
acme.sh certificate issuance

About the socat warning

Webroot mode is used, so socat is not needed.

The following message during installation can be ignored:

```
[Thu Jan  8 08:58:30 PM CST 2026] It is recommended to install socat first.
[Thu Jan  8 08:58:30 PM CST 2026] We use socat for standalone server if you use standalone mode.
[Thu Jan  8 08:58:30 PM CST 2026] If you don't use standalone mode, just ignore this warning.
```

My configuration

Tencent Cloud

```sh
acme.sh --issue \
  -d q123q.cn \
  -d fed.q123q.cn \
  -d show.q123q.cn \
  -d demo.q123q.cn \
  -d w24.q123q.cn \
  -d w25.q123q.cn \
  -d wanx.q123q.cn \
  -w /mydata/web-static/letsencrypt
```

```sh
acme.sh --install-cert -d q123q.cn \
  --key-file /mydata/nginx-proxy/ssl/acme.sh.key \
  --fullchain-file /mydata/nginx-proxy/ssl/fullchain.cer \
  --reloadcmd "docker-compose -f /mydata/nginx-proxy/docker-compose.yml restart"
```

```nginx
server {
    listen 80;
    server_name q123q.cn fed.q123q.cn show.q123q.cn demo.q123q.cn w24.q123q.cn w25.q123q.cn wanx.q123q.cn;

    location /.well-known/acme-challenge/ {
        root /mydata/web-static/letsencrypt;
    }

    location / {
        return 200 'hello';
        add_header Content-Type text/plain;
    }
}
```

Alibaba Cloud

```sh
acme.sh --issue \
  -d q123q.cc \
  -d fed.q123q.cc \
  -d show.q123q.cc \
  -d demo.q123q.cc \
  -d w24.q123q.cc \
  -d w25.q123q.cc \
  -d wanx.q123q.cc \
  -w /mydata/web-static/letsencrypt
```

```sh
acme.sh --install-cert -d q123q.cc \
  --key-file /mydata/nginx-proxy/ssl/acme.sh.key \
  --fullchain-file /mydata/nginx-proxy/ssl/fullchain.cer \
  --reloadcmd "docker-compose -f /mydata/nginx-proxy/docker-compose.yml restart"
```

The default.conf used during issuance

```nginx
server {
    listen 80;
    server_name q123q.cc fed.q123q.cc show.q123q.cc demo.q123q.cc w24.q123q.cc w25.q123q.cc wanx.q123q.cc;

    location /.well-known/acme-challenge/ {
        root /mydata/web-static/letsencrypt;
    }

    location / {
        return 200 'hello';
        add_header Content-Type text/plain;
    }
}
```

My acme.sh is used together with nginx-proxy

with the following volume mappings:

```yml
# /mydata/nginx-proxy
volumes:
  - ./conf:/etc/nginx/conf.d
  - ./ssl:/etc/nginx/ssl
  - ./logs:/var/log/nginx
  - /mydata/web-static:/mydata/web-static
```

Installation

```sh
# Install acme.sh
curl https://get.acme.sh | sh
```

GitHub installation times out

https://github.com/acmesh-official/acme.sh/wiki/Install-in-China

https://gitee.com/neilpang/acme.sh

```sh
git clone https://gitee.com/neilpang/acme.sh.git

cd acme.sh
./acme.sh --install -m my@example.com
```

Generate a temporary certificate

```sh
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /mydata/nginx-proxy/ssl/acme.sh.key \
  -out /mydata/nginx-proxy/ssl/fullchain.cer \
  -subj "/CN=localhost"
```

This avoids the nginx 502 error caused by acme.sh.key not existing yet.

Issue the certificate

Use webroot mode.

```sh
mkdir /mydata/web-static/letsencrypt
```

Make sure the nginx configuration of every domain that needs SSL contains:

```nginx
location /.well-known/acme-challenge/ {
    root /mydata/web-static/letsencrypt;
}
```

Tip

There must be no space after the backslash \, otherwise the shell reports an error.

```sh
acme.sh --issue \
  -d fed.q123q.cn \
  -d w25.q123q.cn \
  -w /mydata/web-static/letsencrypt
```

-w tells acme.sh where to place the validation files.

For acme.sh, the first -d is still the "primary domain"; the certificate and key covering all the listed domains are stored under the "primary domain" directory.

After the certificate is issued, it still needs to be installed!
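Before running `acme.sh --issue`, it is worth confirming that a file dropped into the webroot is really served under /.well-known/acme-challenge/ through the nginx-proxy volume mapping. The script below is an added example, not part of these notes or of acme.sh; it assumes the webroot /mydata/web-static/letsencrypt from this page, needs curl, and all function names are the example's own. A `file://` base URL lets it run offline against the directory alone.

```sh
#!/bin/sh
# Pre-flight check for webroot mode: drop a probe file where acme.sh writes its
# challenge tokens and fetch it back the way the CA would.
# Assumed from this page: webroot /mydata/web-static/letsencrypt, served by
# nginx under /.well-known/acme-challenge/. Function names are this example's own.

# Write a probe token into the challenge directory and print its name.
write_probe() {
  dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir"
  token="probe-$(date +%s)-$$"
  printf '%s\n' "$token" > "$dir/$token"
  echo "$token"
}

# Fetch <base URL>/.well-known/acme-challenge/<token>; prints the body, empty on error.
fetch_probe() {
  curl -fsS --max-time 10 "$2/.well-known/acme-challenge/$1" 2>/dev/null
}

# 0 when a token written to webroot $1 is served back unchanged at base URL $2
# (e.g. http://fed.q123q.cn; file://$1 exercises the logic offline).
webroot_serves_challenge() {
  t=$(write_probe "$1")
  body=$(fetch_probe "$t" "$2")
  rm -f "$1/.well-known/acme-challenge/$t"
  [ "$body" = "$t" ]
}

# Probe every domain that will go on the certificate, i.e. the -d list above.
# Usage: check_all_domains /mydata/web-static/letsencrypt fed.q123q.cn w25.q123q.cn
check_all_domains() {
  root=$1; shift; rc=0
  for d in "$@"; do
    if webroot_serves_challenge "$root" "http://$d"; then
      echo "ok   $d"
    else
      echo "FAIL $d: /.well-known/acme-challenge/ is not served from $root"; rc=1
    fi
  done
  return $rc
}
```

A FAIL for a domain usually means the location block above is missing from that server, or the container does not see /mydata/web-static.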

Adding domains

Re-issue with --upgrade

```sh
acme.sh --upgrade --issue \
  -d example.com \
  -d www.example.com
```

You can also simply repeat the steps above to re-issue, which overwrites the existing certificate.

Install the certificate

```sh
acme.sh --install-cert -d fed.q123q.cn \
  --key-file /mydata/nginx-proxy/ssl/acme.sh.key \
  --fullchain-file /mydata/nginx-proxy/ssl/fullchain.cer \
  --reloadcmd "docker-compose -f /mydata/nginx-proxy/docker-compose.yml restart"
```

Here -d only needs the primary domain.
For Let's Encrypt the primary domain is the first -d domain, not the top-level domain.

For an ECC certificate, add --ecc

```sh
acme.sh --install-cert -d fed.q123q.cn \
  --key-file /mydata/nginx-proxy/ssl/acme.sh.key \
  --fullchain-file /mydata/nginx-proxy/ssl/fullchain.cer \
  --ecc \
  --reloadcmd "docker-compose -f /mydata/nginx-proxy/docker-compose.yml restart"
```
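After `--install-cert` the files under /mydata/nginx-proxy/ssl should no longer be the temporary CN=localhost pair from the openssl step above, the key must belong to the certificate that was written, and every -d domain should appear in the SAN list. The checks below are an added example, not code from these notes or from acme.sh; they assume the file paths from this page, need openssl, and all function names are the example's own.

```sh
#!/bin/sh
# Sanity checks for the files written by `acme.sh --install-cert`.
# Assumed paths from this page: /mydata/nginx-proxy/ssl/fullchain.cer and
# /mydata/nginx-proxy/ssl/acme.sh.key. Function names are this example's own.

# SHA-256 of the public key carried inside a certificate.
cert_pubkey_hash() {
  openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key (RSA or EC).
key_pubkey_hash() {
  openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# 0 when certificate and private key belong together.
cert_matches_key() {
  [ "$(cert_pubkey_hash "$1")" = "$(key_pubkey_hash "$2")" ]
}

# 0 when the file is still the throw-away CN=localhost certificate.
is_placeholder_cert() {
  openssl x509 -in "$1" -noout -subject | grep -q 'CN *= *localhost'
}

# 0 when every domain given after the cert path appears in the SAN list.
cert_covers_domains() {
  sans=$(openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ' | tr ',' '\n')
  shift
  for d in "$@"; do
    echo "$sans" | grep -qx "DNS:$d" || return 1
  done
}

# 0 when the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run every check; prints each failure and returns non-zero if any failed.
# Usage: check_installed_cert fullchain.cer acme.sh.key fed.q123q.cn w25.q123q.cn
check_installed_cert() {
  c=$1; k=$2; shift 2; rc=0
  if is_placeholder_cert "$c"; then echo "still the temporary cert"; rc=1; fi
  cert_matches_key "$c" "$k" || { echo "cert and key do not match"; rc=1; }
  cert_covers_domains "$c" "$@" || { echo "SAN list misses a domain"; rc=1; }
  cert_valid_for_days "$c" 7 || { echo "expires within 7 days"; rc=1; }
  return $rc
}
```

Running it from the --reloadcmd before the docker-compose restart stops a broken or stale pair from being loaded into nginx.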

Use in nginx

```nginx
ssl_certificate /etc/nginx/ssl/fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/acme.sh.key;
```

Renewal

```sh
acme.sh --renew -d example.com --force
```

Other commands

View the certificates that have been installed

```sh
acme.sh --list
```

Choosing the certificate type

Warning

These are only pseudo-code examples.

RSA

```sh
acme.sh --issue -d example.com -w /var/www/html --keylength 2048
```

--keylength 2048 → RSA key length (2048, 3072 or 4096)

ECC

```sh
acme.sh --issue -d example.com -w /var/www/html --keylength ec-256
```

When installing an ECC certificate, the certificate type must be specified

```sh
acme.sh --install-cert -d example.com \
  --key-file       /etc/nginx/ssl/example.com.key \
  --fullchain-file /etc/nginx/ssl/example.com.cer \
  --ecc \
  --reloadcmd      "systemctl reload nginx"
```

ZeroSSL

ZeroSSL is used by default; you can switch to Let's Encrypt with --server.

ZeroSSL requires registering an account with an email address

```sh
root@iZ2vcht3hyn19phxb28w41Z:/opt/nginx# acme.sh --register-account -m 694666422@qq.com

[Sun Aug 17 10:31:52 PM CST 2025] No EAB credentials found for ZeroSSL, let's obtain them
[Sun Aug 17 10:31:54 PM CST 2025] Registering account: https://acme.zerossl.com/v2/DV90
[Sun Aug 17 10:32:00 PM CST 2025] Registered
[Sun Aug 17 10:32:00 PM CST 2025] ACCOUNT_THUMBPRINT='RaR0OkiGmV3-3yH5tjMn6EoLDfGNzfyz1nNKk5huBCY'
```

Let's Encrypt

Register

```sh
root@iZ2vcht3hyn19phxb28w41Z:/opt/nginx# acme.sh --register-account -m 694666422@qq.com --server https://acme-v02.api.letsencrypt.org/directory
[Sun Aug 17 11:13:23 PM CST 2025] Account key creation OK.
[Sun Aug 17 11:13:23 PM CST 2025] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Sun Aug 17 11:13:25 PM CST 2025] Registered
[Sun Aug 17 11:13:25 PM CST 2025] ACCOUNT_THUMBPRINT='AU1pgZs5UUfikeThNZAhDMtxEs8yyuoFth0AVN__N4I'
```

When issuing the certificate, always specify the server

```sh
acme.sh --issue \
  -d hlx.q123q.cc \
  -d w25.q123q.cc \
  -w /opt/static/letsencrypt \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --force
```

Logs

Installation

```sh
root@iZ2vcht3hyn19phxb28w41Z:~# curl https://get.acme.sh | sh

[Sun Aug 17 10:20:52 PM CST 2025] Installing from online archive.
[Sun Aug 17 10:20:52 PM CST 2025] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Sun Aug 17 10:20:54 PM CST 2025] Extracting master.tar.gz
[Sun Aug 17 10:20:54 PM CST 2025] It is recommended to install socat first.
[Sun Aug 17 10:20:54 PM CST 2025] We use socat for the standalone server, which is used for standalone mode.
[Sun Aug 17 10:20:54 PM CST 2025] If you don't want to use standalone mode, you may ignore this warning.
[Sun Aug 17 10:20:54 PM CST 2025] Installing to /root/.acme.sh
[Sun Aug 17 10:20:54 PM CST 2025] Installed to /root/.acme.sh/acme.sh
[Sun Aug 17 10:20:54 PM CST 2025] Installing alias to '/root/.bashrc'
[Sun Aug 17 10:20:54 PM CST 2025] Close and reopen your terminal to start using acme.sh
[Sun Aug 17 10:20:54 PM CST 2025] Installing cron job
no crontab for root
no crontab for root
[Sun Aug 17 10:20:54 PM CST 2025] bash has been found. Changing the shebang to use bash as preferred.
[Sun Aug 17 10:20:56 PM CST 2025] OK
[Sun Aug 17 10:20:56 PM CST 2025] Install success!
```

Because Nginx webroot mode is used, socat is not needed.

Certificate issuance

```sh
root@iZ2vcht3hyn19phxb28w41Z:/opt/nginx/logs# acme.sh --issue   -d hlx.q123q.cc   -d w25.q123q.cc   -w /opt/static/letsencrypt
[Sun Aug 17 10:42:59 PM CST 2025] Using CA: https://acme.zerossl.com/v2/DV90
[Sun Aug 17 10:42:59 PM CST 2025] Multi domain='DNS:hlx.q123q.cc,DNS:w25.q123q.cc'
[Sun Aug 17 10:43:10 PM CST 2025] Getting webroot for domain='hlx.q123q.cc'
[Sun Aug 17 10:43:10 PM CST 2025] Getting webroot for domain='w25.q123q.cc'
[Sun Aug 17 10:43:10 PM CST 2025] Verifying: hlx.q123q.cc
[Sun Aug 17 10:43:13 PM CST 2025] Processing. The CA is processing your order, please wait. (1/30)
[Sun Aug 17 10:43:19 PM CST 2025] Success
[Sun Aug 17 10:43:19 PM CST 2025] Verifying: w25.q123q.cc
[Sun Aug 17 10:43:21 PM CST 2025] Processing. The CA is processing your order, please wait. (1/30)
[Sun Aug 17 10:43:26 PM CST 2025] Success
[Sun Aug 17 10:43:26 PM CST 2025] Verification finished, beginning signing.
[Sun Aug 17 10:43:26 PM CST 2025] Let's finalize the order.
[Sun Aug 17 10:43:26 PM CST 2025] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/d3I_cF8OLXO-2dhZdBAN5Q/finalize'
[Sun Aug 17 10:43:30 PM CST 2025] Order status is 'processing', let's sleep and retry.
[Sun Aug 17 10:43:30 PM CST 2025] Sleeping for 15 seconds then retrying
[Sun Aug 17 10:43:46 PM CST 2025] Polling order status: https://acme.zerossl.com/v2/DV90/order/d3I_cF8OLXO-2dhZdBAN5Q
[Sun Aug 17 10:43:48 PM CST 2025] Downloading cert.
[Sun Aug 17 10:43:48 PM CST 2025] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/fIYy65Xz-gmaIHmrY8_VNg'
[Sun Aug 17 10:43:53 PM CST 2025] Cert success.
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
[Sun Aug 17 10:43:53 PM CST 2025] Your cert is in: /root/.acme.sh/hlx.q123q.cc_ecc/hlx.q123q.cc.cer
[Sun Aug 17 10:43:53 PM CST 2025] Your cert key is in: /root/.acme.sh/hlx.q123q.cc_ecc/hlx.q123q.cc.key
[Sun Aug 17 10:43:53 PM CST 2025] The intermediate CA cert is in: /root/.acme.sh/hlx.q123q.cc_ecc/ca.cer
[Sun Aug 17 10:43:53 PM CST 2025] And the full-chain cert is in: /root/.acme.sh/hlx.q123q.cc_ecc/fullchain.cer
```

Other

File descriptions

| File | Description |
| --- | --- |
| fed.q123q.cc.cer | Site certificate (public key) |
| fed.q123q.cc.key | Private key |
| ca.cer | Intermediate CA certificate |
| fullchain.cer | Site certificate + intermediate CA combined, for Nginx/Apache |

Usually configuring Nginx with fullchain.cer and the key is enough.