SSL certificate tutorial series (hands-on): use the acme.sh tool to order a Google SSL certificate for free, with multi-domain wildcard support

Original link: https://www.blueskyxn.com/202208/6374.html


Foreword

A full introduction to acme.sh was given in the previous tutorial, so the overlapping parts are not repeated here.

Note that "wildcard domain" and "wildcard certificate" refer to the same thing in this article; I am used to calling them wildcards, meaning pattern matching of subdomains.

Google SSL certificate

Google certificates have a few distinguishing points. First, prestige: it is a big vendor, after all. Second, its OCSP servers have an advantage. Beyond that, the functionality is basically the same as ZeroSSL.

Google's OCSP address is http://ocsp.pki.goog/s/gts1p5/lnDlces6w2o. From testing, it resolves to 5 Google IPs in Shanghai for mainland China, and to Google's global CDN for overseas regions. Judging by how robust 8888 is, this should be very solid as well.

To use a Google certificate, you only need to provide an email address and use your Google account to obtain a Google key (the EAB credentials). There is no fee, no real-name verification, and no private information is required.

It should also support multi-domain wildcards, but the actual behaviour prevails, because I have not tested this part.

Preparation

At present, Google SSL is still in a private beta stage, and you need to fill in a form to obtain access. If you have used Rclone (or derivatives such as gclone), you will already have created a Google Cloud project.

Note that this has nothing to do with Google's cloud computing service and does not require credit card verification or anything similar. Of course, if you cannot figure this out, you can consider other methods or other products, or refer to the rclone (or autorclone, gclone and fclone) tutorials for registration.

First, you need to manually enable 2 Google APIs. Ordinary Google accounts are supported, as well as Google business and enterprise accounts.

They are the Public Certificate Authority API and the Certificate Authority Service API. The authuser parameter at the end of the links below is convenient when you are logged in with multiple accounts.

The reference links are https://console.cloud.google.com/marketplace/product/google/publicca.googleapis.com?q=search&referrer=search&authuser=1

and https://console.cloud.google.com/marketplace/product/google/privateca.googleapis.com?q=search&referrer=search&authuser=1


Then you need to go here and fill out the form: https://docs.google.com/forms/d/e/1FAIpQLSd8zUIww_ztyT9a56OPq9NXISiyw6Y9g8S7LBtRQjxPhsHz5A/viewform

I filled it out on Wednesday night and could only use it on Friday night. Others applied on Friday morning and could use it that evening. It cannot be ruled out that applications are processed in a batch when staff start work on Friday. In principle, you need to wait for the email notification, but it can be used before the email arrives.

If you have not filled out the form, it will appear as shown:

 ERROR: (gcloud.beta.publicca.external-account-keys.create) PERMISSION_DENIED: Permission 'publicca.externalAccountKeys.create' denied on resource '//publicca.googleapis.com/projects/quantum-age-332306/locations/global' (or it may not exist).
 - '@type': type.googleapis.com/google.rpc.ErrorInfo
   domain: publicca.googleapis.com
   metadata:
     permission: publicca.externalAccountKeys.create
     resource: projects/quantum-age-332306/locations/global
   reason: IAM_PERMISSION_DENIED

Get Google Key

Search for Cloud Shell directly on the API page above.

After authorizing and connecting, switch to the terminal in the upper right corner.

Of course, there is also a shortcut Shell entry in the upper right corner, next to the avatar and a little to the left, which opens a small window at the bottom. Both can be used; I use the shortcut version.

Then run the configuration command:

 gcloud services enable publicca.googleapis.com

Then generate the key. Note that the key may only be used once, and you may have to get a new one if you change devices:

 gcloud beta publicca external-account-keys create

The output has the following format (values masked):

 b64MacKey: _-5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXyw4gDlRUIlFF7w
 keyId: 924559XXXXXXXXXXXXXXXc19

Do not get the two mixed up: keyId goes with --eab-kid and b64MacKey goes with --eab-hmac-key.

ACME configuration and usage

Configure:

 acme.sh --register-account -m [email] --server google \
   --eab-kid [keyId you obtained] \
   --eab-hmac-key [b64MacKey you obtained]
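To show what acme.sh does with those two values, here is an added example (not from the original post or from acme.sh) in Python: it parses the gcloud output and builds the externalAccountBinding JWS that goes inside the ACME newAccount request (RFC 8555 section 7.3.4), then checks it the way the CA would. The credentials, the account key and the newAccount URL in it are constructed placeholders, not real values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample of the `gcloud beta publicca external-account-keys create`
# output. The values are made up for this example and are not real credentials.
GCLOUD_OUTPUT = """\
b64MacKey: AbCdEfGhIjKlMnOpQrStUvWxYz0123456789-_AbCdEf
keyId: keyid-constructed-000001
"""
# Constructed ACME account public key (JWK); x/y are placeholders, not a real key.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "xCONSTRUCTEDx", "y": "yCONSTRUCTEDy"}
# Placeholder newAccount URL (assumption; acme.sh takes the real one from the CA directory).
NEW_ACCOUNT_URL = "https://example-ca.invalid/acme/new-account"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def parse_gcloud_eab(text: str) -> dict:
    """Pull keyId and b64MacKey out of the two-line gcloud output."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    if not set(fields) >= {"b64MacKey", "keyId"}:
        raise ValueError("gcloud output must contain b64MacKey and keyId")
    return fields

def build_eab(key_id: str, b64_mac_key: str, account_jwk: dict, url: str) -> dict:
    """externalAccountBinding JWS: the header carries the kid, the payload is the
    ACME account public key, and the MAC uses the base64url-decoded hmac key."""
    header = {"alg": "HS256", "kid": key_id, "url": url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    mac = hmac.new(b64url_decode(b64_mac_key), f"{protected}.{payload}".encode(), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}

def verify_eab(eab: dict, b64_mac_key: str) -> bool:
    """CA-side check: recompute the MAC with the key it issued for that kid."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode()
    expected = hmac.new(b64url_decode(b64_mac_key), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))
```

Because the MAC covers the account public key, the binding only works for the account key that acme.sh registers with it, which is why a used key pair cannot simply be reused on another device, and why swapping keyId and b64MacKey produces a binding the CA rejects.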

If you want to set it as the default CA:

 acme.sh --set-default-ca --server google

It does not matter if it is not set as the default CA; just add --server google to each command.

Initiate an issuance request (omitting dns01 will report an error):

 acme.sh --issue -d google.com -d '*.google.com' --server google --dns dns-01

Then, as in the previous tutorial, set the TXT record.

Then verify:

 acme.sh --renew -d google.com -d '*.google.com' \
   --yes-I-know-dns-manual-mode-enough-go-ahead-please

Then it is done. The certificate files are found in the usual directory as before, and the file format is the same as ZeroSSL.


This article is reprinted from: https://www.blueskyxn.com/202208/6374.html
This site is for inclusion only, and the copyright belongs to the original author.
