使用 Cloudflare 獲取 Let's Encrypt SSL/TLS Wildcard 泛域名證書

2018-03-14

Let’s Encrypt 是一個於 2015 年第三季度推出的數位證書認證機構,將通過旨在消除當前手動建立和安裝證書的複雜過程的自動化流程,並推廣使全球資訊網伺服器的加密連接無所不在,為安全網站提供免費的 SSL/TLS 證書。

目前可以使用更簡單的 Cloudflare DNS 驗證方式獲取證書



安裝腳本

wget -O -  https://get.acme.sh | sh

配置 DNS APIKEY

Global API Key 去 Cloudflare 申請

export CF_Key="your_key"
export CF_Email="your_email"

獲取 ECC 證書 ?

./acme.sh  --issue -d you_domain  -d *.you_domain  --dns dns_cf --keylength ec-384
[Wed Mar 14 15:31:26 CST 2018] Registering account
[Wed Mar 14 15:31:27 CST 2018] Registered
[Wed Mar 14 15:31:27 CST 2018] ACCOUNT_THUMBPRINT='****'
[Wed Mar 14 15:31:27 CST 2018] Creating domain key
[Wed Mar 14 15:31:27 CST 2018] The domain key is here: /root/.acme.sh/you_domain_ecc/you_domain.key
[Wed Mar 14 15:31:27 CST 2018] Multi domain='DNS:you_domain,DNS:*.you_domain'
[Wed Mar 14 15:31:27 CST 2018] Getting domain auth token for each domain
[Wed Mar 14 15:31:28 CST 2018] Getting webroot for domain='you_domain'
[Wed Mar 14 15:31:28 CST 2018] Getting webroot for domain='*.you_domain'
[Wed Mar 14 15:31:28 CST 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
[Wed Mar 14 15:31:30 CST 2018] Adding record
[Wed Mar 14 15:31:30 CST 2018] Added, OK
[Wed Mar 14 15:31:30 CST 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
[Wed Mar 14 15:31:32 CST 2018] Adding record
[Wed Mar 14 15:31:32 CST 2018] Added, OK
[Wed Mar 14 15:31:32 CST 2018] Sleep 120 seconds for the txt records to take effect
[Wed Mar 14 15:33:33 CST 2018] Verifying:you_domain
[Wed Mar 14 15:33:36 CST 2018] Success
[Wed Mar 14 15:33:36 CST 2018] Verifying:*.you_domain
[Wed Mar 14 15:33:39 CST 2018] Success
[Wed Mar 14 15:33:39 CST 2018] Removing DNS records.
[Wed Mar 14 15:33:41 CST 2018] Verify finished, start to sign.
[Wed Mar 14 15:33:43 CST 2018] Cert success.
-----BEGIN CERTIFICATE-----
****
-----END CERTIFICATE-----
[Wed Mar 14 15:33:43 CST 2018] Your cert is in /root/.acme.sh/you_domain_ecc/you_domain.cer
[Wed Mar 14 15:33:43 CST 2018] Your cert key is in /root/.acme.sh/you_domain_ecc/you_domain.key
[Wed Mar 14 15:33:43 CST 2018] The intermediate CA cert is in /root/.acme.sh/you_domain_ecc/ca.cer
[Wed Mar 14 15:33:43 CST 2018] And the full chain certs is there: /root/.acme.sh/you_domain_ecc/fullchain.cer

參考資料:

https://github.com/Neilpang/acme.sh

Tags: https