Automatic domain certificate renewal: acme.sh (generic version)
Requesting and installing an SSL certificate with acme.sh
This article walks you through requesting and installing a free Let's Encrypt SSL certificate with the acme.sh tool.
Prerequisites
- A server reachable from the public internet.
- Nginx installed (used here; other web servers are similar), with port 80 reachable.
- Control of the domain's DNS, with the domain pointing at the server's IP.
- Willingness to run five commands on your server.
SSL checker tool: result screenshot
Step 1: Install acme.sh
Run the following command to install acme.sh:
curl https://get.acme.sh | sh
Output:
[root@instance-sp608fvo tmp]# curl https://get.acme.sh | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1032    0  1032    0     0    399      0 --:--:--  0:00:02 --:--:--   399
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  221k  100  221k    0     0  13834      0  0:00:16  0:00:16 --:--:-- 11956
[Thu Jun 12 12:33:51 CST 2025] Installing from online archive.
[Thu Jun 12 12:33:51 CST 2025] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Thu Jun 12 12:33:59 CST 2025] Extracting master.tar.gz
[Thu Jun 12 12:33:59 CST 2025] It is recommended to install socat first.
[Thu Jun 12 12:33:59 CST 2025] We use socat for the standalone server, which is used for standalone mode.
[Thu Jun 12 12:33:59 CST 2025] If you don't want to use standalone mode, you may ignore this warning.
[Thu Jun 12 12:33:59 CST 2025] Installing to /root/.acme.sh
[Thu Jun 12 12:33:59 CST 2025] Installed to /root/.acme.sh/acme.sh
[Thu Jun 12 12:33:59 CST 2025] Installing alias to '/root/.bashrc'
[Thu Jun 12 12:33:59 CST 2025] Close and reopen your terminal to start using acme.sh
[Thu Jun 12 12:33:59 CST 2025] Installing alias to '/root/.cshrc'
[Thu Jun 12 12:33:59 CST 2025] Installing alias to '/root/.tcshrc'
[Thu Jun 12 12:33:59 CST 2025] Installing cron job
[Thu Jun 12 12:33:59 CST 2025] bash has been found. Changing the shebang to use bash as preferred.
[Thu Jun 12 12:34:01 CST 2025] OK
[Thu Jun 12 12:34:01 CST 2025] Install success!
Step 2: Set the default CA
Set Let's Encrypt as the default certificate authority:
source ~/.bashrc
acme.sh --set-default-ca --server letsencrypt
Output:
[root@instance-sp608fvo ~]# source ~/.bashrc
[root@instance-sp608fvo ~]# acme.sh --set-default-ca --server letsencrypt
[Thu Jun 12 12:40:46 CST 2025] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
Step 3: Request the certificate
Request the certificate in --webroot mode. Make sure the domain already resolves to the server and that /usr/share/nginx/html is Nginx's default document root.
acme.sh --issue -d <your domain, e.g. baidu.com> --webroot <directory served on port 80, e.g. /usr/share/nginx/html>
Example:
acme.sh --issue -d test.example.com --webroot /usr/share/nginx/html
Output:
[root@instance-sp608fvo nginx]# acme.sh --issue -d test.example.com --webroot /usr/share/nginx/html
[Thu Jun 12 12:49:54 CST 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu Jun 12 12:49:54 CST 2025] Creating domain key
[Thu Jun 12 12:49:54 CST 2025] The domain key is here: /root/.acme.sh/test.example.com_ecc/test.example.com.key
[Thu Jun 12 12:49:54 CST 2025] Single domain='test.example.com'
[Thu Jun 12 12:50:01 CST 2025] Getting webroot for domain='test.example.com'
[Thu Jun 12 12:50:01 CST 2025] Verifying: test.example.com
[Thu Jun 12 12:50:03 CST 2025] Pending. The CA is processing your order, please wait. (1/30)
[Thu Jun 12 12:50:08 CST 2025] Success
[Thu Jun 12 12:50:08 CST 2025] Verification finished, beginning signing.
[Thu Jun 12 12:50:08 CST 2025] Let's finalize the order.
[Thu Jun 12 12:50:08 CST 2025] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/2459862082/393925191632'
[Thu Jun 12 12:50:12 CST 2025] Downloading cert.
[Thu Jun 12 12:50:12 CST 2025] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/06c810fa50377b7f67b3bafe5d77ae908659'
[Thu Jun 12 12:50:14 CST 2025] Cert success.
Step 4: Install the certificate
Install the issued certificate into Nginx and set a reload command so the configuration is reloaded automatically after each renewal.
acme.sh --install-cert -d <your domain> \
--key-file /etc/pki/nginx/<your domain>.key \
--fullchain-file /etc/pki/nginx/<your domain>.pem \
--reloadcmd "nginx -s reload"
Example:
acme.sh --install-cert -d test.example.com \
--key-file /etc/pki/nginx/test.example.com.key \
--fullchain-file /etc/pki/nginx/test.example.com.pem \
--reloadcmd "nginx -s reload"
Output:
[root@instance-sp608fvo nginx]# acme.sh --install-cert -d test.example.com \
> --key-file /etc/pki/nginx/test.example.com.key \
> --fullchain-file /etc/pki/nginx/test.example.com.pem \
> --reloadcmd "nginx -s reload"
[Thu Jun 12 12:55:56 CST 2025] The domain 'test.example.com' seems to already have an ECC cert, let's use it.
[Thu Jun 12 12:55:56 CST 2025] Installing key to: /etc/pki/nginx/test.example.com.key
[Thu Jun 12 12:55:56 CST 2025] Installing full chain to: /etc/pki/nginx/test.example.com.pem
[Thu Jun 12 12:55:56 CST 2025] Running reload cmd: nginx -s reload
[Thu Jun 12 12:55:56 CST 2025] Reload successful
Step 5: Check the automatic renewal configuration
Check the cron job
Make sure the acme.sh automatic renewal task has been added to the system's scheduled tasks (crontab):
crontab -l
acme.sh --cron --home "/root/.acme.sh"
Output:
[root@instance-sp608fvo nginx]# crontab -l
* * * * * /opt/heyeAgent/bin/upgrade &>/dev/null
59 9 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[root@instance-sp608fvo nginx]# acme.sh --cron --home "/root/.acme.sh"
[Thu Jun 12 14:07:39 CST 2025] ===Starting cron===
[Thu Jun 12 14:07:39 CST 2025] Renewing: 'test.example.com'
[Thu Jun 12 14:07:39 CST 2025] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
[Thu Jun 12 14:07:39 CST 2025] Skipping. Next renewal time is: 2025-08-10T04:50:14Z
[Thu Jun 12 14:07:39 CST 2025] Add '--force' to force renewal.
[Thu Jun 12 14:07:39 CST 2025] Skipped test.example.com_ecc
[Thu Jun 12 14:07:39 CST 2025] ===End cron===
If you need to force a renewal, add the --force flag (not tested here):
acme.sh --renew -d <your domain> --force
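A post-deployment check for steps 4 and 5, added here as an example; it is not part of acme.sh or of this guide's original commands. It assumes the files live where --install-cert put them (/etc/pki/nginx/<domain>.key and .pem), that your Nginx server block references that .pem via ssl_certificate (otherwise "Nginx will load the new certificate" does not hold), and that openssl, nginx and crontab are on PATH; the 30-day threshold is a constructed default.

```shell
#!/bin/sh
# Post-deployment checks for the acme.sh + Nginx setup above (added example,
# not acme.sh's own code). Assumed paths match the --install-cert step;
# openssl, nginx and crontab are on PATH. Usage: sh check-cert.sh test.example.com
DIR=/etc/pki/nginx          # where --install-cert copied the key and chain

# 1. The private key must not be group- or world-readable.
check_key_perms() {
    case "$(ls -ld "$1" | cut -c5-10)" in      # group+other permission bits
        ------) return 0 ;;
        *) echo "FAIL: $1 readable by group/others ($(ls -ld "$1" | cut -c1-10))"; return 1 ;;
    esac
}

# 2. The installed full chain (leaf first) and the key must share one public key.
check_key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ] || { echo "FAIL: $2 does not match $1"; return 1; }
}

# 3. Fail if the leaf certificate expires within $2 days (default 30); acme.sh
#    renews earlier than that, so hitting this means the cron renewal is broken.
check_not_expiring() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1 \
        || { echo "FAIL: $1 expires within ${2:-30} days; auto-renew may be broken"; return 1; }
}

# 4. The renewal cron entry from step 1 must still exist (reads crontab text on stdin).
check_renew_cron() {
    grep -q 'acme\.sh --cron' || { echo "FAIL: no acme.sh --cron entry in crontab"; return 1; }
}

# 5. Nginx must actually reference the installed chain (reads `nginx -T` output on stdin).
check_nginx_uses_cert() {
    grep -Eq "ssl_certificate[[:space:]]+$1;" \
        || { echo "FAIL: no 'ssl_certificate $1;' in the nginx config"; return 1; }
}

run_all() {
    key="$DIR/$1.key"; pem="$DIR/$1.pem"; rc=0
    check_key_perms "$key" || rc=1
    check_key_matches_cert "$pem" "$key" || rc=1
    check_not_expiring "$pem" 30 || rc=1
    crontab -l 2>/dev/null | check_renew_cron || rc=1
    nginx -T 2>/dev/null | check_nginx_uses_cert "$pem" || rc=1
    [ $rc -eq 0 ] && echo "OK: $1 certificate deployment looks healthy"
    return $rc
}

if [ $# -ge 1 ]; then run_all "$1"; fi
```

Run it from cron a day after the expected renewal date printed by acme.sh --cron, so a silent renewal or reload failure is noticed before the certificate actually expires.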
Done
At this point, acme.sh has requested and installed an SSL certificate for your domain. Nginx will load the new certificate automatically, and acme.sh will renew it before it expires.