acme.sh 实现了 acme 协议，可以从 Let's Encrypt 生成免费的证书，内含完整源代码

# An ACME Shell script: acme.sh - An ACME protocol client written purely in Shell (Unix shell) language. - Full ACME protocol implementation. - Support ECDSA certs - Support SAN and wildcard certs - Simple, powerful and very easy to use. You only need 3 minutes to learn it. - Bash, dash and sh compatible. - Purely written in Shell with no dependencies on python. - Just one script to issue, renew and install your certificates automatically. - DOES NOT require `root/sudoer` access. - Docker ready - IPv6 ready - Cron job notifications for renewal or error etc. It's probably the `easiest & smartest` shell script to automatically issue & renew the free certificates. # Supported modes - Webroot mode - Standalone mode - Standalone tls-alpn mode - Apache mode - Nginx mode - DNS mode # 1. How to install ### 1. Install online ```bash curl https://get.acme.sh | sh -s email=my@example.com ``` Or: ```bash wget -O - https://get.acme.sh | sh -s email=my@example.com ``` ### 2. Or, Install from git Clone this project and launch installation: ```bash git clone https: cd ./acme.sh ./acme.sh --install -m my@example.com ``` You `don't have to be root` then, although `it is recommended`. The installer will perform 3 actions: 1. Create and copy `acme.sh` to your home dir (`$HOME`): `~/.acme.sh/`. All certs will be placed in this folder too. 2. Create alias for: `acme.sh=~/.acme.sh/acme.sh`. 3. Create daily cron job to check and renew the certs if needed. Cron entry example: ```bash 0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null ``` After the installation, you must close the current terminal and reopen it to make the alias take effect. Ok, you are ready to issue certs now. Show help message: ```sh root@v1:~# acme.sh -h ``` # 2. Just issue a cert **Example 1:** Single domain. ```bash acme.sh --issue -d example.com -w /home/wwwroot/example.com ``` or: ```bash acme.sh --issue -d example.com -w /home/username/public_html ``` or: ```bash acme.sh --issue -d example.com -w /var/www/html ``` **Example 2:** Multiple domains in the same cert. ```bash acme.sh --issue -d example.com -d www.example.com -d cp.example.com -w /home/wwwroot/example.com ``` The parameter `/home/wwwroot/example.com` or `/home/username/public_html` or `/var/www/html` is the web root folder where you host your website files. You **MUST** have `write access` to this folder. Second argument **"example.com"** is the main domain you want to issue the cert for. You must have at least one domain there. You must point and bind all the domains to the same webroot dir: `/home/wwwroot/example.com`. The certs will be placed in `~/.acme.sh/example.com/` The certs will be renewed automatically every **60** days. # 3. Install the cert to Apache/Nginx etc. After the cert is generated, you probably want to install/copy the cert to your Apache/Nginx or other servers. You **MUST** use this command to copy the certs to the target files, **DO NOT** use the certs files in **~/.acme.sh/** folder, they are for internal use only, the folder structure may change in the future. **Apache** example: ```bash acme.sh --install-cert -d example.com \ --cert-file /path/to/certfile/in/apache/cert.pem \ --key-file /path/to/keyfile/in/apache/key.pem \ --fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \ --reloadcmd "service apache2 force-reload" ``` **Nginx** example: ```bash acme.sh --install-cert -d example.com \ --key-file /path/to/keyfile/in/nginx/key.pem \ --fullchain-file /path/to/fullchain/nginx/cert.pem \ --reloadcmd "service nginx force-reload" ``` Only the domain is required, all the other parameters are optional. The ownership and permission info of existing files are preserved. You can pre-create the files to define the ownership and permission. Install/copy the cert/key to the production Apache or Nginx path. The cert will be renewed every **60** days by default (which is configurable). Once the cert is renewed, the Apache/Nginx service will be reloaded automatically by the command: `service apache2 force-reload` or `service nginx force-reload`. **Please take care: The reloadcmd is very important. The cert can be automatically renewed, but, without a correct 'reloadcmd' the cert may not be flushed to your server(like nginx or apache), then your website will not be able to show renewed cert in 60 days.** # 4. Use Standalone server to issue cert **(requires you to be root/sudoer or have permission to listen on port 80 (TCP))** Port `80` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again. ```bash acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com ```