Home Data Center Series Say Goodbye to the Trouble of "SSL Certificate is about to expire": Introduction to the Principle of acme.sh and Detailed Usage Tutorial

Preface

A few days ago I suddenly received a reminder from Tencent Cloud that my domain name's SSL certificate had expired:

This domain name is the one I use for the derp (Tailscale relay) server on my cloud host (if you are interested, see the earlier article: Debian series build tailscale DERP server (relay server) for dummies). Tencent Cloud used to offer a free one-year DV certificate, and I figured that renewing once a year was no trouble, so I lived with that for two years. But now:


It is hopeless. Redoing it by hand every three months would be unbearable (paying for a certificate is out of the question), so it is time for the standard free-certificate auto-renewal solution: acme.sh.

Note 1: I have known about acme.sh for a long time but was too lazy to use it (once a year was fine), and most other places where I need automatic renewal have ACME built in, so there was no need to set it up separately. Now that I am forced to, I might as well study it properly and write it up.

Note 2: Besides acme.sh there are other ACME clients, certbot for example. acme.sh, however, is a single shell script that needs nothing beyond a POSIX shell and curl or wget. My original need was simple: automatically renew the certificate files in one directory on the derp server, nothing more, and no integration with Nginx or Apache. acme.sh fits that exactly. certbot's strength is its tight integration with Nginx and Apache (dedicated plugins) and a broader feature set, none of which I use at the moment, so after weighing the two I chose acme.sh.

Note 3: The acme.sh workflow described here only renews certificates stored on the local machine. Many websites now sit behind a CDN that terminates TLS, so the renewed file on your server never reaches the CDN unless you also push it there with a deploy hook or another tool. For automatically updating a free certificate on a CDN, see another article: Home Data Center Series SSL Certificate One-Stop Management Tool OHTTPS Usage Tutorial.

ACME Protocol Introduction

The "acme.sh" this article is about is just one well-known ACME client. Most applications that can renew SSL certificates automatically (the Baota panel, 1Panel and so on) bundle an ACME tool to handle requesting, validating and renewing certificates, because ACME is the standard protocol for obtaining and managing free SSL certificates (Let's Encrypt in particular).

We run into ACME in many places:

1. Applications and panels that integrate ACME

Baota Panel (宝塔面板): integrates Let's Encrypt certificate issuance and provides automatic renewal; under the hood it uses a tool such as acme.sh or certbot to request and renew certificates.

1Panel: like Baota, 1Panel supports one-click SSL certificate issuance and automatic renewal, and it also uses acme.sh for certificate management.

Other panels (cPanel, Plesk, etc.): these also have built-in Let's Encrypt support, usually by integrating an ACME client such as certbot or acme.sh.

2. Typical ACME client tools

• acme.sh: a pure shell script ACME client. It supports most CAs (Let's Encrypt, ZeroSSL, etc.) and handles the usual certificate types (wildcard certificates, RSA and ECC keys). Many applications and panels bundle it because it is lightweight, portable and has almost no dependencies. It is the protagonist of this article.

• certbot: the ACME client maintained by the Electronic Frontier Foundation (EFF) and recommended by Let's Encrypt. It is feature-rich, with Apache and Nginx plugins that can edit the web server configuration for you, and supports many automation plugins for complex setups.

• lego: an ACME client and library written in Go, with a large set of DNS provider integrations for DNS-01 validation; suited to developers who want to embed certificate management in their own programs.

Note: If you build your website with a panel that integrates ACME (Baota, 1Panel), you do not need to configure acme.sh separately. You need acme.sh when you deploy Nginx or Apache by hand (experienced operators like to keep everything under their control and do not build sites with panels), or when, like me this time, you just want to keep a certificate in a specific directory up to date.

How ACME works

ACME (Automatic Certificate Management Environment, RFC 8555) is a protocol for automating the issuance, installation and renewal of SSL/TLS certificates. Its two core jobs are "proving control of a domain name" and "requesting, issuing and managing certificates".

The ACME protocol workflow generally includes the following steps:

  1. Register an account: the client generates an account key pair locally and registers its public key with an ACME server (Let's Encrypt, for example), optionally with contact information (Let's Encrypt does not require it, ZeroSSL requires a valid email address) so that the CA can warn you when a certificate is about to expire. From then on every request is signed with the account private key, which is how the CA recognises the account.
  2. Prove control of the domain: the client asks for an authorization for the domain name, the ACME server answers with challenges, and the client has to satisfy one of them (HTTP-01, DNS-01 or TLS-ALPN-01) to prove that it controls the name.
  3. Request the certificate: after validation the client generates a key pair for the domain and a Certificate Signing Request (CSR) containing the domain names and that public key, and submits it to the ACME server to finalize the order.
  4. Issuance: the ACME server checks that every name in the CSR has been validated, signs the certificate and makes it available for download; the client fetches it together with the intermediate chain and stores it locally.
  5. Automatic renewal: before the certificate expires, the client repeats steps 2 to 4: a new order, fresh validation of domain control, and a new certificate.

Install acme.sh

Preparation

Before installing acme.sh, make sure the system has an up-to-date set of root certificates, because acme.sh has to verify the CA's HTTPS endpoint; otherwise requesting a certificate may fail with TLS errors. On Debian/Ubuntu:

apt update
apt install ca-certificates

Installation method selection

Script installation method

There are several ways to install acme using scripts:

1. Install from the web at https://get.acme.sh:

curl https://get.acme.sh | sh -s [email protected]

2. Install from GitHub:

curl https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh | sh -s -- --install-online -m [email protected]

or

wget -O - https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh | sh -s -- --install-online -m [email protected]

3. Install with "git clone":

git clone --depth 1 https://github.com/acmesh-official/acme.sh.git
cd acme.sh
./acme.sh --install -m [email protected]

4. Advanced installation

git clone --depth 1 https://github.com/acmesh-official/acme.sh.git
cd acme.sh
./acme.sh --install \
  --home ~/myacme \
  --config-home ~/myacme/data \
  --cert-home ~/mycerts \
  --accountemail "[email protected]" \
  --accountkey ~/myaccount.key \
  --accountconf ~/myaccount.conf \
  --useragent "this is my client."

Parameter Description:

  • --home: the directory acme.sh is installed into. Default: ~/.acme.sh.
  • --config-home: a writable directory where acme.sh keeps all its files (certificates, keys, configuration). Default: inside --home.
  • --cert-home: a directory for the issued certificates. Default: inside --config-home.
  • --accountemail: the email address used to register the Let's Encrypt account; renewal notifications are sent there.
  • --accountkey: the file holding the account private key. Default: inside --config-home.
  • --accountconf: the account configuration file. Default: inside --config-home.
  • --useragent: the value of the User-Agent request header sent to Let's Encrypt.
  • --nocron: do not create a cron job during installation.

Note 1: As described under "How ACME works", when acme.sh requests a certificate from Let's Encrypt or another CA it has to register an account (the ACME account), and that account can be bound to an email address. The "[email protected]" in the commands above is the address used when registering. It is used to receive important notifications from the CA (certificate expiry reminders, security notices) and is recorded as the account's contact for later changes or revocations. It is not a required parameter, but a valid address is strongly recommended so that you receive expiry reminders and other notices in time.

Note 2: The installation program will automatically perform the following operations:

1. Installs acme.sh into ~/.acme.sh, the .acme.sh folder under your home directory (the whole client is that single script plus its data).

2. Adds a cron job that runs at 0:00 every day to check all certificates; any certificate that is due for renewal is renewed automatically. You can see the job with:

crontab -l


Note: If cron is not installed, this step fails, which is not a problem: install cron later and add the scheduled task yourself (acme.sh --install-cronjob does it for you).

3. Creates an alias for the script, alias acme.sh=~/.acme.sh/acme.sh, by writing it to ~/.acme.sh/acme.sh.env and sourcing that file from your shell profile. It therefore only appears in a new login shell, which explains why it was missing right after installation on both of my devices.

Docker method

For environments that are not suited to the script installation, Docker can reproduce its effect. The following command runs acme.sh in a container as a daemon (the container keeps a cron process running, so renewals still happen):

mkdir -p /docker/acme.sh
docker run --name=acme.sh -itd --rm \
  -v /docker/acme.sh:/acme.sh \
  -v /var/run/docker.sock:/var/run/docker.sock \
  neilpang/acme.sh daemon

The result is similar to the script installation, except that every acme.sh command is run through docker exec acme.sh ..., and the container has to be started by hand (after each reboot as well, otherwise the cron-driven renewal does not run). Be aware that mounting /var/run/docker.sock gives the container full control of the Docker daemon on the host, which is equivalent to root on the host; it is only needed if you intend to use the docker deploy hook to push certificates into other containers, so leave that line out otherwise.

Note: why not use "--restart=always" so that the acme.sh container starts at boot? Because "--rm" and "--restart=always" are mutually exclusive, and in theory "--rm" is the better fit for running acme.sh this way.

Additional knowledge: acme.sh domain validation methods

There are three validation methods acme.sh can use to prove that the client controls a domain name:

  1. HTTP-01 challenge (webroot)

• Principle: the client places a file containing the key authorization for the challenge token under a well-known path of the target domain (http://yourdomain/.well-known/acme-challenge/<token>); the ACME server fetches that file over plain HTTP on port 80 to verify control of the name.
• Scenario: any host that already serves web content for the domain.
• Advantages: simple, no DNS changes, fits the common website setup.
• Disadvantages: depends on an existing web server (Nginx, Apache, ...), and the host the domain resolves to must be reachable from the internet on port 80 with the .well-known/acme-challenge path accessible (the validation server follows redirects, so an HTTP-to-HTTPS redirect is fine as long as the path itself is not blocked). It cannot be used for wildcard certificates.

Note: this method also has a special "standalone" mode, enabled with the "--standalone" parameter. acme.sh then starts a temporary web server itself, listening on port 80 (with "--alpn" it listens on 443 and answers the TLS-ALPN-01 challenge instead), to serve the CA's validation requests. Standalone mode is rarely practical because it needs that port free, and on a normal host port 80 and 443 are occupied by the web server; it suits a dedicated certificate-management host that serves no website itself and distributes the certificates to other servers.

  2. DNS-01 challenge

• Principle: the client adds a TXT record named _acme-challenge.<domain> whose value is derived from the challenge string provided by the ACME server; the ACME server queries DNS for that record to verify control of the name.
• Scenario: when the target server cannot be reached directly, when the name resolves to several addresses, or when you need a wildcard certificate (DNS-01 is the only challenge type allowed for wildcards).
• Advantages: no port has to be exposed and no web server has to be running; only write access to the DNS zone is needed.
• Disadvantages: requires write access to the DNS records, and with API validation that means storing DNS API credentials on the host.

Note: this method has a second implementation, "API validation", in which you give acme.sh API credentials for your DNS provider so that it can create and remove the TXT record by itself, without any manual step.

  3. TLS-ALPN-01 challenge

• Principle: the client answers a TLS handshake on port 443 of the target domain with the ALPN protocol "acme-tls/1" (Application Layer Protocol Negotiation), presenting a self-signed certificate that carries the challenge response in an extension. The ACME server opens a TLS connection and checks that response during the handshake.
• Scenario: when HTTP-01 or DNS-01 cannot be used, for example hosts that only speak TLS and have no port 80.
• Advantages: no HTTP port has to be exposed; only the TLS port (normally 443) is required.
• Disadvantages: requires precise control over the server's TLS configuration, the client must support ALPN, and it occupies port 443, so it has the same problem as "standalone".

In the end, the two most commonly used methods are the "HTTP-01 challenge (webroot)" and the "DNS-01 challenge".

Note: the ACME server does not only check domain control when you first apply for a certificate; every renewal is validated again in the same way (HTTP or DNS) as the original request. So make sure that whatever the validation depends on (the reachable .well-known path, or access to the DNS records) stays in place after the initial application.
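What each challenge actually publishes follows mechanically from two values: the token the CA puts in the challenge object, and the thumbprint of the account key (the key behind --accountkey). The following shell script is an added example of my own, not acme.sh code, that computes those values with openssl as specified in RFC 8555 and RFC 7638; it illustrates step 2 of the ACME workflow above for all three challenge types. The account JWK coordinates and the token are constructed values, not a real account or challenge, so the printed outputs are illustrative only.

```shell
#!/bin/sh
# Added example, not acme.sh code: the values an ACME client must publish for
# each challenge type (RFC 8555 section 8, RFC 7638). Needs only openssl.
set -eu

# b64url: base64url without padding, the encoding ACME uses everywhere
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# jwk_thumbprint KTY PARAMS...  ->  base64url(SHA-256(canonical JWK))
# RFC 7638: hash the JWK's *required* members only, with member names in
# lexicographic order and no whitespace. Extra members, another order or a
# space anywhere changes the digest, and the CA then rejects every challenge
# response built from it.
#   EC:  jwk_thumbprint EC  CRV X Y   hashes {"crv":..,"kty":"EC","x":..,"y":..}
#   RSA: jwk_thumbprint RSA E N       hashes {"e":..,"kty":"RSA","n":..}
jwk_thumbprint() {
  case "$1" in
    EC)  json="{\"crv\":\"$2\",\"kty\":\"EC\",\"x\":\"$3\",\"y\":\"$4\"}" ;;
    RSA) json="{\"e\":\"$2\",\"kty\":\"RSA\",\"n\":\"$3\"}" ;;
    *)   echo "unsupported kty: $1" >&2; return 1 ;;
  esac
  printf '%s' "$json" | openssl dgst -sha256 -binary | b64url
}

# key_authorization TOKEN THUMBPRINT  ->  "TOKEN.THUMBPRINT"
# HTTP-01: this exact string is the body served at
#   http://<domain>/.well-known/acme-challenge/TOKEN
key_authorization() {
  printf '%s.%s' "$1" "$2"
}

# dns01_txt_value KEYAUTH  ->  base64url(SHA-256(KEYAUTH))
# DNS-01: the value of the TXT record at _acme-challenge.<domain>
dns01_txt_value() {
  printf '%s' "$1" | openssl dgst -sha256 -binary | b64url
}

# tls_alpn01_digest KEYAUTH  ->  hex SHA-256(KEYAUTH)
# TLS-ALPN-01: this digest goes into the acmeIdentifier extension of the
# self-signed certificate served when the CA negotiates ALPN "acme-tls/1"
tls_alpn01_digest() {
  printf '%s' "$1" | openssl dgst -sha256 -binary | od -An -tx1 | tr -d ' \n'
}

# Demo with constructed values: a made-up P-256 account JWK and a made-up
# token. In reality each challenge object carries its own token; the
# construction is the same for every challenge type.
ACCOUNT_THUMBPRINT=$(jwk_thumbprint EC P-256 \
  "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU" \
  "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0")
TOKEN="evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
KEYAUTH=$(key_authorization "$TOKEN" "$ACCOUNT_THUMBPRINT")
echo "HTTP-01   http://www.tangwudi.com/.well-known/acme-challenge/$TOKEN -> $KEYAUTH"
echo "DNS-01    _acme-challenge.tangwudi.com TXT \"$(dns01_txt_value "$KEYAUTH")\""
echo "TLS-ALPN  acmeIdentifier = $(tls_alpn01_digest "$KEYAUTH")"
```

Two details in there bite real implementations: the JWK has to be serialised with its required members in lexicographic order and without whitespace before hashing, and every encoding is base64url without padding. Run with the coordinates of a real account key, the script lets you check by hand what acme.sh writes into the webroot or publishes as the TXT value.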

acme.sh in action

Preparation

Changing the Default CA

Since 2021, when acme.sh came under ZeroSSL's parent company (Apilayer), its default certificate authority (CA) has been ZeroSSL. Using ZeroSSL is not a problem in itself, but on first use you have to register with a valid email address and confirm it, which is a bit annoying, so for convenience it is common to switch the default back to Let's Encrypt with:

acme.sh --set-default-ca --server letsencrypt

acme.sh also supports other CAs (for example letsencrypt, letsencrypt_test, zerossl, buypass, sslcom and google), selectable with the same --server parameter; choose as needed.

Use alias to create an alias for the acme.sh script (optional)

Use the alias command to list the existing aliases. If there is no acme.sh alias, create one for the script for convenience:

alias acme.sh=~/.acme.sh/acme.sh

Note: In theory the installer does this automatically, but it writes the alias into ~/.acme.sh/acme.sh.env and sources that file from the shell profile, so the alias only takes effect in a new shell (or after sourcing that file), which is why I found it missing right after the script installation and added this step. If the alias is already there after installation, skip it.

Register an account on the ACME server (optional)

This step is not required. With Let's Encrypt, acme.sh registers an account automatically the first time you issue a certificate (the account is identified by its key pair; the email is optional contact information), while some CAs check the email address strictly (ZeroSSL). Even though Let's Encrypt does not insist on it, I still recommend supplying a real email address so that you receive its notifications (for example about a certificate that is about to expire).

If you do not have an account on the ACME server yet, register one with the following command:

acme.sh --register-account --accountemail [email protected]

This way you can register an account on the ACME server (CA) and associate it with your own email address.

If you already have an account but no associated email address, you can update the email address separately using the following command:

acme.sh --update-account --accountemail [email protected]

Note: If the email address given at install time is real, the account is created automatically on the ACME server with that address the first time it is needed (subject to whether the CA verifies the address, which is why this step cannot always be skipped), so there is no need to register again; that is why I call this step optional.

Apply for a certificate using acme.sh

Additional knowledge: What does acme.sh do?

When you request a certificate with acme.sh for the first time, once the ACME server has validated the domain the script writes the following files under ~/.acme.sh/yourdomain (one folder per certificate; a certificate issued with an ECC key goes into yourdomain_ecc instead):

  1. yourdomain.key: the private key belonging to the certificate. It never leaves the server: during the TLS handshake it proves that the server owns the certificate's public key, so it must stay readable only by root and the web server user.
  2. yourdomain.cer: the certificate (leaf) issued by the CA, containing the domain names and the public key.
  3. fullchain.cer: the full chain, that is the domain certificate followed by the CA's intermediate certificates; this is the file most web server configurations want.
  4. ca.cer: the issuing chain returned by the CA, usually just the intermediate certificate(s). It does not contain the trusted root, which the connecting client must already have in its trust store.

On each automatic renewal the private key is reused by default (unless you tell acme.sh to generate a new one), while the certificate file and the full-chain file are replaced. The CA file normally stays the same, but it can change as well: when you switch CA (from Let's Encrypt to ZeroSSL, say), or when the same CA changes its chain (Let's Encrypt changed its default chain when DST Root CA X3 expired in 2021, and replaced its R3/E1 intermediates with R10/R11 and E5/E6 in 2024).

To sum up, acme.sh generates four files (private key, certificate, full chain, CA chain) in the domain's folder under the configured path (~/.acme.sh/ by default), keeps refreshing the certificate and full-chain files, and refreshes the CA file when needed.

Note 1: If you do not want the default ~/.acme.sh/ path, change it with --config-home. If you only want to change where the certificate files are stored, use --cert-home; everything other than the certificate files then stays under ~/.acme.sh/.

Note 2: ~/.acme.sh/account.conf is the global configuration file of acme.sh. It holds the ACME account information (such as the account key path and the CA's API URL) and, once you have used a DNS API, the provider credentials in clear text, so keep it readable only by its owner.

Two ways to apply for a certificate with acme.sh

Apply using script

HTTP authentication method (webroot)

If acme.sh is issuing a certificate for a domain that already has a website, say "www.tangwudi.com", the command for a script-based request with webroot validation is:

acme.sh --issue -d www.tangwudi.com --webroot /home/wwwroot/www.tangwudi.com/

  • --issue requests a new certificate
  • -d specifies the domain name to put in the certificate; repeat -d to include several names in one certificate
  • --webroot /home/wwwroot/www.tangwudi.com/ is the real document root of the site for that domain; acme.sh writes the challenge file under <webroot>/.well-known/acme-challenge/ and removes it afterwards

Note 1: Besides --webroot, which points at the site's document root directly, there are --nginx and --apache modes for those two web servers. They work by temporarily editing the server's configuration to serve the challenge and reloading it, so they depend on the default installation paths and on permission to reload the service; if the web server is installed somewhere unusual, or acme.sh is not allowed to reload it, they cause trouble. If only one domain needs a certificate, --webroot is the safest choice.

Note 2: With HTTP validation, make sure the site is reachable from the internet on port 80 and that http://yourdomain/.well-known/acme-challenge/ is actually served (not blocked by a deny rule, proxied to an application that answers 404, or hidden behind authentication), otherwise validation fails every time.

Note 3: HTTP validation can only prove control of individual host names. A wildcard certificate requires DNS validation.

DNS verification method
Manual method

1. Generate the TXT record with acme.sh
Run the following command (replace tangwudi.com with your own domain):

acme.sh --issue --dns -d tangwudi.com --yes-I-know-dns-manual-mode-enough-go-ahead-please

acme.sh prints the TXT record name (_acme-challenge.tangwudi.com) and the value to publish; note both down.

2. Add that TXT record in your DNS provider's console.

3. Once the record is published (check it with a DNS lookup against your provider's authoritative name servers), run the same command with --renew to complete validation and download the certificate for tangwudi.com:

acme.sh --renew -d tangwudi.com --yes-I-know-dns-manual-mode-enough-go-ahead-please

Note: as the long parameter name warns, manual mode cannot renew on its own: every renewal needs a fresh TXT value, so the daily cron job will fail for these certificates and you have to repeat steps 1 to 3 by hand each time. It is only a fallback for providers without an API.

API method

This method no longer requires you to create TXT records by hand: acme.sh creates and removes them through your DNS provider's API. You therefore need the API credentials of your DNS provider account (usually an ID and a secret; the names and number of values differ from provider to provider). The acme.sh wiki lists the supported providers and the environment variable names each one expects.

Taking a domain hosted on Alibaba Cloud as an example, first obtain an Ali_Key and Ali_Secret by creating a new AccessKey in the Alibaba Cloud console. Alibaba Cloud now recommends creating it for a RAM user rather than the root account (see: Alibaba Cloud RAM Users). Do that and grant the RAM user only DNS management rights: acme.sh stores these credentials in ~/.acme.sh/account.conf for future renewals, and a key that can do nothing but edit DNS records limits the damage if that file ever leaks.

After obtaining Ali_Key and Ali_Secret, export them as environment variables:

export Ali_Key="xxxxxxxx"
export Ali_Secret="xxxxxxxxxxxxx"

Finally, generate the wildcard certificate for tangwudi.com (quote the wildcard so that the shell does not expand it as a file glob):

acme.sh --issue --dns dns_ali -d '*.tangwudi.com'

Note 1: The "dns_ali" after "--dns" is generally "dns_" plus the provider's short name: "dns_ali" for Alibaba Cloud, "dns_dp" for Tencent DNSPod, "dns_cf" for Cloudflare. There are exceptions, so confirm the name before deploying; see "ACME-powered domain provider API" in the acme.sh wiki.

Note 2: "-d tangwudi.com" in the manual example and "-d *.tangwudi.com" here are not the same thing. The first produces a certificate for the single host name tangwudi.com; the second produces a wildcard certificate that matches any single-label host name under tangwudi.com (www.tangwudi.com, derp.tangwudi.com, ...) but, by the rules of certificate name matching, neither the apex tangwudi.com itself nor deeper names such as a.b.tangwudi.com. If you want one certificate for the apex and all its subdomains, request both identifiers together: -d tangwudi.com -d '*.tangwudi.com' (both are validated through TXT records at the same name, _acme-challenge.tangwudi.com).

Note 3: DNS validation does not need an HTTP environment and adapts to more situations (for example my goal this time, renewing the certificate of the derp service, which has no web server). Its only drawback is that it requires control of the domain's DNS. If you control the website but not the DNS zone (a site on shared hosting, for instance), it is not an option and HTTP validation fits better. Choose according to your environment.
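One check that avoids a failed --renew in manual mode, and that also shows what the wildcard note means in practice: the TXT record must be visible at the authoritative name servers before you continue, and the apex and the wildcard share the single name _acme-challenge.tangwudi.com, so two records with different values coexist there. The script below is an added example of mine, not acme.sh code; the parsing works on the output of dig +short TXT, the sample output is constructed, and the live lookup assumes dig is installed.

```shell
#!/bin/sh
# Added example, not acme.sh code: confirm that a DNS-01 TXT record is
# visible before running "acme.sh --renew" in manual mode. Needs dig for the
# live query only; the parsing is plain sed/grep.
set -eu

# challenge_name DOMAIN  ->  the TXT owner name the CA will query.
# The wildcard "*.tangwudi.com" and the apex "tangwudi.com" both map to
# _acme-challenge.tangwudi.com, so when both are in one order that single
# name must carry two TXT records with different values.
challenge_name() {
  printf '_acme-challenge.%s' "${1#"*."}"
}

# txt_has_value EXPECTED  (reads "dig +short TXT ..." output on stdin)
# dig prints one record per line, quoted, and splits records longer than
# 255 bytes into "part" "part": join those, strip the quotes, then look for
# an exact line match. The "--" matters because base64url values can start
# with "-", which grep would otherwise read as an option.
txt_has_value() {
  sed 's/" "//g; s/^"//; s/"$//' | grep -qxF -- "$1"
}

# challenge_ready DOMAIN EXPECTED [NAMESERVER]
# Live check. Ask the provider's authoritative server (NAMESERVER) rather
# than the local resolver, which may still cache the empty answer from
# before you added the record.
challenge_ready() {
  dig +short TXT "$(challenge_name "$1")" ${3:+"@$3"} | txt_has_value "$2"
}

# Constructed "dig +short TXT" output: two challenge values at one name
# (apex + wildcard ordered together), one of them split by dig, plus an
# unrelated record. The values are made up, not real challenge responses.
SAMPLE='"v=spf1 -all"
"MrEjsVrqdZ2VaLq6ywSXEb-3NOxbO-sIRN7CnE5ov1M"
"B1y8Q8fvh7ON0ghjv5P0xO6HLZ" "UfOaMs6RDYQ1_QkTnE9"'

# Stand-alone usage: sh dns01-check.sh tangwudi.com <txt value> [<authoritative ns>]
if [ $# -ge 2 ]; then
  if challenge_ready "$1" "$2" "${3:-}"; then
    echo "TXT record is live, safe to run acme.sh --renew"
  else
    echo "TXT record not visible yet, wait before running --renew"
  fi
fi
```

Run it in a loop until it reports the record as live, then issue the --renew; with the API method acme.sh performs the same wait internally, which is why that method needs no manual step.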

Apply using docker

This method is the fallback for environments where the script installation is inconvenient. In essence it uses docker exec to run the acme.sh inside the container as if it were the script. Earlier I showed how to run acme.sh in Docker as a daemon; with that container running, you only need:

docker exec \
  -e Ali_Key="xxxxxxxx" \
  -e Ali_Secret="xxxxxxxxxxxxx" \
  acme.sh --issue -d tangwudi.com --dns dns_ali

Personally I find Docker plus API validation the most convenient way to request certificates, so I do not bother with the other methods; the principles are the same and the other methods are simply more work. It is up to you.

In fact, if you request through Docker, the daemon step is not required at all: a one-off command works too, for example:

(1) --webroot mode

docker run --rm -it \
  -v /docker/acme.sh:/acme.sh \
  neilpang/acme.sh --issue -d tangwudi.com --webroot /acme.sh/webroot

(2) --dns mode (pass the provider's API variables with -e, as in the docker exec example above)

docker run --rm -it \
  -v /docker/acme.sh:/acme.sh \
  neilpang/acme.sh --issue -d tangwudi.com --dns dns_cf

Keep in mind that a one-off container has no cron inside it: automatic renewal only happens if the daemon container is running, or if you schedule the docker run command from the host's cron. Beyond that, it depends on what you like.


Certificate deployment

Certificate deployment for general environments

By default acme.sh only maintains the certificates under ~/.acme.sh/yourdomain. That directory is acme.sh's internal working copy (its layout may change between versions), so do not point a web server at it, and do not cp files out of it by hand: such copies go stale at the next renewal.

If the certificate has to live elsewhere, the proper way is the official --install-cert parameter, which tells acme.sh exactly where to copy each file. Taking the deployment of the "tangwudi.com" certificate into Nginx as an example (replace the paths with your own):

acme.sh --install-cert -d tangwudi.com \
  --key-file /path/to/keyfile/in/nginx/key.pem \
  --fullchain-file /path/to/fullchain/nginx/cert.pem \
  --reloadcmd "service nginx force-reload"

Deploying to Apache is the same:

acme.sh --install-cert -d tangwudi.com \
  --cert-file /path/to/certfile/in/apache/cert.pem \
  --key-file /path/to/keyfile/in/apache/key.pem \
  --fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
  --reloadcmd "service apache2 force-reload"

The two examples differ only in how many files the web server wants:

Nginx: usually 2 files (full chain + private key); the intermediate certificates are appended to the certificate file, which is exactly what fullchain.cer is.
Apache: traditionally 3 files (certificate + private key + intermediate chain via SSLCertificateChainFile); since Apache 2.4.8 SSLCertificateFile may contain the full chain as well, so on current versions the separate chain file is optional.

The "install" step is at heart still a copy, but it also records where the files of "tangwudi.com" were copied to, so that when acme.sh later renews the certificate under ~/.acme.sh/tangwudi.com it refreshes those copies as well and then runs the reload command. Keep the copied key readable only by root and the web server user. If the certificate was issued with an ECC key, add --ecc to the --install-cert (and --renew) command, because acme.sh keeps ECC certificates in the separate tangwudi.com_ecc folder.

Of course, do not forget to reference the installed files in the Nginx or Apache configuration. Taking Nginx as an example:

server {
    listen 443 ssl;
    ssl_certificate     /path/to/fullchain/nginx/cert.pem;
    ssl_certificate_key /path/to/keyfile/in/nginx/key.pem;
}

Certificate deployment involving Docker environment

You will have noticed that the important part of the command above has nothing to do with Nginx or Apache: the only web-server-specific piece is the last parameter, --reloadcmd "service nginx force-reload" or --reloadcmd "service apache2 force-reload".

In other words, the real core is just the following command (remember which certificate files get replaced at renewal?):

acme.sh --install-cert -d tangwudi.com \
  --cert-file /path/to/certfile/in/apache/cert.pem \
  --key-file /path/to/keyfile/in/apache/key.pem \
  --fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem

Taken to its logical end: acme.sh only cares about keeping the certificate for a domain valid and about the directory holding the copies it has to refresh. Where that certificate is used (Nginx or Apache installed from source, Nginx or Apache in Docker, or simply a file in some directory, like my derp server) is none of its concern.

But since copying by hand is discouraged and the "install" parameter is the supported way, a problem appears: specifying a path directly only works when acme.sh and Nginx/Apache all run directly on the same host. Less conventional layouts break it, for example acme.sh installed as a script on the host while Nginx or Apache runs in Docker with the certificate directory not mounted from the host, or acme.sh itself running in Docker.

For such deployments acme.sh has to work harder to get the certificate across (--install-cert alone is not enough), and it provides deploy hooks for that. For example, to push a certificate into an Nginx container you label the container, describe the destination in environment variables, and run acme.sh with --deploy and --deploy-hook docker:

# start nginx with a label that acme.sh can use to find the container
docker run --rm -it -d --label=sh.acme.autoload.domain=tangwudi.com nginx:latest

# the label value used to locate the container
export DEPLOY_DOCKER_CONTAINER_LABEL=sh.acme.autoload.domain=tangwudi.com
# target paths inside the container; the files are copied to these locations
export DEPLOY_DOCKER_CONTAINER_KEY_FILE="/etc/nginx/ssl/tangwudi.com/key.pem"
export DEPLOY_DOCKER_CONTAINER_CERT_FILE="/etc/nginx/ssl/tangwudi.com/cert.pem"
export DEPLOY_DOCKER_CONTAINER_CA_FILE="/etc/nginx/ssl/tangwudi.com/ca.pem"
export DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE="/etc/nginx/ssl/tangwudi.com/full.pem"
# command run inside the container to reload the service after copying
export DEPLOY_DOCKER_CONTAINER_RELOAD_CMD="service nginx force-reload"

acme.sh --deploy --deploy-hook docker -d tangwudi.com

The hook talks to the Docker daemon, so the acme.sh process needs access to the Docker socket (on the host, a user in the docker group; in the Docker installation shown earlier, the mounted /var/run/docker.sock). acme.sh saves the DEPLOY_DOCKER_* values in the domain's configuration, so the deploy repeats automatically at each renewal without exporting them again.

I will just mention this part, and I won't say much. Generally, you won't encounter it. If you really need it, you can directly refer to the link on the official github:deploy-to-docker-containers.

acme.sh operation and maintenance

acme.sh upgrade

If you need to upgrade acme (script installation), just use the following command:

acme.sh --upgrade

To enable automatic updates:

acme.sh --upgrade --auto-upgrade

To turn off automatic updates:

acme.sh --upgrade --auto-upgrade 0

To upgrade acme in docker mode, just follow the normal process of docker upgrade, and I won’t go into details here.

acme.sh debug mode

If acme.sh fails, besides reading the log you can switch on debug mode with the "--debug 2" parameter:

acme.sh --issue -d www.tangwudi.com --webroot /home/wwwroot/www.tangwudi.com/ --debug 2

acme.sh view certificate information

If you need to view the certificate information of the domain name, use the following command:

acme.sh --info -d tangwudi.com

Summary

In fact, the general use of acme.sh is very simple, and there is no need for such a long explanation. Moreover, I just wanted to solve the problem of updating the derp server certificate on the cloud server. In theory, it can be done with a few commands.

However, out of habit, I still went to the homepage of acme.sh on GitHub and found that there are quite a lot of things. Most of the tutorials on the Internet are about the configuration of the most basic scenarios. A lot of content is not mentioned (because it is generally not used), and the principles are also rarely involved. So I thought about it and thought it would be better to write a more detailed tutorial so that if you encounter less basic scenarios in the future, you can still use it as a manual.

However, I still have a lot of content that I haven't mentioned (because I really don't feel it's useful~). Friends who are interested can take a look at the official documents at the following address:acme.sh github official address.

The content of the blog is original. Please indicate the source when reprinting! For more blog articles, you can go toSitemapUnderstand. The RSS address of the blog is:https://blog.tangwudi.com/feed, welcome to subscribe; if necessary, you can joinTelegram GroupDiscuss the problem together.

Comments

  1. Windows Edge 129.0.0.0
    4 months ago
    2024-9-30 13:54:27

    Once every three months is really annoying. I now directly give my domain name to Cloudflare for hosting.

    • Owner
      Yawata
      Macintosh Chrome 129.0.0.0
      4 months ago
      2024-9-30 15:16:37

      Even though I had been using ohttps to automatically renew certificates, I still gave up on registering my domain name and transferred it to cloudflare at the beginning of the year. In terms of overall solutions, there is really no domestic supplier that can compete with cloudflare's Free plan.

  2. Windows Edge 129.0.0.0
    4 months ago
    2024-9-30 10:15:10

    Very comprehensive, but if there is a CDN, you still have to do it manually -.-

    • Owner
      actor
      Macintosh Chrome 129.0.0.0
      4 months ago
      2024-9-30 10:25:08

      I have already written about how to update CDN in another article (Home Data Center Series SSL Certificate One-Stop Management Tool OHTTPS Usage Tutorial), this update method is not suitable for the scenario in this article, so I hesitated for a long time and decided to use acme.sh. But you reminded me, I added a sentence in the article~.
