Free SSL certificates with a Namesilo domain and the acme.sh script
Environment
- ubuntu
- docker
- docker-compose
- acme.sh 3.0.7
Docker-compose scripts
services:
  acme.sh:
    image: neilpang/acme.sh:3.0.7
    container_name: acme.sh
    hostname: acme.sh
    restart: always
    command: daemon
    network_mode: host
    environment:
      # The API key can change DNS for every domain in the Namesilo account:
      # keep this file out of version control, or read the key from a .env file
      - Namesilo_Key=your_namesilo_api_key
    volumes:
      - ./out:/acme.sh
      - /etc/nginx/conf.d/ssl:/etc/nginx/conf.d/ssl  # mount the directory that needs the certificates
      - /usr/share/zoneinfo/Asia/Shanghai:/etc/localtime
    deploy:
      resources:
        limits:
          memory: 512M
Namesilo_Key
How to obtain the key: see "Obtaining a Namesilo API KEY for generating free SSL certificates" on Xqlee's Blog.
Start Scripts
deploy.sh
#!/bin/sh
# Can be run from any directory: switch to the directory holding docker-compose.yml
work_path=$(dirname "$0")
cd "$work_path" || exit 1
work_path=$(pwd)
echo "$work_path"
# --compatibility makes docker-compose apply the deploy.resources limits;
# build is a no-op here because the compose file uses a prebuilt image
docker-compose --compatibility build && \
docker-compose --compatibility down && \
docker-compose --compatibility up -d && \
docker image prune -f
Run the script:
chmod 755 deploy.sh
./deploy.sh
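The compose file above puts the Namesilo API key straight into docker-compose.yml. That key can change DNS for every domain in the account, so it belongs in a .env file that docker-compose reads automatically (with `- Namesilo_Key=${Namesilo_Key}` in the compose file), owner-only and git-ignored. The following script is an added example, not part of the original post: a preflight check to run before deploy.sh, assuming that layout. The function names, the example key value and the project directory its demo creates are constructed for the example.

```shell
#!/bin/sh
# Pre-deploy check for the Namesilo API key: added example, not from the post.
# Assumed layout: docker-compose.yml contains
#       - Namesilo_Key=${Namesilo_Key}
# and a .env file next to it holds the real key as Namesilo_Key=<value>.
# docker-compose substitutes ${...} from .env in the project directory.

# Read VAR from an env file without sourcing it (sourcing would execute
# whatever else the file contains). Prints the last matching value.
env_value() {
    file=$1 var=$2
    sed -n "s/^[[:space:]]*$var=//p" "$file" | tail -n 1
}

# True if group and other have no permission bits (columns 5-10 of ls -l).
owner_only() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# True if .gitignore in dir lists the file name as an exact line.
gitignored() {
    dir=$1 file=$2
    [ -f "$dir/.gitignore" ] && grep -q -x -F -- "$file" "$dir/.gitignore"
}

# Returns 0 when the project directory is safe to deploy, 1 otherwise,
# printing every problem found to stderr.
preflight() {
    dir=$1 status=0
    env_file=$dir/.env
    [ -f "$env_file" ] || { echo "missing $env_file" >&2; return 1; }
    owner_only "$env_file" || { echo "$env_file is readable by group/other: chmod 600 it" >&2; status=1; }
    gitignored "$dir" .env || { echo ".env is not listed in $dir/.gitignore" >&2; status=1; }
    case $(env_value "$env_file" Namesilo_Key) in
        ''|your_namesilo_api_key) echo "Namesilo_Key is empty or still the placeholder" >&2; status=1 ;;
    esac
    # A literal value after "Namesilo_Key=" in the compose file means the
    # secret sits in a file that is usually committed; ${Namesilo_Key} is fine.
    if grep -q -E '^[[:space:]]*-?[[:space:]]*Namesilo_Key=[^$]' "$dir/docker-compose.yml" 2>/dev/null; then
        echo "docker-compose.yml hard-codes Namesilo_Key; use \${Namesilo_Key} and .env" >&2
        status=1
    fi
    return $status
}

# Write a compliant project layout into dir; the key value is a constructed
# placeholder for the demo, not a real Namesilo key.
write_example_project() {
    dir=$1
    printf 'Namesilo_Key=0123456789abcdef\n' > "$dir/.env"
    chmod 600 "$dir/.env"
    printf '.env\nout/\n' > "$dir/.gitignore"
    printf 'services:\n  acme.sh:\n    image: neilpang/acme.sh:3.0.7\n    environment:\n      - Namesilo_Key=${Namesilo_Key}\n' \
        > "$dir/docker-compose.yml"
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_example_project "$tmp"
    if preflight "$tmp"; then
        echo "preflight ok: safe to run deploy.sh"
    else
        echo "preflight failed: fix the problems above before deploying"
    fi
    rm -rf "$tmp"
}

demo
```

To use it with the real project, call `preflight /opt/docker/acme.sh` (or wherever docker-compose.yml lives) at the top of deploy.sh and stop when it returns non-zero.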
SSL certificate issuing script
install-key.sh
#!/bin/sh
# Usage:
#   sudo ./install-key.sh '*.example.com' >> ./acme.log
# Quote the wildcard so the calling shell does not glob-expand it.
domain_name=$1
echo "$domain_name"
# Register the ACME account (the image provides --register-account as a command;
# re-running this on every invocation is harmless)
sudo docker exec acme.sh --register-account -m domain@example.com --server zerossl
#sudo docker exec acme.sh --set-default-ca --server letsencrypt --issue --dns dns_namesilo -d "$domain_name" --log
# Prove ownership of the domain via DNS; a wildcard can only be issued with a DNS challenge
sudo docker exec acme.sh --issue --dns dns_namesilo -d "$domain_name"
# Copy the issued certificate and key to the given locations (first "acme.sh" is the
# container name, the second is the command) and, optionally, run a reload command,
# normally used to restart nginx
sudo docker exec acme.sh \
    acme.sh --install-cert -d "$domain_name" \
    --key-file /etc/nginx/conf.d/ssl/"$domain_name".key \
    --fullchain-file /etc/nginx/conf.d/ssl/"$domain_name".crt
# --reloadcmd "nginx -s reload"   # not usable from inside the container, see the notes
Notes:
- --key-file / --fullchain-file: do not leave any irregular whitespace (full-width or non-breaking spaces pasted from a web page) around these parameters, otherwise acme.sh fails with Unknown parameter : --key-file.
- In the Docker setup, the --key-file / --fullchain-file paths must lie inside a mounted volume (see the volumes section of docker-compose.yml), otherwise the error is no file or directory. After the first run, check that the .key file in that directory is not readable by other users.
- --reloadcmd: the command runs inside the acme.sh container, which cannot invoke commands in another container or on the host, so it is commented out here; this parameter is for a host-installed acme.sh. Reload nginx from the host instead (see the crontab below).
Run the script:
chmod 755 install-key.sh
./install-key.sh '*.example.com'

How long it takes depends on DNS propagation; with Namesilo it is usually done within 10 minutes. Afterwards the certificate is stored in the host's out directory (mounted as /acme.sh in the container) as well as at the --key-file / --fullchain-file locations.
Scheduled execution
Add install-key.sh to crontab and reload the nginx configuration some time after the job has run. acme.sh skips the --issue step while the existing certificate is not yet due for renewal (60 days after issue by default), so running the job daily is fine; the half-hour gap before the reload assumes DNS validation has finished by then.
# m h dom mon dow command
# ssl get *.example.com (quoted so the shell does not glob-expand the wildcard)
30 20 * * * sudo sh /opt/docker/acme.sh/install-key.sh '*.example.com' >> /opt/docker/acme.sh/acme.log 2>&1
# reload nginx, after ssl task
00 21 * * * sudo nginx -s reload
# reload nginx running in docker (no -it here: cron has no TTY)
#00 21 * * * sudo docker exec nginx nginx -s reload
Either map the out directory into the docker nginx container, or, for a host nginx, symlink the out directory under nginx's conf.d.
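The crontab above reloads nginx half an hour after the job whether or not the run produced a usable certificate; a key that does not match the certificate, a certificate for the wrong name, or one about to expire would then be served (or take the HTTPS site down) until someone notices. The script below is an added example, not from the original post: it uses openssl to check that the private key matches the leaf certificate in the bundle, that the certificate names the wildcard being served, and that it is valid for at least a given number of days, and only then runs the reload command passed to it. The function names, the `make_test_pair` fixture (a self-signed RSA certificate, whereas acme.sh 3.x issues ECC by default) and the reload command are assumptions made for the demo.

```shell
#!/bin/sh
# Pre-reload certificate checks: added example, not part of the original post.
# Assumes openssl is on PATH; file names and the reload command are parameters.

# Does the private key belong to the certificate? `openssl x509` reads only the
# first PEM block, which in a fullchain file is the leaf certificate, so the
# public key is compared against the leaf and not an intermediate.
cert_matches_key() {
    key=$1 cert=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Is the certificate still valid for at least min_days more days?
cert_valid_for() {
    cert=$1 min_days=$2
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1
}

# Does the certificate name the host being served, either as the subject CN
# or as a DNS SAN? grep -F so the '*' of a wildcard name is matched literally.
cert_covers() {
    cert=$1 name=$2
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -E '^ *Subject:|DNS:' | grep -F -q -- "$name"
}

# Run the remaining arguments as the reload command only if every check passes,
# e.g.: safe_reload key cert '*.example.com' 30 sh -c 'nginx -t && nginx -s reload'
safe_reload() {
    key=$1 cert=$2 name=$3 min_days=$4
    shift 4
    cert_matches_key "$key" "$cert" || { echo "refusing reload: $key does not match $cert" >&2; return 1; }
    cert_covers "$cert" "$name" || { echo "refusing reload: $cert does not cover $name" >&2; return 1; }
    cert_valid_for "$cert" "$min_days" || { echo "refusing reload: $cert expires within $min_days days" >&2; return 1; }
    "$@"
}

# Constructed fixture: a self-signed wildcard certificate and its key
# (RSA here for portability across openssl versions; acme.sh 3.x issues ECC).
make_test_pair() {
    dir=$1 name=$2 days=$3
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" -subj "/CN=$name" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
}

demo() {
    tmp=$(mktemp -d) || return 1
    if make_test_pair "$tmp" '*.example.com' 90 &&
       safe_reload "$tmp/privkey.pem" "$tmp/fullchain.pem" '*.example.com' 30 \
           echo "all checks passed, reload command ran"; then
        :
    else
        echo "checks failed, nginx was not reloaded"
    fi
    rm -rf "$tmp"
}

demo
```

For the setup on this page, the second cron line would become a call such as `safe_reload /etc/nginx/conf.d/ssl/'*.example.com'.key /etc/nginx/conf.d/ssl/'*.example.com'.crt '*.example.com' 30 sh -c 'nginx -t && nginx -s reload'`, so a failed renewal leaves the currently loaded (still valid) certificate in place instead of reloading onto a broken one.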

nginx configuration
#blog.example.com
server {
    listen 80;
    server_name blog.example.com;
    location / {
        # HTTPS 301; $request_uri already starts with "/", so the old
        # rewrite ^(.*)$ https://blog.example.com/$1 produced a double slash
        return 301 https://blog.example.com$request_uri;
    }
}
#ssl blog.example.com
server {
    listen 443 ssl;
    server_name blog.example.com;
    #ssl (relative paths resolve against the nginx prefix, normally /etc/nginx)
    ssl_certificate conf.d/ssl/*.example.com_ecc/fullchain.cer;
    ssl_certificate_key conf.d/ssl/*.example.com_ecc/*.example.com.key;
    location / {
        proxy_pass http://example:8080/;
    }
}
The certificate directory under out depends on the key type, which changed with the acme.sh version:
older versions issued RSA keys by default and stored the certificate as *.example.com/fullchain.cer;
since acme.sh 3.0 the default key type is ECC, so it is *.example.com_ecc/fullchain.cer.
https://www.syntaxspace.com/article/2406291057214633.html