Using acme.sh

Requesting a wildcard certificate

No server with a public IP is needed; you only have to prove that the domain is yours (DNS validation).

The DNS providers listed at https://github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_cf can have the record added automatically; for providers not on that list, the TXT record has to be added by hand.

Here the generic approach is used: the record is added manually. Several names can be requested at once, e.g. `-d *.grafana.eu.org -d grafana.eu.org`.

```console
[office-k8s-01][email protected]:~# acme.sh --issue --dns -d *.grafana.eu.org
[Wed Jul 2 17:03:47 CST 2025] It seems that you are using dns manual mode. Read this link first: https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode
[office-k8s-01][email protected]:~# acme.sh --issue --dns -d *.grafana.eu.org --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Wed Jul 2 17:04:59 CST 2025] Using CA: https://acme.zerossl.com/v2/DV90
[Wed Jul 2 17:04:59 CST 2025] Creating domain key
[Wed Jul 2 17:04:59 CST 2025] The domain key is here: /root/.acme.sh/*.grafana.eu.org_ecc/*.grafana.eu.org.key
[Wed Jul 2 17:04:59 CST 2025] Single domain='*.grafana.eu.org'
[Wed Jul 2 17:07:15 CST 2025] Getting webroot for domain='*.grafana.eu.org'
[Wed Jul 2 17:07:15 CST 2025] Add the following TXT record:
[Wed Jul 2 17:07:15 CST 2025] Domain: '_acme-challenge.grafana.eu.org'
[Wed Jul 2 17:07:15 CST 2025] TXT value: 'u4aSBaAlbetG1Wkr_PNffvGgxj6vHZujFNyLyFeVMC0'
[Wed Jul 2 17:07:15 CST 2025] Please make sure to prepend '_acme-challenge.' to your domain
[Wed Jul 2 17:07:15 CST 2025] so that the resulting subdomain is: _acme-challenge.grafana.eu.org
[Wed Jul 2 17:07:15 CST 2025] Please add the TXT records to the domains, and re-run with --renew.
[Wed Jul 2 17:07:15 CST 2025] Please add '--debug' or '--log' to see more information.
[Wed Jul 2 17:07:15 CST 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh


## Manually add the TXT record: _acme-challenge.grafana.eu.org  TXT  u4aSBaAlbetG1Wkr_PNffvGgxj6vHZujFNyLyFeVMC0

[office-k8s-01][email protected]:~# acme.sh --issue --dns -d *.grafana.eu.org --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew
[Wed Jul 2 17:09:12 CST 2025] The domain '*.grafana.eu.org' seems to already have an ECC cert, let's use it.
[Wed Jul 2 17:09:12 CST 2025] Renewing: '*.grafana.eu.org'
[Wed Jul 2 17:09:12 CST 2025] Renewing using Le_API=https://acme.zerossl.com/v2/DV90
[Wed Jul 2 17:09:15 CST 2025] Using CA: https://acme.zerossl.com/v2/DV90
[Wed Jul 2 17:09:15 CST 2025] Single domain='*.grafana.eu.org'
[Wed Jul 2 17:09:15 CST 2025] Verifying: *.grafana.eu.org
[Wed Jul 2 17:09:50 CST 2025] Processing. The CA is processing your order, please wait. (1/30)
[Wed Jul 2 17:10:21 CST 2025] Success
[Wed Jul 2 17:10:21 CST 2025] Verification finished, beginning signing.
[Wed Jul 2 17:10:21 CST 2025] Let's finalize the order.
[Wed Jul 2 17:10:21 CST 2025] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/JoDGS0BAiPIBTdNwRu5oNA/finalize'
[Wed Jul 2 17:10:55 CST 2025] Order status is 'processing', let's sleep and retry.
[Wed Jul 2 17:10:55 CST 2025] Sleeping for 15 seconds then retrying
[Wed Jul 2 17:11:11 CST 2025] Polling order status: https://acme.zerossl.com/v2/DV90/order/JoDGS0BAiPIBTdNwRu5oNA
[Wed Jul 2 17:11:14 CST 2025] Downloading cert.
[Wed Jul 2 17:11:14 CST 2025] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/XUI_bZ_CfvW42--xLMj_ZA'
[Wed Jul 2 17:11:15 CST 2025] Cert success.
-----BEGIN CERTIFICATE-----
MIIECTCCA4+gAwIBAgIRAIfRQ6hPRFKW6tFOW1q96hwwCgYIKoZIzj0EAwMwSzEL
MAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9TU0wg
RUNDIERvbWFpbiBTZWN1cmUgU2l0ZSBDQTAeFw0yNTA3MDIwMDAwMDBaFw0yNTA5
MzAyMzU5NTlaMB4xHDAaBgNVBAMMEyouZG9rcGxveS5ob255LmxvdmUwWTATBgcq
hkjOPQIBBggqhkjOPQMBBwNCAAT0F8Z5AEOIWX67yb/l3qGj6ngiu+RUg8dzeke/
Zq4+367XS0bvDf4hvFkCDj+hwkxjaf6vmOeeQVU4MbZJmhq2o4ICfzCCAnswHwYD
VR0jBBgwFoAUD2vmS845R672fpAeefAwkZLIX6MwHQYDVR0OBBYEFEcm3Rj4kxRu
Lj5cfEZXtoqSoImCMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQBsjEB
AgJOMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeB
DAECATCBiAYIKwYBBQUHAQEEfDB6MEsGCCsGAQUFBzAChj9odHRwOi8vemVyb3Nz
bC5jcnQuc2VjdGlnby5jb20vWmVyb1NTTEVDQ0RvbWFpblNlY3VyZVNpdGVDQS5j
cnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly96ZXJvc3NsLm9jc3Auc2VjdGlnby5jb20w
ggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgDd3Mo0ldfhFgXnlTL6x5/4PRxQ39sA
OhQSdgosrLvIKgAAAZfKZ12zAAAEAwBHMEUCIQDdy145LFaIJPu7+GAw5CDH17Qj
0LspxH2Is7nzJ23/EgIga0ICn4NvC+1zn+4CuYUwhgjLoSH4m38VpJeY+So4HJ0A
dgAN4fIwK9MNwUBiEgnqVS78R3R8sdfpMO8OQh60fk6qNAAAAZfKZ12JAAAEAwBH
MEUCIQC6cx5ub4tepIZtpCoZ8srAwdviK9hS5bIRHABf3tx7swIgSZFJx/+SXMuR
24mtUIjGNAw04viIJsjyC4Utr0hIq5UwHgYDVR0RBBcwFYITKi5kb2twbG95Lmhv
bnkubG92ZTAKBggqhkjOPQQDAwNoADBlAjBeqUcSFagFKtxmKnhiw1zJMUIh5RIj
t6CftSj9bvcxv8W8p8posPEsVv++PnZVEhMCMQCfecDMrxKZPgBajDc8TKVgjGNR
1K5f6KEC5udPC264J4cm0JXROAXsxqPIbj9r/Y0=
-----END CERTIFICATE-----
[Wed Jul 2 17:11:15 CST 2025] Your cert is in: /root/.acme.sh/*.grafana.eu.org_ecc/*.grafana.eu.org.cer
[Wed Jul 2 17:11:15 CST 2025] Your cert key is in: /root/.acme.sh/*.grafana.eu.org_ecc/*.grafana.eu.org.key
[Wed Jul 2 17:11:15 CST 2025] The intermediate CA cert is in: /root/.acme.sh/*.grafana.eu.org_ecc/ca.cer
[Wed Jul 2 17:11:15 CST 2025] And the full-chain cert is in: /root/.acme.sh/*.grafana.eu.org_ecc/fullchain.cer
```

Certificate details

1. Certificate (leaf only): `/root/.acme.sh/*.grafana.eu.org_ecc/*.grafana.eu.org.cer` contains only your domain's certificate, without the CA chain.
2. Private key: `/root/.acme.sh/*.grafana.eu.org_ecc/*.grafana.eu.org.key` is the key matching the certificate; the server uses it in the TLS handshake once deployed.
3. Intermediate certificate (CA): `/root/.acme.sh/*.grafana.eu.org_ecc/ca.cer` is the issuing CA's intermediate certificate (the text says Let's Encrypt; the log above shows the order went to ZeroSSL).
4. Full chain (fullchain): `/root/.acme.sh/*.grafana.eu.org_ecc/fullchain.cer` is the leaf certificate followed by the intermediate.

Normally you deploy 2 and 4.

Renewal

```console
[office-k8s-01][email protected]:~# /root/.acme.sh/acme.sh --renew -d "*.grafana.eu.org"  --force --home "/root/.acme.sh"  --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Fri Sep 26 15:13:53 CST 2025] The domain '*.grafana.eu.org' seems to already have an ECC cert, let's use it.
[Fri Sep 26 15:13:53 CST 2025] Renewing: '*.grafana.eu.org'
[Fri Sep 26 15:13:53 CST 2025] Renewing using Le_API=https://acme.zerossl.com/v2/DV90
[Fri Sep 26 15:13:57 CST 2025] Using CA: https://acme.zerossl.com/v2/DV90
[Fri Sep 26 15:13:57 CST 2025] Single domain='*.grafana.eu.org'
[Fri Sep 26 15:14:04 CST 2025] Getting webroot for domain='*.grafana.eu.org'
[Fri Sep 26 15:14:04 CST 2025] Add the following TXT record:
[Fri Sep 26 15:14:04 CST 2025] Domain: '_acme-challenge.grafana.eu.org'
[Fri Sep 26 15:14:04 CST 2025] TXT value: 'WnQ-RrNUIFXXt2beMTgTFxI46nfe0KjcGmXKk8enbXs'
[Fri Sep 26 15:14:04 CST 2025] Please make sure to prepend '_acme-challenge.' to your domain
[Fri Sep 26 15:14:04 CST 2025] so that the resulting subdomain is: _acme-challenge.grafana.eu.org
[Fri Sep 26 15:14:04 CST 2025] Please add the TXT records to the domains, and re-run with --renew.
[Fri Sep 26 15:14:04 CST 2025] Please add '--debug' or '--log' to see more information.
[Fri Sep 26 15:14:04 CST 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Fri Sep 26 15:14:04 CST 2025] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
```

Update the TXT record

```console
[office-k8s-01][email protected]:~# nslookup -q=TXT _acme-challenge.grafana.eu.org
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
_acme-challenge.grafana.eu.org text = "WnQ-RrNUIFXXt2beMTgTFxI46nfe0KjcGmXKk8enbXs"

Authoritative answers can be found from:
```
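The nslookup above asks the local stub resolver (127.0.0.53), which can hand back a cached or negative answer, while the CA validates against the zone's authoritative nameservers. The following script is an added example (not part of acme.sh or this post) that parses nslookup or `dig +short` output and polls the first authoritative NS until the expected value is present, so the `--renew` run is not wasted on a record that has not propagated yet. Function names are this example's own; the nslookup and dig output formats are real.

```shell
#!/bin/sh
# Added example: confirm the _acme-challenge TXT record is visible at the authoritative
# nameserver before re-running acme.sh --renew. Function names are assumptions of this example.

# extract_txt: read nslookup ("name  text = "v"") or `dig +short` ("v") output on stdin,
# print the bare TXT values, one per line.
extract_txt() {
    sed -n -e 's/.*text = "\([^"]*\)".*/\1/p' \
           -e 's/^"\([^"]*\)"$/\1/p'
}

# txt_contains EXPECTED: succeed only if EXPECTED is exactly one of the TXT values on stdin.
# -x forbids partial matches, -F treats the value literally (it contains '-' and '_').
txt_contains() {
    extract_txt | grep -qxF -- "$1"
}

# wait_for_txt NAME EXPECTED [ZONE] [TRIES]: poll the zone's first authoritative NS every
# 15 s (network; needs dig). ZONE defaults to NAME without the leading _acme-challenge. label.
wait_for_txt() {
    name=$1; expected=$2; zone=${3:-${name#_acme-challenge.}}; tries=${4:-20}
    ns=$(dig +short NS "$zone" | head -n 1)
    [ -n "$ns" ] || { echo "no NS record found for $zone" >&2; return 2; }
    i=0
    while [ "$i" -lt "$tries" ]; do
        if dig +short TXT "$name" "@$ns" | txt_contains "$expected"; then
            echo "$name carries the expected value at $ns; safe to run --renew"
            return 0
        fi
        i=$((i + 1))
        sleep 15
    done
    echo "gave up: $name does not carry the expected value at $ns" >&2
    return 1
}

# Usage (the value is the one acme.sh printed in the renewal run above):
#   wait_for_txt _acme-challenge.grafana.eu.org WnQ-RrNUIFXXt2beMTgTFxI46nfe0KjcGmXKk8enbXs \
#     && /root/.acme.sh/acme.sh --renew -d "*.grafana.eu.org" --force \
#          --yes-I-know-dns-manual-mode-enough-go-ahead-please
```

Querying the authoritative server directly sidesteps resolver caching; if an older `_acme-challenge` value from a previous issuance is still published, `txt_contains` only succeeds when the new one is also there, which is what the CA needs.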

Then run it again

```console
[office-k8s-01][email protected]:~# /root/.acme.sh/acme.sh --renew -d "*.grafana.eu.org" --force --home "/root/.acme.sh"  --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Fri Sep 26 15:24:57 CST 2025] The domain '*.grafana.eu.org' seems to already have an ECC cert, let's use it.
[Fri Sep 26 15:24:57 CST 2025] Renewing: '*.grafana.eu.org'
[Fri Sep 26 15:24:57 CST 2025] Renewing using Le_API=https://acme.zerossl.com/v2/DV90
[Fri Sep 26 15:24:58 CST 2025] Using CA: https://acme.zerossl.com/v2/DV90
[Fri Sep 26 15:24:58 CST 2025] Single domain='*.grafana.eu.org'
[Fri Sep 26 15:24:58 CST 2025] Verifying: *.grafana.eu.org
[Fri Sep 26 15:25:02 CST 2025] Processing. The CA is processing your order, please wait. (1/30)
[Fri Sep 26 15:25:12 CST 2025] Success
[Fri Sep 26 15:25:12 CST 2025] Verification finished, beginning signing.
[Fri Sep 26 15:25:12 CST 2025] Let's finalize the order.
[Fri Sep 26 15:25:12 CST 2025] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/7N_P3dm1FWxlEZezBm3DOQ/finalize'
[Fri Sep 26 15:25:13 CST 2025] Order status is 'processing', let's sleep and retry.
[Fri Sep 26 15:25:13 CST 2025] Sleeping for 15 seconds then retrying
[Fri Sep 26 15:25:29 CST 2025] Polling order status: https://acme.zerossl.com/v2/DV90/order/JoDGS0BAiPIBTdNwRu5oNA
[Fri Sep 26 15:25:32 CST 2025] Downloading cert.
[Fri Sep 26 15:25:32 CST 2025] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/XUI_bZ_CfvW42--xLMj_ZA'
[Fri Sep 26 15:25:36 CST 2025] Cert success.
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
[Fri Sep 26 15:25:36 CST 2025] Your cert is in: /root/.acme.sh/*.grafana.eu.org_ecc/*.grafana.eu.org.cer
[Fri Sep 26 15:25:36 CST 2025] Your cert key is in: /root/.acme.sh/*.grafana.eu.org_ecc/*.grafana.eu.org.key
[Fri Sep 26 15:25:36 CST 2025] The intermediate CA cert is in: /root/.acme.sh/*.grafana.eu.org_ecc/ca.cer
[Fri Sep 26 15:25:36 CST 2025] And the full-chain cert is in: /root/.acme.sh/*.grafana.eu.org_ecc/fullchain.cer

[office-k8s-01][email protected]:~# openssl x509 -in /root/.acme.sh/*.grafana.eu.org_ecc/fullchain.cer -noout -dates
notBefore=Sep 26 00:00:00 2025 GMT
notAfter=Dec 25 23:59:59 2025 GMT
```
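As the renewal log says, DNS manual mode cannot renew on its own, so the only thing standing between you and an expired wildcard is a reminder. The script below is an added example (not acme.sh code and not from this post) that turns the `notAfter=` line printed by `openssl x509 -enddate` into "days left" and warns when that drops under a threshold; it is meant to run from cron. The date arithmetic is done in plain POSIX shell with Hinnant's days-from-civil formula, so it does not depend on GNU `date`. Function names and the cron path are this example's assumptions; the openssl flags and output format are real.

```shell
#!/bin/sh
# Added example: warn before a manually issued certificate runs out.
# Function names are assumptions of this example, not acme.sh's.

# month_number Sep -> 9 (openssl prints abbreviated English month names)
month_number() {
    case $1 in
        Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) echo "bad month: $1" >&2; return 1 ;;
    esac
}

# days_from_civil Y M D -> days since 1970-01-01 (proleptic Gregorian, Hinnant's algorithm),
# so no GNU date and no timezone handling is needed.
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# days_until_expiry "notAfter=Dec 25 23:59:59 2025 GMT" 2025-09-26 -> 90
# The second argument is the reference date (YYYY-MM-DD) so results are reproducible.
days_until_expiry() {
    ref=$2
    set -- ${1#notAfter=}      # -> Dec 25 23:59:59 2025 GMT; field splitting drops day padding
    expd=$(days_from_civil "$4" "$(month_number "$1")" "$2")
    ry=${ref%%-*}; rest=${ref#*-}; rmo=${rest%%-*}; rdy=${rest#*-}
    now=$(days_from_civil "$ry" "${rmo#0}" "${rdy#0}")   # strip a leading zero: 09 is not octal here
    echo $((expd - now))
}

# check_cert_expiry FILE [WARN_DAYS]: print days left; return 1 with a warning when FILE
# expires within WARN_DAYS (default 14), which is the cue to re-issue by hand.
check_cert_expiry() {
    file=$1; warn=${2:-14}
    enddate=$(openssl x509 -in "$file" -noout -enddate) || return 2
    left=$(days_until_expiry "$enddate" "$(date -u +%Y-%m-%d)")
    if [ "$left" -le "$warn" ]; then
        echo "WARNING: $file expires in $left day(s); re-run the manual DNS issuance" >&2
        return 1
    fi
    echo "$file: $left day(s) left"
}

# Cron entry for root (path to this script is an assumption):
#   0 8 * * * /root/bin/check_cert_expiry.sh /root/.acme.sh/grafana.eu.org_ecc/fullchain.cer 14
if [ -n "${1:-}" ]; then check_cert_expiry "$@"; fi
```

A non-zero exit from cron is what most mail or alerting setups key on; pointing the check at the file nginx actually serves (the installed `fullchain.cer`) rather than at acme.sh's working copy catches the case where a renewal succeeded but `--install-cert` never ran.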

Using it with nginx

```shell
# --install-cert copies the issued files to the given destination paths and records the
# reloadcmd so acme.sh re-runs it after every renewal. The -d value must be the name that
# was issued above; quote the wildcard so the shell does not expand it as a glob.
acme.sh --install-cert -d "*.grafana.eu.org" --ecc \
  --key-file /root/.acme.sh/grafana.eu.org_ecc/grafana.eu.org.key \
  --fullchain-file /root/.acme.sh/grafana.eu.org_ecc/fullchain.cer \
  --reloadcmd "docker restart nginx"
```
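`docker restart nginx` as the reloadcmd drops every open connection and, if the freshly copied files are wrong, leaves nginx down until someone notices. The script below is an added example (not acme.sh code and not from this post) of a reloadcmd that checks the installed files first and then does a graceful reload. It assumes nginx runs in a container named `nginx` (as in the command above) with the certificate directory bind-mounted at the same path, and that `openssl` is on the host; function names and the script path are this example's own, the openssl and nginx flags are real.

```shell
#!/bin/sh
# Added example: a reloadcmd that validates before reloading.
# Install with:  --reloadcmd "/root/bin/nginx-reload.sh reload"   (path is an assumption)

CERT_DIR=/root/.acme.sh/grafana.eu.org_ecc
FULLCHAIN=$CERT_DIR/fullchain.cer
KEY=$CERT_DIR/grafana.eu.org.key

# pem_block_count FILE: number of certificates in a PEM bundle (0 if unreadable).
# A full chain is the leaf plus at least one intermediate; anything below 2 means the
# single-cert .cer file was installed instead of fullchain.cer.
pem_block_count() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null)
    echo "${n:-0}"
}

# key_matches_cert KEY CERT: the private key must belong to the leaf certificate
# (the first block in the bundle) or nginx refuses to load the pair. Both commands
# print the SubjectPublicKeyInfo as PEM, so the two outputs must be identical.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# deploy_check_and_reload: refuse to touch nginx unless the files are sane and the
# config test passes; then reload so in-flight requests finish on the old workers.
deploy_check_and_reload() {
    n=$(pem_block_count "$FULLCHAIN")
    if [ "$n" -lt 2 ]; then
        echo "$FULLCHAIN holds $n certificate(s); expected leaf + intermediate" >&2
        return 1
    fi
    if ! key_matches_cert "$KEY" "$FULLCHAIN"; then
        echo "$KEY does not match the leaf certificate in $FULLCHAIN" >&2
        return 1
    fi
    if ! docker exec nginx nginx -t; then
        echo "nginx config test failed; not reloading" >&2
        return 1
    fi
    docker exec nginx nginx -s reload
}

case ${1:-} in
    reload) deploy_check_and_reload ;;
esac
```

Because acme.sh stores the reloadcmd and runs it after each future renewal, a failing check here makes the renewal step itself report an error instead of silently swapping in a broken pair.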

nginx configuration

```nginx
server {
    listen 443 ssl;
    # Note: the certificate issued above has the single name *.grafana.eu.org, which does not
    # cover the apex grafana.eu.org; issue with "-d *.grafana.eu.org -d grafana.eu.org"
    # (as mentioned at the top) if this server_name is to be served with it.
    server_name grafana.eu.org;

    # The files written by acme.sh --install-cert; nginx reads them as root at start/reload
    ssl_certificate     /root/.acme.sh/grafana.eu.org_ecc/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/grafana.eu.org_ecc/grafana.eu.org.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_redirect off;
        proxy_pass http://127.0.0.1:5244;

        client_max_body_size 20000m;
    }
}

# Force HTTP to redirect to HTTPS (optional)
server {
    listen 80;
    server_name grafana.eu.org;
    return 301 https://$host$request_uri;
}
```