Original link: https://www.blueskyxn.com/202208/6364.html
Foreword
Both acme.sh and Certbot are tools commonly used to request SSL certificates automatically; of course, they can also be used to request them manually.
I personally need to deploy manually more often, so this article again uses a manual request for a ZeroSSL certificate as the example, using acme.sh of course.
Generally speaking, it runs best in a Linux environment, and the procedure is simple and quick.
Its official site is https://github.com/acmesh-official/acme.sh
ACME Support
acme.sh supports many of the common certificate authorities,
including but not limited to Let’s Encrypt (LE), ZeroSSL, Buypass (BP), Google, etc.
Originally I was going to use it to test Google SSL, but after two days I still haven’t been granted access. Friends in the group said Google may be about to close the private beta.
You can refer to these documents:
https://github.com/acmesh-official/acme.sh/wiki/BuyPass.com-CA
https://github.com/acmesh-official/acme.sh/wiki/Change-default-CA-to-ZeroSSL
https://github.com/acmesh-official/acme.sh/wiki/CA
CA | MaxLifetime (days) | ECC | Domain Count | Wildcard | IPv4 | IPv6 | NotAfter |
---|---|---|---|---|---|---|---|
Let’s Encrypt | 90 | Yes | 100 | Yes | No | No | No |
ZeroSSL | 90 | Yes | 100 | Yes | No | No | Yes |
(CA name missing in source) | 90 | Yes | 100 | Yes | No | No | Yes |
Buypass | 180 | Yes | 5 | Paid | No | No | No |
SSL.com | 90 | Yes | 2 | Paid | No | No | No |
HiCA | 180 | Paid | 10 (1 if Wildcard) | Yes | Yes | Yes | No |
ZeroSSL certificate
The official website of ZeroSSL is https://zerossl.com/
The website itself also offers some services, but it is not very friendly to free users (most features are not available to them).
The main features, however, are free via ACME (whereas the website’s browser-based flow charges for them, a real IQ tax); see https://zerossl.com/features/acme/
Note that ZeroSSL’s own SSL business is not especially long-established.
Via ACME you can obtain the same free, multi-domain, multi-wildcard SSL certificates as above.
Another advantage is that no extra sign-up is needed: you just supply an e-mail address, and the certificate’s country field defaults to AT (whereas if you obtain one of its certificates through Tencent Cloud, 51SSL and the like, real-name verification is required).
The OCSP responder is http://zerossl.ocsp.sectigo.com, served from Cloudflare anycast with two IPs. That is entirely ordinary, and it is equally normal for Cloudflare to misbehave from mainland China.
Install
Compared with generating a certificate in the browser, requesting one with a script has a slightly higher barrier to entry.
curl https://get.acme.sh | sh
This installs acme.sh automatically (it runs a script fetched straight from the network, so you may prefer to download and read it first).
The default directory is /root/.acme.sh/
cd /root/.acme.sh/
The installation is then complete.
If you want to use ZeroSSL, it is best to set it as the default CA and register an account first, to avoid the error shown in the figure.
The commands are (replace you@example.com with your own e-mail address):
acme.sh --set-default-ca --server zerossl
acme.sh --register-account -m you@example.com
Apply manually
There are many guides online for the automatic methods (automatic renewal, DNS API requests), but the manual method is not explained very clearly, so it is best to read the official documentation.
https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode
As in the command below, list the domain names you need one after another. The first one becomes the main domain by default (a folder with that name is created). Remember to replace the domains with your own.
acme.sh --issue -d 'google.com' -d '*.google.com' -d 'baidu.com' -d '*.baidu.com' --dns \
  --yes-I-know-dns-manual-mode-enough-go-ahead-please
Of course, dropping the quotation marks also works (the shell leaves *.google.com as-is as long as no file in the current directory matches that pattern):
acme.sh --issue -d google.com -d *.google.com -d baidu.com -d *.baidu.com --dns \
  --yes-I-know-dns-manual-mode-enough-go-ahead-please
Generally speaking, leaving off the trailing --yes-I-know-dns-manual-mode-enough-go-ahead-please flag is fine too:
acme.sh --issue -d google.com -d *.google.com -d baidu.com -d *.baidu.com --dns
If that gives a bug or error, you can also try adding dns-01 after --dns:
acme.sh --issue -d google.com -d *.google.com -d baidu.com -d *.baidu.com --dns dns-01
After running any of the commands above, you will see the following.
Here acme.sh lists the domain names to be validated and the TXT values to publish. A TXT record must be created for each domain entry.
Huawei Cloud, for example, looks like this. Remember that the name must answer with both TXT values at once (when there are two, as for a domain plus its wildcard), not just one of them.
If you configure multiple CNAMEs with different values (for example, I forgot to delete the previous one), you get what the figure shows,
and then it fails, so be sure to check for problems such as conflicting or overriding records, otherwise you will waste a lot of time.
Next you will see acme.sh telling you to use --renew. Don’t just run it as printed, or you get this:
The correct command is
acme.sh --renew -d 'google.com' -d '*.google.com' -d 'baidu.com' -d '*.baidu.com' \
  --yes-I-know-dns-manual-mode-enough-go-ahead-please
Of course, it can also be shortened as above, e.g.
acme.sh --renew -d google.com -d *.google.com -d baidu.com -d *.baidu.com
(if that reports an error, add the flag)
acme.sh --renew -d google.com -d *.google.com -d baidu.com -d *.baidu.com \
  --yes-I-know-dns-manual-mode-enough-go-ahead-please
The normal output then looks like this.
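The two failure modes above (only one of the two TXT values published, or a stale record from an earlier run still present) are what waste the time. Before running --renew, you can check the DNS yourself. The script below is an added example, not from the original post and not part of acme.sh: it parses the "Domain:" / "TXT value:" lines out of the saved --issue output (the assumption is that acme.sh prints the records in exactly that two-line form), looks up each name with dig, and reports any value that is missing and any extra value that was not requested. The sample log and its values are constructed.

```shell
#!/bin/sh
# Added example (not from the original post and not part of acme.sh):
# before running `acme.sh --renew` in dns manual mode, confirm that every TXT
# record acme.sh asked for is actually published and that no stale value from
# an earlier run is still there (the "conflict" failure the post describes).
#
# ASSUMPTION: acme.sh prints the records to add as pairs of lines of the form
#   [date] Domain: '_acme-challenge.example.com'
#   [date] TXT value: 'xxxxxxxx'

# Turn the saved --issue output (stdin) into "<name> <value>" lines.
parse_acme_txt() {
  awk -F"'" '
    /Domain: /    { name = $2 }
    /TXT value: / { print name, $2 }
  '
}

# Live lookup of the TXT values currently published for one name, one value
# per line with the surrounding quotes removed. Redefine this function to run
# the check against canned data (the demo at the bottom does that).
lookup_txt() {
  dig +short TXT "$1" | sed 's/^"//; s/"$//'
}

# verify_txt EXPECTED: EXPECTED is the output of parse_acme_txt. For each name
# it reports values that are missing and values that are published but were
# not requested (leftovers that make the validation fail). A domain and its
# wildcard share one name, so that name must carry both values at once.
# Returns 0 only when every name is exactly right.
verify_txt() {
  expected=$1
  rc=0
  for name in $(printf '%s\n' "$expected" | awk '{ print $1 }' | sort -u); do
    want=$(printf '%s\n' "$expected" | awk -v n="$name" '$1 == n { print $2 }')
    have=$(lookup_txt "$name")
    bad=0
    for v in $want; do
      printf '%s\n' "$have" | grep -qxF -- "$v" || { echo "MISSING $name $v"; bad=1; }
    done
    for v in $have; do
      printf '%s\n' "$want" | grep -qxF -- "$v" || { echo "STALE   $name $v"; bad=1; }
    done
    if [ "$bad" -eq 0 ]; then
      echo "OK      $name"
    else
      rc=1
    fi
  done
  return $rc
}

# Constructed sample of the relevant --issue lines (values are made up):
# a domain plus its wildcard, i.e. two values under the same name.
sample_issue_log() {
  cat <<'EOF'
[Thu Aug 18 10:00:00 CST 2022] Add the following TXT record:
[Thu Aug 18 10:00:00 CST 2022] Domain: '_acme-challenge.example.com'
[Thu Aug 18 10:00:00 CST 2022] TXT value: 'AAAAconstructedValueForExampleCom1'
[Thu Aug 18 10:00:00 CST 2022] Add the following TXT record:
[Thu Aug 18 10:00:00 CST 2022] Domain: '_acme-challenge.example.com'
[Thu Aug 18 10:00:00 CST 2022] TXT value: 'BBBBconstructedValueForWildcard2'
EOF
}

# Usage: acme.sh --issue ... --dns ... 2>&1 | tee issue.log
#        sh check_txt.sh issue.log && acme.sh --renew -d ... \
#            --yes-I-know-dns-manual-mode-enough-go-ahead-please
if [ -n "${1:-}" ]; then
  verify_txt "$(parse_acme_txt < "$1")"
else
  # No log given: demo on the constructed sample with a canned lookup that has
  # one value missing and one stale leftover, so both reports are shown.
  lookup_txt() { printf '%s\n' AAAAconstructedValueForExampleCom1 OLDVALUEfromEarlierRun; }
  verify_txt "$(sample_issue_log | parse_acme_txt)" || echo "-> not ready, exit status $?"
fi
```

Run it with the saved --issue output as the argument; it exits non-zero until every _acme-challenge name carries exactly the requested values. dig answers from your local resolver, so a value that was just changed may need a minute to show up.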
Then find what you need in the local files.
By default they are in the folder named after the main domain.
Concatenating the first file (the domain’s .cer) with the fourth file listed gives the PEM that SSL servers require; fullchain.cer already contains the leaf certificate followed by the CA chain, so either can be used.
The key is, naturally, the fifth file, the .key.
Then drop them into your server and use them.
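Before copying the files into a server, it is worth checking that fullchain.cer really is the .cer plus ca.cer, that the key belongs to the certificate, and what names and expiry the CA actually issued. The script below is an added example, not from the original post and not part of acme.sh; it assumes the default file layout in ~/.acme.sh/<domain>/ (the .cer, ca.cer, fullchain.cer and .key files; ECC certificates live in <domain>_ecc instead) and uses openssl only for the key check. The test files it is demonstrated with are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the original post and not part of acme.sh): sanity
# checks on the files acme.sh leaves in the main domain's folder before they
# are deployed. Assumed layout (acme.sh default, as the post describes it):
#   ~/.acme.sh/<domain>/<domain>.cer   leaf certificate
#   ~/.acme.sh/<domain>/ca.cer         issuing chain
#   ~/.acme.sh/<domain>/fullchain.cer  leaf + chain (what most servers want)
#   ~/.acme.sh/<domain>/<domain>.key   private key
# ECC certificates are kept in <domain>_ecc instead.

# Print only the non-blank lines of a file so blank-line differences between
# the concatenation and fullchain.cer do not matter.
pem_lines() {
  grep -v '^[[:space:]]*$' "$1"
}

# check_chain_files DIR DOMAIN: all four files exist and are non-empty, and
# fullchain.cer is exactly DOMAIN.cer followed by ca.cer, i.e. the "cer + CA"
# PEM the post says servers need. No external tools required.
check_chain_files() {
  dir=$1; domain=$2
  for f in "$dir/$domain.cer" "$dir/ca.cer" "$dir/fullchain.cer" "$dir/$domain.key"; do
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
  done
  joined=$(pem_lines "$dir/$domain.cer"; pem_lines "$dir/ca.cer")
  full=$(pem_lines "$dir/fullchain.cer")
  if [ "$joined" != "$full" ]; then
    echo "fullchain.cer is not $domain.cer + ca.cer" >&2
    return 1
  fi
  echo "fullchain.cer = $domain.cer + ca.cer"
}

# check_key_matches DIR DOMAIN: the private key's public half must equal the
# certificate's, otherwise the server refuses to start or clients fail the
# handshake. Needs openssl; `openssl pkey` handles RSA and EC keys alike.
check_key_matches() {
  dir=$1; domain=$2
  cert_pub=$(openssl x509 -in "$dir/$domain.cer" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$dir/$domain.key" -pubout) || return 1
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "$domain.key does not match $domain.cer" >&2
    return 1
  fi
  echo "$domain.key matches $domain.cer"
  # Show what was actually issued: subject, expiry and the SAN list.
  openssl x509 -in "$dir/$domain.cer" -noout -subject -enddate
  openssl x509 -in "$dir/$domain.cer" -noout -text | grep -A1 'Subject Alternative Name'
}

# Usage: sh check_bundle.sh example.com [/root/.acme.sh/example.com]
if [ -n "${1:-}" ]; then
  domain=$1
  dir=${2:-"${HOME:-/root}/.acme.sh/$domain"}
  check_chain_files "$dir" "$domain" && check_key_matches "$dir" "$domain"
fi
```

The public-key comparison is the one check that catches a key file from a different run (for example an RSA key left next to a newer ECC certificate), which a plain file listing will not reveal.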