2020-06-03 22:01:24 Linux Boy.Lee

Generate Let's Encrypt wildcard SSL by acme.sh and DNSPod

This post uses acme.sh's DNS mode with the DNSPod API to issue a Let's Encrypt wildcard certificate. Run the steps as root; that saves you from a number of permission problems.


{ 0. debug }

acme.sh has a very good debug facility: if you get any error, add "--debug 2" to the command you just ran and run it again, and the cause is usually easy and quick to understand.

acme.sh --issue -d yiilib.com -d '*.yiilib.com' --dns  dns_dp

acme.sh --issue -d yiilib.com -d '*.yiilib.com' --dns  dns_dp --debug 2


{ 1. Create DNSPOD Token}

We need a token to use the DNSPod API. Open https://console.dnspod.cn/account/token and create one. Write down the ID and the token right after creating it, because the token is shown only once!!


{ 2. Install acme.sh }

curl https://get.acme.sh | sh

source ~/.bashrc 


{ 3. Generate SSL }

cd ~/.acme.sh

export DP_Id="<the ID shown when the DNSPod token was created>"
export DP_Key="<the token shown when the DNSPod token was created>"

acme.sh --issue -d yiilib.com -d '*.yiilib.com' --dns  dns_dp


{ 4. copy SSL files to your path }

acme.sh  --installcert  -d  yiilib.com   \
        --key-file   /etc/nginx/ssl/yiilib.com/yiilib.com.key \
        --fullchain-file /etc/nginx/ssl/yiilib.com/fullchain.cer \
        --reloadcmd  "service nginx force-reload"


{ 5. nginx Config }

server {
    listen       80;
    server_name yiilib.com;
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    ssl_certificate /etc/nginx/ssl/yiilib.com/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/yiilib.com/yiilib.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ...
}


service nginx force-reload


{ 6. check SSL auto renew }

# crontab -l
47 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null


acme.sh --cron -f
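A post-install check script for steps 4 to 6, added here as an example (it is not part of acme.sh or of the original post): it verifies that the issued certificate really covers both yiilib.com and *.yiilib.com, that the private key is not group/world readable, that the nginx config does not enable the deprecated TLSv1/TLSv1.1 (the sample config above does), and that renewal is not overdue. The file paths mirror the page and are assumptions; override them via the environment, and the OpenSSL `x509 -ext subjectAltName` option assumes OpenSSL 1.1.1 or newer.

```sh
#!/bin/sh
# Post-issue checks for the acme.sh + nginx setup above (added example).
# Assumed paths mirror the page; override them via the environment.
CERT="${CERT:-/etc/nginx/ssl/yiilib.com/fullchain.cer}"
KEY="${KEY:-/etc/nginx/ssl/yiilib.com/yiilib.com.key}"
NGINX_CONF="${NGINX_CONF:-/etc/nginx/conf.d/yiilib.com.conf}"
DOMAIN="${DOMAIN:-yiilib.com}"

# Print one DNS name per line from `openssl x509 -noout -ext subjectAltName` output.
san_names() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/.*DNS:[[:space:]]*//p'
}

# 0 if the SAN text covers both the apex name and the wildcard, else 1.
san_covers() {
    names=$(san_names "$1")
    printf '%s\n' "$names" | grep -qxF -- "$2" &&
        printf '%s\n' "$names" | grep -qxF -- "*.$2"
}

# 0 if the private key is readable by its owner only (no group/other bits).
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 unless an active (uncommented) ssl_protocols line still enables SSLv3,
# TLSv1 or TLSv1.1, all of which are deprecated.
tls_protocols_ok() {
    ! grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$1" |
        grep -Eq '(SSLv3|TLSv1(\.1)?)([[:space:];]|$)'
}

# Run every check against the real files; a non-zero exit means fix it first.
check_all() {
    san=$(openssl x509 -noout -ext subjectAltName -in "$CERT") || return 1
    san_covers "$san" "$DOMAIN"    || { echo "SAN lacks $DOMAIN or *.$DOMAIN"; return 1; }
    key_perms_ok "$KEY"            || { echo "$KEY is group/world readable"; return 1; }
    tls_protocols_ok "$NGINX_CONF" || { echo "deprecated TLS versions enabled"; return 1; }
    # the cron job renews at 60 days by default, so <30 days left means it is not running
    openssl x509 -noout -checkend 2592000 -in "$CERT" >/dev/null ||
        { echo "cert expires within 30 days: run 'acme.sh --cron -f'"; return 1; }
    echo "all checks passed"
}

# Only touch the real files when explicitly asked: ./check.sh run
if [ "${1:-}" = "run" ]; then check_all; fi
```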


{ 7. acme.sh auto upgrade }

The best approach is to let acme.sh upgrade itself automatically: if the DNS API changes, acme.sh stays broken until you upgrade it. Of course you can also upgrade manually whenever you want. In short, if an acme.sh setup that used to work starts failing, try upgrading acme.sh and renewing the certificate.


acme.sh  --upgrade  --auto-upgrade

# disable auto upgrade
acme.sh --upgrade --auto-upgrade 0

acme.sh --version

