# Automatically Obtaining Domain Certificates and Setting Up DNS

> How to get a free SSL certificate and renew it automatically via Cloudflare DNS

## Method One

1. Get a domain.
   1. You can register a domain at godaddy.com, [name.com](http://name.com) or another domain service provider, EXCEPT Chinese providers.
   * I used to recommend registering domains at name.com, but I now prefer to register directly at [cloudflare.com](https://www.cloudflare.com) and turn on auto-renewal if necessary. Never register a domain with a registrar in mainland China. If you have a domain there, transfer it out.

2. Point your domain's nameservers (NS) at Cloudflare and get your DNS API Global Key.
   1. Change the nameservers: set your domain's nameservers to Cloudflare's. You must delete the old nameservers and replace them with the new ones: `coby.ns.cloudflare.com` and `mira.ns.cloudflare.com` (these may change; check the official site).
   2. Get the API key: in your Cloudflare account profile you can find your API key. Choose the Global key, a string like this: `cc729fd0aebf3f59a0102a037558aa07f1d52`. You also need your Cloudflare account, which is an email address.
   * If the domain is not registered at Cloudflare, I suggest transferring it to Cloudflare or changing its nameservers to Cloudflare's.

3. Install acme.sh.
   1. Install it with this command (if you are behind the Great Firewall, the download may be very slow or fail altogether; you will have to solve that yourself):

      ```shell
      curl https://get.acme.sh | sh -s email=your@mail.com
      ```

   2. acme.sh is installed in your home directory: `~/.acme.sh/`
   3. Create an alias so that you can call the program directly later. You can put it in your `~/.bashrc`: `alias acme.sh=~/.acme.sh/acme.sh`
   4. Edit the acme.sh configuration file `~/.acme.sh/account.conf` and add the API key you just got from Cloudflare:

      ```bash
      SAVED_CF_Key='your cloudflare global key'
      SAVED_CF_Email='your@mail.com'
      ```

   5. If you use another provider instead of Cloudflare, such as DNSPod, use the following settings. See the acme.sh help documentation for details:

      ```bash
      # No spaces around "=": the file is read as shell variable assignments.
      DP_Id='123455'  # your id
      DP_Key='your key like eabd83adxxxx'
      ```

4. Connect your domain to your service.
   1. Make sure your DNS A record is set up and hosted in Cloudflare.
   2. Use this command to let acme.sh take control of your domain (Cloudflare):

      ```bash
      "/yourname/.acme.sh"/acme.sh --issue --dns dns_cf -d yourdomain.com -d www.yourdomain.com
      ```

   3. For other providers such as DNSPod:

      ```bash
      "/yourname/.acme.sh"/acme.sh --issue --dns dns_dp -d yourdomain.com -d www.yourdomain.com
      ```

   * With the above, you are essentially done. Run `crontab -l` to check whether an acme.sh job is in your scheduled tasks.

5. Automatic renewal.
   1. Generally, acme.sh adds a cron job to crontab automatically.
   2. Use `crontab -l` to see the job. You will find this in the list:

      ```bash
      52 0 * * * "/yourname/.acme.sh"/acme.sh --cron --home "/yourname/.acme.sh" > /dev/null
      ```

   3. If you can't find it, use this command to add the job to crontab:

      ```bash
      "/yourname/.acme.sh/acme.sh" --install-cronjob
      ```

6. Copy the generated certificate and key to the files your server actually uses. Never point directly at the place where the certificates are generated:

   ```bash
   # Reload nginx once the files are installed; the Le_ReloadCmd value under
   # "My configuration" decodes to this same command.
   "/yourname/.acme.sh/acme.sh" --install-cert -d example.com \
     --key-file /path/to/keyfile/in/nginx/key.pem \
     --fullchain-file /path/to/fullchain/nginx/cert.pem \
     --reloadcmd "systemctl reload nginx"
   ```

   For nginx, use the full-chain file: copy the certificate with `--fullchain-file`.

7. Check the config file in the domain's directory.
   * Inside the acme.sh directory, a directory named after each domain is created, and each one contains a conf file. The file name looks like this:

   ```ini
   "yourdomain.com.conf"
   ```

   The file looks like this:

   ```ini
   Le_Domain='www.yourdomain.com'
   Le_Alt='no'
   Le_Webroot='dns_cf'
   Le_PreHook=''
   Le_PostHook=''
   Le_RenewHook=''
   Le_API='https://acme.zerossl.com/v2/DV90'
   Le_Keylength=''
   Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/OeqVf5QtIVRk32MefKS05qA/finalize'
   Le_LinkOrder='https://acme.zerossl.com/v2/DV90/order/OeqVf5QtIVRk32MefKS05qA'
   Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/tLbbP1kzrwv--IyPDT9zjQ'
   Le_CertCreateTime='1626686754'
   Le_CertCreateTimeStr='Mon Jul 19 09:25:54 UTC 2021'
   Le_NextRenewTimeStr='Fri Sep 17 09:25:54 UTC 2021'
   Le_NextRenewTime='1631784354'
   Le_RealCertPath=''
   Le_RealCACertPath=''
   Le_RealKeyPath='/your/real/key/path/www.yourdomain.com.key'
   Le_ReloadCmd='__ACME_BASE64__START_c3lzdGVtY3RsIHJlbG9hRCBuZ2lueA==__ACME_BASE64__END_'
   Le_RealFullChainPath='/your/real/fullchain/path/www.yourdomain.com.crt'
   ```

   That's all. From now on the certificate is renewed automatically. I won't explain the details.

8. Set up your nginx config file.
   * nginx needs its SSL settings configured, mainly to point at the certificate files:

   ```nginx
   # Full chain installed by --fullchain-file (Le_RealFullChainPath above)
   ssl_certificate /your/real/fullchain/path/www.yourdomain.com.crt;
   # Private key installed by --key-file (Le_RealKeyPath above)
   ssl_certificate_key /your/real/key/path/www.yourdomain.com.key;
   ssl_protocols TLSv1.2 TLSv1.3;
   ```

   Remember to restart nginx after changing the path or the files: `systemctl restart nginx`.

---

## My configuration

1. BandwagonHost server:

   account.conf

   ```ini
   LOG_FILE='/root/.acme.sh/acme.sh.log'
   #LOG_LEVEL=1
   AUTO_UPGRADE='1'
   #NO_TIMESTAMP=1
   UPGRADE_HASH='0013d98d045aa57c6a541ec97dd55722d76b319e'
   USER_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin'
   SAVED_CF_Key='cc729fd0febf3f59a0102a047558aa07f1d51'
   SAVED_CF_Email='maxwellxzy@gmail.com'
   ```

   i.disbaidu.com.conf

   ```ini
   Le_Domain='i.disbaidu.com'
   Le_Alt='no'
   Le_Webroot='dns_cf'
   Le_PreHook=''
   Le_PostHook=''
   Le_RenewHook=''
   Le_API='https://acme.zerossl.com/v2/DV90'
   Le_Keylength='2048'
   Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/_nt_mu_uXXi1CH6a334enw/finalize'
   Le_LinkOrder='https://acme.zerossl.com/v2/DV90/order/_nt_mu_uXXi1CH6a334enw'
   Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/BQEhssHOMGSEiFQOD_NT1g'
   Le_CertCreateTime='1657904190'
   Le_CertCreateTimeStr='2022-07-15T16:56:30Z'
   Le_NextRenewTimeStr='2022-09-13T16:56:30Z'
   Le_NextRenewTime='1663001790'
   Le_RealCertPath=''
   Le_RealCACertPath=''
   Le_RealKeyPath='/data/i.disbaidu.com.key'
   Le_ReloadCmd='__ACME_BASE64__START_c3lzdGVtY3RsIHJlbG9hZCBuZ2lueA==__ACME_BASE64__END_'
   Le_RealFullChainPath='/data/i.disbaidu.com.crt'
   ```

3. South Africa server:
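
The per-domain conf files shown above keep the reload command base64-wrapped in `Le_ReloadCmd` and the renewal time as an epoch in `Le_NextRenewTime`. The following is an added example, not part of the original page or of acme.sh: it reads those fields without sourcing the file, decodes the command the cron job will run, and checks that a file is closed to group and others. The function names and the sample conf are constructed for illustration, and GNU `base64 -d` is assumed.

```shell
#!/bin/sh
# Added example: inspect an acme.sh per-domain conf without sourcing it,
# so nothing stored in the file is executed. All names here are illustrative.

# conf_get FILE KEY: print the single-quoted value stored for KEY.
conf_get() {
    sed -n "s/^$2='\(.*\)'\$/\1/p" "$1" | head -n 1
}

# decode_reloadcmd VALUE: undo the __ACME_BASE64__ wrapping used by Le_ReloadCmd.
decode_reloadcmd() {
    case "$1" in
        __ACME_BASE64__START_*__ACME_BASE64__END_)
            b64=${1#__ACME_BASE64__START_}
            printf '%s' "${b64%__ACME_BASE64__END_}" | base64 -d ;;  # GNU base64 assumed
        *) printf '%s' "$1" ;;  # value stored without the wrapper
    esac
}

# days_until_renew FILE NOW: whole days from epoch NOW to Le_NextRenewTime.
days_until_renew() {
    next=$(conf_get "$1" Le_NextRenewTime)
    [ -n "$next" ] || return 1
    echo $(( ($next - $2) / 86400 ))
}

# private_only FILE: succeed only if group and others have no permission bits.
private_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample conf, using field names and values of the kind shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Le_Domain='www.yourdomain.com'
Le_CertCreateTime='1657904190'
Le_NextRenewTime='1663001790'
Le_ReloadCmd='__ACME_BASE64__START_c3lzdGVtY3RsIHJlbG9hZCBuZ2lueA==__ACME_BASE64__END_'
Le_RealKeyPath='/data/www.yourdomain.com.key'
EOF

issued=$(conf_get "$sample" Le_CertCreateTime)
echo "reload command: $(decode_reloadcmd "$(conf_get "$sample" Le_ReloadCmd)")"
echo "days from issue to scheduled renewal: $(days_until_renew "$sample" "$issued")"
private_only "$sample" && echo "conf is private" || echo "conf is open to group/others"
```

The same functions can be pointed at the real conf inside a domain's directory, at `account.conf` (which holds the Cloudflare key), and at the installed key file named by `Le_RealKeyPath`.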