VPS侦探 Forum


How do I change the CA to ZeroSSL when lnmp onlyssl ** issues a wildcard certificate via DNS?

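Posted on 2021-10-10 11:32:04

军哥: The default CA for issuing wildcard certificates via DNS is currently Let's Encrypt. I would like to use the ZeroSSL CA to issue them instead.
How do I change lnmp onlyssl ** so that the wildcard certificate is issued by the ZeroSSL CA?

Please tell me how to modify it!
Thanks!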
Original poster | Posted on 2021-10-10 11:53:12

I used
/usr/local/acme.sh/acme.sh --set-default-ca  --server zerossl
and then
ran lnmp onlyssl cloudns
After that, the certificate was still issued by the default Let's Encrypt... CA
    Removing exist domain certificate...
    Starting create SSL Certificate use Let's Encrypt...

    [Sun Oct 10 10:51:12 CST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Sun Oct 10 10:51:12 CST 2021] Creating domain key
    [Sun Oct 10 10:51:13 CST 2021] The domain key is here: /usr/local/nginx/conf/ssl/**.com/**.com.key
    [Sun Oct 10 10:51:13 CST 2021] Multi domain='DNS:loewan.com,DNS:*.**.com'
    [Sun Oct 10 10:51:13 CST 2021] Getting domain auth token for each domain
    [Sun Oct 10 10:51:16 CST 2021] Getting webroot for domain='**.com'
    [Sun Oct 10 10:51:16 CST 2021] Getting webroot for domain='*.**.com'
    [Sun Oct 10 10:51:17 CST 2021] loewan.com is already verified, skip dns-01.
    [Sun Oct 10 10:51:17 CST 2021] *.loewan.com is already verified, skip dns-01.
    [Sun Oct 10 10:51:17 CST 2021] Verify finished, start to sign.
    [Sun Oct 10 10:51:17 CST 2021] Lets finalize the order.
    [Sun Oct 10 10:51:17 CST 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/116013285/30765437680'
    [Sun Oct 10 10:51:20 CST 2021] Downloading cert.
    [Sun Oct 10 10:51:20 CST 2021] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/034719741cd96bec1d7e7700b6b2faa8b0f4'
    [Sun Oct 10 10:51:21 CST 2021] Cert success.
    [Sun Oct 10 10:51:21 CST 2021] Your cert is in: /usr/local/nginx/conf/ssl/**.com/**.com.cer
    [Sun Oct 10 10:51:21 CST 2021] Your cert key is in: /usr/local/nginx/conf/ssl/**.com/**.com.key
    [Sun Oct 10 10:51:21 CST 2021] The intermediate CA cert is in: /usr/local/nginx/conf/ssl/**.com/ca.cer
    [Sun Oct 10 10:51:21 CST 2021] And the full chain certs is there: /usr/local/nginx/conf/ssl/**.com/fullchain.cer
    [Sun Oct 10 10:51:21 CST 2021] Run reload cmd: /etc/init.d/nginx reload
    Reload nginx...  done
    [Sun Oct 10 10:51:21 CST 2021] Reload success
Automatic Nginx+MySQL+PHP installation tool for Linux: https://lnmp.org
Posted on 2021-10-10 20:17:06



You need to modify the code in the Add_Dns_SSL_Only section of the /bin/lnmp script. You also need to register beforehand with the command  /usr/local/acme.sh/acme.sh --server zerossl --register-account  --accountemail <email address>
Original poster | Posted on 2021-10-13 13:37:19



    if [ "${provider}" != "" ]; then
        /usr/local/acme.sh/acme.sh ${acme_sh_sudo} --server zerossl --issue ${letsdomain} --dns ${dns_provider} --reloadcmd "/etc/init.d/nginx reload"
        lets_status=$?
    else
        /usr/local/acme.sh/acme.sh ${acme_sh_sudo} --server zerossl --issue ${letsdomain} --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please


Do I just change these two places to --server zerossl?
Original poster | Posted on 2021-10-13 13:51:49

    [Wed 13 Oct 2021 01:48:47 PM CST] Polling order status: https://acme.zerossl.com/v2/DV90/order/2p1pQ7jGRCk_vITgVE_YNQ
    [Wed 13 Oct 2021 01:48:48 PM CST] Sign error, wrong status
    [Wed 13 Oct 2021 01:48:48 PM CST] {"status":"invalid","expires":"2022-01-11T05:46:11Z","identifiers":[{"type":"dns","value":"xxx.com"},{"type":"dns","value":"*.xxx.com"}],"authorizations":["https://acme.zerossl.com/v2/DV90/authz/ekpDawkeXOevM_L8d1E_OA","https://acme.zerossl.com/v2/DV90/authz/iZC_wpAXFP5m-DDchBw8mA"],"finalize":"https://acme.zerossl.com/v2/DV90/order/2p1pQ7jGRCk_vITgVE_YNQ/finalize"}


Is it that zerossl can no longer issue wildcard certificates?


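Posted on 2021-10-13 15:43:49

木风木 posted on 2021-10-13 13:51
Is it that zerossl can no longer issue wildcard certificates?

Yes
Buypass does not support wildcard domains; zerossl supports wildcard domains
Provide the complete acme.sh.log so I can take a look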
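Original poster | Posted on 2021-10-13 20:03:42

licess posted on 2021-10-13 15:43
Yes
Buypass does not support wildcard domains; zerossl supports wildcard domains
Provide the complete acme.sh.log so I can take a look

军哥, could you please help check this? Many thanks!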

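Original poster | Posted on 2021-10-13 21:11:33

After consulting tutorials online, I finally found that the cause was that the domain had other CAA records.
The fix is also simple:
delete the CAA records, or add zerossl's CAA records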

    **.com. 3600 IN CAA 0 issue "sectigo.com"
    **.com. 3600 IN CAA 0 issuewild "sectigo.com"
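
The CAA cause found in the last post can be checked before running acme.sh. The following is an added example, not part of the thread: a shell function that applies the issue/issuewild rules of RFC 8659 to a set of CAA records and reports whether sectigo.com (the identifier in the poster's records) may issue for a wildcard name. The name example.com and the "before" zone are constructed for illustration.

```shell
#!/bin/sh
# caa_allows CA_ID NAME: reads CAA records on stdin in the zone-file form used
# in the post (also what `dig +noall +answer CAA <domain>` prints) and exits 0
# if CA_ID may issue for NAME, 1 if the records forbid it.
# Simplification: only the issue/issuewild tags are evaluated; the caller must
# supply the RRset of the closest ancestor that has CAA records.
caa_allows() {
    awk -v ca="$1" -v name="$2" '
    $3 == "IN" && $4 == "CAA" {
        tag = tolower($6)
        val = $7
        for (i = 8; i <= NF; i++) val = val " " $i
        gsub(/"/, "", val)        # drop the quotes around the value
        sub(/;.*/, "", val)       # drop parameters; a bare ";" becomes empty
        gsub(/[ \t]/, "", val)
        val = tolower(val)
        if (tag == "issue")     { n_issue++; if (val == ca) ok_issue = 1 }
        if (tag == "issuewild") { n_wild++;  if (val == ca) ok_wild = 1 }
    }
    END {
        wildcard = (substr(name, 1, 2) == "*.")
        # For a wildcard name, issuewild records replace the issue records.
        if (wildcard && n_wild > 0) exit (ok_wild ? 0 : 1)
        if (n_issue > 0) exit (ok_issue ? 0 : 1)
        exit 0                    # no restricting records: any CA may issue
    }'
}

# Constructed sample: a zone that authorises only a different CA.
zone_before() {
    printf '%s\n' 'example.com. 3600 IN CAA 0 issue "letsencrypt.org"'
}
# The two records from the post, with example.com standing in for the name.
zone_after() {
    printf '%s\n' 'example.com. 3600 IN CAA 0 issue "sectigo.com"' \
                  'example.com. 3600 IN CAA 0 issuewild "sectigo.com"'
}

for zone in zone_before zone_after; do
    if "$zone" | caa_allows sectigo.com '*.example.com'; then
        echo "$zone: sectigo.com may issue *.example.com"
    else
        echo "$zone: CAA blocks sectigo.com for *.example.com"
    fi
done
```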