note/tech/自动获取域名证书及DNS设置.md
2025-11-19 10:16:05 +08:00


Automatically obtaining domain certificates and DNS setup

How to get a free SSL certificate and auto-renew it via Cloudflare DNS

Method 1:

  1. Get a domain

    1. You can get a domain from godaddy.com, name.com, or any other registrar EXCEPT a Chinese one.
    • Get a domain. I used to recommend registering domains at name.com, but now I prefer registering directly on cloudflare.com and enabling auto-renewal if needed. Never register a domain with a mainland-China registrar; if you already have one there, transfer it out.
  2. Point your domain's nameservers (NS) to Cloudflare and get your DNS API Global Key:

    1. Change the nameservers: point your domain's NS records to Cloudflare. You must delete the old nameservers and replace them with the new ones: coby.ns.cloudflare.com and mira.ns.cloudflare.com.
    2. Get the API key: in your Cloudflare account profile you can find your API key. Choose the GLOBAL key; it looks like cc729fd0aebf3f59a0102a037558aa07f1d52. You also need your account name, which is an email address.
    • If the domain is not on Cloudflare, transfer it to Cloudflare or change its nameservers to Cloudflare's: coby.ns.cloudflare.com and mira.ns.cloudflare.com. These may change, so check the official site.
    • Get the Cloudflare API key for the domain. In your account profile, find the GLOBAL key, a string like cc729fd0aebf3f59a0102a037558aa07f1d52, plus your Cloudflare account email.
  3. Install acme.sh

    1. Install with this command:
    • Install acme.sh. If you are inside mainland China (behind the Great Firewall) the download may be very slow or fail; you will have to solve that yourself.

      curl https://get.acme.sh | sh -s email=your@mail.com
      
    2. acme.sh is installed in your home directory: ~/.acme.sh/
    • The acme directory is ~/.acme.sh/
    3. Create an alias like this: alias acme.sh=~/.acme.sh/acme.sh
    • Create an alias for the program so it can be called directly later; you can put it in ~/.bashrc, e.g. alias acme.sh=~/.acme.sh/acme.sh
    4. Edit your account config and add your Cloudflare key to ~/.acme.sh/account.conf:
    • Edit the acme.sh config file ~/.acme.sh/account.conf and fill in the API key you just obtained from Cloudflare.

      SAVED_CF_Key='your cloudflare global key'
      SAVED_CF_Email='your@mail.com'
      
    5. For other providers such as DNSPod, change the keys accordingly, e.g.:
    • If you use a provider other than Cloudflare, such as DNSPod, use the following settings; see the acme.sh documentation for details.

      # acme.sh stores provider credentials in account.conf with a SAVED_ prefix;
      # no spaces around '=' (the file is sourced by the shell)
      SAVED_DP_Id='123455'                  # your DNSPod ID
      SAVED_DP_Key='your key like eabd83adxxxx'
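Before the first `--issue` it is worth checking what account.conf exposes, because the Global API Key controls the whole Cloudflare account, while acme.sh's dns_cf also accepts a scoped API token (stored as SAVED_CF_Token together with SAVED_CF_Account_ID when you export CF_Token and CF_Account_ID instead of CF_Key and CF_Email). The following is an added example, not part of the original note: a POSIX shell check that the file is private and that it holds a scoped token rather than the Global Key. The two sample files and their placeholder values are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the original note): audit ~/.acme.sh/account.conf.
# Assumes GNU `stat -c` (falls back to BSD `stat -f`).

# Return 0 when the file is mode 600/400 and holds SAVED_CF_Token +
# SAVED_CF_Account_ID; otherwise print one "FAIL:" line per finding and return 1.
audit_acme_account_conf() {
    conf="$1"; rc=0
    mode=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $conf is mode $mode; run: chmod 600 $conf"; rc=1 ;;
    esac
    if grep -q "^SAVED_CF_Key=" "$conf"; then
        # The Global API Key is equivalent to the account password for the API.
        echo "FAIL: Global API Key stored (SAVED_CF_Key); use an API token limited to DNS edit on the zone"
        rc=1
    elif ! { grep -q "^SAVED_CF_Token=" "$conf" && grep -q "^SAVED_CF_Account_ID=" "$conf"; }; then
        echo "FAIL: no Cloudflare credential found (expected SAVED_CF_Token and SAVED_CF_Account_ID)"
        rc=1
    fi
    return $rc
}

# Constructed sample 1: the layout from the note, world-readable, with a fake key.
WEAK_CONF=$(mktemp); chmod 644 "$WEAK_CONF"
cat > "$WEAK_CONF" <<'EOF'
SAVED_CF_Key='0000000000000000000000000000000000000'
SAVED_CF_Email='your@mail.com'
EOF

# Constructed sample 2: private file with a placeholder scoped token.
GOOD_CONF=$(mktemp); chmod 600 "$GOOD_CONF"
cat > "$GOOD_CONF" <<'EOF'
SAVED_CF_Token='placeholder-scoped-token'
SAVED_CF_Account_ID='placeholder-account-id'
EOF

echo "== weak sample =="; audit_acme_account_conf "$WEAK_CONF" || true
echo "== good sample =="; audit_acme_account_conf "$GOOD_CONF" && echo "OK"
```

Run it against your real file with `audit_acme_account_conf ~/.acme.sh/account.conf`; acme.sh itself creates the file, so the mode check mostly catches copies made by hand or restored from backups.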
    
  4. Connect your domain to your service

    1. Make sure your DNS A record is set up in Cloudflare.
    2. Use this command to issue a certificate for your domain (Cloudflare):
    • Let acme control your domain.

      "/yourname/.acme.sh"/acme.sh --issue --dns dns_cf -d yourdomain.com -d www.yourdomain.com
      
    3. Other providers, e.g. DNSPod:

      "/yourname/.acme.sh"/acme.sh --issue --dns dns_dp -d yourdomain.com -d www.yourdomain.com
      
      • With that you are actually done. Check whether crontab -l lists an acme cron job.
    4. Auto-renewal

      1. Generally, acme.sh adds a cron job to crontab automatically.
      2. Use crontab -l to see the job; you will find this in the list:

      52 0 * * * "/yourname/.acme.sh"/acme.sh --cron --home "/yourname/.acme.sh" > /dev/null
      
    5. If you can't find it, use this command to add the job to crontab:
    • If the cron job was not added, install it:

      "/yourname/.acme.sh/acme.sh" --install-cronjob
      
  5. Copy your cert and key files to the locations where they are actually used:

    • Next, copy the generated certificate to where you need it. Never point your server directly at the directory where the certificate is generated:

      "/yourname/.acme.sh/acme.sh" --install-cert -d example.com \
        --key-file       /path/to/keyfile/in/nginx/key.pem  \
        --fullchain-file /path/to/fullchain/nginx/cert.pem \
        --reloadcmd      "systemctl reload nginx"   # stored base64-encoded as Le_ReloadCmd in the domain conf

    With nginx, use --fullchain-file to install the certificate.

  6. Check the config file in the domain directory:

    • In the acme directory, a directory named after each domain is created, and each one contains a conf file. You can check the file name, e.g.:

      "yourdomain.com.conf"

    In your domain directory the file looks like this:

    Le_Domain='www.yourdomain.com'
    Le_Alt='no'
    Le_Webroot='dns_cf'
    Le_PreHook=''
    Le_PostHook=''
    Le_RenewHook=''
    Le_API='https://acme.zerossl.com/v2/DV90'
    Le_Keylength=''
    Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/OeqVf5QtIVRk32MefKS05qA/finalize'
    Le_LinkOrder='https://acme.zerossl.com/v2/DV90/order/OeqVf5QtIVRk32MefKS05qA'
    Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/tLbbP1kzrwv--IyPDT9zjQ'
    Le_CertCreateTime='1626686754'
    Le_CertCreateTimeStr='Mon Jul 19 09:25:54 UTC 2021'
    Le_NextRenewTimeStr='Fri Sep 17 09:25:54 UTC 2021'
    Le_NextRenewTime='1631784354'
    Le_RealCertPath=''
    Le_RealCACertPath=''
    Le_RealKeyPath='/your/real/key/path/www.yourdomain.com.key'
    Le_ReloadCmd='__ACME_BASE64__START_c3lzdGVtY3RsIHJlbG9hRCBuZ2lueA==__ACME_BASE64__END_'
    Le_RealFullChainPath='/your/real/fullchain/path/www.yourdomain.com.crt'
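As an added example (not from the original note), the following POSIX shell functions read that per-domain .conf so you can see exactly which command acme.sh will run after each renewal (Le_ReloadCmd is wrapped as `__ACME_BASE64__START_..._END_`) and how many days remain until the next renewal. The sample conf is constructed from the fields shown above; `base64 -d` is assumed (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example (not from the original note): inspect an acme.sh domain conf.

# Print the value of one Le_* key (acme.sh writes single-quoted values).
acme_conf_get() {
    conf="$1"; key="$2"
    sed -n "s/^${key}='\(.*\)'$/\1/p" "$conf"
}

# Decode the reload command: strip the __ACME_BASE64__ wrapper, then base64-decode.
# This is what runs (usually as root) after every successful renewal, so it is
# worth checking that nobody has edited it.
acme_conf_reloadcmd() {
    acme_conf_get "$1" Le_ReloadCmd \
      | sed 's/^__ACME_BASE64__START_//; s/__ACME_BASE64__END_$//' \
      | base64 -d
}

# Whole days until the next scheduled renewal (negative = overdue).
# $2 optionally pins "now" as a Unix timestamp so the result is reproducible.
acme_conf_days_to_renew() {
    next=$(acme_conf_get "$1" Le_NextRenewTime)
    now=${2:-$(date +%s)}
    echo $(( (next - now) / 86400 ))
}

# Constructed sample conf mirroring the fields in the note (not a real domain).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
Le_Domain='www.yourdomain.com'
Le_Webroot='dns_cf'
Le_CertCreateTime='1626686754'
Le_NextRenewTime='1631784354'
Le_RealKeyPath='/your/real/key/path/www.yourdomain.com.key'
Le_RealFullChainPath='/your/real/fullchain/path/www.yourdomain.com.crt'
Le_ReloadCmd='__ACME_BASE64__START_c3lzdGVtY3RsIHJlbG9hZCBuZ2lueA==__ACME_BASE64__END_'
EOF

echo "domain        : $(acme_conf_get "$SAMPLE_CONF" Le_Domain)"
echo "challenge     : $(acme_conf_get "$SAMPLE_CONF" Le_Webroot)"
echo "key installed : $(acme_conf_get "$SAMPLE_CONF" Le_RealKeyPath)"
echo "reload command: $(acme_conf_reloadcmd "$SAMPLE_CONF")"
echo "days to renew : $(acme_conf_days_to_renew "$SAMPLE_CONF")"
```

For a live check, point the functions at `~/.acme.sh/yourdomain.com/yourdomain.com.conf` (acme.sh may also use the `_ecc` suffixed directory for ECDSA keys); a reload command you do not recognise, or a key path outside the directory your web server reads, is the thing to look for.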
    

    That's all. After this the cert will be renewed automatically. I won't explain the details.

  7. Set up your nginx config file

    • In your nginx config you need the SSL settings, mainly pointing at the certificate. Set the SSL files in your nginx config:

      ssl_certificate       /your/real/key/path/www.yourdomain.com.crt;
      ssl_certificate_key   /your/real/key/path/www.yourdomain.com.key;
      ssl_protocols         TLSv1.2 TLSv1.3;

    You need to restart the nginx service after changing the path or file. Remember to restart nginx after changes: systemctl restart nginx.


    My configuration

    1. BandwagonHost (搬瓦工) server:

      account.conf

      LOG_FILE='/root/.acme.sh/acme.sh.log'
      #LOG_LEVEL=1
      AUTO_UPGRADE='1'
      #NO_TIMESTAMP=1
      UPGRADE_HASH='0013d98d045aa57c6a541ec97dd55722d76b319e'
      USER_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin'
      SAVED_CF_Key='cc729fd0febf3f59a0102a047558aa07f1d51'
      SAVED_CF_Email='maxwellxzy@gmail.com'
      

      i.disbaidu.com.conf

      Le_Domain='i.disbaidu.com'
      Le_Alt='no'
      Le_Webroot='dns_cf'
      Le_PreHook=''
      Le_PostHook=''
      Le_RenewHook=''
      Le_API='https://acme.zerossl.com/v2/DV90'
      Le_Keylength='2048'
      Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/_nt_mu_uXXi1CH6a334enw/finalize'
      Le_LinkOrder='https://acme.zerossl.com/v2/DV90/order/_nt_mu_uXXi1CH6a334enw'
      Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/BQEhssHOMGSEiFQOD_NT1g'
      Le_CertCreateTime='1657904190'
      Le_CertCreateTimeStr='2022-07-15T16:56:30Z'
      Le_NextRenewTimeStr='2022-09-13T16:56:30Z'
      Le_NextRenewTime='1663001790'
      Le_RealCertPath=''
      Le_RealCACertPath=''
      Le_RealKeyPath='/data/i.disbaidu.com.key'
      Le_ReloadCmd='__ACME_BASE64__START_c3lzdGVtY3RsIHJlbG9hZCBuZ2lueA==__ACME_BASE64__END_'
      Le_RealFullChainPath='/data/i.disbaidu.com.crt'
      
    2. South Africa server: