April 8, 2025

Installing acme.sh + Google Public CA for automatic SSL certificate renewal

On the Google Cloud site, create a project (projects) or add a new project, and note its project ID:
https://console.cloud.google.com/home/dashboard

Open the Cloud Shell terminal.

[The following commands are run in Google Cloud Shell]

Assign the IAM role:

    gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
      --member=user:YOUR_EMAIL_ADDRESS \
      --role=roles/publicca.externalAccountKeyCreator

Enable the Public CA API:

    gcloud services enable publicca.googleapis.com

Create an External Account Binding (EAB) key:

    gcloud publicca external-account-keys create

On success you will see:

    Created an external account key [b64MacKey: XXXXXXXXXXXXXX keyId: XXXXXXXXXXXXXXXXXXXXX]

Note down the b64MacKey and the keyId. You must use the EAB key within 7 days of obtaining it; if it is not used within 7 days, the key becomes invalid. An ACME account registered with the EAB key does not expire.

Restore the Cloud Shell API setting; once this is done you can close Cloud Shell:

    gcloud config unset api_endpoint_overrides/publicca

[The following commands are run on your VPS]

Generate dhparam.pem:

    mkdir -p /etc/nginx/ssl
    openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048

-------------------------------------
acme.sh is installed under /root/ by default
-------------------------------------

Install acme.sh:

    curl https://get.acme.sh | sh -s email=YOUR_EMAIL

When the installation finishes, the following message is shown:

    bash has been found. Changing the shebang to use bash as preferred.
    OK
    Install success!

Reload the shell environment:

    source ~/.bashrc

Enable automatic upgrades:

    acme.sh --upgrade --auto-upgrade

This shows:

    Already up to date!
    Upgrade successful!

Switch the default CA to Google Public CA:

    acme.sh --set-default-ca --server google

Before HTTP-01 validation, make sure port 80 is reachable from the outside.

HTTP-01 validation (Nginx):

    mkdir -p /var/www/google

Edit yourdomain.com.conf:

    vi /etc/nginx/sites-available/yourdomain.com.conf

The earlier steps wrote a few lines into this file; delete them and replace them with:

    server {
        listen 80;
        listen [::]:80;
        server_name yourdomain.com;
        location /.well-known/acme-challenge {
            root /var/www/google;
        }
        location / {
            rewrite ^/(.*)$ https://$host/$1 permanent;
        }
    }

Press ESC, then save and quit with :wq

Reload Nginx:

    nginx -t
    systemctl reload nginx

Register the acme.sh account (using the EAB key):

    acme.sh --register-account -m YOUR_EMAIL --server google \
      --eab-kid YOUR_KEY_ID \
      --eab-hmac-key YOUR_B64_MAC_KEY

On success it shows:

    Account key creation OK.
    Registering account: https://dv.acme-v02.api.pki.goog/directory
    Registered
    ACCOUNT_THUMBPRINT='xxxxxxxxxxx'

Issue an ECC SSL certificate:

    acme.sh --issue --ecc -d yourdomain.com -w /var/www/google

On success the certificate files are located as follows:

    Your cert is in: /root/.acme.sh/yourdomain.com_ecc/yourdomain.com.cer
    Your cert key is in: /root/.acme.sh/yourdomain.com_ecc/yourdomain.com.key
    The intermediate CA cert is in: /root/.acme.sh/yourdomain.com_ecc/ca.cer
    And the full-chain cert is in: /root/.acme.sh/yourdomain.com_ecc/fullchain.cer

Install the ECC certificate (Google Public CA ECC certificates are valid for 60 days), typing each line in turn:

    acme.sh --install-cert --ecc -d yourdomain.com \
      --key-file /etc/nginx/ssl/yourdomain.com.key \
      --fullchain-file /etc/nginx/ssl/fullchain.cer \
      --reloadcmd "systemctl reload nginx"

On success it shows:

    Installing key to: /etc/nginx/ssl/yourdomain.com.key
    Installing full chain to: /etc/nginx/ssl/fullchain.cer
    Running reload cmd: systemctl reload nginx
    Reload successful

Check the SSL certificate status:

    acme.sh --list

This shows the certificate's expiry date; renewal will happen automatically:

    Main_Domain KeyLength SAN_Domains Profile CA Created Renew
    yourdomain.com "ec-256" no Google.com 2025-12-18 2026-02-15

Edited January 19 by Jack