Original link: https://www.blueskyxn.com/202208/6374.html
Foreword
A general introduction to acme.sh was given in the previous tutorial; the parts that would be repeated are not described again here.
Note that "wildcard" and "pan-domain" (泛域名) mean the same thing in this article; I am used to calling them wildcards, i.e. a name such as *.example.com that matches any subdomain.
Google SSL certificate
Google certificates have two attractions: first, the brand, since they come from a big vendor, and second, the OCSP servers are well placed. Functionally the service is basically the same as ZeroSSL.
Google's OCSP address is http://ocsp.pki.goog/s/gts1p5/lnDlces6w2o. In my tests it is served from 5 Shanghai Google IPs inside mainland China, and overseas it is served by Google's global CDN. Given how well 8.8.8.8 holds up, it should be quite robust.
To use a Google certificate you only need an email address plus an EAB (External Account Binding) key obtained through your Google account. There is no fee, no real-name verification, and no private information is required.
It should also support multi-domain wildcard certificates, but take the actual behaviour as authoritative, because I have not tested that.
Preparation
At present, Google's public CA is still in beta, and you need to fill in a form to get access. If you have used Rclone (or derivatives such as gclone), you have already created a Google Cloud project.
Note that this has nothing to do with Google's paid cloud computing services and requires no credit card verification. If you cannot work this out, consider other methods or other products, or refer to the rclone (or autorclone, gclone and fclone) tutorials for how to register a project.
First, you need to manually enable 2 Google APIs; this works with ordinary Google accounts as well as Google Workspace business and enterprise accounts.
The two are the Public Certificate Authority API and the Certificate Authority Service API. Strictly speaking only the first one (publicca.googleapis.com, the one the gcloud command below enables) is needed for EAB keys; the Certificate Authority Service API belongs to Google's private CA product. The authuser=1 at the end of the link below selects which of your signed-in Google accounts is used, which is convenient if you are logged in with several.
The reference link is https://console.cloud.google.com/marketplace/product/google/publicca.googleapis.com?q=search&referrer=search&authuser=1
Then you need to go here and fill out the form https://docs.google.com/forms/d/e/1FAIpQLSd8zUIww_ztyT9a56OPq9NXISiyw6Y9g8S7LBtRQjxPhsHz5A/viewform
I filled the form in on Wednesday night and could only use it on Friday night; others applied on Friday morning and could use it that same evening. It is possible that requests are processed in a batch when staff start work on Friday. In principle you should wait for the email notification, but the key can be created before the email arrives.
If you have not filled out the form, the key creation command fails with an error like the following:
ERROR: (gcloud.beta.publicca.external-account-keys.create) PERMISSION_DENIED: Permission 'publicca.externalAccountKeys.create' denied on resource '//publicca.googleapis.com/projects/quantum-age-332306/locations/global' (or it may not exist). - '@type': type.googleapis.com/google.rpc.ErrorInfo domain: publicca.googleapis.com metadata: permission: publicca.externalAccountKeys.create resource: projects/quantum-age-332306/locations/global reason: IAM_PERMISSION_DENIED
Get Google Key
On the API page above, search for Cloud Shell directly.
After authorizing and connecting, switch to the terminal in the upper right corner.
Alternatively, there is a Cloud Shell shortcut icon in the upper right, just to the left of your avatar, which opens a small terminal panel at the bottom of the page. Either works; I use the shortcut version.
Then run the configuration command:
gcloud services enable publicca.googleapis.com
Then generate the key. Note that the key is single-use: it is consumed when it is used to register an ACME account, so if you set up acme.sh on another device you have to create a new one.
gcloud beta publicca external-account-keys create
The output has the following format:
b64MacKey: _-5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXyw4gDlRUIlFF7w
keyId: 924559XXXXXXXXXXXXXXXc19
Do not mix the two up: keyId goes to --eab-kid and b64MacKey goes to --eab-hmac-key.
acme.sh configuration and usage
Configure
acme.sh --register-account -m [email] --server google \
    --eab-kid [the keyId you obtained] \
    --eab-hmac-key [the b64MacKey you obtained]
If you want to set the default CA
acme.sh --set-default-ca --server google
If you do not set it as the default CA, just add --server google to each command.
Initiate an issuance request in manual DNS mode (a wildcard can only be validated with the DNS-01 challenge, so HTTP validation would fail; the wildcard is quoted so the shell cannot glob-expand it):
acme.sh --issue -d google.com -d '*.google.com' --server google --dns
Then, as in the old tutorial, set the TXT record(s) that acme.sh prints.
Then validate:
acme.sh --renew -d google.com -d '*.google.com' \
    --yes-I-know-dns-manual-mode-enough-go-ahead-please
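The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that takes the text printed by gcloud, pulls out keyId and b64MacKey, sanity-checks them, and builds the acme.sh register/issue/renew commands with the two EAB values in the right options. The gcloud output, the email address and the domain are constructed placeholders; the script only prints the commands (dry run) and never contacts Google.

```shell
#!/bin/sh
# Added example, not from the original article or from acme.sh/gcloud.
# Parses the output of "gcloud beta publicca external-account-keys create"
# and builds the acme.sh commands for the Google CA.  Dry run only.
set -eu

# Constructed sample of gcloud's output (values are made up, not a real key).
SAMPLE_GCLOUD_OUTPUT='b64MacKey: _-5AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMnOpQ
keyId: 9245591234567890abcdefc19'

# eab_field NAME TEXT: print the value of the "NAME: value" line in TEXT.
eab_field() {
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# eab_is_valid KEYID MACKEY: both present, and the MAC key uses only the
# base64url alphabet (the sample on the page contains '_' and '-', no '+' or '/').
eab_is_valid() {
    kid=$1
    mac=$2
    [ -n "$kid" ] && [ -n "$mac" ] || return 1
    case "$mac" in
        *[!A-Za-z0-9_=-]*) return 1 ;;
    esac
    return 0
}

# build_register_cmd EMAIL KEYID MACKEY: keyId -> --eab-kid, b64MacKey -> --eab-hmac-key.
build_register_cmd() {
    printf 'acme.sh --register-account -m %s --server google --eab-kid %s --eab-hmac-key %s' \
        "$1" "$2" "$3"
}

# build_issue_cmd DOMAIN: manual DNS mode; the wildcard is single-quoted so the
# shell that later runs the command cannot glob-expand it.
build_issue_cmd() {
    printf "acme.sh --issue -d %s -d '*.%s' --server google --dns" "$1" "$1"
}

# build_renew_cmd DOMAIN: the second step, run after the TXT records are in place.
build_renew_cmd() {
    printf "acme.sh --renew -d %s -d '*.%s' --yes-I-know-dns-manual-mode-enough-go-ahead-please" \
        "$1" "$1"
}

# Dry run against the constructed sample: print the three commands in order.
KID=$(eab_field keyId "$SAMPLE_GCLOUD_OUTPUT")
MAC=$(eab_field b64MacKey "$SAMPLE_GCLOUD_OUTPUT")
if eab_is_valid "$KID" "$MAC"; then
    build_register_cmd admin@example.com "$KID" "$MAC"; echo
    build_issue_cmd example.com; echo
    build_renew_cmd example.com; echo
else
    echo "gcloud output did not contain a usable keyId/b64MacKey pair" >&2
fi
```

To use it for real, replace SAMPLE_GCLOUD_OUTPUT with the text gcloud actually printed (for example by piping the gcloud command into the script) and run the printed commands in order; because the EAB key is single-use, run the register step exactly once per machine.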
Then it's done. The certificate files are found in the same directory as before, and the file layout is the same as with ZeroSSL.
This article is reprinted from: https://www.blueskyxn.com/202208/6374.html
This site is for inclusion only, and the copyright belongs to the original author.