syno-acme
syno-acme v0.2.1 and v0.3.0: acme.sh 2.8.6 can no longer renew certificates (solved, code included)
When renewing with syno-acme v0.2.1, acme.sh fails with: Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
acme.sh has been updated to v3.0.2; syno-acme v0.2.1 and v0.3.0 still ship acme.sh v2.8.6, which can no longer renew certificates.
Root cause: the CA root certificate bundle built into DSM has recently expired, so no SSL connection can be established when renewing the Let's Encrypt certificate, and curl reports error code 60. The fix is simply to update the CA root certificate bundle built into DSM.
How to update the root certificates: https://github.com/andyzhshg/syno-acme/issues/77#issuecomment-993339870
Small syno-acme optimization: https://github.com/andyzhshg/syno-acme/issues/77#issuecomment-984407513
I tried following these steps; there is one small issue.
Between step four and step five you need to add your ZeroSSL email to ~/.acme.sh/account.conf:
```bash
ACCOUNT_EMAIL='[email protected]'
```
Then run step five, and you will see this in the log:
```
[Wed Dec 1 16:05:47 CST 2021] Registering account: https://acme.zerossl.com/v2/DV90
[Wed Dec 1 16:05:51 CST 2021] Registered
[Wed Dec 1 16:05:51 CST 2021] ACCOUNT_THUMBPRINT='xW-ukwACe0beTp7Ml_V05_ZePxDxZ1TpnH2Fmii6-9M'
```
This shows that the ZeroSSL account registration succeeded and certificate generation has started.
I used PuTTY to go into the acme.sh directory and ran `acme.sh --register-account -m your_email --server zerossl`; after that, `cert-up.sh update` obtained the certificate. It seems that command adds the record automatically, so there is no need to add ACCOUNT_EMAIL='[email protected]' by hand.
Thanks to you both; I combined the two approaches and it worked. Also, could one use jikkyfu's code from #75 instead, given that later acme.sh versions may be released at any time?
His code has redundant, duplicated comments, and ACME_SH_ADDRESS is wrapped in '' quotes, so the request fails. Here is my version, which changes less relative to the original:
```bash
# ACME_SH_ADDRESS=`curl -L https://cdn.jsdelivr.net/gh/andyzhshg/syno-acme@master/acme.sh.address`
version=`wget -qO- -t1 -T2 "https://api.github.com/repos/acmesh-official/acme.sh/releases/latest" | grep "tag_name" | head -n 1 | awk -F ":" '{print $2}' | sed 's/\"//g;s/,//g;s/ //g'`
ACME_SH_ADDRESS=https://github.com/acmesh-official/acme.sh/archive/${version}.tar.gz
```
This only comments out line 32 and replaces it with the two lines above, which fetch the version number of the latest release and build the download address for that version. The ACME_SH_ADDRESS address can be changed as you like, but it must not be quoted.
I only did that to make it easy to tell what I changed; it is simple enough to see by checking against the source, isn't it? Please respect other people's work.
Sorry, brother; I will watch my wording in future. I used a direct link; your way of fetching the latest version number is indeed something I should learn from.
Would some expert be willing to put together a ready-to-use file for download?
The simplest method
Step 1: Register an account with your email on the ZeroSSL website. ZeroSSL calls Google services during registration, so you may need a VPN to complete it.
Step 2: Change the ACME_SH_ADDRESS in cert-up.sh to the address of the latest acme.sh 3.0.0+ release, or to a domestic (China) mirror address:
```bash
ACME_SH_ADDRESS=https://github.com/acmesh-official/acme.sh/archive/3.0.1.tar.gz
```
Step 3: In the config file, add the email you registered with ZeroSSL:
```bash
# ZeroSSL registered email
export ACCOUNT_EMAIL="[email protected]"
```
Step 4: Set up the scheduled update task and run it once; the ZeroSSL certificate renewal is then complete.
According to https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA you can register with: acme.sh --register-account -m [email protected] --server zerossl
I tried that above; it has now been optimized. The detailed adjustments are as follows:
1. In the config file, add settings for the certificate provider and the registration email. acme.sh v3.0.0+ defaults the certificate provider to ZeroSSL, so a config option is added to choose zerossl or letsencrypt:
```bash
# certificate provider: zerossl or letsencrypt
export CERT_SERVER=letsencrypt
# ZeroSSL registered email account
export ACCOUNT_EMAIL="[email protected]"
```
Setting CERT_SERVER to zerossl or letsencrypt selects the certificate provider. When set to zerossl: ACCOUNT_EMAIL must be set, and renewals are served by ZeroSSL. When set to letsencrypt: renewals are served by Let's Encrypt; if you get the code:60 error (SSL connection cannot be established), update the CA root certificate bundle built into DSM.
2. In cert-up.sh, modify the installAcme () {} function and add a versionLt () {} function. This fixes the repeated download-and-install problem and adds an automatic check for new acme.sh releases; when a newer version exists, acme.sh is upgraded automatically.
```bash
# versionLt A B: true when A is lower than B (natural version ordering)
versionLt () { test "$(echo "$@" | tr " " "\n" | sort -rV | head -n 1)" != "$1"; }

installAcme () {
  ALLOW_INSTALL=false
  ACME_SH_FILE=${ACME_BIN_PATH}/acme.sh
  # latest release tag from the GitHub API (empty if the request fails)
  ACME_SH_NEW_VERSION=$(wget -qO- -t1 -T2 "https://api.github.com/repos/acmesh-official/acme.sh/releases/latest" | grep "tag_name" | head -n 1 | awk -F ":" '{print $2}' | sed 's/\"//g;s/,//g;s/ //g')
  ACME_SH_ADDRESS=https://mirror.ghproxy.com/https://github.com/acmesh-official/acme.sh/archive/${ACME_SH_NEW_VERSION}.tar.gz
  if [ -z "${ACME_SH_NEW_VERSION}" ]; then
    echo 'unable to get new version number'
    return 0
  fi
  if [ ! -f "${ACME_SH_FILE}" ]; then
    ALLOW_INSTALL=true
    echo 'acme not installed, start install'
  else
    # installed version from the VER= line of acme.sh (anchored so only that line matches)
    ACME_SH_VERSION=$(grep "^VER=" ${ACME_SH_FILE} | head -n 1 | awk -F "=" '{print $2}' | sed 's/\"//g;s/,//g;s/ //g')
    if versionLt ${ACME_SH_VERSION} ${ACME_SH_NEW_VERSION}; then
      ALLOW_INSTALL=true
      echo 'acme has a new version, start updating'
    else
      echo 'skip acme installation'
    fi
  fi
  if [ "${ALLOW_INSTALL}" = true ]; then
    echo 'in progress...'
    mkdir -p ${TEMP_PATH}
    cd ${TEMP_PATH}
    echo 'begin downloading acme.sh tool...'
    # ACME_SH_ADDRESS=`curl -L https://cdn.jsdelivr.net/gh/andyzhshg/syno-acme@master/acme.sh.address`
    SRC_TAR_NAME=acme.sh.tar.gz
    curl -L -o ${SRC_TAR_NAME} ${ACME_SH_ADDRESS}
    SRC_NAME=`tar -tzf ${SRC_TAR_NAME} | head -1 | cut -f1 -d"/"`
    tar zxvf ${SRC_TAR_NAME}
    echo 'begin installing acme.sh tool...'
    cd ${SRC_NAME}
    ./acme.sh --install --nocron --home ${ACME_BIN_PATH}
    echo 'done installAcme'
    rm -rf ${TEMP_PATH}
  fi
  return 0
}
```
3. In cert-up.sh, modify the generateCrt () {} function: add code to register the ZeroSSL account automatically, and append --server ${CERT_SERVER} after ... acme.sh --force --log --issue
```bash
generateCrt () {
  echo 'begin generateCrt'
  cd ${BASE_ROOT}
  source ./config
  # add register zerossl account
  if [ "${CERT_SERVER}" = 'zerossl' ]; then
    echo 'register zerossl account'
    ${ACME_BIN_PATH}/acme.sh --register-account -m ${ACCOUNT_EMAIL} --server zerossl
  fi
  echo 'begin updating default cert by acme.sh tool'
  source ${ACME_BIN_PATH}/acme.sh.env
  # ${ACME_BIN_PATH}/acme.sh --force --log --issue --dns ${DNS} --dnssleep ${DNS_SLEEP} -d "${DOMAIN}" -d "*.${DOMAIN}"
  ${ACME_BIN_PATH}/acme.sh --force --log --issue --server ${CERT_SERVER} --dns ${DNS} --dnssleep ${DNS_SLEEP} -d "${DOMAIN}" -d "*.${DOMAIN}"
  ${ACME_BIN_PATH}/acme.sh --force --installcert -d "${DOMAIN}" -d "*.${DOMAIN}" \
    --certpath ${CRT_PATH}/cert.pem \
    --key-file ${CRT_PATH}/privkey.pem \
    --fullchain-file ${CRT_PATH}/fullchain.pem
  if [ -s "${CRT_PATH}/cert.pem" ]; then
    echo 'done generateCrt'
    return 0
  else
    echo '[ERR] fail to generateCrt'
    echo "begin revert"
    revertCrt
    exit 1;
  fi
}
```
4. Set up the scheduled update task and run it once; the certificate renewal then completes automatically.
The final code is attached in the post below; copy the code for your version.
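As an added example (not code from this thread or from syno-acme), the install/update decision inside installAcme above is pulled out into a stand-alone, testable function. It covers the case the posted script does not: when the GitHub API returns nothing (rate limit, no network) and acme.sh is not installed yet, installAcme prints "unable to get new version number" and returns 0, and the later `source acme.sh.env` fails; here a pinned fallback version is installed instead. PINNED_VERSION and the function names are assumptions of this example; the VER= match is anchored and a possible "v" prefix on the tag name is stripped.

```shell
#!/bin/sh
# Added example, not part of syno-acme: decide what installAcme should do given the
# locally installed acme.sh version and the tag_name returned by the GitHub API.
# PINNED_VERSION is an assumed fallback used only when the API gives no answer and
# there is no local copy to keep.
PINNED_VERSION="3.0.2"

# Strip whitespace, quotes and commas left over from the JSON, and a leading "v".
normalize_version() {
  printf '%s' "$1" | tr -d ' "\t,' | sed 's/^v//'
}

# version_lt A B: true when A sorts strictly below B in natural version order.
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# decide_install LOCAL REMOTE -> prints "install <ver>", "update <ver>" or "skip".
decide_install() {
  local_ver=$(normalize_version "$1")
  remote_ver=$(normalize_version "$2")
  if [ -z "$remote_ver" ]; then
    # API unavailable: never leave the NAS without acme.sh, but never "upgrade" blindly.
    if [ -z "$local_ver" ]; then
      echo "install $PINNED_VERSION"
    else
      echo "skip"
    fi
    return 0
  fi
  if [ -z "$local_ver" ]; then
    echo "install $remote_ver"
  elif version_lt "$local_ver" "$remote_ver"; then
    echo "update $remote_ver"
  else
    echo "skip"
  fi
}

# local_acme_version FILE: the VER= value from an installed acme.sh, anchored to the
# line start so that names such as SERVER= can never match.
local_acme_version() {
  [ -f "$1" ] && sed -n 's/^VER=//p' "$1" | head -n 1
}
```

Whatever the decision, the tarball should then come from a source you are willing to trust with the machine that holds your private keys: fetching through a third-party proxy such as mirror.ghproxy.com, as the script above does, puts that proxy inside your trust boundary, whereas the pinned github.com address from the earlier comment keeps it smaller.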
Final code: for cert-up.sh, copy the version matching your own syno-acme v0.2.1 / v0.3.0 DSM 7.0 beta.
1. The config file
```bash
# your main domain, e.g. baidu.com or sina.com.cn
export DOMAIN=your_domain
# DNS type, depending on your DNS provider
export DNS=dns_xxx
# wait time for the DNS API change to take effect (seconds)
# some providers' APIs take longer to propagate; raise this value (e.g. 900) if needed
export DNS_SLEEP=120
# Aliyun DNS=dns_ali
export Ali_Key="LTqIA87hOKdjevsf5"
export Ali_Secret="0p5EYueFNq501xnCPzKNbx6K51qPH2"
# Dnspod DNS=dns_dp
export DP_Id="1234"
export DP_Key="sADDsdasdgdsf"
# Godaddy DNS=dns_gd
export GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export GD_Secret="asdfsdfsfsdfsdfdfsdf"
# AWS DNS=dns_aws
export AWS_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje"
export AWS_SECRET_ACCESS_KEY="xxxxxxx"
# Linode DNS=dns_linode
export LINODE_API_KEY="xxxxxxxx"
# certificate provider: zerossl or letsencrypt
export CERT_SERVER=letsencrypt
# ZeroSSL registered email account
export ACCOUNT_EMAIL="[email protected]"
```
2. cert-up.sh for syno-acme v0.2.1
```bash
#!/bin/bash
# path of this script
BASE_ROOT=$(cd "$(dirname "$0")";pwd)
# date time
DATE_TIME=`date +%Y%m%d%H%M%S`
# base crt path
CRT_BASE_PATH="/usr/syno/etc/certificate"
PKG_CRT_BASE_PATH="/usr/local/etc/certificate"
#CRT_BASE_PATH="/Users/carl/Downloads/certificate"
ACME_BIN_PATH=${BASE_ROOT}/acme.sh
TEMP_PATH=${BASE_ROOT}/temp
CRT_PATH_NAME=`cat ${CRT_BASE_PATH}/_archive/DEFAULT`
CRT_PATH=${CRT_BASE_PATH}/_archive/${CRT_PATH_NAME}

backupCrt () {
  echo 'begin backupCrt'
  BACKUP_PATH=${BASE_ROOT}/backup/${DATE_TIME}
  mkdir -p ${BACKUP_PATH}
  cp -r ${CRT_BASE_PATH} ${BACKUP_PATH}
  cp -r ${PKG_CRT_BASE_PATH} ${BACKUP_PATH}/package_cert
  echo ${BACKUP_PATH} > ${BASE_ROOT}/backup/latest
  echo 'done backupCrt'
  return 0
}

# versionLt A B: true when A is lower than B (natural version ordering)
versionLt () { test "$(echo "$@" | tr " " "\n" | sort -rV | head -n 1)" != "$1"; }

installAcme () {
  ALLOW_INSTALL=false
  ACME_SH_FILE=${ACME_BIN_PATH}/acme.sh
  # latest release tag from the GitHub API (empty if the request fails)
  ACME_SH_NEW_VERSION=$(wget -qO- -t1 -T2 "https://api.github.com/repos/acmesh-official/acme.sh/releases/latest" | grep "tag_name" | head -n 1 | awk -F ":" '{print $2}' | sed 's/\"//g;s/,//g;s/ //g')
  ACME_SH_ADDRESS=https://mirror.ghproxy.com/https://github.com/acmesh-official/acme.sh/archive/${ACME_SH_NEW_VERSION}.tar.gz
  if [ -z "${ACME_SH_NEW_VERSION}" ]; then
    echo 'unable to get new version number'
    return 0
  fi
  if [ ! -f "${ACME_SH_FILE}" ]; then
    ALLOW_INSTALL=true
    echo 'acme not installed, start install'
  else
    # installed version from the VER= line of acme.sh (anchored so only that line matches)
    ACME_SH_VERSION=$(grep "^VER=" ${ACME_SH_FILE} | head -n 1 | awk -F "=" '{print $2}' | sed 's/\"//g;s/,//g;s/ //g')
    if versionLt ${ACME_SH_VERSION} ${ACME_SH_NEW_VERSION}; then
      ALLOW_INSTALL=true
      echo 'acme has a new version, start updating'
    else
      echo 'skip acme installation'
    fi
  fi
  if [ "${ALLOW_INSTALL}" = true ]; then
    echo 'in progress...'
    mkdir -p ${TEMP_PATH}
    cd ${TEMP_PATH}
    echo 'begin downloading acme.sh tool...'
    # ACME_SH_ADDRESS=`curl -L https://cdn.jsdelivr.net/gh/andyzhshg/syno-acme@master/acme.sh.address`
    SRC_TAR_NAME=acme.sh.tar.gz
    curl -L -o ${SRC_TAR_NAME} ${ACME_SH_ADDRESS}
    SRC_NAME=`tar -tzf ${SRC_TAR_NAME} | head -1 | cut -f1 -d"/"`
    tar zxvf ${SRC_TAR_NAME}
    echo 'begin installing acme.sh tool...'
    cd ${SRC_NAME}
    ./acme.sh --install --nocron --home ${ACME_BIN_PATH}
    echo 'done installAcme'
    rm -rf ${TEMP_PATH}
  fi
  return 0
}

generateCrt () {
  echo 'begin generateCrt'
  cd ${BASE_ROOT}
  source ./config
  # add register zerossl account
  if [ "${CERT_SERVER}" = 'zerossl' ]; then
    echo 'register zerossl account'
    ${ACME_BIN_PATH}/acme.sh --register-account -m ${ACCOUNT_EMAIL} --server zerossl
  fi
  echo 'begin updating default cert by acme.sh tool'
  source ${ACME_BIN_PATH}/acme.sh.env
  # ${ACME_BIN_PATH}/acme.sh --force --log --issue --dns ${DNS} --dnssleep ${DNS_SLEEP} -d "${DOMAIN}" -d "*.${DOMAIN}"
  ${ACME_BIN_PATH}/acme.sh --force --log --issue --server ${CERT_SERVER} --dns ${DNS} --dnssleep ${DNS_SLEEP} -d "${DOMAIN}" -d "*.${DOMAIN}"
  ${ACME_BIN_PATH}/acme.sh --force --installcert -d "${DOMAIN}" -d "*.${DOMAIN}" \
    --certpath ${CRT_PATH}/cert.pem \
    --key-file ${CRT_PATH}/privkey.pem \
    --fullchain-file ${CRT_PATH}/fullchain.pem
  if [ -s "${CRT_PATH}/cert.pem" ]; then
    echo 'done generateCrt'
    return 0
  else
    echo '[ERR] fail to generateCrt'
    echo "begin revert"
    revertCrt
    exit 1;
  fi
}

updateService () {
  echo 'begin updateService'
  echo 'cp cert path to des'
  /bin/python2 ${BASE_ROOT}/crt_cp.py ${CRT_PATH_NAME}
  echo 'done updateService'
}

reloadWebService () {
  echo 'begin reloadWebService'
  echo 'reloading new cert...'
  /usr/syno/etc/rc.sysv/nginx.sh reload
  echo 'reloading Apache 2.2'
  stop pkg-apache22
  start pkg-apache22
  reload pkg-apache22
  echo 'done reloadWebService'
}

revertCrt () {
  echo 'begin revertCrt'
  BACKUP_PATH=${BASE_ROOT}/backup/$1
  if [ -z "$1" ]; then
    BACKUP_PATH=`cat ${BASE_ROOT}/backup/latest`
  fi
  if [ ! -d "${BACKUP_PATH}" ]; then
    echo "[ERR] backup path: ${BACKUP_PATH} not found."
    return 1
  fi
  echo "${BACKUP_PATH}/certificate ${CRT_BASE_PATH}"
  cp -rf ${BACKUP_PATH}/certificate/* ${CRT_BASE_PATH}
  echo "${BACKUP_PATH}/package_cert ${PKG_CRT_BASE_PATH}"
  cp -rf ${BACKUP_PATH}/package_cert/* ${PKG_CRT_BASE_PATH}
  reloadWebService
  echo 'done revertCrt'
}

updateCrt () {
  echo '------ begin updateCrt ------'
  backupCrt
  installAcme
  generateCrt
  updateService
  reloadWebService
  echo '------ end updateCrt ------'
}

case "$1" in
  update)
    echo ""
    echo "begin update cert"
    updateCrt
    ;;
  revert)
    echo "begin revert"
    revertCrt $2
    ;;
  *)
    echo "Usage: $0 {update|revert}"
    exit 1
esac
```
3. cert-up.sh for the syno-acme v0.3.0 DSM 7.0 beta
```bash
#!/bin/bash
# path of this script
BASE_ROOT=$(cd "$(dirname "$0")";pwd)
# date time
DATE_TIME=`date +%Y%m%d%H%M%S`
# base crt path
CRT_BASE_PATH="/usr/syno/etc/certificate"
PKG_CRT_BASE_PATH="/usr/local/etc/certificate"
#CRT_BASE_PATH="/Users/carl/Downloads/certificate"
ACME_BIN_PATH=${BASE_ROOT}/acme.sh
TEMP_PATH=${BASE_ROOT}/temp
CRT_PATH_NAME=`cat ${CRT_BASE_PATH}/_archive/DEFAULT`
CRT_PATH=${CRT_BASE_PATH}/_archive/${CRT_PATH_NAME}
# DSM major version is read from /etc/VERSION to pick the DSM 6 or DSM 7 code path
FIND_MAJORVERSION_FILE="/etc/VERSION"
FIND_MAJORVERSION_STR="majorversion=\"7\""

backupCrt () {
  echo 'begin backupCrt'
  BACKUP_PATH=${BASE_ROOT}/backup/${DATE_TIME}
  mkdir -p ${BACKUP_PATH}
  cp -r ${CRT_BASE_PATH} ${BACKUP_PATH}
  cp -r ${PKG_CRT_BASE_PATH} ${BACKUP_PATH}/package_cert
  echo ${BACKUP_PATH} > ${BASE_ROOT}/backup/latest
  echo 'done backupCrt'
  return 0
}

# versionLt A B: true when A is lower than B (natural version ordering)
versionLt () { test "$(echo "$@" | tr " " "\n" | sort -rV | head -n 1)" != "$1"; }

installAcme () {
  ALLOW_INSTALL=false
  ACME_SH_FILE=${ACME_BIN_PATH}/acme.sh
  # latest release tag from the GitHub API (empty if the request fails)
  ACME_SH_NEW_VERSION=$(wget -qO- -t1 -T2 "https://api.github.com/repos/acmesh-official/acme.sh/releases/latest" | grep "tag_name" | head -n 1 | awk -F ":" '{print $2}' | sed 's/\"//g;s/,//g;s/ //g')
  ACME_SH_ADDRESS=https://mirror.ghproxy.com/https://github.com/acmesh-official/acme.sh/archive/${ACME_SH_NEW_VERSION}.tar.gz
  if [ -z "${ACME_SH_NEW_VERSION}" ]; then
    echo 'unable to get new version number'
    return 0
  fi
  if [ ! -f "${ACME_SH_FILE}" ]; then
    ALLOW_INSTALL=true
    echo 'acme not installed, start install'
  else
    # installed version from the VER= line of acme.sh (anchored so only that line matches)
    ACME_SH_VERSION=$(grep "^VER=" ${ACME_SH_FILE} | head -n 1 | awk -F "=" '{print $2}' | sed 's/\"//g;s/,//g;s/ //g')
    if versionLt ${ACME_SH_VERSION} ${ACME_SH_NEW_VERSION}; then
      ALLOW_INSTALL=true
      echo 'acme has a new version, start updating'
    else
      echo 'skip acme installation'
    fi
  fi
  if [ "${ALLOW_INSTALL}" = true ]; then
    echo 'in progress...'
    mkdir -p ${TEMP_PATH}
    cd ${TEMP_PATH}
    echo 'begin downloading acme.sh tool...'
    # ACME_SH_ADDRESS=`curl -L https://cdn.jsdelivr.net/gh/andyzhshg/syno-acme@master/acme.sh.address`
    SRC_TAR_NAME=acme.sh.tar.gz
    curl -L -o ${SRC_TAR_NAME} ${ACME_SH_ADDRESS}
    SRC_NAME=`tar -tzf ${SRC_TAR_NAME} | head -1 | cut -f1 -d"/"`
    tar zxvf ${SRC_TAR_NAME}
    echo 'begin installing acme.sh tool...'
    cd ${SRC_NAME}
    ./acme.sh --install --nocron --home ${ACME_BIN_PATH}
    echo 'done installAcme'
    rm -rf ${TEMP_PATH}
  fi
  return 0
}

generateCrt () {
  echo 'begin generateCrt'
  cd ${BASE_ROOT}
  source ./config
  # add register zerossl account
  if [ "${CERT_SERVER}" = 'zerossl' ]; then
    echo 'register zerossl account'
    ${ACME_BIN_PATH}/acme.sh --register-account -m ${ACCOUNT_EMAIL} --server zerossl
  fi
  echo 'begin updating default cert by acme.sh tool'
  source ${ACME_BIN_PATH}/acme.sh.env
  # ${ACME_BIN_PATH}/acme.sh --force --log --issue --dns ${DNS} --dnssleep ${DNS_SLEEP} -d "${DOMAIN}" -d "*.${DOMAIN}"
  ${ACME_BIN_PATH}/acme.sh --force --log --issue --server ${CERT_SERVER} --dns ${DNS} --dnssleep ${DNS_SLEEP} -d "${DOMAIN}" -d "*.${DOMAIN}"
  ${ACME_BIN_PATH}/acme.sh --force --installcert -d "${DOMAIN}" -d "*.${DOMAIN}" \
    --certpath ${CRT_PATH}/cert.pem \
    --key-file ${CRT_PATH}/privkey.pem \
    --fullchain-file ${CRT_PATH}/fullchain.pem
  if [ -s "${CRT_PATH}/cert.pem" ]; then
    echo 'done generateCrt'
    return 0
  else
    echo '[ERR] fail to generateCrt'
    echo "begin revert"
    revertCrt
    exit 1;
  fi
}

updateService () {
  echo 'begin updateService'
  echo 'cp cert path to des'
  if [ `grep -c "$FIND_MAJORVERSION_STR" $FIND_MAJORVERSION_FILE` -ne '0' ]; then
    echo "MajorVersion = 7, use system default python2"
    python2 ${BASE_ROOT}/crt_cp.py ${CRT_PATH_NAME}
  else
    echo "MajorVersion < 7"
    /bin/python2 ${BASE_ROOT}/crt_cp.py ${CRT_PATH_NAME}
  fi
  echo 'done updateService'
}

reloadWebService () {
  echo 'begin reloadWebService'
  echo 'reloading new cert...'
  if [ `grep -c "$FIND_MAJORVERSION_STR" $FIND_MAJORVERSION_FILE` -ne '0' ]; then
    echo "MajorVersion = 7"
    synow3tool --gen-all && systemctl reload nginx
  else
    echo "MajorVersion < 7"
    /usr/syno/etc/rc.sysv/nginx.sh reload
  fi
  if [ `grep -c "$FIND_MAJORVERSION_STR" $FIND_MAJORVERSION_FILE` -ne '0' ]; then
    echo "MajorVersion = 7, no need to reload apache"
  else
    echo 'reloading Apache on DSM 6.x'
    stop pkg-apache22
    start pkg-apache22
    reload pkg-apache22
  fi
  echo 'done reloadWebService'
}

revertCrt () {
  echo 'begin revertCrt'
  BACKUP_PATH=${BASE_ROOT}/backup/$1
  if [ -z "$1" ]; then
    BACKUP_PATH=`cat ${BASE_ROOT}/backup/latest`
  fi
  if [ ! -d "${BACKUP_PATH}" ]; then
    echo "[ERR] backup path: ${BACKUP_PATH} not found."
    return 1
  fi
  echo "${BACKUP_PATH}/certificate ${CRT_BASE_PATH}"
  cp -rf ${BACKUP_PATH}/certificate/* ${CRT_BASE_PATH}
  echo "${BACKUP_PATH}/package_cert ${PKG_CRT_BASE_PATH}"
  cp -rf ${BACKUP_PATH}/package_cert/* ${PKG_CRT_BASE_PATH}
  reloadWebService
  echo 'done revertCrt'
}

updateCrt () {
  echo '------ begin updateCrt ------'
  backupCrt
  installAcme
  generateCrt
  updateService
  reloadWebService
  echo '------ end updateCrt ------'
}

case "$1" in
  update)
    echo "begin update cert"
    updateCrt
    ;;
  revert)
    echo "begin revert"
    revertCrt $2
    ;;
  *)
    echo "Usage: $0 {update|revert}"
    exit 1
esac
```
Thanks. By the way, what are these errors about? I forgot to mention I am on DSM 7.0.1. What does the Python script do?
```
done generateCrt
begin updateService
cp cert path to des
./cert-up.sh: line 84: /bin/python2: No such file or directory
done updateService
begin reloadWebService
reloading new cert...
[nginx] reloaded.
relading Apache 2.2
./cert-up.sh: line 93: stop: command not found
./cert-up.sh: line 94: start: command not found
./cert-up.sh: line 95: reload: command not found
done reloadWebService
------ end updateCrt ------
```
You copied the cert-up.sh code for syno-acme v0.2.1. In the final code post I have added the cert-up.sh for the syno-acme v0.3.0 DSM 7.0 beta. Could you also edit your comment and delete the quoted code, to avoid duplication and keep the thread readable?
Tested and it works now; thanks again.
```bash
/volume1/docker/acme/cert-up.sh update >> /volume1/docker/acme/log.txt 2>&1
```
Is this how the scheduled task should be set up? User root, run monthly.
Feedback: tested successfully on a genuine Synology running DSM 7.0.1-42218. Many thanks!
12-09: I followed your final tutorial step by step, but it keeps failing. When running the cert-up script, the log prints Processing, The CA is processing your order, please just wait. (1/30); after 30 attempts it shows the domain: timeout, and then fails. 12-11: Today I deleted the whole old syno-acme v0.2.1 folder, re-extracted the archive, reconfigured config and cert-up.sh following the tutorial, and ran the update; the certificate renewed successfully and is now working normally. Anyone with the same problem can try this approach. Thanks again to lihong for providing the code.
Same question here. I registered with ZeroSSL and it always does this; for now I have switched to letsencrypt.
Friend, try the new method I described above; I have it working now.
Understood. After looking around I decided to keep supporting Let's Encrypt. ZeroSSL feels too commercial; as for acme.sh switching its default CA to ZeroSSL, there is most likely a commercial push behind it.
I saw KennanChan mention in another issue that the root certificate bundle built into DSM has expired, so SSL connections cannot be established, and that updating the root certificates fixes it. That was a great help: after updating the CA root certificates, setting CERT_SERVER=letsencrypt in config and running the update again, the Let's Encrypt certificate renewed successfully. I had previously assumed the renewal server was blocked by the firewall. Here is a brief summary of the update method.
Method one:
Update the CA bundle with a single SSH command:
```bash
sudo mv /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak && sudo curl -Lko /etc/ssl/certs/ca-certificates.crt https://curl.se/ca/cacert.pem
```
If https://curl.se/ca/cacert.pem cannot be reached, use method two: download the file manually through a VPN and update by hand.
Method two:
1. Download the CA root certificate bundle from https://curl.se/ca/cacert.pem (use a VPN if it cannot be downloaded).
2. Upload cacert.pem to a directory on the NAS.
3. Run the following two SSH commands to update the CA bundle, replacing /volume1/nas/cacert.pem with the path of your file:
```bash
cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak
cp /volume1/nas/cacert.pem /etc/ssl/certs/ca-certificates.crt
```
The above can be run from PuTTY, or from Task Scheduler > Create > Triggered Task > User-defined script, to back up and update the root certificates.
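As an added example, not taken from this thread: the one-liner in method one moves the live bundle away first and then fetches the replacement with `curl -k`, so a failed or blocked download (or an HTML error page saved as cacert.pem) leaves DSM with no trust store at all, and `-k` also means the download itself is not verified. The script below, written for this thread rather than by anyone in it, checks that the candidate file actually is a PEM bundle before touching the live one and keeps a .bak it can restore from. MIN_CERTS is an assumed sanity floor, and the paths are parameters so the functions can be exercised on constructed files; the default bundle path is the DSM path from the thread.

```shell
#!/bin/sh
# Added example, not part of syno-acme: replace the DSM CA bundle only after validating
# the candidate file, keeping a backup and restoring it if the copy fails.
# MIN_CERTS is an assumption for this example; the real cacert.pem holds well over 100.
MIN_CERTS=${MIN_CERTS:-100}

# count_certs FILE: number of PEM certificates in FILE (0 if none or unreadable).
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null || true
}

# bundle_looks_valid FILE: true if FILE carries at least MIN_CERTS certificates,
# which rules out an empty file or an HTML error page saved under the wrong name.
bundle_looks_valid() {
  n=$(count_certs "$1")
  [ "${n:-0}" -ge "$MIN_CERTS" ]
}

# install_ca_bundle CANDIDATE [BUNDLE]
#   0: installed; 1: candidate rejected, live bundle untouched;
#   2: copy failed, previous bundle restored from BUNDLE.bak
install_ca_bundle() {
  candidate=$1
  bundle=${2:-/etc/ssl/certs/ca-certificates.crt}
  if ! bundle_looks_valid "$candidate"; then
    echo "[ERR] $candidate has $(count_certs "$candidate") certificates; not a CA bundle, keeping $bundle" >&2
    return 1
  fi
  if [ -f "$bundle" ]; then
    cp -p "$bundle" "$bundle.bak" || { echo "[ERR] cannot back up $bundle" >&2; return 2; }
  fi
  if ! cp "$candidate" "$bundle" || ! bundle_looks_valid "$bundle"; then
    echo "[ERR] install failed, restoring $bundle.bak" >&2
    [ -f "$bundle.bak" ] && cp -p "$bundle.bak" "$bundle"
    return 2
  fi
  echo "installed $(count_certs "$bundle") CA certificates into $bundle"
  return 0
}

# download_ca_bundle OUT: fetch cacert.pem with certificate verification kept on.
# If the NAS's expired bundle cannot validate curl.se, download on another machine and
# upload the file (method two in the thread) instead of reaching for -k.
download_ca_bundle() {
  curl -fsSL -o "$1" https://curl.se/ca/cacert.pem
}
```

Usage on the NAS: `download_ca_bundle /tmp/cacert.pem && install_ca_bundle /tmp/cacert.pem`; because the candidate is validated before the copy, the default path may be used directly, and the .bak gives the same rollback point the thread's `mv` did without the window in which no bundle exists.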
Thanks for everyone's contributions!
Works on DSM 7.0; many thanks.
Thanks for the selfless contribution; it worked.
I searched Baidu and Google and every result gives this same fix, but after running it successfully I still get SSL error 60.
Using https://github.com/moteta/syno-acme/releases/tag/v0.3.1.1, with acme.sh downloaded manually, and Cloudflare and letsencrypt configured:
```
begin update cert
------ begin updateCrt ------
begin backupCrt
done backupCrt
unable to get new version number
begin generateCrt
begin updating default cert by acme.sh tool
/volume2/docker/acme/cert-up.sh: line 80: /volume2/docker/acme/acme.sh/acme.sh.env: No such file or directory
[Sun Sep 11 20:27:57 CST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun Sep 11 20:27:57 CST 2022] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Sun Sep 11 20:27:58 CST 2022] Register account Error: { "type": "urn:ietf:params:acme:error:invalidEmail", "detail": "Error creating new account :: invalid contact domain. Contact emails @example.com are forbidden", "status": 400 }
```
Did you perhaps not change the email setting in the config file?
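As an added example (not part of syno-acme or this thread), here is a pre-flight check for the config file that cert-up.sh could run before calling acme.sh. It catches the two misconfigurations reported in this thread: CERT_SERVER=zerossl without an ACCOUNT_EMAIL, and an ACCOUNT_EMAIL left at the @example.com placeholder, which Let's Encrypt rejects with urn:ietf:params:acme:error:invalidEmail as in the log above. The variable names are those of the thread's config; check_config and check_config_file are assumptions of this example, and the sample config files in the usage are constructed.

```shell
#!/bin/sh
# Added example, not part of syno-acme: validate the syno-acme config before acme.sh
# is invoked, so a placeholder value fails fast instead of failing inside the CA request.

# check_config: reads DOMAIN, DNS, CERT_SERVER and ACCOUNT_EMAIL from the environment,
# prints one problem per line, returns 1 if any problem was found.
check_config() {
  rc=0
  if [ -z "${DOMAIN:-}" ] || [ "${DOMAIN}" = "your_domain" ]; then
    echo "DOMAIN is not set (still the your_domain placeholder)"; rc=1
  fi
  case "${DNS:-}" in
    dns_xxx|"") echo "DNS is not set to an acme.sh DNS provider (e.g. dns_ali, dns_cf)"; rc=1 ;;
  esac
  case "${CERT_SERVER:-}" in
    letsencrypt|zerossl) ;;
    "") echo "CERT_SERVER is empty; acme.sh 3.x would silently default to zerossl"; rc=1 ;;
    *)  echo "CERT_SERVER=${CERT_SERVER} is not one of letsencrypt|zerossl"; rc=1 ;;
  esac
  email=${ACCOUNT_EMAIL:-}
  case "$email" in
    *@example.com|*@example.net|*@example.org)
      # CAs refuse the reserved example.* domains as account contacts
      echo "ACCOUNT_EMAIL=$email is a placeholder; CAs reject example.* contact domains"; rc=1 ;;
    "")
      # Let's Encrypt works without a contact; ZeroSSL registration needs one
      if [ "${CERT_SERVER:-}" = "zerossl" ]; then echo "ZeroSSL requires ACCOUNT_EMAIL"; rc=1; fi ;;
    *@*.*) ;;
    *) echo "ACCOUNT_EMAIL=$email does not look like an address"; rc=1 ;;
  esac
  return $rc
}

# check_config_file FILE: source FILE in a subshell (it uses export lines, like the
# thread's config) and run the checks without polluting the caller's environment.
check_config_file() {
  ( . "$1" && check_config )
}
```

Dropping `check_config_file ./config || exit 1` into generateCrt right after `source ./config` would have turned the "Contact emails @example.com are forbidden" response into a one-line local message before any account was registered.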
Thanks, it worked on the first try.