A collection of bash scripts for SSL certificate management on Linux servers with automatic renewal.
This repository contains tools for simple and automated SSL certificate management:
- `cert_manager.sh` - Simplified script for SSL certificate management only
- `tls.sh` - Original full-featured 3X-UI panel management script
```bash
# Download the script
wget https://github.com/teslaproduuction/TLScript/raw/main/cert_manager.sh
chmod +x cert_manager.sh
# Run interactive menu
sudo ./cert_manager.sh
# Or use direct commands
sudo ./cert_manager.sh install # Install dependencies
sudo ./cert_manager.sh issue # Issue certificate
```

- ✅ HTTP validation (port 80)
- ✅ Cloudflare DNS validation
- ✅ AWS Route53 DNS validation
- ✅ Google Cloud DNS validation
- ✅ DigitalOcean DNS validation
- ✅ ZeroSSL as alternative CA
- ✅ Standalone mode (port 80)
- ✅ Webroot mode (existing web server)
- ✅ Cloudflare DNS plugin
- ✅ AWS Route53 DNS plugin
- ✅ Google Cloud DNS plugin
- ✅ DigitalOcean DNS plugin
- ✅ Revoke certificates
- ✅ Force renew certificates
- ✅ View all installed certificates
- ✅ Generate self-signed certificates
- ✅ Automatic installation of all dependencies
- ✅ Setup cron for automatic renewal
- ✅ Renewal process logging
- ✅ Auto-update acme.sh and certbot
- Ubuntu 20.04+
- Debian 11+
- CentOS 8+
- Fedora 36+
- Arch Linux
- AlmaLinux 9+
- Rocky Linux 9+
- Oracle Linux 8+
```bash
sudo ./cert_manager.sh
```

You will see this menu:

```
SSL Certificate Management Script
0. Exit Script
───────────────────────────────────────
ACME.SH Methods (Let's Encrypt/ZeroSSL)
1. Issue via acme.sh (HTTP validation)
2. Issue via acme.sh (Cloudflare DNS)
3. Issue via acme.sh (AWS Route53 DNS)
4. Issue via acme.sh (Google Cloud DNS)
5. Issue via acme.sh (DigitalOcean DNS)
6. Issue via acme.sh (ZeroSSL CA)
───────────────────────────────────────
CERTBOT Methods
11. Issue via Certbot (Standalone)
12. Issue via Certbot (Webroot)
13. Issue via Certbot (Cloudflare DNS)
14. Issue via Certbot (AWS Route53 DNS)
15. Issue via Certbot (Google Cloud DNS)
16. Issue via Certbot (DigitalOcean DNS)
───────────────────────────────────────
Certificate Management
21. Revoke Certificate
22. Force Renew Certificate
23. List All Certificates
───────────────────────────────────────
Other Options
31. Generate Self-Signed Certificate
32. Install Dependencies
33. Setup Automatic Renewal
34. Check Auto-Renewal Status
Please enter your selection:
```
```
Please enter your selection [0-8]: 1
[INF] Installing required dependencies...
[INF] Dependencies installed successfully
Installing acme.sh...
[INF] Install acme.sh succeed
Please enter your domain name: example.com
[DEG] Your domain is: example.com, checking it...
[INF] Your domain is ready for issuing certificate now...
Please choose which port to use, default will be 80 port: 80
[INF] Will use port: 80 to issue certificates, please make sure this port is open...
[INF] Issue certificates succeed, installing certificates...
[INF] Install certificates succeed
[INF] Setting up automatic certificate renewal...
[INF] Auto renewal cron job added successfully
[INF] Automatic certificate renewal setup completed
[INF] Certificate installation completed successfully!
[INF] Certificate files are located at: /root/cert/example.com
[INF] Private key: /root/cert/example.com/privkey.pem
[INF] Full chain: /root/cert/example.com/fullchain.pem
```
```
Please enter your selection [0-8]: 2
[DEG] ******Instructions for use******
[INF] This Acme script requires the following data:
[INF] 1. Cloudflare Registered email
[INF] 2. Cloudflare Global API Key
[INF] 3. The domain name that has been resolved DNS to the current server by Cloudflare
[INF] 4. The script applies for a certificate. The default installation path is /root/cert
Confirmed? [y/n]: y
Please set a domain name:
Input your domain here: example.com
[DEG] Your domain name is set to: example.com
Please set the API key:
Input your key here: your_cloudflare_api_key_here
[DEG] Your API key is: your_cloudflare_api_key_here
Please set up registered email:
Input your email here: your@email.com
[DEG] Your registered email address is: your@email.com
[INF] Certificate issued Successfully, Installing...
[INF] Certificate installed Successfully
[INF] Auto renewal cron job added successfully
[INF] The certificate is installed and auto-renewal is turned on. Certificate files location:
total 16K
-rw-r--r-- 1 root root 1.8K Jan 15 10:30 ca.cer
-rw-r--r-- 1 root root 3.8K Jan 15 10:30 example.com.cer
-rw-r--r-- 1 root root 1.7K Jan 15 10:30 example.com.key
-rw-r--r-- 1 root root 5.5K Jan 15 10:30 fullchain.cer
```
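
The listing above shows `example.com.key` with mode `-rw-r--r--`, the same as the public certificate files. The following is an added example, not part of `cert_manager.sh`, that finds private keys readable by group or others and tightens them; the function names are hypothetical, the demo files are constructed placeholders, and GNU `find` is assumed.

```shell
#!/usr/bin/env bash
# Added example: audit and tighten private-key permissions in a certificate tree.
# Key file names (*.key, privkey.pem) follow the file names shown in this README.

# Print every private key under $1 that grants any group/other permission bit.
find_exposed_keys() {
    find "$1" -type f \( -name '*.key' -o -name 'privkey.pem' \) -perm /077 | sort
}

# Restrict exposed keys to owner read/write and the tree root to owner-only.
# Certificates (*.cer, fullchain.pem) are public data and are left untouched.
harden_keys() {
    local dir=$1 key
    chmod 700 "$dir"
    find_exposed_keys "$dir" | while IFS= read -r key; do
        chmod 600 "$key"
        echo "tightened: $key"
    done
}

# Constructed fixture mirroring the listing above (all files mode 644).
# The file contents are placeholders, not real key material.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/example.com"
for f in ca.cer example.com.cer example.com.key fullchain.cer; do
    echo "placeholder" > "$demo_dir/example.com/$f"
    chmod 644 "$demo_dir/example.com/$f"
done

echo "exposed before:"
find_exposed_keys "$demo_dir"
harden_keys "$demo_dir"
echo "exposed after:"
find_exposed_keys "$demo_dir"
rm -rf "$demo_dir"
```

On a real host the argument would be the certificate directory the script reports, `/root/cert`.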
```
Please enter your selection [0-8]: 8
[INF] Checking automatic renewal status...
[INF] Auto renewal cron job is configured:
30 2 * * * ~/.acme.sh/acme.sh --cron --home ~/.acme.sh > /var/log/acme_renewal.log 2>&1
[INF] acme.sh auto-upgrade is enabled
[INF] Last renewal log entries:
[Sat Jan 15 02:30:01 UTC 2024] Renewing domain: example.com
[Sat Jan 15 02:30:01 UTC 2024] Domain example.com renewed successfully
[Sat Jan 15 02:30:02 UTC 2024] Cert success.
```
The script supports direct function calls via command line:
| Command | Description |
|---|---|
| `install` | Install all dependencies (acme.sh, certbot) |
| `issue` | Issue certificate via HTTP (acme.sh) |
| `cloudflare` | Issue certificate via Cloudflare DNS (acme.sh) |
| `route53` | Issue certificate via AWS Route53 DNS (acme.sh) |
| `gcloud` | Issue certificate via Google Cloud DNS (acme.sh) |
| `digitalocean` | Issue certificate via DigitalOcean DNS (acme.sh) |
| `zerossl` | Issue certificate via ZeroSSL CA (acme.sh) |
| `certbot-standalone` | Issue certificate via Certbot standalone |
| `certbot-webroot` | Issue certificate via Certbot webroot |
| `self-signed` | Generate self-signed certificate |
| `revoke` | Revoke certificate |
| `renew` | Force renew certificate |
| `list` | Show all certificates |
| `check` | Check auto-renewal status |
| `setup-renewal` | Setup automatic renewal |
The project includes a comprehensive automated testing system via GitHub Actions:
- Main Tests (`test.yml`) - run on every push/PR:
  - ✅ ShellCheck code analysis
  - ✅ Bash syntax validation
  - ✅ Basic functionality tests
  - ✅ Dependency installation tests
  - ✅ Security analysis
  - ✅ Documentation checks
  - ✅ Integration tests
  - ✅ Performance tests
- Multi-Platform Tests (`multi-os-test.yml`):
  - Ubuntu 20.04, 22.04, 24.04
  - Debian 11, 12
  - CentOS Stream 8, 9
  - AlmaLinux 9
  - Rocky Linux 9
  - Fedora 38, 39, 40
  - Arch Linux
  - openSUSE Tumbleweed
- Alternative OS Tests (`alt-os-test.yml`):
  - Amazon Linux 2023
  - Oracle Linux 8, 9
  - Red Hat UBI 8, 9
  - Alpine Linux
  - BusyBox
- Code Quality Checks (`code-quality.yml`):
  - ShellCheck with different severity levels
  - Security scanning
  - Code style verification
  - Dependency analysis
Before committing, it's recommended to run local tests:
```bash
# Syntax check
bash -n cert_manager.sh
# ShellCheck analysis (requires shellcheck installation)
shellcheck -S warning cert_manager.sh
# Basic functional test
echo "0" | sudo ./cert_manager.sh
```

```bash
sudo ./cert_manager.sh issue
# Enter domain: example.com
# Enter port (default 80): 80
```

```bash
sudo ./cert_manager.sh cloudflare
# Enter domain: example.com
# Enter Cloudflare API Key: your_api_key
# Enter email: your@email.com
```

```bash
sudo ./cert_manager.sh check
# Shows cron task status and latest logs
```

```
/root/cert/                    # Certificates directory
├── example.com/
│   ├── privkey.pem            # Private key
│   └── fullchain.pem          # Full certificate chain
~/.acme.sh/                    # acme.sh installation
/var/log/acme_renewal.log      # Auto-renewal log
```
The script automatically:
- Installs a cron task for a daily check at 2:30 AM
- Enables acme.sh auto-update
- Logs all renewal operations

The cron task looks like this:

```
30 2 * * * ~/.acme.sh/acme.sh --cron --home ~/.acme.sh > /var/log/acme_renewal.log 2>&1
```

- Requires root privileges to operate
- Certificates are saved in the secure `/root/cert/` directory
- Uses the official acme.sh client
- Supports only trusted certificate authorities (Let's Encrypt)
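
The cron entry shown earlier redirects with `>`, so every run overwrites `/var/log/acme_renewal.log` and only the latest run is visible there. The following added example (not part of `cert_manager.sh`) checks the certificates themselves for upcoming expiry; it assumes the `openssl` CLI is installed, the function names are hypothetical, and the demo certificates are self-signed fixtures generated on the spot.

```shell
#!/usr/bin/env bash
# Added example: flag certificates near expiry by reading the certificate
# itself instead of relying on the renewal log.

# Print each fullchain.pem under $1 whose leaf certificate expires within
# $2 days, or that openssl cannot parse at all.
certs_expiring_within() {
    local root=$1 seconds=$(( $2 * 86400 )) chain
    find "$root" -type f -name 'fullchain.pem' | sort | while IFS= read -r chain; do
        # -checkend exits non-zero when the first certificate in the file
        # (the leaf) expires within the given number of seconds.
        if ! openssl x509 -in "$chain" -noout -checkend "$seconds" >/dev/null 2>&1; then
            echo "$chain"
        fi
    done
}

# Constructed fixture: self-signed certificate valid for $2 days in directory $1,
# using the privkey.pem/fullchain.pem names from this README.
make_demo_cert() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=$(basename "$1")" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

demo_root=$(mktemp -d)
make_demo_cert "$demo_root/soon.example" 5    # should be reported
make_demo_cert "$demo_root/fresh.example" 90  # should not be reported

expiring=$(certs_expiring_within "$demo_root" 30)
if [ -n "$expiring" ]; then
    echo "certificates expiring within 30 days:"
    echo "$expiring"
fi
rm -rf "$demo_root"
```

Run against `/root/cert` from a separate scheduled job, a non-empty result means renewal has not happened for that domain regardless of what the log says.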
- Linux server with one of the supported distributions
- Root privileges
- Internet connection
- Domain must point to your server
- Port 80 must be available
- Domain must use Cloudflare as DNS
- Cloudflare Global API Key
- Cloudflare account email
```bash
# Find process using the port
sudo lsof -i :80
# Stop web server temporarily
sudo systemctl stop nginx # or apache2
# Issue certificate
sudo ./cert_manager.sh issue
# Start web server back
sudo systemctl start nginx
```

```bash
# acme.sh logs
tail -f ~/.acme.sh/*.log
# Auto-renewal logs
tail -f /var/log/acme_renewal.log
# Check cron
sudo crontab -l | grep acme
```

This project is distributed under the MIT License. See the LICENSE file for detailed information.
Pull requests are welcome! For major changes, please open an issue first to discuss.
If you encounter problems:
- Check the "Troubleshooting" section
- Review the logs
- Create an issue with a description of the problem