
Last night I spent an hour switching the SSL certificate on the wzfou VPS monitoring site from the TrustAsia (that is, Symantec) personal DV SSL certificate it had been using to a free Let's Encrypt SSL certificate. The reason: starting with Chrome 70, Chrome no longer trusts Symantec certificates, and the Chromium browser I use could already no longer open sites that present a Symantec certificate.

The Symantec personal DV SSL certificate had been obtained from Tencent Cloud; in fact the domestic providers Alibaba Cloud, Qiniu Cloud, Upyun and others all offered a free one-year Symantec personal DV SSL certificate. Having made its own mistake, did Symantec simply clear out its remaining SSL products before "closing shop"? No wonder Symantec ran so many free promotions in China.






  1. https://letsencrypt.org/
  2. https://github.com/Neilpang/acme.sh


Install acme.sh with any one of the following. The first two pipe a remote installer straight into sh, which runs unreviewed code as your user; if that bothers you, download the script and read it first, or use the git form and inspect the checkout before running --install.

curl https://get.acme.sh | sh

wget -O - https://get.acme.sh | sh

git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install


The installer does three things:

  1. Copies acme.sh into ~/.acme.sh/ under your $HOME; every certificate issued later is generated under this directory.
  2. Creates an alias: acme.sh=~/.acme.sh/acme.sh. Note: after installation you need to close and reopen the terminal for the alias to take effect.
  3. Adds a daily cron job that runs acme.sh --cron, which renews any certificate that is due (by default acme.sh renews a certificate 60 days after it was issued).

You can use crontab -l to view the scheduled task it added.

You can also use SFTP to browse the acme.sh folder.


2.1 Single-domain SSL

Issue a certificate for one domain using HTTP validation: -w points at the site's web root, into which acme.sh writes the /.well-known/acme-challenge/ files, so that directory must be reachable over plain HTTP on port 80 from the Internet under the domain being validated. The second command of each pair requests an ECDSA P-256 key instead of the default RSA key. Three common web-root layouts:

acme.sh --issue -d wzfou.com -w /home/wwwroot/wzfou.com
acme.sh --issue -d wzfou.com -w /home/wwwroot/wzfou.com --keylength ec-256

acme.sh --issue -d wzfou.com -w /home/wzfou/public_html
acme.sh --issue -d wzfou.com -w /home/wzfou/public_html --keylength ec-256

acme.sh --issue -d wzfou.com -w /var/www/html
acme.sh --issue -d wzfou.com -w /var/www/html --keylength ec-256

2.2 Multi-domain SSL

Several -d flags put all of the names into one certificate (as subject alternative names). The first -d is the main domain and names the certificate's directory under ~/.acme.sh/; every listed name must resolve to this server and be served from the same -w web root, because each one is validated separately:

acme.sh --issue -d wzfou.com -d www.wzfou.com -d cp.wzfou.com -w /home/wwwroot/wzfou.com
acme.sh --issue -d wzfou.com -d www.wzfou.com -d cp.wzfou.com -w /home/wwwroot/wzfou.com --keylength ec-256

2.3 Wildcard SSL

Let's Encrypt only issues wildcard certificates through the DNS-01 challenge, so a wildcard must be issued in --dns mode (here dns_dp, the DNSPod API; see Part 4 for the credentials each provider needs):

acme.sh --issue --dns dns_dp -d wzfou.com -d *.wzfou.com
acme.sh --issue --dns dns_dp -d wzfou.com -d *.wzfou.com --keylength ec-256

--keylength accepts the following ECC options:

  ec-256 (prime256v1, "ECDSA P-256")
  ec-384 (secp384r1, "ECDSA P-384")

A certificate issued with an ec-* key length is stored separately (~/.acme.sh/wzfou.com_ecc/), and the later --install-cert and --renew commands for it must carry --ecc.

2.4 Domain validation failing?

acme.sh provides a way to validate the domain automatically through your DNS provider's API. First obtain an API key from the provider; here I use NS1 DNS as the demonstration and get the key from its control panel (for other providers such as DNSPod, CloudXNS and Alibaba Cloud DNS, see Part 4 of this article).

Then export the NS1.com API key:

export NS1_Key="fdmlfxxxxxxxfk"

and issue:

acme.sh --issue --dns dns_nsone -d wzfou.com -d www.wzfou.com
acme.sh --issue --dns dns_nsone -d wzfou.com -d www.wzfou.com --keylength ec-256

One advantage of DNS API validation is that no web access to the server is needed to issue the certificate: acme.sh adds a TXT record at _acme-challenge.<domain> in your DNS zone and deletes it again once validation succeeds. The trade-off is that the API key is stored in plain text in ~/.acme.sh/account.conf and usually grants write access to the whole zone, so keep that file readable only by the user running acme.sh and prefer a scoped token wherever the provider offers one.
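The following POSIX shell functions are an added example, not code from the original post or from acme.sh. They reproduce what a DNS API validation actually publishes for the DNS-01 challenge (RFC 8555 section 8.4): the record name _acme-challenge.<domain>, where the wildcard marker is dropped so *.wzfou.com and wzfou.com both validate at the same name and therefore need two TXT records side by side, and the record value base64url(SHA-256(token "." thumbprint)), where the thumbprint is the RFC 7638 JWK thumbprint of the ACME account key. The account key is a throwaway P-256 key generated inline, the token is a constructed value, and openssl, head -c and tail -c are assumed to be available.

```shell
#!/bin/sh
# Added example (not part of acme.sh): compute the DNS-01 TXT record that a
# DNS API plugin publishes. Assumes openssl, head -c and tail -c.

# base64url without padding (RFC 4648 section 5), reading stdin
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# base64url(SHA-256(stdin))
sha256_b64url() {
  openssl dgst -sha256 -binary | b64url
}

# Name of the TXT record for an identifier. The wildcard marker is not part
# of the name: *.wzfou.com and wzfou.com both validate at
# _acme-challenge.wzfou.com, so a cert covering both gets two TXT records
# at that one name at the same time.
dns01_record_name() {
  printf '_acme-challenge.%s\n' "${1#\*.}"
}

# RFC 7638 thumbprint of a P-256 account key (PEM private key in $1):
# SHA-256 over the canonical JWK {"crv":"P-256","kty":"EC","x":..,"y":..}.
# The DER SubjectPublicKeyInfo of a P-256 key ends in 0x04 || X || Y, so
# its last 64 bytes are the two 32-byte coordinates.
jwk_thumbprint_p256() {
  der=$(mktemp)
  openssl pkey -in "$1" -pubout -outform DER -out "$der"
  x=$(tail -c 64 "$der" | head -c 32 | b64url)
  y=$(tail -c 32 "$der" | b64url)
  rm -f "$der"
  printf '{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}' "$x" "$y" | sha256_b64url
}

# Value of the TXT record: base64url(SHA-256(token "." thumbprint)).
# The token comes from the CA's challenge object; the thumbprint ties the
# record to one ACME account, so a record computed for another account key
# is rejected by the CA.
dns01_txt_value() {
  printf '%s.%s' "$1" "$2" | sha256_b64url
}

# Stand-alone demo with a throwaway account key and a constructed token.
dns01_demo() {
  key=$(mktemp)
  openssl ecparam -name prime256v1 -genkey -noout -out "$key"
  tp=$(jwk_thumbprint_p256 "$key")
  rm -f "$key"
  token="cONsTrUcTeD-token-not-from-a-real-challenge"   # constructed example
  printf '%s TXT "%s"\n' "$(dns01_record_name '*.wzfou.com')" "$(dns01_txt_value "$token" "$tp")"
}
```

Running dns01_demo prints one line in zone-file shape, e.g. `_acme-challenge.wzfou.com TXT "<43 base64url characters>"`, which is exactly what you should see appear in the provider's control panel while acme.sh waits for validation and what disappears again afterwards.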

Part 3. Step 3: Install the Let's Encrypt SSL certificate

This step can be adapted to each setup. So that acme.sh can renew the certificate automatically, the recommended approach is the one below: acme.sh remembers the copy and reload commands you give it the first time and re-runs them after every renewal.

On an Apache server, install the Let's Encrypt SSL certificate as follows:

acme.sh --install-cert -d wzfou.com \
--cert-file /path/to/certfile/in/apache/cert.pem \
--key-file /path/to/keyfile/in/apache/key.pem \
--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd "service apache2 force-reload"

On an Nginx server:

acme.sh --install-cert -d wzfou.com \
--key-file /path/to/keyfile/in/nginx/key.pem \
--fullchain-file /path/to/fullchain/nginx/cert.pem \
--reloadcmd "service nginx force-reload"


acme.sh --install-cert -d ping.wzfou.com --ecc \
--cert-file /etc/pki/tls/certs/ping.wzfou.com.cer \
--key-file /etc/pki/tls/certs/ping.wzfou.com.key \
--fullchain-file /etc/pki/tls/certs/fullchain.cer \
--reloadcmd "/etc/init.d/httpd force-reload"

After the command runs you will find the copied certificate and key files at those paths, and every time acme.sh renews the certificate it repeats the same copy and reload steps. Without --install-cert you would have to copy the files by hand after each renewal. Point the web server at the installed copies, not at the files under ~/.acme.sh/, whose layout is internal to acme.sh and may change.
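Because --reloadcmd runs unattended after every renewal, a practitioner usually wants the reload wrapped in a sanity check so that a bad copy never takes the site down. The shell functions below are an added example, not part of the original post or of acme.sh: they verify that the installed certificate and key match, that the leaf certificate is still valid for a given window, report the key algorithm (so an --ecc install visibly carries an EC key), and only then run the real reload command. A throwaway self-signed P-256 certificate stands in for the Let's Encrypt files; the function names, the 2592000-second (30 day) window and the paths in the comment are assumptions, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not part of acme.sh): guard a --reloadcmd with checks on
# the files --install-cert just wrote. Assumes openssl is installed.

# Compare the public key inside the certificate with the one derived from
# the private key; a mismatch means nginx/apache will refuse the pair.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# True if the certificate is still valid for at least $2 seconds. acme.sh
# renews after 60 days, so a freshly installed cert should pass 30 days.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Print the key algorithm of the (leaf) certificate: id-ecPublicKey for an
# ec-256/ec-384 issue, rsaEncryption for the default RSA key. On a
# fullchain file openssl x509 reads only the first certificate, the leaf.
cert_key_algo() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p' | head -n 1
}

# safe_reload <cert> <key> <min-seconds> <reload command...>
# Put these functions in a script on PATH and use e.g.
#   --reloadcmd "safe_reload /etc/pki/tls/certs/fullchain.cer \
#     /etc/pki/tls/certs/ping.wzfou.com.key 2592000 service nginx force-reload"
# (paths assumed). A non-zero return makes acme.sh report the reload failure.
safe_reload() {
  cert=$1; key=$2; min=$3; shift 3
  if ! cert_matches_key "$cert" "$key"; then
    echo "refusing to reload: $cert does not match $key" >&2
    return 1
  fi
  if ! cert_valid_for "$cert" "$min"; then
    echo "refusing to reload: $cert expires within $min seconds" >&2
    return 1
  fi
  echo "reloading with $(cert_key_algo "$cert") certificate"
  "$@"
}

# Stand-alone demo input: a throwaway P-256 key and a 90-day self-signed
# certificate written to $1 (cert) and $2 (key). Constructed stand-ins for
# the files acme.sh installs; Let's Encrypt leaf certs also last 90 days.
make_demo_pair() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$2"
  openssl req -new -x509 -key "$2" -out "$1" -days 90 -subj "/CN=wzfou.com"
}
```

The key-match check is the one that catches the classic failure, an --install-cert run without --ecc (or with it) that copies the RSA certificate next to the EC key, which the web server only reports when it is reloaded.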


If you find that the Let's Encrypt certificate is not being renewed on schedule, you can also force a renewal by hand:

acme.sh --renew -d example.com --force

For an ECC certificate, use the following command instead:

acme.sh --renew -d example.com --force --ecc

wzfou.com currently uses a Let's Encrypt SSL certificate.

Part 4. Appendix: DNS API credentials for the major DNS providers and issuing SSL

  1. This appendix is taken from: https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md
  2. Overview of DNS hosting services: https://wzfou.com/mianfei-dns/
  3. To issue a wildcard certificate, change the -d www.example.com part of each command to -d *.example.com

4.1 CloudFlare DNS API

First you need to log in to your CloudFlare account to get your Global API key. That key grants full access to the whole account; newer acme.sh versions also accept a scoped API token through CF_Token, which is the better choice for an unattended renewal job.

export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Email="xxxx@sss.com"

Ok, let’s issue a cert now:

acme.sh --issue --dns dns_cf -d example.com -d www.example.com

The CF_Key and CF_Email will be saved in ~/.acme.sh/account.conf and will be reused when needed.

4.2 DNSPod DNS API

First you need to log in to your DNSPod account to get your API Key and ID.

export DP_Id="1234"
export DP_Key="sADDsdasdgdsf"

Ok, let’s issue a cert now:

acme.sh --issue --dns dns_dp -d example.com -d www.example.com

The DP_Id and DP_Key will be saved in ~/.acme.sh/account.conf and will be reused when needed.

4.3 CloudXNS DNS API

First you need to login to your CloudXNS account to get your API Key and Secret.

export CX_Key="1234"
export CX_Secret="sADDsdasdgdsf"

Ok, let’s issue a cert now:

acme.sh --issue --dns dns_cx -d example.com -d www.example.com

The CX_Key and CX_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.

4.4 阿里云Aliyun DNS API

First you need to log in to your Alibaba Cloud (Aliyun) account to get your API key: https://ak-console.aliyun.com/#/accesskey

export Ali_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export Ali_Secret="jlsdflanljkljlfdsaklkjflsa"

Ok, let’s issue a cert now:

acme.sh --issue --dns dns_ali -d example.com -d www.example.com

The Ali_Key and Ali_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.

4.5 GoDaddy DNS API

First you need to login to your GoDaddy account to get your API Key and Secret. https://developer.godaddy.com/keys/

Please create a Production key, instead of a Test key.

export GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export GD_Secret="asdfsdafdsfdsfdsfdsfdsafd"

Ok, let’s issue a cert now:

acme.sh --issue --dns dns_gd -d example.com -d www.example.com

The GD_Key and GD_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.

4.6 PowerDNS DNS API

First you need to login to your PowerDNS account to enable the API and set your API-Token in the configuration. https://doc.powerdns.com/md/httpapi/README/

export PDNS_Url="http://ns.example.com:8081"
export PDNS_ServerId="localhost"
export PDNS_Token="0123456789ABCDEF"
export PDNS_Ttl=60

Ok, let’s issue a cert now:

acme.sh --issue --dns dns_pdns -d example.com -d www.example.com

The PDNS_Url, PDNS_ServerId, PDNS_Token and PDNS_Ttl will be saved in ~/.acme.sh/account.conf and will be reused when needed.

4.7 Amazon Route53 DNS API
First you need an IAM user whose credentials are allowed to modify the records in your Route53 hosted zone; export them as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY before running acme.sh.

To issue a cert:

acme.sh --issue --dns dns_aws -d example.com -d www.example.com

The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY will be saved in ~/.acme.sh/account.conf and will be reused when needed.

4.8 Linode DNS API

First you need to login to your Linode account to get your API Key. https://manager.linode.com/profile/api

Then add an API key with label ACME and copy the new key.

export LINODE_API_KEY="..."

Due to the reload time of any changes in the DNS records, we have to use the dnssleep option to wait at least 15 minutes for the changes to take effect.

Ok, let’s issue a cert now:

acme.sh --issue --dns dns_linode --dnssleep 900 -d example.com -d www.example.com

The LINODE_API_KEY will be saved in ~/.acme.sh/account.conf and will be reused when needed.

4.9 DigitalOcean DNS API (native)

You need to obtain a read and write capable API key from your DigitalOcean account. See: https://www.digitalocean.com/help/api/

export DO_API_KEY="75310dc4ca779ac39a19f6355db573b49ce92ae126553ebd61ac3a3ae34834cc"

Ok, let’s issue a cert now:

acme.sh --issue --dns dns_dgon -d example.com -d www.example.com

4.10 Namesilo DNS API

You'll need to generate an API key at https://www.namesilo.com/account_api.php. Optionally you may restrict access to an IP range there.

export Namesilo_Key="xxxxxxxxxxxxxxxxxxxxxxxx"

And now you can issue certs with:

acme.sh --issue --dns dns_namesilo --dnssleep 900 -d example.com -d www.example.com

4.11 Using a custom API

If your DNS provider's API is not supported yet, you can write your own DNS API script.

Let's assume you want to name it 'myapi':

  1. Create a bash script named ~/.acme.sh/dns_myapi.sh.
  2. In the script you must have a function named dns_myapi_add(), which acme.sh calls with the record name and the TXT value to add the DNS record.
  3. Then you can use your API to issue a cert like this:

acme.sh --issue --dns dns_myapi -d example.com -d www.example.com
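As an added example (not acme.sh code and not from the original post), the script below has the shape of such a dns_myapi.sh: acme.sh calls dns_myapi_add with the full record name (_acme-challenge.example.com) and the TXT value before the challenge, and dns_myapi_rm with the same two arguments for cleanup afterwards. A real plugin would send those to the provider's HTTP API (acme.sh provides _get and _post helpers for that and _saveaccountconf to persist the API key in account.conf); to stay runnable offline this one writes to a local zone-style file named by MYAPI_ZONE_FILE, an assumed variable, and the name check and the myapi_count helper are additions for illustration.

```shell
#!/bin/sh
# Added example (not acme.sh code): the contract of a custom
# ~/.acme.sh/dns_myapi.sh. A real plugin talks to the provider's HTTP API;
# this one appends to a local file (MYAPI_ZONE_FILE, an assumed name).

: "${MYAPI_ZONE_FILE:=/tmp/myapi-zone.txt}"

# acme.sh always passes _acme-challenge.<domain>; refuse anything else so a
# bug (or a caller that is not acme.sh) cannot rewrite arbitrary records
# with the zone-wide credentials the plugin holds.
_myapi_check_name() {
  case "$1" in
    _acme-challenge.*) return 0 ;;
    *) echo "myapi: unexpected record name $1" >&2; return 1 ;;
  esac
}

# dns_myapi_add <fulldomain> <txtvalue>: called once per name to validate.
dns_myapi_add() {
  fulldomain=$1
  txtvalue=$2
  _myapi_check_name "$fulldomain" || return 1
  # Append rather than replace: a cert for wzfou.com and *.wzfou.com needs
  # two TXT records at the same name at the same time.
  printf '%s TXT "%s"\n' "$fulldomain" "$txtvalue" >> "$MYAPI_ZONE_FILE"
}

# dns_myapi_rm <fulldomain> <txtvalue>: called after validation with the
# same arguments; remove only that one record, not every TXT at the name.
dns_myapi_rm() {
  fulldomain=$1
  txtvalue=$2
  _myapi_check_name "$fulldomain" || return 1
  [ -f "$MYAPI_ZONE_FILE" ] || return 0
  tmp=$(mktemp)
  grep -vF "$fulldomain TXT \"$txtvalue\"" "$MYAPI_ZONE_FILE" > "$tmp" || true
  mv "$tmp" "$MYAPI_ZONE_FILE"
}

# Inspection helper (not part of the acme.sh contract): number of TXT
# records currently published at a name.
myapi_count() {
  [ -f "$MYAPI_ZONE_FILE" ] || { echo 0; return; }
  grep -cF "$1 TXT " "$MYAPI_ZONE_FILE" || true
}
```

Returning non-zero from either function is what makes acme.sh abort and report the failure instead of waiting for a record that was never created.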



What about readers who have no VPS and still want a free Let's Encrypt SSL certificate? Method one: apply manually online, using one of the three online free SSL certificate services; method two: use the SSL request feature built into the cPanel or DirectAdmin control panel.


