Source: https://linux.do/t/topic/1397983
Requesting an SSL certificate with acme.sh and renewing it automatically
6.1 DNS record
First add an A record in the DNS settings of Cloudflare.

The orange cloud (proxy) can be enabled as needed; it does not affect the rest of the procedure.
6.2 Install acme.sh
curl https://get.acme.sh | sh -s email=username@example.com
Be sure to replace username@example.com with your own email address, otherwise you will not receive the CA's certificate notification emails.
After the installation finishes, reload Bash:
source ~/.bashrc
You can also enable automatic upgrades:
acme.sh --upgrade --auto-upgrade
6.3 Set Let's Encrypt as the default CA
acme.sh --set-default-ca --server letsencrypt
6.4 Issue the certificate with DNS validation
To stay compatible with Cloudflare's orange cloud (proxy) / CDN, the certificate is issued here using DNS validation.
Log in to the Cloudflare dashboard, open the API Tokens menu and create an API Token using the [Edit zone DNS] template.

Copy the token; it goes into the CF_Token parameter later.

Go back to the account home page and copy the Account ID and Zone ID.


Then run the following in the terminal:
export CF_Token="YOUR_TOKEN"
export CF_Account_ID="YOUR_ACCOUNT_ID"
export CF_Zone_ID="YOUR_ZONE_ID"
6.4.1 Test certificate issuance
Tip
Before requesting the real certificate, first run the test command (--issue --server letsencrypt_test) to verify that issuance works. This avoids repeatedly failing requests when the local configuration is wrong and hitting Let's Encrypt's rate limits (for example, at most 5 failures per hour, per domain, per account), which would block the following steps.
acme.sh --issue \
--dns dns_cf \
--server letsencrypt_test \
-d my-domain.com \
--keylength ec-256
To request a multi-SAN certificate (the wildcard *.my-domain.com in the same certificate), add a second -d line; quote the wildcard so the shell does not glob-expand it:
acme.sh --issue \
--dns dns_cf \
--server letsencrypt_test \
-d my-domain.com \
+ -d '*.my-domain.com' \
--keylength ec-256
You should eventually see output like this:
[Wed Dec 31 10:33:10 PM PST 2025] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Wed Dec 31 10:33:11 PM PST 2025] Multi domain='DNS:my-domain,DNS:*.my-domain'
[Wed Dec 31 10:33:12 PM PST 2025] Getting webroot for domain='my-domain'
[Wed Dec 31 10:33:12 PM PST 2025] Getting webroot for domain='*.my-domain'
[Wed Dec 31 10:33:12 PM PST 2025] Adding TXT value: sc4mUhp8Yx0awGtlI61sgOQVqUT3t2XRUyGNB_IRPwM for domain: _acme-challenge.my-domain
[Wed Dec 31 10:33:13 PM PST 2025] Adding record
[Wed Dec 31 10:33:14 PM PST 2025] Added, OK
[Wed Dec 31 10:33:14 PM PST 2025] The TXT record has been successfully added.
[Wed Dec 31 10:33:14 PM PST 2025] Adding TXT value: 5pOMuiSpOMffJXzyUANGnKy7OxmMPw5NTTurIhM8rI8 for domain: _acme-challenge.my-domain
[Wed Dec 31 10:33:14 PM PST 2025] Adding record
[Wed Dec 31 10:33:15 PM PST 2025] Added, OK
[Wed Dec 31 10:33:15 PM PST 2025] The TXT record has been successfully added.
[Wed Dec 31 10:33:15 PM PST 2025] Let's check each DNS record now. Sleeping for 20 seconds first.
[Wed Dec 31 10:33:36 PM PST 2025] You can use '--dnssleep' to disable public dns checks.
[Wed Dec 31 10:33:36 PM PST 2025] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Wed Dec 31 10:33:36 PM PST 2025] Checking my-domain for _acme-challenge.my-domain
[Wed Dec 31 10:33:36 PM PST 2025] Success for domain my-domain '_acme-challenge.my-domain'.
[Wed Dec 31 10:33:36 PM PST 2025] Checking my-domain for _acme-challenge.my-domain
[Wed Dec 31 10:33:37 PM PST 2025] Success for domain my-domain '_acme-challenge.my-domain'.
[Wed Dec 31 10:33:37 PM PST 2025] All checks succeeded
[Wed Dec 31 10:33:37 PM PST 2025] Verifying: my-domain
[Wed Dec 31 10:33:37 PM PST 2025] Pending. The CA is processing your order, please wait. (1/30)
[Wed Dec 31 10:33:41 PM PST 2025] Success
[Wed Dec 31 10:33:41 PM PST 2025] Verifying: *.my-domain
[Wed Dec 31 10:33:41 PM PST 2025] Pending. The CA is processing your order, please wait. (1/30)
[Wed Dec 31 10:33:44 PM PST 2025] Success
[Wed Dec 31 10:33:45 PM PST 2025] Removing DNS records.
[Wed Dec 31 10:33:45 PM PST 2025] Removing txt: sc4mUhp8Yx0awGtlI61sgOQVqUT3t2XRUyGNB_IRPwM for domain: _acme-challenge.my-domain
[Wed Dec 31 10:33:46 PM PST 2025] Successfully removed
[Wed Dec 31 10:33:46 PM PST 2025] Removing txt: 5pOMuiSpOMffJXzyUANGnKy7OxmMPw5NTTurIhM8rI8 for domain: _acme-challenge.my-domain
[Wed Dec 31 10:33:47 PM PST 2025] Successfully removed
[Wed Dec 31 10:33:47 PM PST 2025] Verification finished, beginning signing.
[Wed Dec 31 10:33:47 PM PST 2025] Let's finalize the order.
[Wed Dec 31 10:33:47 PM PST 2025] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/254758073/30088374353'
[Wed Dec 31 10:33:47 PM PST 2025] Order status is 'processing', let's sleep and retry.
[Wed Dec 31 10:33:47 PM PST 2025] Sleeping for 3 seconds then retrying
[Wed Dec 31 10:33:51 PM PST 2025] Polling order status: https://acme-staging-v02.api.letsencrypt.org/acme/order/254758073/30088374353
[Wed Dec 31 10:33:51 PM PST 2025] Downloading cert.
[Wed Dec 31 10:33:51 PM PST 2025] Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/2c8acc4b1a29c6a1d01877079d3b5968e12e'
[Wed Dec 31 10:33:52 PM PST 2025] Cert success.
[Wed Dec 31 10:33:52 PM PST 2025] Your cert is in: /home/username/.acme.sh/my-domain_ecc/my-domain.cer
[Wed Dec 31 10:33:52 PM PST 2025] Your cert key is in: /home/username/.acme.sh/my-domain_ecc/my-domain.key
[Wed Dec 31 10:33:52 PM PST 2025] The intermediate CA cert is in: /home/username/.acme.sh/my-domain_ecc/ca.cer
[Wed Dec 31 10:33:52 PM PST 2025] And the full-chain cert is in: /home/username/.acme.sh/my-domain_ecc/fullchain.cer
Once this step succeeds, you can request the production certificate. (The test certificate does not need to be deleted; it is overwritten automatically by the production certificate.)
6.4.2 Production certificate request
Since Let's Encrypt was already set as the default CA, requesting the production certificate only requires removing --server letsencrypt_test and appending the --force parameter:
acme.sh --issue \
--dns dns_cf \
- --server letsencrypt_test \
-d my-domain.com \
- --keylength ec-256
+ --keylength ec-256 \
+ --force
That is:
acme.sh --issue \
--dns dns_cf \
-d my-domain.com \
--keylength ec-256 \
--force
Tip
The --force parameter means renewing the certificate manually (forcibly) before the existing one expires. The certificate obtained from the staging server in the previous step cannot be used directly, but it has not expired yet, so this parameter is required.
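As an added example (not code from the original post), the script below wraps steps 6.4.1 and 6.4.2: it checks that the three Cloudflare variables from 6.4 are set, runs the staging issue, and only if that succeeds runs the production issue with --force. ACME_BIN, check_cf_env, acme_issue and issue_staged are names chosen here; the acme.sh flags are the ones used in the commands above.

```shell
#!/bin/sh
# Added example, not part of the original post. Wraps the 6.4.1 / 6.4.2
# procedure: request from the Let's Encrypt staging server first and only
# request the production certificate (with --force) once staging succeeds.
# Assumes acme.sh is installed and CF_Token, CF_Account_ID and CF_Zone_ID
# are exported as in section 6.4. ACME_BIN can be overridden for testing.
ACME_BIN="${ACME_BIN:-$HOME/.acme.sh/acme.sh}"

# Fail before contacting the CA if any Cloudflare credential is missing.
check_cf_env() {
  missing=0
  for v in CF_Token CF_Account_ID CF_Zone_ID; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "error: $v is not set" >&2
      missing=1
    fi
  done
  return "$missing"
}

# acme_issue MODE DOMAIN...   MODE is "test" (staging CA) or "prod".
# Each domain becomes its own -d argument; a wildcard such as
# '*.my-domain.com' is passed through unexpanded because it is never
# left unquoted.
acme_issue() {
  mode="$1"; shift
  case "$mode" in
    test) extra="--server letsencrypt_test" ;;
    prod) extra="--force" ;;   # staging cert is still unexpired, force a new one
    *) echo "error: mode must be test or prod" >&2; return 1 ;;
  esac
  # Rebuild the positional parameters as "-d d1 -d d2 ...".
  for d in "$@"; do
    set -- "$@" -d "$d"
    shift
  done
  "$ACME_BIN" --issue --dns dns_cf --keylength ec-256 $extra "$@"
}

# Staging first; production only if staging succeeded.
issue_staged() {
  check_cf_env || return 1
  acme_issue test "$@" || { echo "staging issue failed, skipping production" >&2; return 2; }
  acme_issue prod "$@"
}

# Usage: issue_staged my-domain.com '*.my-domain.com'
```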