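#!/bin/bash
# 美家卡智影 - acme.sh SSL certificate one-shot setup script
# ===========================================
# Tuned for servers inside mainland China:
# • install acme.sh from the Gitee mirror (avoids GitHub timeouts)
# • use Let's Encrypt as the default CA (validation is more reliable there)
# • use webroot mode (no nginx configuration changes needed)
#
# Usage:
# chmod +x acme-setup.sh
# sudo ./acme-setup.sh dev.tapi.meijiaka.cn
#
# Optional environment:
# ACME_SH_SHA256 - expected SHA-256 of the fallback release tarball. When set,
#                  the download is verified before it is extracted and run as
#                  root; when unset, a warning is printed and the check skipped.
#
# NOTE(review): acme.sh keeps its state (and, presumably, the renewal cron
# entry it installs) under $HOME. Under sudo that is normally root's home, so
# run this script the same way every time; mixing users splits that state.

set -euo pipefail

DOMAIN="${1:-dev.tapi.meijiaka.cn}"
NGINX_SSL_DIR="/etc/nginx/ssl"
ACME_CHALLENGE_DIR="/var/www/acme-challenge"
ACME_SH="$HOME/.acme.sh/acme.sh"
ACME_SH_GIT_MIRROR="https://gitee.com/neilpang/acme.sh.git"
ACME_SH_TARBALL_URL="https://gh.api.99988866.xyz/https://github.com/acmesh-official/acme.sh/archive/refs/tags/3.1.0.tar.gz"
ACME_SH_SHA256="${ACME_SH_SHA256:-}"

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# The domain is spliced into filesystem paths (rm/install below), so refuse
# anything that is not a plain hostname: no slashes, spaces or ".." segments.
[[ "$DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] \
  || die "无效的域名: $DOMAIN"

# Writing under /etc/nginx and reloading nginx both need root (see Usage).
[[ $EUID -eq 0 ]] || die "请使用 sudo 运行此脚本"

# Scratch space for the optional install step. Created with mktemp instead of
# a fixed /tmp/acme.sh so another local user cannot pre-seed the directory
# whose contents are later executed as root; removed on every exit path.
WORK_DIR=""
cleanup() {
  if [[ -n "$WORK_DIR" ]]; then
    rm -rf -- "$WORK_DIR"
  fi
}
trap cleanup EXIT

echo "========================================"
echo " acme.sh SSL 证书配置"
echo " 域名: $DOMAIN"
echo "========================================"

# 0. Clean up leftovers from an earlier failed run (empty certificate files).
# Only zero-byte files are removed, so a currently working certificate is never
# deleted before the new one has been issued: if issuance fails below, nginx
# keeps serving the old one instead of being left without any key material.
echo "[0/6] 清理之前可能的残留..."
for leftover in "$NGINX_SSL_DIR/$DOMAIN.crt" "$NGINX_SSL_DIR/$DOMAIN.key"; do
  if [[ -e "$leftover" && ! -s "$leftover" ]]; then
    rm -f -- "$leftover"
  fi
done
# Drop acme.sh's stored state for this domain so --force starts clean.
rm -rf -- "$HOME/.acme.sh/${DOMAIN:?}_ecc"

# 1. Install acme.sh (if not already installed)
if [[ ! -d "$HOME/.acme.sh" ]]; then
  echo "[1/6] 使用 Gitee 镜像安装 acme.sh..."
  WORK_DIR="$(mktemp -d)" || die "mktemp 失败"
  src_dir="$WORK_DIR/acme.sh"
  # Clone output is silenced because the tarball fallback below is expected
  # to handle the common failure (mirror unreachable).
  if ! git clone "$ACME_SH_GIT_MIRROR" "$src_dir" 2>/dev/null; then
    echo "Gitee 也失败了,尝试直接下载 release 包..."
    tarball="$WORK_DIR/acme.sh.tar.gz"
    # -f makes curl fail on an HTTP error instead of saving the error page as
    # the tarball (which would otherwise surface as a confusing tar failure).
    curl -fsSL -o "$tarball" "$ACME_SH_TARBALL_URL"
    # The fallback goes through a third-party proxy, so verify the archive
    # against the operator-supplied digest before anything in it is executed.
    if [[ -n "$ACME_SH_SHA256" ]]; then
      printf '%s  %s\n' "$ACME_SH_SHA256" "$tarball" | sha256sum -c - >/dev/null \
        || die "release 包校验失败 (ACME_SH_SHA256 不匹配)"
    else
      echo "警告: 未设置 ACME_SH_SHA256,跳过 release 包完整性校验" >&2
    fi
    mkdir -p -- "$src_dir"
    tar -xzf "$tarball" -C "$src_dir" --strip-components=1
  fi
  # Subshell: keep the script's own cwd out of the scratch dir that is
  # removed by the EXIT trap.
  (cd "$src_dir" && ./acme.sh --install)
  export PATH="$HOME/.acme.sh:$PATH"
else
  echo "[1/6] acme.sh 已安装"
fi

# 2. Set Let's Encrypt as the default CA
echo "[2/6] 设置 Let's Encrypt 为默认 CA..."
"$ACME_SH" --set-default-ca --server letsencrypt

# 3. Create the required directories
echo "[3/6] 创建证书和验证目录..."
mkdir -p -- "$NGINX_SSL_DIR"
mkdir -p -- "$ACME_CHALLENGE_DIR"

# 4. Issue the certificate (webroot mode + force, overriding earlier failed records)
echo "[4/6] 申请证书: $DOMAIN..."
"$ACME_SH" --issue -d "$DOMAIN" -w "$ACME_CHALLENGE_DIR" --force

# 5. Install the certificate into the nginx directory
echo "[5/6] 安装证书到 nginx..."
"$ACME_SH" --install-cert -d "$DOMAIN" \
  --key-file "$NGINX_SSL_DIR/$DOMAIN.key" \
  --fullchain-file "$NGINX_SSL_DIR/$DOMAIN.crt" \
  --reloadcmd "systemctl reload nginx"

# 6. Verify
echo "[6/6] 验证证书..."
"$ACME_SH" --info -d "$DOMAIN"

# Temporary download files are removed by the EXIT trap.

echo ""
echo "========================================"
echo " ✅ SSL 证书配置完成!"
echo "========================================"
echo " 证书路径:"
echo " $NGINX_SSL_DIR/$DOMAIN.crt"
echo " $NGINX_SSL_DIR/$DOMAIN.key"
echo ""
echo " 验证 HTTPS:"
echo " curl -I https://$DOMAIN/health"
echo ""
echo " 自动续签:"
echo " crontab -l | grep acme"
echo ""
echo " 手动续签测试:"
echo " ~/.acme.sh/acme.sh --renew -d $DOMAIN --dry-run"
echo "========================================"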