Automatically renewing APISIX SSL certificates with acme.sh
Install openssl and jq
Omitted.
Install acme.sh
curl https://get.acme.sh | sh -s email=my@example.com
Replace my@example.com with your own e-mail address; it is used to register the ZeroSSL.com account. acme.sh has switched its default CA to ZeroSSL, and ZeroSSL requires an e-mail address for registration. If you omit the e-mail address or give an invalid one, you will get the error below:
[Mon Jul 12 15:53:31 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Mon Jul 12 15:53:31 CST 2021] No EAB credentials found for ZeroSSL, let's get one
[Mon Jul 12 15:53:31 CST 2021] acme.sh is using ZeroSSL as default CA now.
[Mon Jul 12 15:53:31 CST 2021] Please update your account with an email address first.
[Mon Jul 12 15:53:31 CST 2021] acme.sh --register-account -m my@example.com
[Mon Jul 12 15:53:31 CST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
[Mon Jul 12 15:53:31 CST 2021] Please add '--debug' or '--log' to check more details.
[Mon Jul 12 15:53:31 CST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Error: Create Let's Encrypt SSL Certificate failed!
If you do not want to use ZeroSSL, switch the default CA with the following command:
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
Issue the certificate and add a renew hook
$ acme.sh --issue --staging -d demo.domain --renew-hook "/root/.acme.sh/renew-hook-update-apisix.sh -h http://apisix-admin:port -p /root/.acme.sh/demo.domain/demo.domain.cer -k /root/.acme.sh/demo.domain/demo.domain.key -a xxxxxxxxxxxxx"
- -h: APISIX admin host (e.g. 127.0.0.1:9080)
- -p: PEM certificate
- -k: certificate private key
- -a: APISIX admin API key
- -t on: enable debug mode
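The post does not show the hook script itself, so here is an added example of what renew-hook-update-apisix.sh could look like; it is written for this page and is not code from acme.sh or APISIX. It assumes the APISIX 2.x Admin API path /apisix/admin/ssl/<id> with the X-API-KEY header, adds two options the post does not list (-s for the SNI list and -i for the ssl object id), and reads the admin key from the assumed APISIX_ADMIN_KEY variable when -a is not given:

```shell
#!/bin/sh
# Hypothetical renew-hook-update-apisix.sh: push a renewed cert/key into APISIX
# through the Admin API. Options -s (SNI list) and -i (ssl id, default 1) and
# the APISIX_ADMIN_KEY variable are assumptions, not part of the original post.

# Escape a PEM file as a JSON string body. PEM has no quotes or backslashes,
# so only the newlines need escaping.
pem_to_json_string() {
  awk '{ printf "%s\\n", $0 }' "$1"
}

# Turn "a.example,b.example" into "a.example","b.example" for the snis array.
snis_to_json_array() {
  printf '%s' "$1" | awk -F, '{ for (i = 1; i <= NF; i++) printf "%s\"%s\"", (i > 1 ? "," : ""), $i }'
}

# Build the APISIX ssl object: {"cert": ..., "key": ..., "snis": [...]}.
build_ssl_payload() {  # cert_file key_file sni_list
  printf '{"cert":"%s","key":"%s","snis":[%s]}' \
    "$(pem_to_json_string "$1")" "$(pem_to_json_string "$2")" "$(snis_to_json_array "$3")"
}

# PUT the payload to /apisix/admin/ssl/<id> (APISIX 2.x path; 3.x uses /ssls/).
# Prints only the HTTP status; the response body goes to stderr in debug mode,
# so the private key never ends up in the acme.sh log.
upload_ssl() {  # admin_url apikey ssl_id payload debug
  if [ "$5" = "on" ]; then out=/dev/stderr; else out=/dev/null; fi
  printf '%s' "$4" | curl -sS -o "$out" -w '%{http_code}' -X PUT \
    -H "X-API-KEY: $2" -H "Content-Type: application/json" \
    --data-binary @- "$1/apisix/admin/ssl/$3"
}

main() {
  admin=; cert=; key=; snis=; apikey="${APISIX_ADMIN_KEY:-}"; debug=off; ssl_id=1
  while getopts "h:p:k:a:t:s:i:" opt; do
    case "$opt" in
      h) admin="$OPTARG" ;; p) cert="$OPTARG" ;; k) key="$OPTARG" ;; a) apikey="$OPTARG" ;;
      t) debug="$OPTARG" ;; s) snis="$OPTARG" ;; i) ssl_id="$OPTARG" ;;
      *) return 2 ;;
    esac
  done
  if [ -z "$admin" ] || [ -z "$cert" ] || [ -z "$key" ] || [ -z "$apikey" ] || [ -z "$snis" ]; then
    echo "usage: $0 -h http://host:port -p cert.pem -k key.pem -a apikey -s sni[,sni] [-i id] [-t on]" >&2
    return 2
  fi
  code=$(upload_ssl "$admin" "$apikey" "$ssl_id" "$(build_ssl_payload "$cert" "$key" "$snis")" "$debug")
  case "$code" in
    200|201) echo "APISIX ssl/$ssl_id updated for $snis" ;;
    *) echo "APISIX update failed: HTTP $code" >&2; return 1 ;;  # non-zero so acme.sh reports the hook failure
  esac
}

# Run only when invoked as the hook with arguments (the file can also be sourced).
if [ $# -gt 0 ]; then main "$@"; fi
```

Passing the admin key through APISIX_ADMIN_KEY instead of -a keeps it off the hook's command line.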
Renew the certificate
acme.sh --renew --domain demo.domain
To force renewal, add --force