Rename and enhance SSL certificate application script

This commit is contained in:
2026-01-16 12:44:56 +08:00
committed by GitHub
parent 28a65c7b33
commit 419f50ce81

111
ssl

@@ -1,75 +1,82 @@
cat << 'EOF' > cert_apply.sh
cat << 'EOF' > cert_factory_interactive.sh
#!/bin/bash
# --- 1. 获取用户输入 ---
read -p "请输入您要申请的域名 (例如: ui.shanghi.net): " DOMAIN
# ==========================================
# 跳板机 SSL 证书申请工厂 (交互版)
# ==========================================
# 简单的非空检查
# --- 1. 交互式输入 ---
echo "----------------------------------------------------"
read -p "请输入您要申请的域名 (例如: ui.shanghi.net): " DOMAIN
echo "----------------------------------------------------"
# 空值检查
if [ -z "$DOMAIN" ]; then
echo "错误:域名不能为空"
echo "错误:域名不能为空,脚本已退出。"
exit 1
fi
# 确认信息
echo "----------------------------------------"
echo "准备为域名: $DOMAIN 申请证书"
echo "存放路径: /data/$DOMAIN.key"
echo "----------------------------------------"
read -p "确认无误请按回车继续,取消请按 Ctrl+C ..."
# --- 2. 关键提醒 (跳板机模式专用) ---
echo "⚠️ 【重要提醒】 ⚠️"
echo "您正在使用跳板机模式。在继续之前,请务必确认:"
echo "👉 域名 [$DOMAIN] 的 DNS 解析目前必须指向本机 IP"
echo " (拿到证书后,您再改回 NAT 机器的 IP)"
echo ""
read -p "确认解析已生效?按回车继续 (或按 Ctrl+C 取消)..."
# --- 2. 基础配置 ---
CERT_BASE_DIR="/data"
EMAIL="my@example.com" # 默认邮箱,不需要每次改
# --- 3. 环境准备 ---
CERT_DIR="/data"
mkdir -p "$CERT_DIR"
# 确保目录存在
mkdir -p $CERT_BASE_DIR
# --- 3. 环境检查 (安装 socat) ---
# 只有未安装时才尝试安装
echo "[1/3] 正在检查环境与清理端口..."
# 安装 socat
if ! command -v socat &> /dev/null; then
echo "正在安装 socat (Standalone模式依赖)..."
if [ -f /usr/bin/apt ]; then
apt update && apt install socat -y
elif [ -f /usr/bin/yum ]; then
yum install socat -y
fi
else
echo "检测到 socat 已安装,跳过安装步骤。"
echo " -> 安装 socat..."
if [ -f /usr/bin/apt ]; then apt update && apt install socat -y >/dev/null; fi
if [ -f /usr/bin/yum ]; then yum install socat -y >/dev/null; fi
fi
# --- 4. 核心申请逻辑 ---
# 检查 80 端口是否被占用 (简单的防呆检查)
# 清理 80 端口 (防止 Nginx 等占用)
if lsof -Pi :80 -sTCP:LISTEN -t >/dev/null ; then
echo "警告:检测到 80 端口被占用"
echo "Standalone 模式需要占用 80 端口。请先停止 Nginx/Apache或确保没有服务占用 80。"
read -p "是否强制尝试继续? (y/n): " force_run
if [ "$force_run" != "y" ]; then
echo "脚本已终止。"
exit 1
fi
echo " -> 发现 80 端口被占用,正在释放..."
fuser -k 80/tcp >/dev/null 2>&1
fi
# 开放防火墙
iptables -I INPUT -p tcp --dport 80 -j ACCEPT >/dev/null 2>&1
echo "正在向 CA 机构申请证书..."
~/.acme.sh/acme.sh --issue -d "$DOMAIN" --standalone --email "$EMAIL" --force \
--install-cert -d "$DOMAIN" \
--key-file "$CERT_BASE_DIR/$DOMAIN.key" \
--fullchain-file "$CERT_BASE_DIR/$DOMAIN.crt" \
--reloadcmd "echo \"\$(date): 证书 $DOMAIN 已更新\" >> /var/log/acme_renewal.log"
# --- 4. 开始申请 ---
echo "[2/3] 正在向 CA 机构申请证书 (需等待几秒)..."
~/.acme.sh/acme.sh --issue -d "$DOMAIN" --standalone --force
# --- 5. 结果反馈 ---
# --- 5. 结果处理 ---
if [ $? -eq 0 ]; then
echo "[3/3] 申请成功!正在导出文件..."
# 安装证书到 /data 目录
~/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
--key-file "$CERT_DIR/$DOMAIN.key" \
--fullchain-file "$CERT_DIR/$DOMAIN.crt"
echo ""
echo "========================================================"
echo " 证书申请成功!"
echo " 域名: $DOMAIN"
echo " 公钥 (crt): $CERT_BASE_DIR/$DOMAIN.crt"
echo " 私钥 (key): $CERT_BASE_DIR/$DOMAIN.key"
echo "========================================================"
echo "🎉 ======================================= 🎉"
echo " 证书申请成功!已保存到本机 /data"
echo "==========================================="
echo "📂 私钥 (Key): $CERT_DIR/$DOMAIN.key"
echo "📄 公钥 (Crt): $CERT_DIR/$DOMAIN.crt"
echo "==========================================="
echo "💡 下一步提示:"
echo "现在您可以把这两个文件复制到您的 NAT 机器上了。"
echo "scp -P <端口> $CERT_DIR/$DOMAIN.* root@<NAT_IP>:/您的路径/"
echo "==========================================="
else
echo ""
echo " 申请失败"
echo "请检查1. 域名解析是否生效? 2. 防火墙是否放行了 80 端口?"
echo " 申请失败"
echo "常见原因:"
echo "1. 域名解析还没生效,或者解析的不是这台机器的 IP。"
echo "2. 云服务商的安全组(防火墙)没有放行 80 端口。"
fi
EOF
chmod +x cert_apply.sh
# 赋予权限并运行
chmod +x cert_factory_interactive.sh
./cert_factory_interactive.sh
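Review bot: The new port-80 handling at `fuser -k 80/tcp >/dev/null 2>&1` kills whatever process owns port 80 without asking, whereas the previous version stopped and prompted `是否强制尝试继续? (y/n)` before touching it; on a host where that listener is a production Nginx this silently takes the site down, and the gate before it depends on `lsof` being installed (if it is missing the check is skipped, not failed). Keep the destructive step behind an explicit confirmation, e.g. `read -p "80 端口被占用,是否终止占用进程? (y/n): " kill_80` / `[ "$kill_80" = "y" ] || { echo "脚本已终止。"; exit 1; }` / `fuser -k 80/tcp >/dev/null 2>&1`, and guard the check with `command -v lsof >/dev/null || { echo "需要 lsof"; exit 1; }`. The private key is then written to `$CERT_DIR/$DOMAIN.key` with whatever umask the operator's shell has; I would add `umask 077` before the `--install-cert` call (or `chmod 600` the key afterwards) so it is not world-readable, and `chmod 700 "$CERT_DIR"` after `mkdir -p`. `$DOMAIN` is also interpolated unvalidated into the file paths and the acme.sh arguments — a check such as `[[ "$DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "域名格式不正确"; exit 1; }` next to the empty-string check is cheap. If the `iptables -I INPUT -p tcp --dport 80 -j ACCEPT` line is on the new side (its side is not visible here), note that it inserts a fresh ACCEPT rule on every run and is never removed.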