
    #ssl证书

    #阿里云

    创建文件 credentials.ini，内容如下：

    dns_aliyun_access_key = 
    dns_aliyun_access_key_secret = 
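    # One-off issuance through the Aliyun DNS-01 plugin image.
    # credentials.ini holds the AccessKey pair: restrict it before it is mounted,
    # and mount it read-only since certbot only has to read it.
    chmod 600 credentials.ini
    docker run -it --rm \
    --name certbot \
    -v /etc/letsencrypt:/etc/letsencrypt \
    -v "$(pwd)/credentials.ini:/data/credentials.ini:ro" \
    registry.cn-hangzhou.aliyuncs.com/buyfakett/certbot-dns-aliyun \
    certonly --authenticator=dns-aliyun --dns-aliyun-credentials='/data/credentials.ini' \
    -d xxx.top -m xxx@qq.com \
    --non-interactive \
    --agree-tos \
    --preferred-challenges dns \
    --manual-cleanup-hook 'aliyun-dns clean'
    # Notes: the page showed "\\" line continuations, which the shell does not
    # accept — a single "\" ends each continued line. The host path is made
    # absolute with $(pwd) because some docker clients reject a relative "./"
    # bind-mount source.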

    证书生成在 /etc/letsencrypt/live/ 目录下

    #全自动获取

    #!/bin/bash
    
    ##############################################################################################################
    # 1、所有申请的证书都为 90 天有效期
    # 2、acme.sh 只能做单域名申请，不能申请通配域名；acme.sh 安装：curl https://get.acme.sh | sh -s email=xx@xxx.com
    # 3、certbot 申请的证书是 letsencrypt 的,政府域名 dns 不支持 letsencrypt 的 dns key 验证
    # 4、已经申请的证书30天后才能更新或再次申请
    # 5、webroot 申请的证书需要把域名 http://${domain}/.well-known/acme-challenge/ 映射到脚本所在服务器的 ${WEB_PATH} 目录
    ###############################################################################################################
    
    # Trace every expanded command to stderr. The trace also shows the AWS keys
    # handed to `docker run -e ...` and the inline key assignments further down,
    # so this script's stderr (and any cron mail) must not land in shared logs.
    set -o xtrace
    
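    function issue_wildcard_domain_by_aws_route53() {
        ######################
        # dns route53 通配域名
        # Issues (first run) or force-renews a wildcard certificate for $1 with
        # certbot's route53 plugin in Docker, then copies privkey.pem and
        # fullchain.pem into ${CERT_DIR}/<domain>/ and zips that directory as
        # ${CERT_DIR}/_wildcard.<domain>.zip.
        # Globals read: WORKDIR, LETSENCRYPT_DATA_DIR, CERT_DIR, EMAIL,
        #   AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
        # Side effect: the shell is left in ${CERT_DIR} (as before).
        # Returns: 1 if ${WORKDIR} cannot be entered, else the status of the
        #   final pack step.
        ######################
        local domain=$1
        local -a cmd_args
        local f
        cd "${WORKDIR}" || return 1
        # 申请证书
        if [[ ! -f "${LETSENCRYPT_DATA_DIR}/renewal/${domain}.conf" ]]; then
            # An array keeps "*.${domain}" from being glob-expanded by the
            # shell when it is handed to docker (the old unquoted string could
            # match a file in the working directory).
            cmd_args=(certonly --noninteractive --agree-tos --dns-route53 -d "*.${domain}" -m "${EMAIL}")
        else
            cmd_args=(renew --cert-name "${domain}" --force-renewal)
        fi
        # The keys are exported only into the docker client's environment and
        # passed as bare `-e NAME`, so the values are not visible in `ps` argv.
        AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
        docker run -i --rm --name certbot \
        -v "$(pwd)/${LETSENCRYPT_DATA_DIR}:/etc/letsencrypt" \
        -v "$(pwd)/log/:/var/log/letsencrypt/" \
        -e AWS_ACCESS_KEY_ID \
        -e AWS_SECRET_ACCESS_KEY \
        certbot/dns-route53:v2.10.0 "${cmd_args[@]}"
        # 打包证书
        mkdir -p "${CERT_DIR}/${domain}/"
        for f in privkey.pem fullchain.pem; do
            # -L dereferences the live/ symlinks so the zip holds real files.
            [[ -f "${LETSENCRYPT_DATA_DIR}/live/${domain}/${f}" ]] && cp -f -L "${LETSENCRYPT_DATA_DIR}/live/${domain}/${f}" "${CERT_DIR}/${domain}/"
        done
        # ${var:?} aborts instead of expanding to "rm -rf /" if either is empty.
        cd "${CERT_DIR}" && zip -r "_wildcard.${domain}.zip" "${domain}/" && rm -rf -- "${CERT_DIR:?}/${domain:?}/"
    }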
    
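    function issue_wildcard_domain_by_aliyun_dns() {
        #####################
        # dns aliyun 通配域名
        # Writes the Aliyun AccessKey pair to
        # ${LETSENCRYPT_DATA_DIR}/credentials/aliyun.ini (mode 600), then issues
        # or force-renews a wildcard certificate for $1 with the dns-aliyun
        # certbot image and packs it as ${CERT_DIR}/_wildcard.<domain>.zip.
        # Globals read: WORKDIR, LETSENCRYPT_DATA_DIR, CERT_DIR, EMAIL,
        #   DNS_ALIYUN_ACCESS_KEY, DNS_ALIYUN_ACCESS_KEY_SECRET
        # Side effect: the shell is left in ${CERT_DIR} (as before).
        # Returns: 1 if ${WORKDIR} cannot be entered, else the status of the
        #   final pack step.
        #####################
        local domain=$1
        local -a cmd_args
        local f
        local cred_dir="${LETSENCRYPT_DATA_DIR}/credentials"
        local cred_file="${cred_dir}/aliyun.ini"
        # Enter ${WORKDIR} *before* touching ${LETSENCRYPT_DATA_DIR}: it is a
        # relative path and the mount below is built from $(pwd), so writing the
        # credentials first (as the old code did) put them in the caller's cwd
        # whenever the script was started from somewhere else.
        cd "${WORKDIR}" || return 1
        mkdir -p "${cred_dir}"
        # umask 077 in a subshell makes the file private at creation time rather
        # than world-readable until the chmod; the chmod still covers a file that
        # already existed with a looser mode.
        ( umask 077 && cat > "${cred_file}" << EOF
    dns_aliyun_access_key = ${DNS_ALIYUN_ACCESS_KEY}
    dns_aliyun_access_key_secret = ${DNS_ALIYUN_ACCESS_KEY_SECRET}
    EOF
        )
        chmod 600 "${cred_file}"
        # 申请证书
        if [[ ! -f "${LETSENCRYPT_DATA_DIR}/renewal/${domain}.conf" ]]; then
            # Array form keeps "*.${domain}" out of shell globbing.
            cmd_args=(certonly --noninteractive --agree-tos --authenticator dns-aliyun -d "*.${domain}" -m "${EMAIL}" --dns-aliyun-credentials /root/.secrets/aliyun.ini)
        else
            cmd_args=(renew --cert-name "${domain}" --force-renewal)
        fi
        docker run -i --rm --name certbot \
        -v "$(pwd)/${cred_dir}:/root/.secrets:ro" \
        -v "$(pwd)/${LETSENCRYPT_DATA_DIR}:/etc/letsencrypt" \
        -v "$(pwd)/log/:/var/log/letsencrypt/" \
        muen/dns-aliyun:v2.3.0 "${cmd_args[@]}"
        # --dns-aliyun-propagation-seconds 30 \
        # 打包证书
        mkdir -p "${CERT_DIR}/${domain}/"
        for f in privkey.pem fullchain.pem; do
            # -L dereferences the live/ symlinks so the zip holds real files.
            [[ -f "${LETSENCRYPT_DATA_DIR}/live/${domain}/${f}" ]] && cp -f -L "${LETSENCRYPT_DATA_DIR}/live/${domain}/${f}" "${CERT_DIR}/${domain}/"
        done
        # ${var:?} aborts instead of expanding to "rm -rf /" if either is empty.
        cd "${CERT_DIR}" && zip -r "_wildcard.${domain}.zip" "${domain}/" && rm -rf -- "${CERT_DIR:?}/${domain:?}/"
    }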
    
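    function issue_single_domain_by_certbot() {
        ################################
        # certbot 单域名通过 webroot 申请
        # Issues or force-renews a single-name certificate for $1 with certbot's
        # webroot authenticator in Docker; ${WEB_PATH} has to be served under
        # http://<domain>/.well-known/acme-challenge/ (see the file header).
        # The result is packed as ${CERT_DIR}/_wildcard.<domain>.zip.
        # Globals read: WORKDIR, LETSENCRYPT_DATA_DIR, CERT_DIR, EMAIL, WEB_PATH
        # Side effect: the shell is left in ${CERT_DIR} (as before).
        # Returns: 1 if ${WORKDIR} cannot be entered, else the status of the
        #   final pack step.
        ################################
        local domain=$1
        local -a cmd_args
        local f
        cd "${WORKDIR}" || return 1
        if [[ ! -f "${LETSENCRYPT_DATA_DIR}/renewal/${domain}.conf" ]]; then
            cmd_args=(certonly --webroot --noninteractive --agree-tos "--webroot-path=${WEB_PATH}" -d "${domain}" -m "${EMAIL}")
        else
            cmd_args=(renew --cert-name "${domain}" "--webroot-path=${WEB_PATH}" --force-renewal)
        fi
        docker run -i --rm --name certbot \
        -v "$(pwd)/${LETSENCRYPT_DATA_DIR}/:/etc/letsencrypt" \
        -v "$(pwd)/log/:/var/log/letsencrypt/" \
        -v "${WEB_PATH}:${WEB_PATH}" \
        certbot/certbot:v2.10.0 "${cmd_args[@]}"
        # 打包证书
        mkdir -p "${CERT_DIR}/${domain}/"
        for f in privkey.pem fullchain.pem; do
            # -L dereferences the live/ symlinks so the zip holds real files.
            [[ -f "${LETSENCRYPT_DATA_DIR}/live/${domain}/${f}" ]] && cp -f -L "${LETSENCRYPT_DATA_DIR}/live/${domain}/${f}" "${CERT_DIR}/${domain}/"
        done
        # The archive keeps the "_wildcard." prefix of the original even though
        # this is a single-name cert — presumably existing download links rely
        # on that name; verify before renaming. ${var:?} guards the rm -rf.
        cd "${CERT_DIR}" && zip -r "_wildcard.${domain}.zip" "${domain}/" && rm -rf -- "${CERT_DIR:?}/${domain:?}/"
    }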
    
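    function issue_single_domain_by_acme() {
        ################################
        # acme.sh 单域名通过 webroot 申请
        # Registers the account e-mail, issues (or force-renews) a single-name
        # certificate for $1 through acme.sh against ZeroSSL in Docker, installs
        # key + fullchain into ${CERT_DIR}/<domain>/ and zips that directory as
        # ${CERT_DIR}/<domain>.zip.
        # Globals read: WORKDIR, ACME_DATA_DIR, WEB_PATH, CERT_DIR, EMAIL
        # Side effect: the shell is left in ${CERT_DIR} (as before).
        # Returns: 1 if ${WORKDIR} cannot be entered, else the status of the
        #   final pack step.
        ################################
        local domain=$1
        local -a cmd_args
        local acme_image=neilpang/acme.sh:3.0.7
        local acme_home="$(pwd)/${ACME_DATA_DIR}"
        cd "${WORKDIR}" || return 1
        acme_home="$(pwd)/${ACME_DATA_DIR}"
        # NOTE(review): the existence check looks at the *_ecc lineage while the
        # renew / install-cert calls below pass no --ecc (cf. the commented
        # example at the end) — confirm acme.sh resolves the ECC cert this way.
        if [[ ! -f "${ACME_DATA_DIR}/${domain}_ecc/${domain}.conf" ]]; then
            cmd_args=(--issue --server https://acme.zerossl.com/v2/DV90 -w "${WEB_PATH}" -d "${domain}" --force)
        else
            cmd_args=(--renew -d "${domain}" --force)
        fi
        # 添加证书邮箱账号
        docker run --rm -i -v "${acme_home}:/acme.sh" \
        "${acme_image}" --issue --server https://acme.zerossl.com/v2/DV90 -d "${domain}" --register-account -m "${EMAIL}"
        # 申请证书
        docker run --rm -i -v "${acme_home}:/acme.sh" -v "${WEB_PATH}:${WEB_PATH}" -v "${CERT_DIR}/${domain}/:/cert/${domain}/" \
        "${acme_image}" "${cmd_args[@]}"
        # 转换证书为 nginx
        docker run --rm -i -v "${acme_home}:/acme.sh" -v "${CERT_DIR}/${domain}/:/cert/${domain}/" \
        "${acme_image}" --install-cert -d "${domain}" --key-file "/cert/${domain}/privkey.pem" --fullchain-file "/cert/${domain}/fullchain.pem"
        # 打包证书 — ${var:?} guards the rm -rf against empty expansions.
        cd "${CERT_DIR}" && zip -r "${domain}.zip" "${domain}" && rm -rf -- "${CERT_DIR:?}/${domain:?}"
        # 更新证书
        # /root/.acme.sh/acme.sh --renew -d example.com --force --ecc
    }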
    
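    # 工作目录
    WORKDIR=/data/app/issue-domain
    
    # 证书存放绝对路径目录
    CERT_DIR=/data/web/download/cert
    # 证书列表
    DOMAIN_LIST_FILE=${CERT_DIR}/domains.txt
    # 证书账号邮箱
    EMAIL=xxx@xxx.com
    # letsencrypt 数据相对路径目录（阿里云和亚马逊两条流程共用；原脚本对同一
    # 变量赋了两次相同的值）
    LETSENCRYPT_DATA_DIR=letsencrypt
    # 验证的 web 绝对路径目录
    WEB_PATH="/data/web/letsencrypt/"
    # acme 证书存放相对路径目录
    ACME_DATA_DIR="acme.sh"
    
    domain=$1
    [[ -z "${domain}" ]] && { echo "参数 domain 必传" >&2; exit 1; }
    
    # Pick the DNS provider by domain suffix. Both patterns are the page's
    # "xxx.com" placeholders; as written the elif can never be reached, so put
    # the real zone of each account in its branch. The dot is escaped so that
    # "xxx.com" does not also match "xxxzcom".
    rc=0
    if [[ "${domain}" =~ xxx\.com$ ]]; then
        # 沐恩亚马逊配置 — placeholder values; the real keys belong in the
        # environment or a 0600 file, not in a script that runs under set -x.
        AWS_ACCESS_KEY_ID='xxx'
        AWS_SECRET_ACCESS_KEY='xxx'
        issue_wildcard_domain_by_aws_route53 "${domain}" || rc=$?
    elif [[ "${domain}" =~ xxx\.com$ ]]; then
        # 沐恩账号阿里云配置
        DNS_ALIYUN_ACCESS_KEY="xxx"
        DNS_ALIYUN_ACCESS_KEY_SECRET="xxx"
        issue_wildcard_domain_by_aliyun_dns "${domain}" || rc=$?
    else
        # Previously an unmatched domain fell out of the if with $?=0 and was
        # still appended to the list although nothing had been issued.
        echo "domain ${domain} 没有匹配的 DNS 配置" >&2
        exit 1
    fi
    
    # Record the domain once issuance succeeded. -F -x matches the whole line
    # literally (the old `egrep -v "^#" ... | egrep "^${domain}$" FILE` gave the
    # second grep a file argument, so the pipe and the "^#" filter were ignored
    # and dots in the domain were treated as regex wildcards).
    if (( rc == 0 )) && ! grep -Fxq -- "${domain}" "${DOMAIN_LIST_FILE}"; then
        printf '%s\n' "${domain}" >> "${DOMAIN_LIST_FILE}"
    fi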
    

    #亚马逊权限

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "route53:GetChange",
            "route53:GetHostedZone",
            "route53:ListHostedZones",
            "route53:ChangeResourceRecordSets",
            "route53:ListResourceRecordSets"
          ],
          "Resource": "*"
        }
      ]
    }