背景
Let’s Encrypt 是目前流行的免费 SSL 证书提供商,它签出的证书一般3个月有效,是广大个人网站的首选。Let’s Encrypt 在2018年3月开放了泛域名证书,同一网站申请一个证书就可以用于所有的二级域名,使用起来更加方便了;但它的证书申请比较复杂,最简单的方式是通过 acme.sh 脚本来申请。
安装
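# Download the installer to a temporary file instead of piping it straight
# into sh. A piped script is executed as it arrives, so a truncated or altered
# response would run without anyone having looked at it.
installer="$(mktemp)"
# -f makes curl fail on an HTTP error rather than saving the error page.
if curl -fsSL https://get.acme.sh -o "$installer"; then
  # Read "$installer" before this line runs if the script has not been audited.
  sh "$installer"
fi
rm -f -- "$installer"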
申请证书
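# DNSPod API credentials read by acme.sh's dns_dp hook; replace the
# placeholders with the real ID and token.
# An exported variable is visible to every process started from this shell, and
# a token typed on the command line is kept in shell history. acme.sh also
# stores both values in its account.conf for later renewals, so keep that file
# readable by its owner only.
export DP_Id="ID数字"
export DP_Key="Token字符串"
# Every option line ends with a backslash so that the whole call is one command;
# without them each "--..." line would be run as a separate command and the
# certificate would never be written to the DSM paths.
# privkey.pem is the private key: check that the target directory is not
# readable by unprivileged users.
./acme.sh --issue -d "edward.cf" -d "*.edward.cf" --dns dns_dp \
  --cert-file /usr/syno/etc/certificate/system/default/cert.pem \
  --key-file /usr/syno/etc/certificate/system/default/privkey.pem \
  --fullchain-file /usr/syno/etc/certificate/system/default/fullchain.pem \
  --reloadcmd "/usr/syno/sbin/synoservicectl --reload nginx" \
  --dnssleep 30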
更新证书
# Renew the certificate that covers the apex domain and its wildcard.
# Both names are derived from one variable so they cannot drift apart.
domain="edward.cf"
./acme.sh --renew -d "$domain" -d "*.$domain"
nas自动更新所有证书
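#!/bin/bash
# Issue the wildcard certificate into the DSM default certificate directory,
# copy it over every other certificate directory, then reload nginx and
# restart the packages that carry their own copy.
# bash is required: the loops use process substitution and read -d ''.

cert_root_dir="/usr/syno/etc/certificate"
package_cert_dir="/usr/local/etc/certificate"
default_cert_dir="$cert_root_dir/system/default"

#./acme.sh --install --nocron --home /usr/local/bin/acme.sh

# The trailing backslashes keep all options on the acme.sh command line.
# The exit status is recorded instead of ignored so that a scheduled run
# reports a failed (or skipped) issuance to whatever started it.
issue_status=0
./acme.sh --issue -d "edward.cf" -d "*.edward.cf" --dns dns_dp \
  --cert-file "$default_cert_dir/cert.pem" \
  --key-file "$default_cert_dir/privkey.pem" \
  --ca-file "$default_cert_dir/chain.pem" \
  --fullchain-file "$default_cert_dir/fullchain.pem" \
  --dnssleep 30 || issue_status=$?
if [ "$issue_status" -ne 0 ]; then
  printf 'acme.sh exited with status %s; syncing the certificate already in %s\n' \
    "$issue_status" "$default_cert_dir" >&2
fi

# Replace every system certificate except the one in the default folder.
# NUL-delimited find output keeps paths with spaces or glob characters intact.
# rsync copies privkey.pem as well; -a keeps the source file's mode, so the
# default directory's permissions decide who can read each copy.
while IFS= read -r -d '' pem_file; do
  case "$pem_file" in
    */default/*) continue ;;
  esac
  rsync -avh "$default_cert_dir/" "${pem_file%/*}/"
done < <(find "$cert_root_dir" -name cert.pem -print0)

# reload
/usr/syno/sbin/synoservicectl --reload nginx

# Update and restart all installed packages that have a certificate directory.
while IFS= read -r -d '' pem_file; do
  rsync -avh "$default_cert_dir/" "${pem_file%/*}/"
  # The package name is the first path component below $package_cert_dir
  # (the same value the original took from field 6 of the absolute path).
  relative_path="${pem_file#"$package_cert_dir"/}"
  /usr/syno/bin/synopkg restart "${relative_path%%/*}"
done < <(find "$package_cert_dir" -name cert.pem -print0)

exit "$issue_status"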