创建文件 credentials.ini，内容如下：
dns_aliyun_access_key =
dns_aliyun_access_key_secret =
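# One-off issuance through the dns-aliyun authenticator inside the certbot image.
# The host side of a -v bind mount must be absolute (docker rejects ./relative
# paths as volume names), and credentials.ini holds the Aliyun access key pair,
# so keep it mode 600 and outside any served directory.
# NOTE(review): --manual-cleanup-hook only applies to the manual authenticator;
# it looks like a leftover next to --authenticator=dns-aliyun — confirm it is needed.
docker run -it --rm \
  --name certbot \
  -v /etc/letsencrypt:/etc/letsencrypt \
  -v "$(pwd)/credentials.ini:/data/credentials.ini" \
  registry.cn-hangzhou.aliyuncs.com/buyfakett/certbot-dns-aliyun \
  certonly --authenticator=dns-aliyun --dns-aliyun-credentials='/data/credentials.ini' \
  -d xxx.top -m xxx@qq.com \
  --non-interactive \
  --agree-tos \
  --preferred-challenges dns \
  --manual-cleanup-hook 'aliyun-dns clean'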
证书生成在 /etc/letsencrypt/live 目录下
#!/bin/bash
##############################################################################################################
# 1、所有申请的证书都为 90 天有效期
# 2、acme.sh 只能做单域名申请，不能申请通配域名；acme.sh 安装方式：curl https://get.acme.sh | sh -s email=xx@xxx.com
# 3、certbot 申请的证书是 letsencrypt 的,政府域名 dns 不支持 letsencrypt 的 dns key 验证
# 4、已经申请的证书30天后才能更新或再次申请
# 5、webroot 申请的证书需要把域名 http://${domain}/.well-known/acme-challenge/ 映射到脚本所在服务器的 ${WEB_PATH} 目录
###############################################################################################################
# Trace every expanded command to stderr for debugging. The trace includes the
# expanded credentials handed to docker, so treat this script's stderr as sensitive.
set -o xtrace
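#######################################
# Issue (first run) or force-renew (later runs) the wildcard certificate for
# *.${domain} with certbot's dns-route53 plugin, then pack privkey.pem and
# fullchain.pem into ${CERT_DIR}/_wildcard.${domain}.zip.
# Globals:   WORKDIR, LETSENCRYPT_DATA_DIR (relative to WORKDIR), EMAIL,
#            CERT_DIR, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY (all read)
# Arguments: $1 - registrable domain, e.g. example.com
# Returns:   0 when the certbot run and the packaging both succeeded
#######################################
function issue_wildcard_domain_by_aws_route53() {
  local domain=$1
  local live_dir="${LETSENCRYPT_DATA_DIR}/live/${domain}"
  local -a cmd_args
  local f

  cd "${WORKDIR}" || return 1
  # A renewal config exists only after the first successful issuance.
  if [[ ! -f "${LETSENCRYPT_DATA_DIR}/renewal/${domain}.conf" ]]; then
    # Quoted so the shell cannot glob-expand "*.${domain}" against files in WORKDIR.
    cmd_args=(certonly --noninteractive --agree-tos --dns-route53 -d "*.${domain}" -m "${EMAIL}")
  else
    cmd_args=(renew --cert-name "${domain}" --force-renewal)
  fi

  # The key pair is handed to the container by name (-e NAME) from a per-command
  # environment instead of being spliced into docker's argv, so it is not visible
  # in `ps`. The script's `set -x` still traces the assignment, so keep trace
  # output out of shared logs.
  AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
  docker run -i --rm --name certbot \
    -v "$(pwd)/${LETSENCRYPT_DATA_DIR}:/etc/letsencrypt" \
    -v "$(pwd)/log/:/var/log/letsencrypt/" \
    -e AWS_ACCESS_KEY_ID \
    -e AWS_SECRET_ACCESS_KEY \
    certbot/dns-route53:v2.10.0 "${cmd_args[@]}" || return 1

  # Pack the lineage; -L dereferences the live/ symlinks so the zip holds real files.
  mkdir -p "${CERT_DIR}/${domain}/" || return 1
  for f in privkey.pem fullchain.pem; do
    [[ -f "${live_dir}/${f}" ]] && cp -f -L -- "${live_dir}/${f}" "${CERT_DIR}/${domain}/"
  done
  # ${domain:?} aborts the rm instead of deleting "./" if the variable is empty.
  cd "${CERT_DIR}" && zip -r "_wildcard.${domain}.zip" "${domain}/" && rm -rf -- "${domain:?}/"
}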
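#######################################
# Issue (first run) or force-renew (later runs) the wildcard certificate for
# *.${domain} with the dns-aliyun certbot plugin, then pack privkey.pem and
# fullchain.pem into ${CERT_DIR}/_wildcard.${domain}.zip.
# Globals:   WORKDIR, LETSENCRYPT_DATA_DIR (relative to WORKDIR), EMAIL, CERT_DIR,
#            DNS_ALIYUN_ACCESS_KEY, DNS_ALIYUN_ACCESS_KEY_SECRET (all read)
# Arguments: $1 - registrable domain, e.g. example.com
# Outputs:   rewrites ${LETSENCRYPT_DATA_DIR}/credentials/aliyun.ini (mode 600)
# Returns:   0 when the certbot run and the packaging both succeeded
#######################################
function issue_wildcard_domain_by_aliyun_dns() {
  local domain=$1
  local cred_dir="${LETSENCRYPT_DATA_DIR}/credentials"
  local cred_file="${cred_dir}/aliyun.ini"
  local live_dir="${LETSENCRYPT_DATA_DIR}/live/${domain}"
  local -a cmd_args
  local f

  # cd first: the credentials file and the bind mount below must resolve to the
  # same directory, which they only do when both are relative to WORKDIR.
  cd "${WORKDIR}" || return 1

  # Write the plugin credentials under umask 077 so the file is never readable by
  # others, not even between creation and chmod. A heredoc rather than printf:
  # bash's xtrace prints command arguments but not heredoc bodies.
  mkdir -p "${cred_dir}" || return 1
  (
    umask 077
    cat > "${cred_file}" <<EOF
dns_aliyun_access_key = ${DNS_ALIYUN_ACCESS_KEY}
dns_aliyun_access_key_secret = ${DNS_ALIYUN_ACCESS_KEY_SECRET}
EOF
  ) || return 1
  # Also tighten a pre-existing file that was created with a wider mode.
  chmod 600 "${cred_file}"

  if [[ ! -f "${LETSENCRYPT_DATA_DIR}/renewal/${domain}.conf" ]]; then
    # Quoted so the shell cannot glob-expand "*.${domain}" against files in WORKDIR.
    # Add --dns-aliyun-propagation-seconds 30 here if validation races DNS propagation.
    cmd_args=(certonly --noninteractive --agree-tos --authenticator dns-aliyun
      -d "*.${domain}" -m "${EMAIL}" --dns-aliyun-credentials /root/.secrets/aliyun.ini)
  else
    cmd_args=(renew --cert-name "${domain}" --force-renewal)
  fi

  docker run -i --rm --name certbot \
    -v "$(pwd)/${cred_dir}:/root/.secrets" \
    -v "$(pwd)/${LETSENCRYPT_DATA_DIR}:/etc/letsencrypt" \
    -v "$(pwd)/log/:/var/log/letsencrypt/" \
    muen/dns-aliyun:v2.3.0 "${cmd_args[@]}" || return 1

  # Pack the lineage; -L dereferences the live/ symlinks so the zip holds real files.
  mkdir -p "${CERT_DIR}/${domain}/" || return 1
  for f in privkey.pem fullchain.pem; do
    [[ -f "${live_dir}/${f}" ]] && cp -f -L -- "${live_dir}/${f}" "${CERT_DIR}/${domain}/"
  done
  # ${domain:?} aborts the rm instead of deleting "./" if the variable is empty.
  cd "${CERT_DIR}" && zip -r "_wildcard.${domain}.zip" "${domain}/" && rm -rf -- "${domain:?}/"
}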
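#######################################
# Issue (first run) or force-renew (later runs) a single-domain certificate with
# certbot's webroot authenticator (HTTP-01 answered from ${WEB_PATH}), then pack
# privkey.pem and fullchain.pem into ${CERT_DIR}/_wildcard.${domain}.zip.
# Globals:   WORKDIR, LETSENCRYPT_DATA_DIR (relative to WORKDIR), WEB_PATH, EMAIL,
#            CERT_DIR (all read)
# Arguments: $1 - fully qualified domain, e.g. www.example.com
# Returns:   0 when the certbot run and the packaging both succeeded
#######################################
function issue_single_domain_by_certbot() {
  local domain=$1
  local live_dir="${LETSENCRYPT_DATA_DIR}/live/${domain}"
  local -a cmd_args
  local f

  cd "${WORKDIR}" || return 1
  # A renewal config exists only after the first successful issuance.
  if [[ ! -f "${LETSENCRYPT_DATA_DIR}/renewal/${domain}.conf" ]]; then
    cmd_args=(certonly --webroot --noninteractive --agree-tos "--webroot-path=${WEB_PATH}" -d "${domain}" -m "${EMAIL}")
  else
    cmd_args=(renew --cert-name "${domain}" "--webroot-path=${WEB_PATH}" --force-renewal)
  fi

  docker run -i --rm --name certbot \
    -v "$(pwd)/${LETSENCRYPT_DATA_DIR}/:/etc/letsencrypt" \
    -v "$(pwd)/log/:/var/log/letsencrypt/" \
    -v "${WEB_PATH}:${WEB_PATH}" \
    certbot/certbot:v2.10.0 "${cmd_args[@]}" || return 1

  # Pack the lineage; -L dereferences the live/ symlinks so the zip holds real files.
  mkdir -p "${CERT_DIR}/${domain}/" || return 1
  for f in privkey.pem fullchain.pem; do
    [[ -f "${live_dir}/${f}" ]] && cp -f -L -- "${live_dir}/${f}" "${CERT_DIR}/${domain}/"
  done
  # NOTE(review): the archive keeps the _wildcard. prefix used by the wildcard issuers
  # although this is a single-domain cert; kept as-is in case downloaders rely on it.
  cd "${CERT_DIR}" && zip -r "_wildcard.${domain}.zip" "${domain}/" && rm -rf -- "${domain:?}/"
}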
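#######################################
# Issue (first run) or force-renew (later runs) a single-domain certificate with
# acme.sh against ZeroSSL using the webroot in ${WEB_PATH}, install key and chain
# into ${CERT_DIR}/${domain}/ and pack them into ${CERT_DIR}/${domain}.zip.
# Globals:   WORKDIR, ACME_DATA_DIR (relative to WORKDIR), WEB_PATH, EMAIL,
#            CERT_DIR (all read)
# Arguments: $1 - fully qualified domain, e.g. www.example.com
# Returns:   0 when issuance, installation and packaging all succeeded
#######################################
function issue_single_domain_by_acme() {
  local domain=$1
  local cert_out="${CERT_DIR}/${domain}/"
  local -a cmd_args
  local acme_home

  cd "${WORKDIR}" || return 1
  # Declared and assigned separately so a failing substitution is not masked by `local`.
  acme_home="$(pwd)/${ACME_DATA_DIR}"

  # acme.sh keeps ECC lineages under <domain>_ecc; a conf there means "already issued".
  # NOTE(review): --renew / --install-cert are called without --ecc even though the
  # check looks at the _ecc directory — confirm acme.sh 3.0.7 resolves that lineage
  # by default (the commented example at the bottom passes --ecc explicitly).
  if [[ ! -f "${ACME_DATA_DIR}/${domain}_ecc/${domain}.conf" ]]; then
    cmd_args=(--issue --server https://acme.zerossl.com/v2/DV90 -w "${WEB_PATH}" -d "${domain}" --force)
  else
    cmd_args=(--renew -d "${domain}" --force)
  fi

  # Register the ACME account e-mail (harmless on repeat runs).
  # NOTE(review): pairing --issue with --register-account looks like a leftover;
  # confirm the intent, otherwise drop --issue/--server/-d from this call.
  docker run --rm -i -v "${acme_home}:/acme.sh" \
    neilpang/acme.sh:3.0.7 --issue --server https://acme.zerossl.com/v2/DV90 -d "${domain}" --register-account -m "${EMAIL}"

  # Issue or renew. ${cert_out} is created on the host by docker if missing.
  docker run --rm -i -v "${acme_home}:/acme.sh" -v "${WEB_PATH}:${WEB_PATH}" -v "${cert_out}:/cert/${domain}/" \
    neilpang/acme.sh:3.0.7 "${cmd_args[@]}" || return 1

  # Export key and full chain in the layout nginx expects.
  docker run --rm -i -v "${acme_home}:/acme.sh" -v "${cert_out}:/cert/${domain}/" \
    neilpang/acme.sh:3.0.7 --install-cert -d "${domain}" \
    --key-file "/cert/${domain}/privkey.pem" --fullchain-file "/cert/${domain}/fullchain.pem" || return 1

  # ${domain:?} aborts the rm instead of deleting "." if the variable is empty.
  cd "${CERT_DIR}" && zip -r "${domain}.zip" "${domain}" && rm -rf -- "${domain:?}"
  # Manual renewal outside docker, for reference:
  # /root/.acme.sh/acme.sh --renew -d example.com --force --ecc
}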
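# ---- configuration ---------------------------------------------------------
# Working directory; the relative data directories below resolve against it.
WORKDIR=/data/app/issue-domain
# Absolute directory receiving the packed certificate zips.
# NOTE(review): the path looks like a web download tree and the zips contain
# private keys — confirm it is not served anonymously and is not world-readable.
CERT_DIR=/data/web/download/cert
# One domain per line; successfully issued domains are appended here.
DOMAIN_LIST_FILE=${CERT_DIR}/domains.txt
# ACME account e-mail.
EMAIL=xxx@xxx.com
# certbot data directory (shared by the route53 and aliyun issuers), relative to WORKDIR.
LETSENCRYPT_DATA_DIR=letsencrypt
# Absolute webroot that serves /.well-known/acme-challenge/ for HTTP-01.
WEB_PATH="/data/web/letsencrypt/"
# acme.sh home, relative to WORKDIR.
ACME_DATA_DIR="acme.sh"

domain=$1
[[ -z "${domain}" ]] && { echo "参数 domain 必传" >&2; exit 1; }

# Pick the issuer by domain suffix. A literal glob match replaces the unescaped
# regex "xxx.com$", whose "." matched any character.
rv=0
if [[ "${domain}" == *xxx.com ]]; then
  # AWS Route53 credentials (placeholders). Keep real values out of this file:
  # load them from a mode-600 file or the environment, and remember that set -x
  # echoes every expanded command, these assignments included, to stderr.
  AWS_ACCESS_KEY_ID='xxx'
  AWS_SECRET_ACCESS_KEY='xxx'
  issue_wildcard_domain_by_aws_route53 "${domain}"
  rv=$?
elif [[ "${domain}" == *xxx.com ]]; then
  # NOTE(review): this suffix is the same placeholder as the branch above, so the
  # branch is unreachable until the two suffixes are made distinct.
  DNS_ALIYUN_ACCESS_KEY="xxx"
  DNS_ALIYUN_ACCESS_KEY_SECRET="xxx"
  issue_wildcard_domain_by_aliyun_dns "${domain}"
  rv=$?
else
  # Previously an unmatched domain fell through with status 0 and was recorded as issued.
  echo "no issuer configured for ${domain}" >&2
  rv=1
fi

# Record the domain once. -F -x matches the whole line literally, so "." in the
# domain is not a regex wildcard and a commented-out "#domain" line never matches.
if (( rv == 0 )) && ! grep -Fxq -- "${domain}" "${DOMAIN_LIST_FILE}"; then
  echo "${domain}" >> "${DOMAIN_LIST_FILE}"
fi
exit "${rv}"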
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"route53:GetChange",
"route53:GetHostedZone",
"route53:ListHostedZones",
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets"
],
"Resource": "*"
}
]
}