Issuing HTTPS certificates with acme.sh


Install acme.sh

Both regular users and root can install and use it.

curl https://get.acme.sh | sh -s email=my@example.com

wget -O -  https://get.acme.sh | sh -s email=my@example.com

Note: if -bash: acme.sh: command not found appears after the installation finishes, run this manually:

source ~/.bashrc

Possible errors

root@local:~# wget -O -  https://get.acme.sh | sh
--2025-09-20 22:01:55--  https://get.acme.sh/
Resolving get.acme.sh (get.acme.sh)... 104.21.34.62
Connecting to get.acme.sh (get.acme.sh)|104.21.34.62|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘STDOUT’

-                                                   [ <=>                                                                                                   ]   1.01K  --.-KB/s    in 0s      

2025-09-20 22:01:57 (32.7 MB/s) - written to stdout [1032]

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  222k  100  222k    0     0   5183      0  0:00:43  0:00:43 --:--:-- 17429
[Sat Sep 20 10:02:41 PM CST 2025] Installing from online archive.
[Sat Sep 20 10:02:41 PM CST 2025] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Sat Sep 20 10:04:12 PM CST 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 56
[Sat Sep 20 10:04:12 PM CST 2025] Download error.
Install error
中国大陆用户请参考:
https://github.com/acmesh-official/acme.sh/wiki/Install-in-China

https://gitee.com/neilpang/acme.sh

After downloading the code, run the install command manually:

./acme.sh --install

What the installer does

The installer does the following automatically.

It installs acme.sh into your home directory.

~/.acme.sh/

It creates a shell alias

For example in .bashrc, so that acme.sh can be run from any path.

alias acme.sh=~/.acme.sh/acme.sh

It creates a cron job

Use the crontab command to view the scheduled tasks:

crontab -l

Add the Nginx configuration first

Start with the simplest possible configuration; server_name is required.

server {
    listen 443;
    listen [::]:443;
    server_name test.example.com;
}

Issue a certificate for Nginx

Note: the Nginx configuration must contain a server_name entry for the domain the certificate is issued for.

acme.sh --issue --nginx -d test.example.com 

Or specify the Nginx configuration file:

acme.sh --issue -d test.example.com --nginx /www/server/nginx/conf/nginx.conf

Copy the certificate

Do not use the certificate files under the `~/.acme.sh/` directory directly.

Create a folder to store the SSL certificate.

mkdir -p /etc/nginx/ssl/test.example.com

Copy the certificate to the target folder.

acme.sh --install-cert -d test.example.com \
--key-file       /etc/nginx/ssl/test.example.com/test.example.com.key  \
--fullchain-file  /etc/nginx/ssl/test.example.com/fullchain.cer \
--reloadcmd     "service nginx force-reload"

Output

root@root:/etc/nginx/ssl# acme.sh --install-cert -d test.example.com \
> --key-file       /etc/nginx/ssl/test.example.com/test.example.com.key  \
> --fullchain-file  /etc/nginx/ssl/test.example.com/fullchain.cer \
> --reloadcmd     "service nginx force-reload"
[Mon Sep 15 16:24:46 CST 2025] The domain 'test.example.com' seems to already have an ECC cert, let's use it.
[Mon Sep 15 16:24:46 CST 2025] Installing key to: /etc/nginx/ssl/test.example.com/test.example.com.key
[Mon Sep 15 16:24:46 CST 2025] Installing full chain to: /etc/nginx/ssl/test.example.com/fullchain.cer
[Mon Sep 15 16:24:46 CST 2025] Running reload cmd: service nginx force-reload
[Mon Sep 15 16:24:46 CST 2025] Reload successful

List certificates

root@iZbp11ou4h3yoyu6yy69w1Z:/etc/nginx/conf.d# acme.sh --list
Main_Domain     KeyLength  SAN_Domains  CA           Created  Renew
hh.example.com  "ec-256"   no           ZeroSSL.com

Nginx configuration

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name test.example.com;
    ssl_certificate "/etc/nginx/ssl/test.example.com/fullchain.cer";
    ssl_certificate_key "/etc/nginx/ssl/test.example.com/test.example.com.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    root /var/www/html;
    index index.html index.htm;
}

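Notes

By default, certificates are renewed every 60 days.

reloadcmd is very important. Certificates are renewed automatically, but without a correct reloadcmd the renewed certificate may never be applied to Nginx, because the configuration is not reloaded.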
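The reload problem described above can be detected by comparing the certificate on disk with the one Nginx is actually serving. This is an added example, not part of the original post or of acme.sh: the function names and the --check argument are hypothetical, the path and hostname are this page's sample values, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: detect a renewed certificate that Nginx has not loaded yet.
# CERT_FILE and HOST are this page's sample values; function names are hypothetical.
CERT_FILE="/etc/nginx/ssl/test.example.com/fullchain.cer"
HOST="test.example.com"

# SHA-256 fingerprint of the first (leaf) certificate in the PEM text on stdin.
# Prints nothing if stdin holds no parsable certificate.
leaf_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Print what the server at $1 (port $2, default 443) presents during the handshake.
served_pem() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null
}

# Compare the leaf certificates of two PEM files.
# Returns 0 = identical, 1 = different, 2 = an input is missing or not a certificate.
same_leaf() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    fp_a=$(leaf_fingerprint <"$1") || fp_a=""
    fp_b=$(leaf_fingerprint <"$2") || fp_b=""
    [ -n "$fp_a" ] && [ -n "$fp_b" ] || return 2
    [ "$fp_a" = "$fp_b" ]
}

# Compare the certificate on disk with the one Nginx is serving right now.
check_reload() {
    tmp=$(mktemp) || return 2
    served_pem "$HOST" >"$tmp" || true
    rc=0
    same_leaf "$CERT_FILE" "$tmp" || rc=$?
    rm -f "$tmp"
    case $rc in
        0) echo "OK: Nginx serves the certificate installed on disk" ;;
        1) echo "STALE: Nginx serves a different certificate, reload it" ;;
        *) echo "ERROR: could not read one of the certificates" ;;
    esac
    return "$rc"
}

# Run the live check only when asked, e.g. from cron: sh check_reload.sh --check
case "${1:-}" in --check) check_reload ;; esac
```

A STALE result after a renewal means the files under /etc/nginx/ssl/ were replaced but the running Nginx still holds the old certificate in memory.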

View information about an installed certificate

acme.sh --info -d test.example.com

Official documentation

https://github.com/acmesh-official/acme.sh

https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E

Views: 275 · Posted: 2025-09-21
