
ACME

acme.sh

installation

[root@vps ~]# mkdir acme
[root@vps ~]# cd acme
[root@vps acme]# wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[root@vps acme]# tar zxvf master.tar.gz
acme.sh-master/
acme.sh-master/.github/
[root@vps acme]# cd acme.sh-master/
[root@vps acme.sh-master]# ./acme.sh --install --nocron
[jeu. nov.  4 21:37:30 CET 2021] It is recommended to install socat first.
[jeu. nov.  4 21:37:30 CET 2021] We use socat for standalone server if you use standalone mode.
[jeu. nov.  4 21:37:30 CET 2021] If you don't use standalone mode, just ignore this warning.
[jeu. nov.  4 21:37:30 CET 2021] Installing to /root/.acme.sh
[jeu. nov.  4 21:37:30 CET 2021] Installed to /root/.acme.sh/acme.sh
[jeu. nov.  4 21:37:30 CET 2021] Installing alias to '/root/.bashrc'
[jeu. nov.  4 21:37:30 CET 2021] OK, Close and reopen your terminal to start using acme.sh
[jeu. nov.  4 21:37:30 CET 2021] Installing alias to '/root/.cshrc'
[jeu. nov.  4 21:37:30 CET 2021] Installing alias to '/root/.tcshrc'
[jeu. nov.  4 21:37:30 CET 2021] Good, bash is found, so change the shebang to use bash as preferred.
[jeu. nov.  4 21:37:31 CET 2021] OK

At this point, the client is installed in /root/.acme.sh/ and nowhere else.

Gandi DDNS API key

[root@vps ~]# export GANDI_LIVEDNS_KEY="SECRETSECRETKEY"

Switching to Gandi LiveDNS

If the domain is old, it is probably on the old Gandi name servers (non-dynamic):

  1. a.dns.gandi.net
  2. b.dns.gandi.net
  3. c.dns.gandi.net

Switching to dynamic:

register email

[root@vps ~]#  ~/.acme.sh/acme.sh --register-account -m admin@domain.fr
[jeu. nov.  4 22:45:12 CET 2021] No EAB credentials found for ZeroSSL, let's get one
[jeu. nov.  4 22:45:13 CET 2021] Registering account: https://acme.zerossl.com/v2/DV90
[jeu. nov.  4 22:45:14 CET 2021] Registered
[jeu. nov.  4 22:45:14 CET 2021] ACCOUNT_THUMBPRINT='secret-SECRET-SE-K__CRET'

curl and jq packages

To send web requests from the CLI and parse JSON, we need these 2 packages.

[root@vps ~]# yum install curl jq

Gandi API parameters

We set the shell variables needed to call Gandi's LiveDNS API.

# Retrieve our public IP address from the Akamai servers
MY_IP=$(curl -s http://whatismyip.akamai.com/)

# Gandi LiveDNS API key
APIKEY="................."

# Static domain hosted at Gandi
DOMAIN="mondomain.fr"

# Dynamic subdomain
SUBDOMAIN="acme"

# Get the current zone for the provided domain
CURRENT_ZONE_HREF=$(curl -s -H "X-Api-Key: $APIKEY" "https://dns.api.gandi.net/api/v5/domains/$DOMAIN" | jq -r '.zone_records_href')

# Update the A record of the dynamic subdomain by PUTing on the current zone
curl -D- -X PUT -H "Content-Type: application/json" \
        -H "X-Api-Key: $APIKEY" \
        -d "{\"rrset_name\": \"$SUBDOMAIN\",
             \"rrset_type\": \"A\",
             \"rrset_ttl\": 1200,
             \"rrset_values\": [\"$MY_IP\"]}" \
        "$CURRENT_ZONE_HREF/$SUBDOMAIN/A"
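
A hardened variant of the update step above, as an added example that is not part of the original page: the address comes back from a plain-HTTP lookup and is pasted into a JSON body, so this version validates it (and the record name) first and keeps the API key off the curl command line. The function names and the key file path /root/.gandi_apikey are assumptions.

```shell
#!/bin/sh
# Added example: validate inputs before calling the LiveDNS API.
# Function names and KEY_FILE are assumptions, not from the original page.
LC_ALL=C; export LC_ALL                      # byte-wise character ranges
KEY_FILE="${KEY_FILE:-/root/.gandi_apikey}"  # assumed path, mode 600

# Succeeds only for a dotted-quad IPv4 address with octets in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                # split on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeeds for one DNS label: letters, digits, inner hyphens, 1..63 chars.
is_label() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Prints the JSON body for the PUT; refuses to build it from bad input.
rrset_body() {
    is_label "$1" || { echo "bad record name" >&2; return 1; }
    is_ipv4 "$2" || { echo "bad IPv4 address" >&2; return 1; }
    printf '{"rrset_name":"%s","rrset_type":"A","rrset_ttl":1200,"rrset_values":["%s"]}\n' "$1" "$2"
}

# $1 = zone records URL, $2 = record name, $3 = address.
# The key goes to curl as a config line on stdin, not as an argument.
update_record() {
    body=$(rrset_body "$2" "$3") || return 1
    printf 'header = "X-Api-Key: %s"\n' "$(cat "$KEY_FILE")" |
        curl -sS --fail -K - -X PUT -H "Content-Type: application/json" \
             -d "$body" "$1/$2/A"
}

if [ "$#" -eq 3 ]; then
    update_record "$@"
fi
```

Called with three arguments (zone records URL, record name, address) the script performs the update; with none it only defines the functions.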

Execution example

Complete execution example

[root@vps ~]#  ~/.acme.sh/acme.sh --dns dns_gandi_livedns --issue --keylength 2048 -d wp.mondomain.fr
[lun. nov.  8 22:05:41 CET 2021] Using CA: https://acme.zerossl.com/v2/DV90
[lun. nov.  8 22:05:41 CET 2021] Single domain='wp.mondomain.fr'
[lun. nov.  8 22:05:41 CET 2021] Getting domain auth token for each domain
[lun. nov.  8 22:05:44 CET 2021] Getting webroot for domain='wp.mondomain.fr'
[lun. nov.  8 22:05:44 CET 2021] Adding txt value: 2ulRNvSECRET-bd0ySECRETurebtXp4EQHjQ2I_Oc for domain:  _acme-challenge.wp.mondomain.fr
[lun. nov.  8 22:05:47 CET 2021] Adding record success
[lun. nov.  8 22:05:47 CET 2021] The txt record is added: Success.
[lun. nov.  8 22:05:47 CET 2021] Let's check each DNS record now. Sleep 20 seconds first.
[lun. nov.  8 22:06:08 CET 2021] You can use '--dnssleep' to disable public dns checks.
[lun. nov.  8 22:06:08 CET 2021] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[lun. nov.  8 22:06:08 CET 2021] Checking wp.mondomain.fr for _acme-challenge.wp.mondomain.fr
[lun. nov.  8 22:06:08 CET 2021] Domain wp.mondomain.fr '_acme-challenge.wp.mondomain.fr' success.
[lun. nov.  8 22:06:08 CET 2021] All success, let's return
[lun. nov.  8 22:06:08 CET 2021] Verifying: wp.mondomain.fr
[lun. nov.  8 22:06:09 CET 2021] Processing, The CA is processing your order, please just wait. (1/30)
[lun. nov.  8 22:06:12 CET 2021] Success
[lun. nov.  8 22:06:12 CET 2021] Removing DNS records.
[lun. nov.  8 22:06:12 CET 2021] Removing txt: 2ulRNvSECRET-bd0ySECRETurebtXp4EQHjQ2I_Oc for domain: _acme-challenge.wp.domain.fr
[lun. nov.  8 22:06:13 CET 2021] Removing record success
[lun. nov.  8 22:06:13 CET 2021] Removed: Success
[lun. nov.  8 22:06:13 CET 2021] Verify finished, start to sign.
[lun. nov.  8 22:06:13 CET 2021] Lets finalize the order.
[lun. nov.  8 22:06:13 CET 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/LIcDLSECRETk1k-GreSECsw/finalize'
[lun. nov.  8 22:06:14 CET 2021] Order status is processing, lets sleep and retry.
[lun. nov.  8 22:06:14 CET 2021] Retry after: 15
[lun. nov.  8 22:06:30 CET 2021] Polling order status: https://acme.zerossl.com/v2/DV90/order/LIcDLSECRETk1k-GreSECsw
[lun. nov.  8 22:06:31 CET 2021] Downloading cert.
[lun. nov.  8 22:06:31 CET 2021] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/IHUd8SECRET-SECRETuyQ'
[lun. nov.  8 22:06:32 CET 2021] Cert success.
[lun. nov.  8 22:06:32 CET 2021] Your cert is in: /root/.acme.sh/wp.mondomain.fr/wp.mondomain.fr.cer
[lun. nov.  8 22:06:32 CET 2021] Your cert key is in: /root/.acme.sh/wp.mondomain.fr/wp.mondomain.fr.key
[lun. nov.  8 22:06:32 CET 2021] The intermediate CA cert is in: /root/.acme.sh/wp.mondomain.fr/ca.cer
[lun. nov.  8 22:06:32 CET 2021] And the full chain certs is there: /root/.acme.sh/wp.mondomain.fr/fullchain.cer

docpublic/systemes/acme_auto.1636406851.txt.gz · Last modified: 2021/11/08 21:27 by adminjp
CC Attribution-Noncommercial-Share Alike 4.0 International