SSL certificate series tutorials (practical): use ACME.SH tool to order ZeroSSL certificate for free, support multi-domain wildcard

Original link: https://www.blueskyxn.com/202208/6364.html

SSL Certificate Series Tutorials (Practical): Using the ACME.SH tool to order a ZeroSSL certificate for free, with multi-domain wildcard support

Foreword

Both acme.sh and Certbot are tools commonly used to apply for SSL certificates automatically; of course, they can also be used to apply manually.

I personally need to deploy manually more often, so this article still uses a manual application for a ZeroSSL certificate as the example, using acme.sh of course.

Generally speaking, it runs best in a Linux environment, and the steps are simple and fast.

Its official website is https://github.com/acmesh-official/acme.sh

ACME Support

acme.sh supports many common SSL certificate CAs.

These include, but are not limited to, LE (Let's Encrypt), ZeroSSL, BP (Buypass), Google, etc.

Originally I was going to use it to test GoogleSSL, but it has been 2 days and I still haven't been granted access. Friends in the group said Google may be about to end the closed beta.

You can refer to these documents:

https://github.com/acmesh-official/acme.sh/wiki/BuyPass.com-CA

https://github.com/acmesh-official/acme.sh/wiki/Change-default-CA-to-ZeroSSL

https://github.com/acmesh-official/acme.sh/wiki/CA

CA             MaxLifetime (days)  ECC   Domain Count          Wildcard  IPv4  IPv6  NotAfter
Let's Encrypt  90                  Yes   100                   Yes       No    No    No
ZeroSSL        90                  Yes   100                   Yes       No    No    Yes
Google         90                  Yes   100                   Yes       No    No    Yes
Buypass        180                 Yes   5                     Paid      No    No    No
SSL.com        90                  Yes   2                     Paid      No    No    No
HiCA           180                 Paid  10 (1 if Wildcard)    Yes       Yes   Yes   No

ZeroSSL certificate

The official website of ZeroSSL is https://zerossl.com/

The official website also offers some services, but it is not very friendly to free users (most functions are not available to them).

However, the main functions can be used for free through ACME (whereas the same thing through the website's browser flow costs money, a real "IQ tax"); see https://zerossl.com/features/acme/

It should be noted that ZeroSSL's own SSL business is not a particularly long-established one.

Through an ACME tool you get the same free, multi-domain, multi-wildcard SSL certificate described above.

At the same time, the advantage is that no extra registration is needed: just fill in an email address, and the certificate defaults to country AT (if you apply for a TA certificate through Tencent Cloud, 51SSL, etc., real-name verification is required).

The OCSP responder is http://zerossl.ocsp.sectigo.com, served through Cloudflare's anycast (dual IP). It can only be called ordinary, and as usual, Cloudflare being flaky from mainland China is to be expected.

Install

Compared with generating a certificate in the browser, applying with a script tool has a slightly higher barrier to entry.

 curl https://get.acme.sh | sh

Then it installs automatically.

The default directory is /root/.acme.sh/

 cd /root/.acme.sh/

Then the installation is complete

If you want to use ZeroSSL, it is best to set it as the default CA and register an account first, to avoid the error shown in the figure.

The command reference is

 acme.sh --set-default-ca --server zerossl
 acme.sh --register-account -m you@example.com

Apply manually

There are many guides online for the automatic methods (automatic renewal, applying through a DNS API), but manual application is not explained very clearly, so it is best to read the official documentation.

https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode

As shown in the command below, list the domain names you need in turn. By default the first one is the main domain name (a folder named after it will be created). Remember to replace the domain names with your own.

 acme.sh --issue -d 'google.com' -d '*.google.com' -d 'baidu.com' -d '*.baidu.com' --dns \
   --yes-I-know-dns-manual-mode-enough-go-ahead-please

Of course, it is also OK without the quotation marks (the shell only expands *.google.com if a file matching that pattern exists in the current directory, so quoting is the safer habit).

 acme.sh --issue -d google.com -d *.google.com -d baidu.com -d *.baidu.com --dns \
   --yes-I-know-dns-manual-mode-enough-go-ahead-please

Generally speaking, there is no problem dropping the trailing flag either.

 acme.sh --issue -d google.com -d *.google.com -d baidu.com -d *.baidu.com --dns

If you hit a bug or error, you can also consider adding dns-01 after --dns:

 acme.sh --issue -d google.com -d *.google.com -d baidu.com -d *.baidu.com --dns dns-01

After running any of the above commands, you will see:

Here acme.sh tells you the record names and TXT values that need to be verified. A TXT record must be added in DNS for each domain entry.

For example, on Huawei Cloud it looks like this. Remember that both TXT values (if there are two for the same name) must be answered at the same time, not just one of them at random.

If you configure multiple CNAMEs with different values (for example, I forgot to delete the last one), it will look like the figure.

Then it fails, so be sure to check for problems such as conflicting or overridden records, otherwise you will waste a lot of time.

Then you will see acme.sh asking you to use --renew. Don't just add it blindly, otherwise it turns out like this:

The correct command is

 acme.sh --renew -d 'google.com' -d '*.google.com' -d 'baidu.com' -d '*.baidu.com' \
   --yes-I-know-dns-manual-mode-enough-go-ahead-please

Of course, it can also be simplified as above, for example:

 acme.sh --renew -d google.com -d *.google.com -d baidu.com -d *.baidu.com

(If you get an error, add the suffix flag.)

 acme.sh --renew -d google.com -d *.google.com -d baidu.com -d *.baidu.com \
   --yes-I-know-dns-manual-mode-enough-go-ahead-please
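Before running --renew, it is worth confirming that every TXT value acme.sh printed is actually visible in public DNS. The following sh script is an added example (not from the original post and not part of acme.sh); it assumes dig is installed, the resolver 1.1.1.1 is reachable, and a hand-made file in which each line holds the record name and TXT value copied from acme.sh's output.

```shell
#!/bin/sh
# Added example, not from the original post and not part of acme.sh.
# In DNS manual mode acme.sh prints, for every -d entry, a record name such as
# _acme-challenge.example.com and a TXT value. An apex domain and its wildcard
# share the same record name, so that name must carry two TXT records at once.
# This script compares what acme.sh asked for with what public DNS returns,
# so that "acme.sh --renew ..." is only run once the records are really live.
# Assumptions: "dig" is installed and the resolver 1.1.1.1 is reachable.

# compare_txt_values EXPECTED OBSERVED
# Both arguments are newline-separated lists of TXT values (ACME values contain
# no whitespace). Prints MISSING/STALE lines; returns 0 only if nothing is missing.
compare_txt_values() {
  expected=$1
  observed=$2
  rc=0
  for want in $expected; do
    printf '%s\n' "$observed" | grep -qxF -- "$want" || { echo "MISSING: $want"; rc=1; }
  done
  for have in $observed; do
    printf '%s\n' "$expected" | grep -qxF -- "$have" ||
      echo "STALE: $have (delete it to avoid conflicts)"
  done
  return $rc
}

# live_txt_values RECORD_NAME: the TXT values currently published, quotes stripped.
live_txt_values() {
  dig +short @1.1.1.1 TXT "$1" | tr -d '"'
}

# precheck FILE: each line of FILE is "<record name> <TXT value>", copied from
# the "Domain:" / "TXT value:" lines that acme.sh --issue printed.
precheck() {
  rc=0
  for name in $(cut -d' ' -f1 "$1" | sort -u); do
    echo "== $name"
    expected=$(awk -v n="$name" '$1 == n { print $2 }' "$1")
    compare_txt_values "$expected" "$(live_txt_values "$name")" || rc=1
  done
  return $rc
}

# Typical use (constructed file path and domain):
#   precheck /tmp/acme-txt.txt && acme.sh --renew -d example.com -d '*.example.com' \
#     --yes-I-know-dns-manual-mode-enough-go-ahead-please
```

A STALE line is a leftover value from an earlier issue attempt; the post's failed run above is exactly that case, so delete it before renewing.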

Then the normal output is as shown


Then look in the local folder for the files you want.

By default they are in the folder named after the main domain name.

Concatenating the first file (the .cer) and the fourth (the .csr) gives the PEM that SSL needs. Of course, you can also use fullchain.cer instead; both work (fullchain.cer is the domain certificate followed by the intermediate chain from ca.cer, which is what most servers expect).

The private key is naturally the fifth file, the .key.

Then drop them into your server and use them.

This article is reprinted from: https://www.blueskyxn.com/202208/6364.html
This site is for inclusion only, and the copyright belongs to the original author.
