19 22:50:49 CST 2019] Checking blackice.me for _acme-challenge.blackice.me
[Tue Feb 19 22:50:51 CST 2019] Domain blackice.me '_acme-challenge.blackice.me' success.
[Tue Feb 19 22:50:51 CST 2019] All success, let's return
[Tue Feb 19 22:50:51 CST 2019] Verifying: *.blackice.me
[Tue Feb 19 22:50:55 CST 2019] Success
[Tue Feb 19 22:50:55 CST 2019] Verifying: blackice.me
[Tue Feb 19 22:50:58 CST 2019] Success
[Tue Feb 19 22:50:58 CST 2019] Removing DNS records.
[Tue Feb 19 22:51:05 CST 2019] Verify finished, start to sign.
[Tue Feb 19 22:53:35 CST 2019] Cert success.
-----BEGIN CERTIFICATE-----
#這里會(huì)顯示證書文本#
-----END CERTIFICATE-----
[Tue Feb 19 22:53:35 CST 2019] Your cert is in  /root/.acme.sh/*.blackice.me/*.blackice.me.cer 
[Tue Feb 19 22:53:35 CST 2019] Your cert key is in  /root/.acme.sh/*.blackice.me/*.blackice.me.key 
[Tue Feb 19 22:53:35 CST 2019] The intermediate CA cert is in  /root/.acme.sh/*.blackice.me/ca.cer 
[Tue Feb 19 22:53:35 CST 2019] And the full chain certs is there:  /root/.acme.sh/*.blackice.me/fullchain.cer 

補(bǔ)充：

如果無法自動(dòng)創(chuàng)建DNS，則可以使用手工創(chuàng)建的方式

1定硝、運(yùn)行命令皿桑，生成記錄值

acme.sh --issue -d *.xxx.com -d xxx.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

下面的示例中 Txt Value部分就是記錄值，這里申請(qǐng)了幾個(gè)域名蔬啡，就要添加幾個(gè)記錄值诲侮。

[root@GitServer home]# acme.sh --issue -d *.xxx.com -d xxx.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Mon May 27 06:01:46 CST 2019] Multi domain='DNS:*.xxx.com,xxx.com'
[Mon May 27 06:01:46 CST 2019] Getting domain auth token for each domain
[Mon May 27 06:01:54 CST 2019] Getting webroot for domain='*.xxx.com'
[Mon May 27 06:01:54 CST 2019] Getting webroot for domain='xxx.com'
[Mon May 27 06:01:54 CST 2019] Add the following TXT record:
[Mon May 27 06:01:54 CST 2019] Domain: '_acme-challenge.xxx.com'
[Mon May 27 06:01:54 CST 2019] TXT value: '4BMosUI7G-3TgWLLwrIbh4ykOA8oe9m77bXl_CiRevo'
[Mon May 27 06:01:54 CST 2019] Please be aware that you prepend _acme-challenge. before your domain
[Mon May 27 06:01:54 CST 2019] so the resulting subdomain will be: _acme-challenge.xxx.com
[Mon May 27 06:01:55 CST 2019] Add the following TXT record:
[Mon May 27 06:01:55 CST 2019] Domain: '_acme-challenge.xxx.com'
[Mon May 27 06:01:55 CST 2019] TXT value: 'YZjDJKNgRCYnO8wl7gkGjUk8o-iosMWrVRFCmW2gtNI'
[Mon May 27 06:01:55 CST 2019] Please be aware that you prepend _acme-challenge. before your domain
[Mon May 27 06:01:55 CST 2019] so the resulting subdomain will be: _acme-challenge.xxx.com
[Mon May 27 06:01:55 CST 2019] Please add the TXT records to the domains, and re-run with --renew.
[Mon May 27 06:01:55 CST 2019] Please check log file for more details: /root/.acme.sh/acme.sh.log

2、到控制臺(tái)創(chuàng)建TXT解析記錄

3箱蟆、重新運(yùn)行命令獲取證書

acme.sh --renew -d *.xxx.com -d xxx.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

驗(yàn)證通過后頒發(fā)證書

[root@GitServer home]# acme.sh --renew -d *.xxx.com -d xxx.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Mon May 27 06:08:58 CST 2019] Renew: '*.xxx.com'
[Mon May 27 06:08:59 CST 2019] Multi domain='DNS:*.xxx.com,DNS:xxx.com'
[Mon May 27 06:08:59 CST 2019] Getting domain auth token for each domain
[Mon May 27 06:08:59 CST 2019] *.xxx.com is already verified, skip dns-01.
[Mon May 27 06:08:59 CST 2019] Verifying: xxx.com
[Mon May 27 06:09:06 CST 2019] Success
[Mon May 27 06:09:06 CST 2019] Verify finished, start to sign.
[Mon May 27 06:09:06 CST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/23423234432/234234
[Mon May 27 06:09:11 CST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/2342341234214
[Mon May 27 06:09:15 CST 2019] Cert success.
-----BEGIN CERTIFICATE-----
...證書內(nèi)容
-----END CERTIFICATE-----
[Mon May 27 06:09:15 CST 2019] Your cert is in  /root/.acme.sh/*.xxx.com/*.xxx.com.cer 
[Mon May 27 06:09:15 CST 2019] Your cert key is in  /root/.acme.sh/*.xxx.com/*.xxx.com.key 
[Mon May 27 06:09:15 CST 2019] The intermediate CA cert is in  /root/.acme.sh/*.xxx.com/ca.cer 
[Mon May 27 06:09:15 CST 2019] And the full chain certs is there:  /root/.acme.sh/*.xxx.com/fullchain.cer 

補(bǔ)充：IIS或Azure需要pfx格式的證書沟绪，在Linux運(yùn)行下列命令，輸入兩次密碼即可將crt和key合并為pfx.

openssl pkcs12 -export -out xxx.com.pfx -inkey xxx.com.key -in xxx.com.crt