证书操作手册
openssl
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -text -noout
openssl x509 -text -noout -in cert.pem
openssl x509 -text -noout -in cert.pem | grep -E 'Not Before|Not After|DNS:'
openssl x509 -checkend 86400 -noout -in cert.pem && echo "OK" || echo "EXPIRED"
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out key.pem
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key.pem
openssl req -new -key key.pem -out csr.pem -subj "/CN=example.com"
cat > san.cnf <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = *.example.com
EOF
openssl req -new -key key.pem -out csr.pem -config san.cnf
openssl req -new -x509 -days 365 -key key.pem -out cert.pem -subj "/CN=localhost"
openssl verify -CAfile ca-bundle.crt cert.pem
openssl x509 -fingerprint -sha256 -noout -in cert.pem
acme.sh
export Ali_Key="xxx" Ali_Secret="yyy"
acme.sh --issue --dns dns_ali -d example.com -d '*.example.com'
acme.sh --install-cert -d example.com \
--cert-file /etc/caddy/certs/example.crt \
--key-file /etc/caddy/certs/example.key \
--fullchain-file /etc/caddy/certs/example-fullchain.crt \
--reloadcmd "systemctl reload caddy"
acme.sh --renew -d example.com --force
acme.sh --cron
acme.sh --list
certbot
certbot certonly --dns-tencentcloud \
--dns-tencentcloud-credentials /etc/letsencrypt/tencentcloud.ini \
--dns-tencentcloud-propagation-seconds 30 \
-d example.com
certbot renew --dry-run
certbot certificates
故障排查
openssl x509 -text -noout -in cert.pem | grep "Not After"
openssl verify -CAfile ca-bundle.crt cert.pem