飞牛fnOS在使用DDNS时,需要签发自己域名的SSL证书。但目前并没有该功能。
论坛里有方案:飞牛fnos使用acme.sh自动部署并自动更新ssl证书【脚本更新】 - 攻略分享 飞牛私有云论坛 fnOS,原作者为:https://blog.csdn.net/jummewu
原脚本只能签发RSA证书,因此做了点调整改动,使其能够签发ECC证书。
#!/bin/bash set -euo pipefail# ============================== # 🛠️ 配置区(请按需修改) # ============================== DOMAIN="domain.com" DNS_PROVIDER="dns_dp" # DNSPod DP_Id="123456" # ← 替换为你的 DNSPod ID DP_Key="1111111" # ← 替换为你的 DNSPod Token# 证书服务商:letsencrypt 或 zerossl CERT_SERVER="letsencrypt"# --- ZeroSSL 专用配置(当 CERT_SERVER=zerossl 时必填)--- # 获取 EAB 凭据:https://app.zerossl.com/developer # Email="admin@cnraft.com" # EAB_kid="xxxxx" # EAB_hmac_key="xxxxx"DNS_SLEEP=120 SSLS_DIR="/usr/trim/var/trim_connect/ssls" CONF_FILE="/usr/trim/etc/network_gateway_cert.conf" RELOAD_CMD="systemctl restart webdav.service smbftpd.service trim_nginx.service"# ============================== # 🧰 工具函数 # ============================== log() { echo -e "\033[1;34m[INFO]\033[0m $*"; } warn() { echo -e "\033[1;33m[WARN]\033[0m $*" >&2; } err() { echo -e "\033[1;31m[ERROR]\033[0m $*" >&2; exit 1; }check_cmd() {command -v "$1" &>/dev/null || err "Command '$1' not found." }install_jq() {if command -v jq &>/dev/null; then return; fiif command -v apt-get &>/dev/null; thenapt-get update && apt-get install -y jq || err "apt install jq failed"elif command -v apk &>/dev/null; thenapk add --no-cache jq || err "apk add jq failed"elseerr "Unsupported OS: cannot auto-install jq."fi }# ============================== # 🚀 主流程 # ============================== START_TT=$(date +%s%3N)# --- 检查依赖 --- check_cmd date psql openssl install_jqACME_SH=$(command -v acme.sh 2>/dev/null || echo "/root/.acme.sh/acme.sh") [[ -x "$ACME_SH" ]] || err "acme.sh not found."export DP_Id DP_Key [[ -z "$DP_Id" ]] && err "DP_Id is empty!" [[ -z "$DP_Key" ]] && err "DP_Key is empty!"# --- 申请证书 --- log "Issuing ECC certificate for $DOMAIN and *.$DOMAIN via $CERT_SERVER..."case "$CERT_SERVER" inletsencrypt)"$ACME_SH" --force --log \--issue \--dns "$DNS_PROVIDER" --dnssleep "$DNS_SLEEP" \-d "$DOMAIN" -d "*.$DOMAIN" \--ecc --keylength ec-256;;zerossl)[[ -z "${Email:-}" || -z "${EAB_kid:-}" || -z "${EAB_hmac_key:-}" ]] && \err "ZeroSSL requires Email, EAB_kid, EAB_hmac_key"export Email EAB_kid EAB_hmac_key"$ACME_SH" --register-account -m "$Email" --server zerossl \--eab-kid "$EAB_kid" --eab-hmac-key "$EAB_hmac_key" || true"$ACME_SH" --force --log \--issue \--dns "$DNS_PROVIDER" --dnssleep "$DNS_SLEEP" \-d "$DOMAIN" -d "*.$DOMAIN" \--ecc --keylength ec-256;;*) err "Unsupported CERT_SERVER: $CERT_SERVER";; esac# --- 获取证书元数据(使用 Le_ 前缀字段)--- CERT_INFO_RAW="$("$ACME_SH" --info -d "$DOMAIN" --ecc)"Le_CertCreateTimeStr=$(echo "$CERT_INFO_RAW" | grep '^Le_CertCreateTimeStr=' | cut -d= -f2) Le_NextRenewTimeStr=$(echo "$CERT_INFO_RAW" | grep '^Le_NextRenewTimeStr=' | cut -d= -f2)if [ -z "$Le_CertCreateTimeStr" ] || [ -z "$Le_NextRenewTimeStr" ]; thenerr "Missing Le_CertCreateTimeStr or Le_NextRenewTimeStr in acme.sh output." fi# UTC+8 中国时区 CERT_CREATE_TT=$(date -d "${Le_CertCreateTimeStr} 8 hours" +%s%3N) CERT_CREATE=$(date -d "${Le_CertCreateTimeStr} 8 hours" +%s) CERT_RENEW_TT=$(date -d "${Le_NextRenewTimeStr} 1 month 8 hours" +%s%3N) CERT_RENEW=$(date -d "${Le_NextRenewTimeStr} 1 month 8 hours" +%s)# --- 创建目录 & 安装证书 --- CERT_DIR="${SSLS_DIR}/${DOMAIN}/${CERT_CREATE}" mkdir -p "$CERT_DIR"CERT_FILE="$CERT_DIR/${DOMAIN}.cer" KEY_FILE="$CERT_DIR/${DOMAIN}.key" FULLCHAIN_FILE="$CERT_DIR/fullchain.cer" CA_FILE="$CERT_DIR/issuer_certificate.crt""$ACME_SH" --install-cert -d "$DOMAIN" --ecc \--cert-file "$CERT_FILE" \--key-file "$KEY_FILE" \--fullchain-file "$FULLCHAIN_FILE" \--ca-file "$CA_FILE" \--reloadcmd "$RELOAD_CMD"chmod 755 "$KEY_FILE" "$CERT_FILE" "$FULLCHAIN_FILE" "$CA_FILE"# --- 提取证书信息 --- ISSUER=$(openssl x509 -in "$CERT_FILE" -noout -issuer | awk -F' = ' '{print $NF}' | sed 's/,.