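[BT Panel Series] BT Panel (宝塔) SSL and acme.sh

Although a serious security vulnerability was disclosed in the BT Panel software on August 23, I still choose to use BT Panel for some of my sites because it is so easy to use.

This post mainly records some of the steps involved in configuring SSL in BT Panel.

In earlier versions, BT Panel used acme.sh to request Let's Encrypt (LE) certificates. It is also the LE issuance script used by the vast majority of developers in China.

I have a website that I set up in 2018 and whose software I rarely update. In February of this year I received an email: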

Hi,

According to our records, the software client you’re using to get Let’s
Encrypt TLS/SSL certificates issued or renewed at least one HTTPS certificate
in the past two weeks using the ACMEv1 protocol. Here are the details of one
recent ACMEv1 request from each of your account(s):

Client IP address: xxx.xxx.xxx.xxx

User agent: acme.sh/2.8.0 (https://github.com/Neilpang/acme.sh) acme.sh/2.8.0 (https://github.com/Neilpang/acme.sh)

Hostname(s): “xxxx.com”,”www.xxxx.com”

Request time: 2020-02-23 06:50:00 UTC 2020-02-23 12:20:13 UTC

Beginning June 1, 2020, we will stop allowing new domains to validate using
the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before
then, or certificate issuance will fail. For most people, simply upgrading to
the latest version of your existing client will suffice. You can view the
client list at: https://letsencrypt.org/docs/client-options/

If you’re unsure how your certificate is managed, get in touch with the
person who installed the certificate for you. If you don’t know who to
contact, please view the help section in our community forum at
https://community.letsencrypt.org/c/help and use the search bar to check if
there’s an existing solution for your question. If there isn’t, please create
a new topic and fill out the help template.

ACMEv1 API deprecation details can be found in our community forum:
https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1

As a reminder: In the future, Let’s Encrypt will be performing multiple
domain validation requests for each domain name when you issue a certificate.
While you’re working on migrating to ACMEv2, please check that your system
configuration will not block validation requests made by new Let’s Encrypt IP
addresses, or block multiple matching requests. Per our FAQ
(https://letsencrypt.org/docs/faq/), we don’t publish a list of IP addresses
we use to validate, and this list may change at any time.

To receive more frequent updates, subscribe to our API Announcements:
https://community.letsencrypt.org/t/about-the-api-announcements-category

Thank you for joining us on our mission to create a more secure and privacy-
respecting Web!

All the best,

Let’s Encrypt

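The gist: you are currently using the ACMEv1 protocol, which will no longer be allowed as of June 1, 2020, so please update to the ACMEv2 protocol as soon as possible.

Nothing much to discuss here: upgrade acme.sh.

First, look at the acme path.

Then, in the ca directory, you can see that the protocol currently in use is the V1 version.

Next, we upgrade acme.sh; it is done in a dozen or so seconds.

As you can see, it was upgraded from 2.8.0 to 2.8.6. Looking at the ca directory again, it has changed to the V2 protocol.

Then, in the ssl directory shown in the figure below, you can see the relevant certificate information.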
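The before-and-after check described above can be scripted. The following is an added example, not code from the original post or from acme.sh itself. It assumes that each per-domain config under the acme.sh home directory records its CA endpoint in a `Le_API='...'` line, and the sample domains are constructed.

```bash
#!/bin/sh
# Added example: list which ACME endpoint each acme.sh-managed domain uses.
# Assumption: per-domain <home>/<domain>/<domain>.conf holds a Le_API='URL' line.

# classify_api URL -> v1 | v2 | other (Let's Encrypt production hostnames)
classify_api() {
  case "$1" in
    *acme-v01.api.letsencrypt.org*) echo v1 ;;
    *acme-v02.api.letsencrypt.org*) echo v2 ;;
    *) echo other ;;
  esac
}

# audit_acme_home DIR -> "domain<TAB>version<TAB>url" per domain config
audit_acme_home() {
  for conf in "$1"/*/*.conf; do
    [ -f "$conf" ] || continue
    # Strip optional quotes; files without Le_API (e.g. CSR configs) are skipped.
    url=$(sed -n "s/^Le_API=['\"]\{0,1\}\([^'\"]*\)['\"]\{0,1\}\$/\1/p" "$conf" | head -n 1)
    [ -n "$url" ] || continue
    printf '%s\t%s\t%s\n' "$(basename "$(dirname "$conf")")" "$(classify_api "$url")" "$url"
  done
}

# count_v1 DIR -> number of domains whose config still points at ACMEv1
count_v1() {
  audit_acme_home "$1" | awk -F '\t' '$2 == "v1" { n++ } END { print n + 0 }'
}

# make_sample_home -> path of a constructed sample layout (not real data)
make_sample_home() {
  sample=$(mktemp -d)
  mkdir -p "$sample/old.example" "$sample/new.example"
  printf "Le_API='https://acme-v01.api.letsencrypt.org/directory'\n" \
    > "$sample/old.example/old.example.conf"
  printf "Le_API='https://acme-v02.api.letsencrypt.org/directory'\n" \
    > "$sample/new.example/new.example.conf"
  printf '[ req ]\n' > "$sample/old.example/old.example.csr.conf"
  echo "$sample"
}
```

Call `audit_acme_home` with the acme.sh home directory as its argument; a non-zero `count_v1` means at least one domain config still references the ACMEv1 endpoint.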

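Since BT Panel version 7.4, the vendor has dropped the acme.sh script and started using a script it developed itself.

For the detailed explanation, see this link: https://www.bt.cn/bbs/forum.php?mod=viewthread&tid=50395

It is much the same, with only minor differences.

Reproduction without permission is prohibited: 花果山天地 » [BT Panel Series] BT Panel (宝塔) SSL and acme.sh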