Reference: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert

This method is not the one the project recommends: a certificate issued this way cannot be renewed automatically, so every renewal has to be done by hand (see the update at the end).

Issuing a certificate with acme.sh in DNS manual mode

A machine with a public IP looked necessary at first (that is what was used here), but it is not. Tested on 2018-12-10: the procedure works on a VM with no public IP. DNS-01 validation only needs the TXT records to be published in public DNS and the machine running acme.sh to reach the CA outbound over HTTPS; the CA never connects to the host itself.


1. Installation

curl https://get.acme.sh | sh

This pipes a script fetched over the network straight into a shell. If that is not acceptable in your environment, download get.acme.sh first, read it, and then run it. The installer places everything under ~/.acme.sh and adds a cron entry that runs acme.sh --cron daily; for a certificate issued in DNS manual mode that job cannot complete the challenge on its own, which is why renewal is a manual step here.

2. Make sure nginx and apache are not running and holding port 80. Port 80 only matters for the standalone (HTTP-01) mode; DNS manual mode never listens on a port, so this step can be skipped here.

3. Issuing

It is a single command. The first run ends in what looks like an error: acme.sh asks you to add two TXT records to the zone. Note that dns-01 is the name of the challenge type, not of a DNS API hook; acme.sh cannot find a hook by that name and falls back to printing the records for manual entry, which is the "Can not find dns api hook for: dns-01" line below. The documented invocation for manual mode is --dns with no hook name, plus --yes-I-know-dns-manual-mode-enough-go-ahead-please in current acme.sh versions. Both records go on the same name, _acme-challenge.bombstory.com, with different values: one authorizes bombstory.com and the other *.bombstory.com, and both must exist at the same time.

root@david-test:~/.acme.sh# acme.sh --issue -d bombstory.com -d *.bombstory.com --dns dns-01
[Wed Dec  5 11:58:54 UTC 2018] Multi domain='DNS:bombstory.com,DNS:*.bombstory.com'
[Wed Dec  5 11:58:54 UTC 2018] Getting domain auth token for each domain
[Wed Dec  5 11:58:56 UTC 2018] Getting webroot for domain='bombstory.com'
[Wed Dec  5 11:58:56 UTC 2018] Getting webroot for domain='*.bombstory.com'
[Wed Dec  5 11:58:57 UTC 2018] Can not find dns api hook for: dns-01
[Wed Dec  5 11:58:57 UTC 2018] You need to add the txt record manually.
[Wed Dec  5 11:58:57 UTC 2018] Add the following TXT record:
[Wed Dec  5 11:58:57 UTC 2018] Domain: '_acme-challenge.bombstory.com'
[Wed Dec  5 11:58:57 UTC 2018] TXT value: 'nuV36UCKAvU3KiWLFkAxNIQAVahmmnC5witMoOrk7MQ'
[Wed Dec  5 11:58:57 UTC 2018] Please be aware that you prepend _acme-challenge. before your domain
[Wed Dec  5 11:58:57 UTC 2018] so the resulting subdomain will be: _acme-challenge.bombstory.com
[Wed Dec  5 11:58:57 UTC 2018] Can not find dns api hook for: dns-01
[Wed Dec  5 11:58:57 UTC 2018] You need to add the txt record manually.
[Wed Dec  5 11:58:57 UTC 2018] Add the following TXT record:
[Wed Dec  5 11:58:57 UTC 2018] Domain: '_acme-challenge.bombstory.com'
[Wed Dec  5 11:58:57 UTC 2018] TXT value: 'HKXRN73W33CZnDCsUgXxCDDrgsn5xMagUPaMZl4yjkU'
[Wed Dec  5 11:58:57 UTC 2018] Please be aware that you prepend _acme-challenge. before your domain
[Wed Dec  5 11:58:57 UTC 2018] so the resulting subdomain will be: _acme-challenge.bombstory.com
[Wed Dec  5 11:58:57 UTC 2018] Please add the TXT records to the domains, and re-run with --renew.
[Wed Dec  5 11:58:57 UTC 2018] Please add '--debug' or '--log' to check more details.
[Wed Dec  5 11:58:57 UTC 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

4. Add the DNS records

In the DNS provider's panel, add two TXT records for the name _acme-challenge under bombstory.com, one with each value printed above. Do not replace the first with the second: both must be present. (Screenshot of the DNS control panel omitted.)

5. Wait until the records are visible in public DNS (the CA resolves them itself, so a record that only exists in the provider's panel is not enough), then run the same command again with --renew appended:

root@david-test:~/.acme.sh# acme.sh --issue -d bombstory.com -d *.bombstory.com --dns dns-01 --renew
[Wed Dec  5 12:02:09 UTC 2018] Renew: 'bombstory.com'
[Wed Dec  5 12:02:10 UTC 2018] Multi domain='DNS:bombstory.com,DNS:*.bombstory.com'
[Wed Dec  5 12:02:10 UTC 2018] Getting domain auth token for each domain
[Wed Dec  5 12:02:10 UTC 2018] Verifying:bombstory.com
[Wed Dec  5 12:02:14 UTC 2018] Success
[Wed Dec  5 12:02:14 UTC 2018] Verifying:*.bombstory.com
[Wed Dec  5 12:02:17 UTC 2018] Pending
[Wed Dec  5 12:02:20 UTC 2018] Success
[Wed Dec  5 12:02:20 UTC 2018] Verify finished, start to sign.
[Wed Dec  5 12:02:22 UTC 2018] Cert success.
-----BEGIN CERTIFICATE-----
......(long certificate body omitted)......
-----END CERTIFICATE-----
[Wed Dec  5 12:02:22 UTC 2018] Your cert is in  /root/.acme.sh/bombstory.com/bombstory.com.cer 
[Wed Dec  5 12:02:22 UTC 2018] Your cert key is in  /root/.acme.sh/bombstory.com/bombstory.com.key 
[Wed Dec  5 12:02:22 UTC 2018] The intermediate CA cert is in  /root/.acme.sh/bombstory.com/ca.cer 
[Wed Dec  5 12:02:22 UTC 2018] And the full chain certs is there:  /root/.acme.sh/bombstory.com/fullchain.cer 

6. Of these, two files are needed by the web server:

the private key: /root/.acme.sh/bombstory.com/bombstory.com.key

the certificate chain (leaf plus intermediate): /root/.acme.sh/bombstory.com/fullchain.cer

acme.sh treats ~/.acme.sh as its own working directory and rewrites these files on every renewal, so copy them to the web server's own location (or let acme.sh do it with --install-cert) instead of pointing nginx at this directory.
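
Step 5 says to wait a while before re-running with --renew. The wait exists because the CA resolves _acme-challenge.bombstory.com from its own vantage point, so the records must be visible in public DNS and not just saved in the provider's panel. The script below is an added example (it is not part of the original post or of acme.sh) that polls a resolver until every expected TXT value is present. The two values are the ones printed in step 3; the resolver address 1.1.1.1 and the dig tool (from the dnsutils or bind-utils package) are assumptions, and the sample answer in the script is constructed for the self-check rather than captured from a real query.

```sh
#!/bin/sh
# Added example: poll DNS until every expected _acme-challenge TXT value is
# visible, after which it is safe to re-run acme.sh with --renew.
# Assumptions: dig is installed; the resolver address is supplied by the caller.

# Constructed sample of what `dig +short TXT` prints once both records from
# step 3 are published (used by the self-check, not a real query result).
SAMPLE_ANSWER='"nuV36UCKAvU3KiWLFkAxNIQAVahmmnC5witMoOrk7MQ"
"HKXRN73W33CZnDCsUgXxCDDrgsn5xMagUPaMZl4yjkU"'

# all_values_present "<dig +short TXT output>" VALUE...
# Exit 0 when every VALUE appears as a complete quoted TXT string in the
# output, 1 otherwise. The quotes matter: a value that is merely a prefix of
# another record must not count as present.
all_values_present() {
    answers=$1
    shift
    for v in "$@"; do
        case "$answers" in
            *"\"$v\""*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# query_txt NAME RESOLVER -> prints one quoted string per TXT record
query_txt() {
    dig +short TXT "$1" "@$2"
}

# wait_for_txt NAME RESOLVER MAX_TRIES VALUE...
# Polls every 10 seconds; exit 0 once all values are visible, 1 on timeout.
wait_for_txt() {
    name=$1
    resolver=$2
    tries=$3
    shift 3
    i=0
    while [ "$i" -lt "$tries" ]; do
        if all_values_present "$(query_txt "$name" "$resolver")" "$@"; then
            echo "all $# TXT value(s) for $name visible via $resolver"
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "gave up: TXT records for $name not visible via $resolver" >&2
    return 1
}

# Usage (the two values are the ones acme.sh printed in step 3):
#   sh check_txt.sh _acme-challenge.bombstory.com 1.1.1.1 30 \
#       nuV36UCKAvU3KiWLFkAxNIQAVahmmnC5witMoOrk7MQ \
#       HKXRN73W33CZnDCsUgXxCDDrgsn5xMagUPaMZl4yjkU
if [ $# -ge 4 ]; then
    wait_for_txt "$@"
fi
```

A recursive resolver that was asked for the name before the records existed will cache the negative answer for the zone's SOA minimum TTL and keep saying "no record" for a while. When in doubt, pass one of the zone's authoritative nameservers (dig +short NS bombstory.com) as the resolver instead of a public one.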



Update, 2018-12-10

Renewing a certificate issued in DNS manual mode:

1. Keep the two TXT records in DNS. The renewal below passes without a new challenge because the CA still holds the successful validation from step 5 of the first run; while that is valid, acme.sh reports both names as "already verified" and skips dns-01. The CA keeps a validation for a limited period only. Once it lapses, the next renewal prints fresh TXT values that have to be entered again, and the old records can be removed at that point.

2. The certificate was issued 4 days ago and has 85 days left. (https.remaining[...] is not a built-in Zabbix item key; it is a custom check on the author's monitoring host that reports the days until expiry.)

ops@zabbix2:~$ zabbix_get -s 127.0.0.1 -k https.remaining[bombstory.com]
85

3. Renew by hand:

root@david-test:~/.acme.sh# acme.sh --renew -d bombstory.com --force
[Mon Dec 10 05:14:54 UTC 2018] Renew: 'bombstory.com'
[Mon Dec 10 05:14:55 UTC 2018] Multi domain='DNS:bombstory.com,DNS:*.bombstory.com'
[Mon Dec 10 05:14:55 UTC 2018] Getting domain auth token for each domain
[Mon Dec 10 05:14:57 UTC 2018] Getting webroot for domain='bombstory.com'
[Mon Dec 10 05:14:57 UTC 2018] Getting webroot for domain='*.bombstory.com'
[Mon Dec 10 05:14:57 UTC 2018] bombstory.com is already verified, skip dns-01.
[Mon Dec 10 05:14:57 UTC 2018] *.bombstory.com is already verified, skip dns-01.
[Mon Dec 10 05:14:57 UTC 2018] Verify finished, start to sign.
[Mon Dec 10 05:15:00 UTC 2018] Cert success.
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
[Mon Dec 10 05:15:00 UTC 2018] Your cert is in  /root/.acme.sh/bombstory.com/bombstory.com.cer 
[Mon Dec 10 05:15:00 UTC 2018] Your cert key is in  /root/.acme.sh/bombstory.com/bombstory.com.key 
[Mon Dec 10 05:15:00 UTC 2018] The intermediate CA cert is in  /root/.acme.sh/bombstory.com/ca.cer 
[Mon Dec 10 05:15:00 UTC 2018] And the full chain certs is there:  /root/.acme.sh/bombstory.com/fullchain.cer 
root@david-test:~/.acme.sh# sz /root/.acme.sh/bombstory.com/fullchain.cer

4. Replace the certificate files and reload nginx. (The sz in the previous step sends fullchain.cer to the workstation over ZMODEM; from there it is copied to /etc/nginx/ssl on the web server.) Note the listing below: the private key is mode 0644, readable by every local user. It should be 0600 and owned by root; nginx reads it as root when loading the configuration, so nothing else needs access. Run nginx -t before the reload, as done here, so that a bad file never takes the server down.

root@bombstory:/etc/nginx/ssl# ls -l
total 12
-rw-r--r-- 1 root root 1675 Dec  5 19:51 bombstory.com.key
-rw-r--r-- 1 root root 3575 Dec 10 13:15 fullchain.cer
-rw-r--r-- 1 root root 3575 Dec  5 20:02 fullchain.cerbak
root@bombstory:/etc/nginx/ssl# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@bombstory:/etc/nginx/ssl# nginx -s reload

5. Check again: success, the new certificate reports 89 days remaining.

ops@zabbix2:~$ zabbix_get -s 127.0.0.1 -k https.remaining[bombstory.com]
89
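
Step 4 copies the renewed fullchain.cer into /etc/nginx/ssl and reloads nginx by hand. The script below is an added example (not from the original post or from acme.sh) of the checks worth running before that swap: that the certificate actually belongs to the private key nginx will load (a mismatch is the usual reason nginx refuses to reload after a renewal, with a "key values mismatch" error), that the new certificate is not already near expiry, and that the key lands with mode 0600 rather than the 0644 seen in the listing above. Paths follow the post's /etc/nginx/ssl layout and are assumptions; openssl and install are standard tools, and the reload step is the same nginx -t / nginx -s reload the post uses. acme.sh's own --install-cert with a --reloadcmd does the copy and reload for you; this is the manual equivalent with the checks made explicit.

```sh
#!/bin/sh
# Added example: verify a renewed certificate before swapping it into nginx.
# Assumes the post's layout: /etc/nginx/ssl/fullchain.cer and
# /etc/nginx/ssl/bombstory.com.key, referenced from the nginx config.

# key_matches_cert FULLCHAIN KEY
# Exit 0 when the first certificate in FULLCHAIN carries the public key
# derived from KEY. Both sides are compared as PEM SubjectPublicKeyInfo,
# so the check works for RSA and EC keys alike.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# expires_within FULLCHAIN DAYS
# Exit 0 if the leaf certificate expires within DAYS days. openssl's
# -checkend exits 0 only when the certificate is still valid past that point,
# so the result is negated.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# install_cert FULLCHAIN KEY DESTDIR
# Copies the pair into DESTDIR with safe permissions and reloads nginx only
# if the configuration still validates. Files are written under temporary
# names and moved into place so nginx never reads a half-written file.
install_cert() {
    chain=$1
    key=$2
    dest=$3
    if ! key_matches_cert "$chain" "$key"; then
        echo "refusing to install: $key does not match $chain" >&2
        return 1
    fi
    if expires_within "$chain" 30; then
        echo "warning: $chain expires within 30 days; was the renewal really issued?" >&2
    fi
    # certificate chain is public; the key must stay root-only (0600)
    install -m 0644 "$chain" "$dest/fullchain.cer.new"
    install -m 0600 "$key"   "$dest/bombstory.com.key.new"
    mv -f "$dest/fullchain.cer.new"     "$dest/fullchain.cer"
    mv -f "$dest/bombstory.com.key.new" "$dest/bombstory.com.key"
    nginx -t && nginx -s reload
}

# Usage, as root on the web server after copying the new files over:
#   sh install_cert.sh /tmp/fullchain.cer /tmp/bombstory.com.key /etc/nginx/ssl
if [ $# -eq 3 ]; then
    install_cert "$@"
fi
```

The key is copied every time even though it does not change between renewals here; that keeps the script correct when the key does change (acme.sh regenerates it on a --force renewal with a different key length, for instance) and makes the 0600 mode part of every deployment rather than something to remember once.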

