Issuing HTTPS Certificates from Let's Encrypt with acme.sh


Set the default CA

acme.sh --set-default-ca --server letsencrypt

Command

acme.sh --issue -d test.example.com -w /var/www/html --force

Output

root@local:~# acme.sh --issue -d test.example.com -w /var/www/html --force
[Sun Sep 21 06:32:32 AM CST 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun Sep 21 06:32:32 AM CST 2025] Single domain='test.example.com'
[Sun Sep 21 06:32:36 AM CST 2025] Getting webroot for domain='test.example.com'
[Sun Sep 21 06:32:36 AM CST 2025] Verifying: test.example.com
[Sun Sep 21 06:32:37 AM CST 2025] Pending. The CA is processing your order, please wait. (1/30)
[Sun Sep 21 06:32:41 AM CST 2025] Pending. The CA is processing your order, please wait. (2/30)
[Sun Sep 21 06:32:46 AM CST 2025] Pending. The CA is processing your order, please wait. (3/30)
[Sun Sep 21 06:32:50 AM CST 2025] Pending. The CA is processing your order, please wait. (4/30)
[Sun Sep 21 06:32:54 AM CST 2025] Success
[Sun Sep 21 06:32:54 AM CST 2025] Verification finished, beginning signing.
[Sun Sep 21 06:32:54 AM CST 2025] Let's finalize the order.
[Sun Sep 21 06:32:54 AM CST 2025] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/'
[Sun Sep 21 06:32:56 AM CST 2025] Downloading cert.
[Sun Sep 21 06:32:56 AM CST 2025] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/'
[Sun Sep 21 06:32:57 AM CST 2025] Cert success.
-----BEGIN CERTIFICATE-----
aaaa
-----END CERTIFICATE-----
[Sun Sep 21 06:32:57 AM CST 2025] Your cert is in: /root/.acme.sh/test.example.com_ecc/test.example.com.cer
[Sun Sep 21 06:32:57 AM CST 2025] Your cert key is in: /root/.acme.sh/test.example.com_ecc/test.example.com.key
[Sun Sep 21 06:32:57 AM CST 2025] The intermediate CA cert is in: /root/.acme.sh/test.example.com_ecc/ca.cer

Install to Nginx

Create the directory

mkdir -p /etc/nginx/ssl/test.example.com

Install the certificate to Nginx

acme.sh --install-cert -d test.example.com \
--key-file       /etc/nginx/ssl/test.example.com/test.example.com.key  \
--fullchain-file  /etc/nginx/ssl/test.example.com/fullchain.cer \
--reloadcmd     "service nginx force-reload"

Output

root@local:~# acme.sh --install-cert -d test.example.com \
> --key-file       /etc/nginx/ssl/test.example.com/test.example.com.key  \
> --fullchain-file  /etc/nginx/ssl/test.example.com/fullchain.cer \
> --reloadcmd     "service nginx force-reload"
[Sun Sep 21 06:35:45 AM CST 2025] The domain 'test.example.com' seems to already have an ECC cert, let's use it.
[Sun Sep 21 06:35:45 AM CST 2025] Installing key to: /etc/nginx/ssl/test.example.com/test.example.com.key
[Sun Sep 21 06:35:45 AM CST 2025] Installing full chain to: /etc/nginx/ssl/test.example.com/fullchain.cer
[Sun Sep 21 06:35:45 AM CST 2025] Running reload cmd: service nginx force-reload
[Sun Sep 21 06:35:45 AM CST 2025] Reload successful

Modify the Nginx configuration

Note: add ssl (on the listen lines) and server_name.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name test.example.com;
    ssl_certificate "/etc/nginx/ssl/test.example.com/fullchain.cer";
    ssl_certificate_key "/etc/nginx/ssl/test.example.com/test.example.com.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
}

Reload Nginx

nginx -s reload
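
The following is an added example, not part of the original post or of acme.sh: a check worth running on the installed files before the reload, confirming that the key is not readable by group or others, that it matches the first certificate in the full chain, and that the certificate is not about to expire. The function names, the 7-day threshold and the self-signed sample pair are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the files that
# acme.sh --install-cert wrote before Nginx serves them.
# check_tls_pair and make_sample_pair are hypothetical helper names.

# Returns 0 if all checks pass; otherwise prints the failed check and returns 1.
check_tls_pair() {
    cert=$1 key=$2 min_days=${3:-7}   # 7 days is an assumed threshold
    [ -r "$cert" ] && [ -r "$key" ] || { echo "FAIL: cert or key unreadable"; return 1; }

    # The private key must not be accessible to group or others.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "FAIL: key mode too open"; return 1; }

    # The first certificate in the full chain must carry the key's public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot parse certificate"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot parse key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: key does not match certificate"; return 1; }

    # The certificate must remain valid for at least min_days more days.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "FAIL: certificate expires within $min_days days"; return 1; }
    echo "OK: $cert matches $key"
}

# Constructed sample: a throwaway self-signed pair named like the page's files.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=test.example.com" \
        -keyout "$1/test.example.com.key" -out "$1/fullchain.cer" 2>/dev/null
    chmod 600 "$1/test.example.com.key"
}

# Demo on the constructed pair; on a real host pass the paths under
# /etc/nginx/ssl/test.example.com/ instead.
demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir"
check_tls_pair "$demo_dir/fullchain.cer" "$demo_dir/test.example.com.key"
rm -rf "$demo_dir"
```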

Official documentation

https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E

Posted: 2025-09-23
