From 419f50ce8171c689d9060933ee835287cd9c18a4 Mon Sep 17 00:00:00 2001
From: xzx3344521
Date: Fri, 16 Jan 2026 12:44:56 +0800
Subject: [PATCH] Rename and enhance SSL certificate application script
---
 ssl | 111 ++++++++++++++++++++++++++++++++----------------------------
 1 file changed, 59 insertions(+), 52 deletions(-)
diff --git a/ssl b/ssl
index 0aa6c34..f102ff5 100644
--- a/ssl
+++ b/ssl
@@ -1,75 +1,82 @@
-cat << 'EOF' > cert_apply.sh
+cat << 'EOF' > cert_factory_interactive.sh
 #!/bin/bash
-# --- 1. 获取用户输入 ---
-read -p "请输入您要申请的域名 (例如: ui.shanghi.net): " DOMAIN
+# ==========================================
+# 跳板机 SSL 证书申请工厂 (交互版)
+# ==========================================
-# 简单的非空检查
+# --- 1. 交互式输入 ---
+echo "----------------------------------------------------"
+read -p "请输入您要申请的域名 (例如: ui.shanghi.net): " DOMAIN
+echo "----------------------------------------------------"
+
+# 空值检查
 if [ -z "$DOMAIN" ]; then
- echo "错误:域名不能为空!"
+ echo "❌ 错误:域名不能为空,脚本已退出。"
 exit 1
 fi
-# 确认信息
-echo "----------------------------------------"
-echo "准备为域名: $DOMAIN 申请证书"
-echo "存放路径: /data/$DOMAIN.key"
-echo "----------------------------------------"
-read -p "确认无误请按回车继续,取消请按 Ctrl+C ..."
+# --- 2. 关键提醒 (跳板机模式专用) ---
+echo "⚠️ 【重要提醒】 ⚠️"
+echo "您正在使用跳板机模式。在继续之前,请务必确认:"
+echo "👉 域名 [$DOMAIN] 的 DNS 解析目前必须指向本机 IP!"
+echo " (拿到证书后,您再改回 NAT 机器的 IP)"
+echo ""
+read -p "确认解析已生效?按回车继续 (或按 Ctrl+C 取消)..."
-# --- 2. 基础配置 ---
-CERT_BASE_DIR="/data"
-EMAIL="my@example.com" # 默认邮箱,不需要每次改
+# --- 3. 环境准备 ---
+CERT_DIR="/data"
+mkdir -p "$CERT_DIR"
-# 确保目录存在
-mkdir -p $CERT_BASE_DIR
-
-# --- 3. 环境检查 (安装 socat) ---
-# 只有未安装时才尝试安装
+echo "[1/3] 正在检查环境与清理端口..."
+# 安装 socat
 if ! command -v socat &> /dev/null; then
- echo "正在安装 socat (Standalone模式依赖)..."
- if [ -f /usr/bin/apt ]; then
- apt update && apt install socat -y
- elif [ -f /usr/bin/yum ]; then
- yum install socat -y
- fi
-else
- echo "检测到 socat 已安装,跳过安装步骤。"
+ echo " -> 安装 socat..."
+ if [ -f /usr/bin/apt ]; then apt update && apt install socat -y >/dev/null; fi
+ if [ -f /usr/bin/yum ]; then yum install socat -y >/dev/null; fi
 fi
-# --- 4. 核心申请逻辑 ---
-# 检查 80 端口是否被占用 (简单的防呆检查)
+# 清理 80 端口 (防止 Nginx 等占用)
 if lsof -Pi :80 -sTCP:LISTEN -t >/dev/null ; then
- echo "警告:检测到 80 端口被占用!"
- echo "Standalone 模式需要占用 80 端口。请先停止 Nginx/Apache,或确保没有服务占用 80。"
- read -p "是否强制尝试继续? (y/n): " force_run
- if [ "$force_run" != "y" ]; then
- echo "脚本已终止。"
- exit 1
- fi
+ echo " -> 发现 80 端口被占用,正在释放..."
+ fuser -k 80/tcp >/dev/null 2>&1
 fi
+# 开放防火墙
+iptables -I INPUT -p tcp --dport 80 -j ACCEPT >/dev/null 2>&1
-echo "正在向 CA 机构申请证书..."
-~/.acme.sh/acme.sh --issue -d "$DOMAIN" --standalone --email "$EMAIL" --force \
---install-cert -d "$DOMAIN" \
---key-file "$CERT_BASE_DIR/$DOMAIN.key" \
---fullchain-file "$CERT_BASE_DIR/$DOMAIN.crt" \
---reloadcmd "echo \"\$(date): 证书 $DOMAIN 已更新\" >> /var/log/acme_renewal.log"
+# --- 4. 开始申请 ---
+echo "[2/3] 正在向 CA 机构申请证书 (需等待几秒)..."
+~/.acme.sh/acme.sh --issue -d "$DOMAIN" --standalone --force
-# --- 5. 结果反馈 ---
+# --- 5. 结果处理 ---
 if [ $? -eq 0 ]; then
+ echo "[3/3] 申请成功!正在导出文件..."
+
+ # 安装证书到 /data 目录
+ ~/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
+ --key-file "$CERT_DIR/$DOMAIN.key" \
+ --fullchain-file "$CERT_DIR/$DOMAIN.crt"
+
 echo ""
- echo "========================================================"
- echo " ✅ 证书申请成功!"
- echo " 域名: $DOMAIN"
- echo " 公钥 (crt): $CERT_BASE_DIR/$DOMAIN.crt"
- echo " 私钥 (key): $CERT_BASE_DIR/$DOMAIN.key"
- echo "========================================================"
+ echo "🎉 ======================================= 🎉"
+ echo " 证书申请成功!已保存到本机 /data"
+ echo "==========================================="
+ echo "📂 私钥 (Key): $CERT_DIR/$DOMAIN.key"
+ echo "📄 公钥 (Crt): $CERT_DIR/$DOMAIN.crt"
+ echo "==========================================="
+ echo "💡 下一步提示:"
+ echo "现在您可以把这两个文件复制到您的 NAT 机器上了。"
+ echo "scp -P <端口> $CERT_DIR/$DOMAIN.* root@:/您的路径/"
+ echo "==========================================="
 else
 echo ""
- echo " ❌ 申请失败。"
- echo "请检查:1. 域名解析是否生效? 2. 防火墙是否放行了 80 端口?"
+ echo "❌ 申请失败!"
+ echo "常见原因:"
+ echo "1. 域名解析还没生效,或者解析的不是这台机器的 IP。"
+ echo "2. 云服务商的安全组(防火墙)没有放行 80 端口。"
 fi
 EOF
-chmod +x cert_apply.sh
+# 赋予权限并运行
+chmod +x cert_factory_interactive.sh
+./cert_factory_interactive.sh
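Review bot: The port-80 preparation is destructive and is never reverted: `fuser -k 80/tcp` kills whatever is listening (the y/n confirmation that guarded this step in the old version is dropped), and `iptables -I INPUT -p tcp --dport 80 -j ACCEPT` is inserted at the head of INPUT on every run, so each invocation leaves another allow rule in place until reboot and a stopped web server behind. Consider restoring the confirmation before `fuser -k`, and removing the rule once acme.sh has returned, e.g. `trap 'iptables -D INPUT -p tcp --dport 80 -j ACCEPT >/dev/null 2>&1' EXIT` right after the `-I` line. The `>/dev/null 2>&1` on the iptables call also hides a failed insertion even though the failure branch at the bottom tells the user to check the firewall; keeping that exit status and reporting it there would make the message actionable. The private key is written to `$CERT_DIR/$DOMAIN.key` without an explicit mode; unless acme.sh is known to restrict it, a `chmod 600 "$CERT_DIR/$DOMAIN.key"` after `--install-cert` is worth adding.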