SSL certificate series tutorials (practical): use the acme.sh tool to order a Google SSL certificate for free, with multi-domain wildcard support

Original link:



acme.sh was introduced in detail in the previous tutorial, so the parts that would be repeated are not described again here.

Note that the two names I use for wildcard certificates ("wildcard" and "pan-domain") mean the same thing; I am used to calling them wildcards, meaning one certificate that matches all subdomains.

Google SSL certificate

Google certificates have a few characteristics: first, they carry more prestige, since Google is a big vendor; second, the OCSP server is an advantage; beyond that, the functionality is basically the same as ZeroSSL's.

Google's OCSP address: after testing, it resolves to 5 Shanghai Google IPs in mainland China, and to Google's global CDN overseas. Considering the strength of the infrastructure behind 8.8.8.8, it should perform very well.

To use a Google certificate, you only need to provide an email address and use your Google account to obtain a Google key. There is no fee, no real-name verification, and no private information is required.

It should also support multi-domain wildcard certificates, but I have not tested that myself, so the actual behaviour takes precedence over what I say here.


At present, Google SSL is still in a closed beta, and you need to fill in a form to qualify. If you have used Rclone (or derivatives such as gclone), you will already have created a Google Cloud project.

Note that this has nothing to do with Google's paid cloud computing services and does not require credit card verification or anything similar. If you cannot work this out, consider other methods or other products, or follow the rclone (or autorclone, gclone and fclone) tutorials to register a project.

First, you need to manually enable 2 Google APIs. This works with ordinary Google accounts as well as Google business and enterprise accounts.

The two APIs are the Public Certificate Authority API and the Certificate Authority Service API; the last one is convenient if you are logged in with multiple accounts.

The reference link is




Then you need to go here and fill out the form


I filled it out on Wednesday night and could only use it on Friday night; others applied on Friday morning and could use it that same evening. It may be that applications are processed in a batch when staff return to work on Friday. In principle you should wait for the email notification, but the key can be used before the email arrives.

If you have not filled out the form, you will see an error like the following:


 ERROR: (gcloud.beta.publicca.external-account-keys.create) PERMISSION_DENIED: Permission 'publicca.externalAccountKeys.create' denied on resource '//' (or it may not exist). - '@type': domain: metadata: permission: publicca.externalAccountKeys.create resource: projects/quantum-age-332306/locations/global reason: IAM_PERMISSION_DENIED

Get the Google key

Search for Cloud Shell directly on the API page above.




After authorizing and connecting, switch to the terminal in the upper right corner.



There is also a shortcut Shell entry in the upper right corner, next to the avatar and slightly to the left, which opens a small panel at the bottom. Either works; I use the shortcut version.


Then enable the API from the command line (the service name is publicca.googleapis.com):

 gcloud services enable publicca.googleapis.com

Then generate the key. Note that the key can only be used once; if you switch devices you may need to request a new one.

 gcloud beta publicca external-account-keys create

The output then contains the two values you need: a keyId and a b64MacKey.

Don't get them the wrong way round: the keyId goes to --eab-kid and the b64MacKey goes to --eab-hmac-key.

acme.sh configuration and usage

Register the account (replace the bracketed placeholders with your own values):

 acme.sh --register-account -m [email] --server google --eab-kid [keyId you obtained] --eab-hmac-key [b64MacKey you obtained]


If you want to set Google as the default CA:

 acme.sh --set-default-ca --server google

It doesn't matter if you don't set it as the default CA; just add --server google to each command.

Initiate the issuance request in manual DNS mode (--dns with no provider name). Wildcards require the DNS-01 challenge; without it the request errors out. This first run prints the TXT records to add and then stops with an error, which is expected. [domain] stands for the domain, which was omitted in the original:

 acme.sh --issue -d [domain] -d '*.[domain]' --server google --dns


Then, as in the old tutorial, add the TXT record(s) at your DNS provider.

Then verify:

 acme.sh --renew -d [domain] -d '*.[domain]' --yes-I-know-dns-manual-mode-enough-go-ahead-please

Then it's done. The certificate files are found in the usual acme.sh directory, as before, and the file layout is the same as with ZeroSSL.
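The whole procedure above (fetch the key in Cloud Shell, register the account with the two EAB values, issue for the apex plus wildcard in manual DNS-01 mode, then renew once the TXT records are published) as an added POSIX shell example. It is not part of the original post, of acme.sh or of gcloud. It assumes the key is fetched with gcloud's --format=json output option, which returns the keyId and b64MacKey fields the post refers to; the JSON, the email address and the domain below are constructed samples. The functions only assemble and print the commands (a dry run), check that both EAB values are present and that the HMAC key is base64, and single-quote the wildcard so the shell cannot expand it:

```shell
#!/bin/sh
# Added example (not from the original post): turn the output of
#   gcloud beta publicca external-account-keys create --format=json
# into the acme.sh commands used in the tutorial, without running anything.

# Constructed sample of the gcloud JSON output; these are not real key values.
SAMPLE_JSON='{
  "b64MacKey": "dGhpcy1pcy1hLWNvbnN0cnVjdGVkLXNhbXBsZS1tYWMta2V5",
  "keyId": "constructedKeyId001",
  "name": "projects/[PROJECT_ID]/locations/global/externalAccountKeys/constructedKeyId001"
}'

# json_field JSON NAME: value of a top-level string field (sed only, no jq needed).
json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# is_base64 VALUE: succeeds if VALUE uses only base64 (standard or URL-safe) characters.
is_base64() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/_-]+=*$'
}

# eab_register_cmd JSON EMAIL: acme.sh registration command with the two EAB
# values mapped the right way round (keyId -> --eab-kid, b64MacKey -> --eab-hmac-key).
eab_register_cmd() {
  kid=$(json_field "$1" keyId)
  mac=$(json_field "$1" b64MacKey)
  if [ -z "$kid" ] || [ -z "$mac" ]; then
    echo "gcloud output is missing keyId or b64MacKey" >&2
    return 1
  fi
  if ! is_base64 "$mac"; then
    echo "b64MacKey does not look like base64; check that the two values are not swapped" >&2
    return 1
  fi
  printf 'acme.sh --register-account -m %s --server google --eab-kid %s --eab-hmac-key %s\n' \
    "$2" "$kid" "$mac"
}

# issue_cmd DOMAIN: first issuance for apex + wildcard in manual DNS-01 mode
# (--dns with no provider). The wildcard is single-quoted so the shell does not
# glob it. This run prints the TXT records to add and then stops.
issue_cmd() {
  printf "acme.sh --issue -d %s -d '*.%s' --server google --dns\n" "$1" "$1"
}

# renew_cmd DOMAIN: second run, after the TXT records are published.
renew_cmd() {
  printf "acme.sh --renew -d %s -d '*.%s' --yes-I-know-dns-manual-mode-enough-go-ahead-please\n" "$1" "$1"
}

# Dry run against the constructed sample: review the commands before running
# them, since the EAB key can only be used once.
eab_register_cmd "$SAMPLE_JSON" "you@example.com"
issue_cmd "example.com"
renew_cmd "example.com"
```

Because the key is single-use, generating the registration command this way and reading it back before running it avoids burning the key on a swapped or mistyped value. The b64MacKey is a credential that binds the ACME account to your Google project, so clear it from files and shell history once the account is registered.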


This article is reprinted from:
This site is for inclusion only, and the copyright belongs to the original author.
