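#!/bin/bash
#
# Issue a Let's Encrypt certificate with acme.sh (DNS-01 challenge through
# Aliyun or Tencent Cloud DNS) and install it at the paths the running nginx
# already uses for ssl_certificate / ssl_certificate_key, then reload nginx.
#
# Usage:  script.sh [--ali|--tencent]      (--ali is the default)
# Env:    ACME_ZIP_SHA256  optional, the expected sha256 of the acme.sh
#                          archive; when set, a mismatching download aborts.
# Must run as root: it writes under /root and manages nginx via systemctl.

ACME_VERSION="3.1.0"
ACME_URL="http://ai.dipcc.com/acme/acme.sh-${ACME_VERSION}.zip"
ACME_ZIP="/root/acme.zip"
ACME_DIR="/root/acme.sh-${ACME_VERSION}"

#######################################
# Locate the nginx binary: PATH first, then well-known install dirs,
# finally the executable of the oldest running nginx process.
# Outputs: the path on stdout, nothing if not found
#######################################
get_nginx_bin() {
  local found dir pid
  found=$(command -v nginx 2>/dev/null)
  if [ -z "$found" ]; then
    for dir in /usr/local/nginx/sbin /usr/sbin /usr/bin /sbin; do
      if [ -x "$dir/nginx" ]; then
        found="$dir/nginx"
        break
      fi
    done
  fi
  if [ -z "$found" ]; then
    pid=$(pgrep -o nginx 2>/dev/null)
    [ -n "$pid" ] && found=$(readlink -f "/proc/$pid/exe" 2>/dev/null)
  fi
  echo "$found"
}

#######################################
# Pick the acme.sh DNS hook from the first CLI argument.
# Globals:   DNS_API (written)
# Arguments: $1 - "--ali" (default when empty) or "--tencent"
# Returns:   exits 1 on an unknown argument
#######################################
parse_args() {
  case "$1" in
    --tencent)
      DNS_API="dns_tencent"
      echo "👉 即将使用api: 腾讯云"
      ;;
    --ali|"")
      DNS_API="dns_ali"
      echo "👉 即将使用api: 阿里云"
      ;;
    *)
      echo "❌ 未知参数: $1"
      echo "可用参数:"
      echo "  --ali      使用阿里云 DNS(默认)"
      echo "  --tencent  使用腾讯云 DNS"
      exit 1
      ;;
  esac
}

#######################################
# Print the value of the first occurrence of an nginx directive, as seen in
# the fully resolved configuration (nginx -T), without the trailing ';'.
# Globals:   NGINX_BIN (read)
# Arguments: $1 - directive name, e.g. ssl_certificate
#######################################
nginx_conf_value() {
  "$NGINX_BIN" -T 2>/dev/null | awk -v key="$1" '$1 == key {gsub(";","",$2); print $2; exit}'
}

#######################################
# Turn a certificate path from the nginx config into the file this script
# should write. Absolute paths are used as-is (writing anywhere else would
# leave nginx serving the old certificate); a relative value keeps the
# historical behaviour of "<conf dir>/<basename>".
# Globals:   NGINX_CONF_PATH (read)
# Arguments: $1 - path as written in the nginx config
#######################################
resolve_conf_path() {
  case "$1" in
    /*) printf '%s\n' "$1" ;;
    *)  printf '%s/%s\n' "$NGINX_CONF_PATH" "$(basename "$1")" ;;
  esac
}

#######################################
# Find nginx, its config directory and the certificate/key files it loads.
# Globals:   NGINX_BIN, NGINX_CONF_PATH, CERT_FILE, KEY_FILE (written)
# Returns:   exits 1 when nginx or its TLS configuration cannot be found
#######################################
detect_nginx() {
  local conf_file
  NGINX_BIN=$(get_nginx_bin)
  if [ -z "$NGINX_BIN" ]; then
    echo "❌ 错误:未探测到nginx可执行文件"
    echo "请检查nginx是否安装,或手动加入环境变量"
    exit 1
  fi
  echo "探测到nginx路径: $NGINX_BIN"

  # "nginx: the configuration file /path/nginx.conf syntax is ok" -> /path/nginx.conf
  conf_file=$("$NGINX_BIN" -t 2>&1 | awk -F'file ' '/configuration file/ {print $2}' | awk '{print $1}' | head -n 1)
  # Fallback: the compiled-in default reported by nginx -V (--conf-path=...).
  if [ -z "$conf_file" ]; then
    conf_file=$("$NGINX_BIN" -V 2>&1 | grep -o -- '--conf-path=[^ ]*' | head -n 1)
    conf_file=${conf_file#--conf-path=}
  fi
  # Without this guard dirname "" yields "." and the certificate would be
  # written into the current directory.
  if [ -z "$conf_file" ]; then
    echo "❌ 错误:无法确定nginx配置文件路径"
    exit 1
  fi
  NGINX_CONF_PATH=$(dirname "$conf_file")

  local cert_value key_value
  cert_value=$(nginx_conf_value ssl_certificate)
  key_value=$(nginx_conf_value ssl_certificate_key)
  if [ -z "$cert_value" ] || [ -z "$key_value" ]; then
    echo "❌ 错误: 配置中未找到证书配置"
    exit 1
  fi
  CERT_FILE=$(resolve_conf_path "$cert_value")
  KEY_FILE=$(resolve_conf_path "$key_value")
}

#######################################
# Prompt for the DNS provider credentials and export them for acme.sh's
# dns_ali / dns_tencent hooks. The secret half is read with -s so it is not
# echoed into the terminal scrollback; it is still exported into the
# environment of the acme.sh child process, which is how the hooks read it.
# Globals:   DNS_API (read); Ali_Key, Ali_Secret, Tencent_SecretId,
#            Tencent_SecretKey (exported)
#######################################
read_credentials() {
  if [ "$DNS_API" = "dns_ali" ]; then
    read -rep "请输入阿里云 AccessKey ID: " Ali_Key
    read -rsp "请输入阿里云 AccessKey Secret: " Ali_Secret
    echo
    export Ali_Key Ali_Secret
  elif [ "$DNS_API" = "dns_tencent" ]; then
    read -rep "请输入腾讯云 SecretId: " Tencent_SecretId
    read -rsp "请输入腾讯云 SecretKey: " Tencent_SecretKey
    echo
    export Tencent_SecretId Tencent_SecretKey
  fi
}

#######################################
# Ask for the domain until a valid one is confirmed.
# Globals:   Domain (written) - bare hostname, optionally "*." prefixed
#######################################
prompt_domain() {
  local confirm
  while true; do
    read -rep "请输入要签发证书的域名(可带http/https和路径): " Domain
    # Normalise the input:
    # 1. drop the scheme  http:// or https://
    # 2. drop the port    :8080
    # 3. drop the path    /foo/bar
    if [[ "$Domain" =~ ^https?://(.*)$ ]]; then
      Domain=${BASH_REMATCH[1]}
    fi
    Domain=${Domain%%[:/]*}
    # Validation (wildcards such as *.example.com are accepted)
    if [[ "$Domain" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
      echo "❌ 证书不能直接签发给ip地址,请输入域名"
      continue
    fi
    if [[ ! "$Domain" =~ ^(\*\.)?[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$ ]]; then
      echo "❌ 域名格式不合法,请重新输入"
      continue
    fi
    read -rep "确认签发证书给域名 [$Domain] ? (y/n): " confirm
    case "$confirm" in
      yes|y|Y)
        echo "域名已确认:$Domain"
        break
        ;;
      no|n|N)
        echo "已取消,请重新输入域名"
        ;;
      *)
        echo "请输入 yes 或 no"
        ;;
    esac
  done
}

#######################################
# Print the md5 hex digest of a file.
# Arguments: $1 - path
#######################################
file_md5() {
  md5sum -- "$1" | awk '{print $1}'
}

#######################################
# Download the acme.sh archive (once, into a temp file) and unpack it.
# The archive is fetched over plain HTTP and later executed as root; the
# md5 comparison below only detects that the archive changed since the last
# run, it does not authenticate it. Set ACME_ZIP_SHA256 to pin a known-good
# digest; the long-term fix is an HTTPS source with a signed release.
# Globals:   ACME_URL, ACME_ZIP, ACME_DIR (read); ACME_ZIP_SHA256 (optional)
# Returns:   exits 1 on download, checksum or unzip failure
#######################################
fetch_acme() {
  local tmp actual
  tmp=$(mktemp /root/acme.zip.XXXXXX) || { echo "下载失败,请重试!"; exit 1; }
  # -f: an HTTP error (e.g. 404) fails the command instead of silently
  # saving the error page as the archive.
  if ! curl -fsSL -o "$tmp" "$ACME_URL"; then
    rm -f -- "$tmp"
    echo "下载失败,请重试!"
    exit 1
  fi
  if [ -n "${ACME_ZIP_SHA256:-}" ]; then
    actual=$(sha256sum -- "$tmp" | awk '{print $1}')
    if [ "$actual" != "$ACME_ZIP_SHA256" ]; then
      rm -f -- "$tmp"
      echo "❌ acme.sh 压缩包校验失败 (sha256 不匹配)"
      exit 1
    fi
  fi
  if [ -f "$ACME_ZIP" ] && [ "$(file_md5 "$tmp")" = "$(file_md5 "$ACME_ZIP")" ]; then
    echo "已下载,跳过..."
    rm -f -- "$tmp"
  else
    mv -f -- "$tmp" "$ACME_ZIP"
  fi
  rm -rf -- "${ACME_DIR:?}"
  if ! unzip "$ACME_ZIP" -d /root || [ ! -f "$ACME_DIR/acme.sh" ]; then
    echo "❌ 解压 acme.sh 失败"
    exit 1
  fi
}

#######################################
# Install acme.sh if missing and make Let's Encrypt the default CA.
# acme.sh is always invoked through its unpacked path so this works even
# when the install step (and its cd) was skipped.
# Globals:   ACME_DIR (read)
#######################################
install_acme() {
  if ! command -v acme.sh &>/dev/null; then
    echo "acme.sh未安装,开始安装..."
    (cd "$ACME_DIR" && bash acme.sh --install)
  fi
  bash "$ACME_DIR/acme.sh" --set-default-ca --server letsencrypt
}

#######################################
# Issue the certificate and write it to the files nginx loads.
# Every argument is quoted: a wildcard domain (*.example.com) would otherwise
# be glob-expanded against the current directory.
# Globals:   ACME_DIR, DNS_API, Domain, CERT_FILE, KEY_FILE (read)
# Returns:   exits 1 when acme.sh reports failure
#######################################
issue_cert() {
  if ! bash "$ACME_DIR/acme.sh" --issue --dns "$DNS_API" -d "$Domain" \
      --fullchain-file "$CERT_FILE" \
      --key-file "$KEY_FILE"; then
    echo "❌ 证书签发失败,请检查上方 acme.sh 输出"
    exit 1
  fi
}

#######################################
# Validate the nginx configuration, then reload (or start) nginx.
# Globals:   NGINX_BIN (read)
# Returns:   exits 1 when the configuration test fails
#######################################
reload_nginx() {
  if ! "$NGINX_BIN" -t; then
    echo "nginx 配置错误,请检查配置文件!"
    exit 1
  fi
  if systemctl is-active --quiet nginx; then
    echo "重新加载nginx配置..."
    systemctl reload nginx
  else
    echo "nginx未启动,正在启动..."
    systemctl start nginx
  fi
}

main() {
  parse_args "$@"
  detect_nginx
  read_credentials
  prompt_domain
  fetch_acme
  install_acme
  issue_cert
  reload_nginx
}

main "$@"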