VPS侦探论坛 › LNMP一键安装包 › 怎么修改 lnmp onlyssl ** DNS签发泛域名证书CA为ZeroSSL呢

木风木 发表于 2021-10-10 11:32:04

怎么修改 lnmp onlyssl ** DNS签发泛域名证书CA为ZeroSSL呢

军哥：现在使用DNS 泛域名签发证书的默认CA为Let's Encrypt，我想使用ZeroSSL的CA来签发，
怎么修改 lnmp onlyssl ** 签发泛域名证书CA为ZeroSSL呢？


求修改方式！
谢谢！

木风木 发表于 2021-10-10 11:53:12

使用了
/usr/local/acme.sh/acme.sh --set-default-ca--server zerossl
之后
运行 lnmp onlyssl cloudns
之后还是使用默认 Let's Encrypt... 的CA签发证书
Removing exist domain certificate...
Starting create SSL Certificate use Let's Encrypt...

Using CA: https://acme-v02.api.letsencrypt.org/directory
Creating domain key
The domain key is here: /usr/local/nginx/conf/ssl/**.com/**.com.key
Multi domain='DNS:loewan.com,DNS:*.**.com'
Getting domain auth token for each domain
Getting webroot for domain='**.com'
Getting webroot for domain='*.**.com'
loewan.com is already verified, skip dns-01.
*.loewan.com is already verified, skip dns-01.
Verify finished, start to sign.
Lets finalize the order.
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/116013285/30765437680'
Downloading cert.
Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/034719741cd96bec1d7e7700b6b2faa8b0f4'
Cert success.
Your cert is in: /usr/local/nginx/conf/ssl/**.com/**.com.cer
Your cert key is in: /usr/local/nginx/conf/ssl/**.com/**.com.key
The intermediate CA cert is in: /usr/local/nginx/conf/ssl/**.com/ca.cer
And the full chain certs is there: /usr/local/nginx/conf/ssl/**.com/fullchain.cer
Run reload cmd: /etc/init.d/nginx reload
Reload nginx...done
Reload success

licess 发表于 2021-10-10 20:17:06

需要修改 /bin/lnmp 脚本 Add_Dns_SSL_Only 部分中的代码，另外还需要提前用命令/usr/local/acme.sh/acme.sh --server zerossl --register-account--accountemail 邮箱
先注册

木风木 发表于 2021-10-13 13:37:19

    if [ "${provider}" != "" ]; then
      /usr/local/acme.sh/acme.sh ${acme_sh_sudo} --server zerossl --issue ${letsdomain} --dns ${dns_provider} --reloadcmd "/etc/init.d/nginx reload"
      lets_status=$?
    else
      /usr/local/acme.sh/acme.sh ${acme_sh_sudo} --server zerossl --issue ${letsdomain} --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please


是直接修改这两处 --server zerossl 吗？

木风木 发表于 2021-10-13 13:51:49

Polling order status: https://acme.zerossl.com/v2/DV90/order/2p1pQ7jGRCk_vITgVE_YNQ
Sign error, wrong status
{"status":"invalid","expires":"2022-01-11T05:46:11Z","identifiers":[{"type":"dns","value":"xxx.com"},{"type":"dns","value":"*.xxx.com"}],"authorizations":["https://acme.zerossl.com/v2/DV90/authz/ekpDawkeXOevM_L8d1E_OA","https://acme.zerossl.com/v2/DV90/authz/iZC_wpAXFP5m-DDchBw8mA"],"finalize":"https://acme.zerossl.com/v2/DV90/order/2p1pQ7jGRCk_vITgVE_YNQ/finalize"}


是不是 zerossl 无法签发泛域名证书了呢？

licess 发表于 2021-10-13 15:43:49

木风木 发表于 2021-10-13 13:51
是不是 zerossl 无法签发泛域名证书了呢？

是的
Buypass不支持泛域名，zerosssl支持泛域名
提供完整的acme.sh.log看一下

木风木 发表于 2021-10-13 20:03:42

licess 发表于 2021-10-13 15:43
是的
Buypass不支持泛域名，zerosssl支持泛域名
提供完整的acme.sh.log看一下

麻烦军哥帮忙检查一下，万分感谢！

木风木 发表于 2021-10-13 21:11:33

参考了网上的资料教程，最终发现，原来是域名下面有别的CAA记录，
解决办法也很简单：
删除CAA记录，或者添加 zerosssl的CAA记录

**.com. 3600 IN CAA 0 issue "sectigo.com"
**.com. 3600 IN CAA 0 issuewild "sectigo.com"

查看完整版本: 怎么修改 lnmp onlyssl ** DNS签发泛域名证书CA为ZeroSSL呢