*$//' || echo "unknown") SIG_ALGO=$(openssl x509 -in "$CERT_FILE" -noout -text | awk '/Signature Algorithm:/{print $3; exit}' || echo "unknown")case "$SIG_ALGO" in*RSA*) ALGO_TYPE="RSA" ;;*ECDSA*|*ECC*) ALGO_TYPE="ECC" ;;*SM2*) ALGO_TYPE="SM2" ;;*) ALGO_TYPE="UNKNOWN" ;; esac# --- 更新 PostgreSQL 数据库 --- if psql -qtAX -U postgres -d trim_connect -c "SELECT 1 FROM cert WHERE domain = '$DOMAIN';" | grep -q 1; thenpsql -U postgres -d trim_connect -c " UPDATE cert SETvalid_from = $CERT_CREATE_TT,valid_to = $CERT_RENEW_TT,encrypt_type = '$ALGO_TYPE',issued_by = '$ISSUER',last_renew_time = $START_TT,des = '由acme.sh自动生成的正式证书 ($CERT_SERVER)',private_key = '$KEY_FILE',certificate = '$CERT_FILE',issuer_certificate = '$CA_FILE',status = 'suc',updated_time = $START_TTWHERE domain = '$DOMAIN';" >/dev/null elseMAX_ID=$(psql -qtAX -U postgres -d trim_connect -c "SELECT COALESCE(MAX(id), 0) FROM cert;" 2>/dev/null)DOMAIN_ID=$((MAX_ID + 1))psql -U postgres -d trim_connect -c " INSERT INTO cert (id, domain, subject_alt_name, common_name,valid_from, valid_to, encrypt_type, issued_by,created_time, des, retry_count, error_msg,deploy_type, deploy_extra,private_key, certificate, issuer_certificate,status, last_renew_time, updated_time) VALUES ($DOMAIN_ID, '$DOMAIN', '*.$DOMAIN', '$DOMAIN',$CERT_CREATE_TT, $CERT_RENEW_TT, '$ALGO_TYPE', '$ISSUER',$START_TT, '由acme.sh自动生成的正式证书 ($CERT_SERVER)', 0, NULL,'upload', NULL,'$KEY_FILE', '$CERT_FILE', '$CA_FILE','suc', $START_TT, $START_TT);" >/dev/null fi# --- 更新 NGINX JSON 配置--- [[ -f "$CONF_FILE" ]] || { echo "[]" > "$CONF_FILE"; }NEW_ENTRY=$(jq -n \--arg host "$DOMAIN" \--arg cert "$FULLCHAIN_FILE" \--arg key "$KEY_FILE" \'{host: $host, cert: $cert, key: $key}' )CURRENT=$(jq -c '.' "$CONF_FILE" 2>/dev/null || echo "[]")if echo "$CURRENT" | jq -e ".[] | select(.host == \"$DOMAIN\")" >/dev/null; thenUPDATED=$(echo "$CURRENT" | jq --argjson new "$NEW_ENTRY" 'map(if .host == $new.host then $new else . end)') elseUPDATED=$(echo "$CURRENT" | jq --argjson new "$NEW_ENTRY" '. += [$new]') ficp "$CONF_FILE" "$CONF_FILE.$START_TT.bak" echo "$UPDATED" | jq -c '.' > "$CONF_FILE"if ! grep -F "$FULLCHAIN_FILE" "$CONF_FILE" >/dev/null; thenerr "NGINX config updated but cert path not found." fi# --- 重载服务 + 清理旧证书 --- $RELOAD_CMD || truefind "${SSLS_DIR}/${DOMAIN}" -maxdepth 1 -type d -mtime +90 -exec rm -rf {} + 2>/dev/null || true find /usr/trim/etc/ -name "network_gateway_cert.conf.*.bak" -mtime +90 -delete 2>/dev/null || true# --- 生成摘要配置 --- CONF_SUMMARY="${SSLS_DIR}/${DOMAIN}/sslpath.conf" cat > "$CONF_SUMMARY" <<EOF DOMAIN=$DOMAIN CERT_CREATE_TT=$CERT_CREATE_TT CERT_RENEW_TT=$CERT_RENEW_TT ALGO_TYPE=$ALGO_TYPE CERT_ISSUED_BY=$ISSUER TT=$START_TT DOMAIN_SSL_DIR=$CERT_DIR CERT_SERVER=$CERT_SERVER STAGING=false EOFlog "✅ Certificate deployed: $CERT_DIR" log "📌 Summary: $CONF_SUMMARY"
保存为deploy-cert.sh并给执行权限:
chmod +x deploy-cert.sh ./deploy-cert.sh
最后将其添加到计划任务中:
# 每月1日 2:30 执行 30 2 1 * * /path/to/deploy-cert.sh >> /var/log/acme-deploy.log 2>&1