由于 Godaddy 停止了免费的支持ACME SSL 证书签发(DNS 模式),
不得不改用 DNS Alias 模式, 让阿里云 为Godaddy 管理的域名,代理合作签发SSL证书
默认的机构,ZEROSSL,一个初创企业,早已超负荷运转,多数时间已经无法正常签发了。改用Google的证书机构,相对门槛较高,需要有Google帐户,而且国内访问受限,所以签发都一直顺畅。
#!/bin/bash
#
# Godaddy Domain:
DOMAIN=zhenglei.net
DNSAPI=dns_gd
# Aliyun Domain as Proxy:
DOMAIN_PROXY=778065.xyz
DNSAPI_PROXY=dns_ali
# Setup CNAME record mapping of _acme-challenge between ${DOMAIN} and ${DOMAIN_PROXY}
# _acme-challenge.zhenglei.net CNAME==> _acme-challenge.778065.xyz
# _acme-challenge.blog.zhenglei.net CNAME==> _acme-challenge.778065.xyz
# ...
# nslookup -type=CNAME _acme-challenge.zhenglei.net
# nslookup -type=CNAME _acme-challenge.blog.zhenglei.net
# Aliyun key & secret to generate acme cert
# dnsapi=dns_ali
Ali_Key="Your Aliyun Key"
Ali_Secret="Your Aliyun Secret"
export Ali_Key=${Ali_Key}
export Ali_Secret=${Ali_Secret}
# Godaddy key & secret to generate acme cert
# dnsapi=dns_gd
GD_Key="Your Godaddy Key"
GD_Secret="Your Godaddy Secret"
#
# Using alias dns mode of acme.sh
M=" --challenge-alias ${DOMAIN_PROXY} "
N=" --challenge-alias no "
#
#
# IP PROTOCOL
IP=--listen-v6
#
#
#
DNSSLEEP=40
# Init
source /root/env.sh
ACME_SH=/root/.acme.sh/acme.sh
#
#
DSUB=""
DSUB+=" -d ${DOMAIN} ${M}"
DSUB+=" -d ${DOMAIN_PROXY} ${N}"
DSUB+=" -d blog.${DOMAIN} ${M}"
DSUB+=" -d blog.${DOMAIN_PROXY} ${N}"
DSUB+=" -d blog1.${DOMAIN} ${M} "
DSUB+=" -d blog2.${DOMAIN} ${M} "
DSUB+=" -d gallery.${DOMAIN} ${M} "
DSUB+=" -d gallery.${DOMAIN_PROXY} ${N} "
DSUB+=" -d gallery1.${DOMAIN} ${M} "
DSUB+=" -d gallery2.${DOMAIN} ${M} "
DSUB+=" -d music.${DOMAIN} ${M} "
DSUB+=" -d music.${DOMAIN_PROXY} ${N} "
DSUB+=" -d music1.${DOMAIN} ${M} "
DSUB+=" -d music2.${DOMAIN} ${M} "
DSUB+=" -d mpd.${DOMAIN} ${M} "
DSUB+=" -d mpd.${DOMAIN_PROXY} ${N} "
DSUB+=" -d mympd.${DOMAIN} ${M} "
DSUB+=" -d mympd.${DOMAIN_PROXY} ${N} "
DSUB+=" -d stream.${DOMAIN} ${M} "
DSUB+=" -d stream.${DOMAIN_PROXY} ${N} "
DSUB+=" -d video.${DOMAIN} ${M} "
DSUB+=" -d video.${DOMAIN_PROXY} ${N} "
DSUB+=" -d *.${DOMAIN} ${M} "
DSUB+=" -d *.${DOMAIN_PROXY} ${N} "
P=""
P+=" --dns ${DNSAPI_PROXY} "
P+=" --dnssleep ${DNSSLEEP} "
P+=" -k ec-384 "
P+=" --force "# Issue:
echo "${ACME_SH} --issue ${P} ${DSUB}"
${ACME_SH} --issue ${P} ${DSUB}
# Install
INST_PATH=/opt/local/cert/acme_zhenglei.net
INST_CER=${INST_PATH}/fullchain.cer
INST_KEY=${INST_PATH}/zhenglei.net.key
# P+=" --debug "
# P+=" --log "
# Issue:
echo "${ACME_SH} --issue ${P} ${DSUB}"
${ACME_SH} --issue ${P} ${DSUB}
# Install
INST_PATH=/opt/local/cert/acme_zhenglei.net
INST_CER=${INST_PATH}/fullchain.cer
INST_KEY=${INST_PATH}/zhenglei.net.key
OPENRESTY=/opt/local/etc/init.d/openresty
${ACME_SH} --install-cert -d ${DOMAIN} \
--key-file ${INST_KEY} \
--fullchain-file ${INST_CER} \
--reloadcmd "${OPENRESTY} stop ; ${OPENRESTY} start"https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode