Here are some blogs that may help you:
## Chinese
1. [Configuring automatic SSL certificate renewal with acme.sh](https://u.sb/acme-sh-ssl/)
1. [Deployment: installing a free Let's Encrypt SSL certificate on Nginx with acme.sh](https://ruby-china.org/topics/31983)
1. [Quickly setting up HTTPS with acme.sh](https://www.zoulei.net/2017/03/05/acme.sh_quick_start/)
1. [Quick HTTPS configuration](https://blog.mynook.info/post/fast-way-to-configure-a-https-site)
1. https://www.rails365.net/articles/shi-yong-acme-sh-an-zhuang-let-s-encrypt-ti-gong-mian-fei-ssl-zheng-shu
1. [Configuring a Let's Encrypt certificate with automatic renewal on Windows Tomcat](http://www.jianshu.com/p/80d72f34140b)
1. [Automatically renewing dual RSA and ECC certificates with acme.sh in practice](https://deepzz.com/post/acmesh-letsencrypt-cert-auto-renew.html)
1. https://hitian.info/notes/2017/02/16/acme-sh-create-letsencrypt-certificates-with-dns-api/
1. https://nmchgx.com/acme-https/
1. https://www.gubo.org/acme_sh-lets-encrypt-auto-signing-renewing-script/
1. [Enable HTTPS access for your website for free](https://rekkles.xyz/2017/07/05/create-a-https-website/)
1. https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E
1. https://www.prinice.org/2016/09/11/86/
1. https://www.bfdz.ink/2016/11/08/28/
1. https://yangac.me/41
1. https://opvps.com/letsencrypt-ssl/
1. https://www.chdon.com/463.html
1. https://zhaochen.xyz/2016/06/21/5.html
1. https://www.logcg.com/archives/2007.html
1. https://guozeyu.com/2016/08/install-nginx-1-11-on-ubuntu/
1. https://liliang13.com/tag/acme-sh/
1. https://meta.discoursecn.org/t/topic/1061
1. https://mechanus.io/acme-sh-ji-li-tui-jian-de-lets-encrypt-gong-ju/
1. https://blog.messyidea.com/archives/42/
1. [Issuing site certificates with the le.sh script using DNS TXT records via the CloudFlare API](https://bismarck.moe/2016/02/07/%E4%BD%BF%E7%94%A8le-sh%E8%84%9A%E6%9C%AC%E9%80%9A%E8%BF%87cloudflare-api%E8%8E%B7%E5%8F%96dns-txt%E8%AE%B0%E5%BD%95%E6%9D%A5%E7%AD%BE%E5%8F%91%E7%AB%99%E7%82%B9%E8%AF%81%E4%B9%A6/)
1. http://blog.topspeedsnail.com/archives/3823
1. https://www.niefufeng.com/articles/letsencrypt-certificate
1. https://www.ershiwo.com/2016/03/use-lets-encrypt-on-multi-servers.html
1. http://frankwei.xyz/kuai-su-ban-fa-ge-mian-fei-de-sslzheng-shu/
1. http://www.yilan.io/article/5703d07dc41b4c012e973bcb
1. https://yatesun.com/2016/04/lets-encrypt-certificate/
1. https://simiki.xulog.com/linux/issue%20and%20install%20cert.html
1. https://zhangly.com/use-acme-sh/
1. https://www.nanqinlang.com/shell-acme.html
1. https://b.tossp.com/2018/在docker中申请lets-encrypt通配符https证书/
## English
1. [FreeBSD.org switched to acme.sh](https://blog.crashed.org/letsencrypt-in-freebsd-org/)
1. [Install your Let’s Encrypt SSL certificate with acme.sh](https://kb.virtubox.net/knowledgebase/install-lets-encrypt-ssl-certificate-acme-sh/)
1. https://retifrav.github.io/blog/2021/04/05/acme-sh-instead-of-certbot/
1. https://east.fm/posts/a-bash-client-for-the-acme-protocol/index.html
1. https://east.fm/posts/acme-sh-cpanel-a2hosting/index.html
1. https://kazoo.ga/kazoo-it-speaks-https/
1. https://tryingtobeawesome.com/encryptdaddy/
1. [Let's Encrypt certificates on Synology DSM 5](http://blog.raorn.name/2017/02/lets-encrypt-certificates-on-synology.html)
1. http://centosquestions.com/setup-solusvm-with-lets-encrypt-free-ssl-certificate/
1. http://blog.e-zest.com/ssl-encryption-using-lets-encrypt-on-aws-ec2-amazon-linux
1. https://odd-one-out.serek.eu/lets-encrypt-dns-challenge-cloudflare-acme-sh/
1. http://biowikifarm.net/meta/HTTPS_Support_via_Let%E2%80%99s_Encrypt
1. https://medium.com/@pavlakis/using-acme-sh-to-generate-letsencrypt-certificates-c98f28752e9f
1. https://lttviet.com/2016/09/13/letsencrypt/
1. [HTTPS on WebFaction using Let's Encrypt](https://blog.rarepebble.com/https-on-webfaction/)
1. https://unix.stackexchange.com/questions/327125/letencrypt-on-shared-hosting-neither-yum-or-dnf-found
1. https://mijndertstuij.nl/writing/posts/using-acme.sh-to-issue-lets-encrypt-certificates/
1. https://forums.zimbra.org/viewtopic.php?t=60781
1. https://www.ollegustafsson.com/en/letsencrypt-routeros/
1. https://kralik.io/2016/11/26/how-easy-is-to-use-https-with-lets-encrypt-and-acme-sh/
1. https://www.juliogonzalez.es/lets-encrypt-ssl-certificates-at-cpanel-without-native-support-for-example-at-namecheap/352
1. https://www.rmedgar.com/blog/using-acme-sh-with-nginx
1. https://yulinling.net/post/lets_encrypt_on_host_without_root_access/
1. https://erdees.ru/it/all-about-let-s-encrypt/
1. https://pve.proxmox.com/wiki/HTTPSCertificateConfiguration
1. https://forum.openwrt.org/viewtopic.php?pid=327103#p327103
1. https://got-tty.org/lets-encrypt-in-pfsense
1. https://community.webfaction.com/questions/19988/using-letsencrypt
1. https://www.loadbalancer.org/blog/loadbalancer-org-with-lets-encrypt-quick-and-dirty
1. https://blog.quiptiq.com/2016/05/05/installing-a-lets-encrypt-certificate-for-znc/
1. https://www.arowan.be/2016/04/18/certificat-lets-encrypt-sur-votre-hyperviseur-proxmox-update/
1. https://chevereto.com/community/threads/tutorial-free-ssl-from-letsencrypt-setup-for-nginx-1-9-x.7217/
1. http://www.mcpressonline.com/security/techtip-let-s-encrypt-together.html
1. https://meta.discourse.org/t/setting-up-lets-encrypt/40709
1. http://www.cyberciti.biz/faq/how-to-configure-nginx-with-free-lets-encrypt-ssl-certificate-on-debian-or-ubuntu-linux/
1. https://www.cyberciti.biz/faq/how-to-configure-lighttpd-web-server-with-free-lets-encrypt-ssl-certificate-on-debian-or-ubuntu-linux/
1. https://cpbotha.net/2016/07/18/installing-free-lets-encrypt-ssl-certificates-on-webfaction-in-3-easy-steps/
1. http://www.ecsoft2.org/howto/using-let%E2%80%99s-encrypt-os2
1. https://ramy.nl/2016/03/23/installing-lets-encrypt-on-ubuntu-14-04/
1. https://www.naschenweng.info/2017/01/06/securing-ubiquiti-unifi-cloud-key-encrypt-automatic-dns-01-challenge/
1. https://www.naschenweng.info/2017/01/06/automatic-ssl-renewal-encrypt-dsm-5-x-synology-ds1010-dns-01-verification/
1. http://community.brocade.com/t5/vADC-Blog/Using-Let-s-Encrypt-certificates-with-Brocade-vADC/ba-p/90491
1. https://blog.artooro.com/2017/02/16/quick-easy-lets-encrypt-setup-on-pfsense-using-acme/
1. https://thedevops.party/lets-encrypt-ssl-certificate-on-pfsense-2-3/
1. http://126kr.com/article/846xm2nb9sy
1. https://forge.puppet.com/fraenki/acme/1.0.0
1. https://forums.novell.com/showthread.php/502375-LetsEncrypt-setup
1. https://www.imagescape.com/blog/2017/04/25/lets-encrypt-alternative-acme-client/
1. https://wiki.nps.edu/display/~mcgredo/letsencrypt
1. http://icebearsoft.euweb.cz/letsencrypt-howto/#d1e970
1. [Free Wildcard Certificates using Azure DNS, Let’s Encrypt and acme.sh](https://noobient.com/post/172797046216/free-wildcard-certificates-using-azure-dns-lets)
1. [How to use acme.sh to install and update your VMware vCenter and PSC servers](https://wiki.9r.com.au/display/9R/LetsEncrypt+Certificates+for+vCenter+and+PSC)
1. [Install a SSL reverse proxy on an Asus Router with OVH domain](https://github.com/pedrom34/TutoAsus/)
1. [How to use the Edgenexus Cert manager to deploy ACME certs](https://www.edgenexus.io/docs/guides/app-user-guides/Edgnexus%20EdgeCert%20Manager/EN/html/get_and_install_the_edgenexus_ssl_certificate_manager_.htm)
1. [acme.sh with HAProxy integration](https://github.com/haproxy/wiki/wiki/Letsencrypt-integration-with-HAProxy-and-acme.sh)
1. [Trusted TLS certificates for internal use](https://blog.mni.li/posts/internal-tls-with-caddy/)
## French
1. https://notes.ailothaen.fr/post/2017/01/Mise-en-place-de-HTTPS-sur-Apache-avec-Let-s-Encrypt
1. https://howto.biapy.com/fr/debian-gnu-linux/systeme/logiciels/installer-le-client-certbot-lets-encrypt-acme-sh-sur-debian
1. https://www.thelinuxfr.org/lets-encrypt-acme-sh-debian-nginx/
1. https://jereze.com/fr/snippets/letsencrypt-acme-no-root
1. https://kb.virtubox.net/fr/knowledgebase/obtenir-installer-certificat-ssl-wildcard-acme-sh-nginx/
1. [Install an SSL reverse proxy on an Asus router with an OVH domain name](https://github.com/pedrom34/TutoAsus/blob/master/Readme.fr.md)
1. [Let's Encrypt certificate on Azure Container Instances and NGINX](https://r3dlin3.github.io/2020/01/30/aci-letsencrypt-nginx/)
## Russian
1. http://wpb.1gb.ru/2016/08/27/%D1%83%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B0-https-%D0%B4%D0%BB%D1%8F-%D1%81%D0%B0%D0%B9%D1%82%D0%B0-letsencrypt-ssl-%D1%81%D0%B5%D1%80%D1%82%D0%B8%D1%84%D0%B8%D0%BA%D0%B0%D1%82-nginx-debian/
## Polish
1. https://holas.pl/2016/02/24/zabezpiecz-swoja-strone-www-za-darmo-certyfikatem-ssl-od-lets-encrypt/
## Indonesian
1. [How to install ZeroSSL with automatic renewal on Netlify, BunnyCDN, cPanel and DirectAdmin (using acme.sh)](https://farrel.franqois.id/cara-memasang-zerossl-di-netlify-bunnycdn-cpanel-directadmin/)
## Italian
1. https://kb.kurgan.org/LetsEncrypt
## Japanese
1. https://http2.try-and-test.net/acme_sh.html
1. http://qiita.com/fujiba/items/249e8cb0484d5bbc5b21
1. http://d.hatena.ne.jp/worris2/20160213/1455375785
## Czech
1. https://www.root.cz/clanky/acme-sh-snadna-cesta-k-certifikatu-od-let-s-encrypt/
1. https://havel.mojeservery.cz/lets-encrypt-snadno-s-acmesh/
1. https://www.strachota.net/category/bezpecnost
## German
1. http://adminforge.de/webserver/lets-encrypt-via-acme-sh-fuer-apache-und-nginx/
1. https://blog.sengotta.net/lets-encrypt-dns-validation-mit-ovh-domain-nutzen/
1. http://blog.antiblau.de/2016/10/21/letsencrypt-mit-acme-sh-und-lighttpd/
## Spanish
1. http://sinanimodelucro.net/lang/en/2016/07/10/acme-sh-facil-no-tanto-en-centos-5/
See https://github.com/Neilpang/acme.sh/pull/1989
Thanks to [www.buypass.com](https://www.buypass.com/)
> Buypass Go SSL is the name of the SSL certificate you will obtain from Buypass CA using the Buypass ACME API. This is a Domain Validated (DV) certificate.
>
> Advantages
>
> * free certificate
> * automatic issuance and renewal of certificates - no user action required
> * certificate lifetime is 180 days
> * certificate from a Norwegian publicly trusted CA
> * trusted by all major browser vendors
https://www.buypass.com/ssl/resources/go-ssl-technical-specification
https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints
**Production:**
https://api.buypass.com/acme/directory
**Test environment:**
https://api.test4.buypass.no/acme/directory
Usage:
First, register an account with an email address; the email is required by buypass.com.
```sh
acme.sh --server https://api.buypass.com/acme/directory \
--register-account --accountemail me@example.com
```
Then you can issue a cert.
```sh
acme.sh --server https://api.buypass.com/acme/directory \
--issue -d example.com -d www.example.com ..... \
--days 170
```
Since a Buypass cert has a 180-day lifetime, we specify `--days 170` so that acme.sh renews the cert on the 170th day.
If you don't specify days, it will renew at 60 days by default.
Once issued, you can renew the cert without the `--server` parameter.
```sh
acme.sh --renew -d example.com
```
Don't worry, all the certs will be automatically renewed as usual.
----------------------
1. BuyPass supports both v1 and v2. There is no wildcard cert, but you can add up to 5 domains per cert.
2. It has a 180-day lifetime.
3. ECC certs are supported, but the signing root is an RSA root.
Example:
```
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
09:11:6c:16:86:ce:74:fd:15:7d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = NO, O = Buypass AS-983163327, CN = Buypass Class 2 CA 5
Validity
Not Before: Dec 29 01:32:25 2018 GMT
Not After : Jun 27 21:59:00 2019 GMT
Subject: CN = buypass.acme.sh
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:7e:73:11:11:69:38:6e:5e:9f:72:51:9c:86:
7a:2d:7c:43:a2:1b:48:0f:42:1b:b1:d2:b6:be:39:
5a:01:1c:2e:0a:5a:49:cd:f7:11:77:48:96:66:db:
15:d2:c5:32:e3:39:4d:bf:40:99:12:fc:31:33:57:
a0:a4:bd:5c:12:97:eb:0f:33:0e:8e:9c:bb:3a:64:
b2:06:21:15:63:a2:b1:84:1a:ff:50:d7:58:59:93:
5a:a1:61:10:c8:74:da:69:8b:04:ca:83:13:20:bf:
16:b7:bb:aa:9e:8c:6b:54:7a:d8:e2:0a:18:88:94:
ea:93:c5:e4:f1:29:23:dd:04:8b:49:bf:e3:90:b1:
5f:0a:5e:e0:74:06:e0:ca:55:ca:86:af:22:77:98:
29:ed:55:27:09:40:79:72:9e:f0:ab:59:fa:18:26:
e7:da:4e:07:47:32:8b:35:74:f6:e0:06:66:fd:af:
a7:35:b8:40:ea:10:51:9b:bf:61:97:69:6f:b5:e7:
d8:33:bc:01:f8:b6:c3:38:32:d3:dc:0c:5a:6d:3d:
df:8c:73:e9:ac:0b:5c:67:6f:7a:1f:e8:06:fb:0d:
75:ba:b3:02:3a:d8:00:0d:4f:63:80:b8:a4:5e:44:
0d:3d:0d:59:7d:f6:c0:36:ce:7e:94:de:4c:03:0c:
8d:63
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Authority Key Identifier:
keyid:27:52:A4:6F:2D:2A:AB:40:93:90:EC:D6:69:CB:FE:7C:61:3B:7C:42
X509v3 Subject Key Identifier:
62:D9:04:AB:5A:B2:65:66:C7:90:3E:46:84:88:47:C6:A0:0B:6F:EF
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 2.16.578.1.26.1.2.7
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.buypass.no/crl/BPClass2CA5.crl
X509v3 Subject Alternative Name:
DNS:buypass.acme.sh, DNS:www.buypass.acme.sh
Authority Information Access:
OCSP - URI:http://ocsp.buypass.com
CA Issuers - URI:http://crt.buypass.no/crt/BPClass2CA5.cer
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : BB:D9:DF:BC:1F:8A:71:B5:93:94:23:97:AA:92:7B:47:
38:57:95:0A:AB:52:E8:1A:90:96:64:36:8E:1E:D1:85
Timestamp : Dec 29 01:32:26.650 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:26:15:B9:85:10:BB:00:2A:81:6B:F4:76:
53:3F:A7:AF:A7:6C:73:A4:AE:87:7F:B7:E5:12:D9:0B:
9A:D5:86:F0:02:21:00:F1:84:B4:36:1F:CD:EE:8A:4A:
64:5E:29:F2:0D:EF:68:80:90:1B:68:3F:63:CB:AA:29:
4B:93:03:70:F3:D4:82
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 55:81:D4:C2:16:90:36:01:4A:EA:0B:9B:57:3C:53:F0:
C0:E4:38:78:70:25:08:17:2F:A3:AA:1D:07:13:D3:0C
Timestamp : Dec 29 01:32:26.985 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:F2:47:0E:27:04:A4:C5:A8:85:4B:F0:
D5:FB:BD:13:A8:8E:B5:EE:E3:0A:5E:46:3C:76:3C:6B:
0F:28:59:78:7F:02:21:00:9C:84:F4:A7:9D:68:16:3B:
40:FF:D8:42:9D:49:2A:6F:60:5F:0E:B8:D8:A4:AF:DE:
F8:B3:68:CD:71:49:0D:83
Signature Algorithm: sha256WithRSAEncryption
8c:51:48:0d:bd:16:6b:50:11:74:c9:90:f5:30:ab:dd:68:9e:
d4:b8:6a:a2:b1:fb:89:ae:80:e1:14:73:45:5a:a8:5a:84:83:
eb:de:41:4e:03:56:16:4d:97:60:ff:cc:65:9e:47:f0:67:94:
38:aa:80:bd:53:8c:b4:f0:8c:bb:fa:7c:b3:48:7a:21:0e:0d:
6e:1f:5e:89:8a:e2:f2:87:52:3f:6a:ad:f8:c0:35:86:13:34:
40:28:72:f7:14:64:50:60:4f:3e:c6:4d:f1:4f:99:73:56:36:
69:b9:cd:3b:b3:18:de:cf:4d:8c:6d:de:54:6e:b7:e5:45:78:
d3:fa:5d:0a:00:2d:a4:52:b6:75:08:8f:02:8c:77:66:03:be:
11:2f:71:91:20:bf:e1:65:a5:81:0d:3a:7a:e3:1a:ff:40:a2:
6a:5d:42:99:75:42:18:d8:21:94:4c:32:8a:17:f4:55:74:ba:
87:95:ed:f0:17:6b:b4:1e:88:3f:d7:41:f0:95:37:ff:29:19:
a8:84:f7:43:e1:73:c6:ad:4d:58:3c:a4:9f:3f:91:c6:22:10:
0f:39:20:1b:a7:27:91:d3:03:74:18:04:7c:e1:53:45:d8:f5:
60:b6:da:ad:24:20:2a:54:b7:ec:f1:db:1c:30:37:1e:e1:8b:
a3:ae:0e:1a:8b:e6:93:07:9a:4f:6f:47:e6:fb:06:be:cf:a9:
30:16:db:bc:01:ab:9a:83:d8:cd:ed:b0:30:d7:77:6a:e9:5a:
62:2f:15:42:3c:16:b5:9a:63:20:8c:90:a3:e4:06:e5:ad:c5:
79:8a:da:1f:92:1c:f5:13:f6:55:4c:7f:a4:d8:ac:c1:20:2a:
84:d8:36:64:c4:b5:46:12:e8:58:f6:4e:91:ba:27:18:e8:55:
99:f3:77:88:64:ac:77:0e:67:22:d8:50:67:36:86:f4:6f:58:
ef:0b:bf:65:a3:77:b2:0c:1e:86:f3:e7:45:b3:6f:65:f1:1b:
eb:34:b7:71:89:99:62:74:b2:5d:8d:b7:04:41:df:8e:67:76:
56:95:54:bb:73:04:37:1b:a5:59:87:5f:bc:96:29:9c:65:e7:
21:5c:26:bf:6a:89:df:d8:9c:9a:75:67:c2:c5:94:59:44:9b:
32:d4:d3:0b:4f:bc:9d:df:0e:a1:6a:e6:e0:67:47:f6:6b:de:
b3:c2:ee:67:5d:74:3b:c5:b6:b0:11:a8:cb:cb:a4:25:97:dc:
9e:8e:62:92:55:45:68:c9:31:f5:02:86:68:68:0f:cd:3a:78:
e7:41:7b:de:7a:29:2d:02:b9:60:f3:a1:fe:7f:e1:b8:3b:9b:
ae:92:d8:87:21:e0:18:36
```
Comparison of the features offered for free by the supported CAs:
| CA | MaxLifetime | ECC Chain | Domain Count | Wildcard | IPv4 | IPv6 | NotBefore | NotAfter | IDN | Test Server |
|---------------|-------------|-----------|--------------|----------|---- |------|-------------|----------|-------|---------------|
| Let's Encrypt | 90 | Full | 100 | Yes | No | No | No | No | Yes | Yes |
| ZeroSSL | 90 | Full | 100 | Yes | No | No | Yes (+1d) | Yes | Yes | No |
| Google | 90 | Partial | 100 | Yes | No | No | No | Yes | No | Yes |
| Buypass | 180 | Partial | 5 | No | No | No | No | No | Yes | Yes |
| SSL.com | 104 | Partial | 2 | No | No | No | No | No | Yes | No |
Details of the CA servers are available here: [Server](https://github.com/acmesh-official/acme.sh/wiki/Server)
Previously, if no `server` was provided, or if you didn't have `--set-default-ca` set, acme.sh used letsencrypt as the default CA.
https://github.com/acmesh-official/acme.sh/wiki/Server
As of acme.sh v3.0, the default CA is now [ZeroSSL](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA).
This change only affects newly created (issued) certs after `August-1st` (with v3.0); any pre-existing certs will still be renewed automatically against their current CA.
Q&A:
1. As an existing user, what do I need to do?
Generally, nothing needs to be done. (If auto-upgrade is enabled, acme.sh can upgrade itself.)
Whether or not acme.sh is upgraded to v3.0, your existing certs will be renewed as before, against the same CA they currently use.
2. Will I still be able to use letsencrypt then?
Yes, of course. You are still free to use any supported CA by providing the `--server` parameter.
```
acme.sh --issue -d example.com --dns dns_cf --server letsencrypt
```
3. What if I don't like this change and want to stick to letsencrypt?
Yes, sure. You can run `--set-default-ca` now or any time you like. Then acme.sh will always use the default CA you set:
```
acme.sh --set-default-ca --server letsencrypt
```
If you set the default CA, acme.sh will respect your choice first. It will always use this default CA in the future, whether in `v2.*`, `v3.*` or any future `v4.*`.
**acme.sh always respects your choice first, and will never make any changes to your files without your permission.**
4. My current cert is using letsencrypt. Will it be changed when renewed?
No, never. Don't worry. When your cert is renewed, it will use its current CA, not the default CA.
5. As a new user after `August-1st 2021`(v3.0), what will it look like to me?
You can install acme.sh as normal; nothing has changed.
You can also issue certs as normal [See how to issue a cert](https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert):
```
acme.sh --issue -d example.com --dns dns_cf
```
The cert will be issued with the default CA [ZeroSSL](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)
You can also try with letsencrypt:
```
acme.sh --issue -d example.com --dns dns_cf --server letsencrypt
```
There is a comparison: ZeroSSL vs Let's Encrypt:
https://zerossl.com/letsencrypt-alternative/
# Common rules for contributing to acme.sh
### 1. The file shebang must be `sh` not `bash`
acme.sh is a `unix shell` script, not just a `bash` script.
If you want to contribute your script, the shebang must be:
```sh
#!/usr/bin/env sh
```
After the installation, acme.sh could change the shebang to bash to get better performance if you have bash on your machine.
Of course, if you just use it on your own, it can be any valid shebang on your machine. It could be `sh` or `bash`, it's up to you.
### 2. Please create a new issue for future bugs
Please create a new issue titled `Report bugs to xxxx dns api` here: https://github.com/Neilpang/acme.sh/issues
And please watch that issue. Any future bug will be reported there.
Example: https://github.com/Neilpang/acme.sh/issues/2057
### 3. Cross-Platform Compatibility Guide
1. Don't use `grep -o` options, please use `_egrep_o()` function instead, other grep options may be used with caution.
2. Don't use `curl` or `wget`, please use `_get()` or `_post()` function instead. The `_post()` function can send `POST`, `PUT` or `UPDATE` requests.
3. Do not use `sed -e`, which causes a problem in OS X and BSD.
4. Do not use `sed` with labels, which causes `Label too long` problem in Solaris.
5. Do not use `sed` with newlines (`\n`), which causes a problem in OS X and BSD.
6. Do not use `grep -E` option.
If you need a BSD or Solaris development environment, please head to [vmactions](https://github.com/vmactions). For example, you can use [solaris-shell](https://github.com/vmactions/shell-solaris) to get a shell environment in Solaris.
## Style Guidelines
acme.sh uses shellcheck for new commits and also enforces style guidelines.
To avoid the most common travis failures:
* Use indentation with 2 spaces
* remove trailing spaces
* Double-quote variables (use `_debug txtvalue "$txtvalue"` instead of `_debug txtvalue=$txtvalue`)
* Always check the travis results after a commit
* Consider using shellcheck (https://www.shellcheck.net/) before committing
* `shfmt -l -w -i 2 .` will re-indent your files
# Guide for developing a DNS API for acme.sh
This guide is meant to help any developer interested in building a brand new DNS API for acme.sh.
## Some useful tips
1. It's normal to run into errors, so do use `--debug 2` when testing. For example, `acme.sh --issue --debug 2 -d example.com --dns dns_myapi`
2. It's normal to hit the rate limits for Let's Encrypt, so do use `--staging` when testing. For example, `acme.sh --issue --staging --debug 2 -d example.com --dns dns_myapi`. Read [issue 1787](https://github.com/acmesh-official/acme.sh/issues/1787) for details. Remember to remove `--staging` after testing.
3. It's normal that the dns script is not run if the domain was validated before. Forcing execution of the DNS API script can be achieved by clearing the "valid" status of a domain at Let’s Encrypt via the `--deactivate` command. Wildcard domains have their own status, so these have to be deactivated separately.
```
acme.sh --deactivate [--server letsencrypt_test] -d 'test.example.com' -d '*.test.example.com'
```
Let's assume your API name is `myapi`, and you will use your API like:
```sh
export MYAPI_Username=myname
export MYAPI_Password=mypass
acme.sh --issue -d example.com --dns dns_myapi
```
Here we go:
### 1. The Cloudflare DNS API is a recommended reference:
Read it first:
https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_cf.sh
### 2. The script file name must be `dns_myapi.sh`
The file name must be in this format: `dns_yourApiName.sh`, in this example, it should be `dns_myapi.sh`
### 3. The file can be placed in `acme.sh/` folder, or in `acme.sh/dnsapi/` subfolder.
If you want to contribute your script to `acme.sh` project, it must be placed in `acme.sh/dnsapi/` folder.
If you just want to use your script on your machine, you can put it in `.acme.sh/` or `.acme.sh/dnsapi/` folders.
acme.sh searches for the script files in either the acme.sh home dir (`.acme.sh/`) or in the `dnsapi` subfolder (`.acme.sh/dnsapi`).
### 4. There must be 2 functions in your script:
```sh
# Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
# Used to add the TXT record
dns_myapi_add() {
  : # add the TXT record here
}
# Usage: dns_myapi_rm fulldomain txtvalue
# Used to remove the TXT record after validation
dns_myapi_rm() {
  : # remove the TXT record here
}
```
Strictly, `dns_myapi_add()` is required and `dns_myapi_rm()` is optional. You can write just the add function at the beginning for testing purposes, but it's `highly recommended` to implement the rm function too. Otherwise, your TXT records will grow by 1 every 2 months.
### 5. Guide for the add function
Steps when you write the `dns_myapi_add()` function:
#### 1. Get the full domain and the txt record:
```sh
dns_myapi_add() {
  fulldomain=$1
  txtvalue=$2
  # ...
}
```
#### 2. You must save your username and password in the add function:
Credentials such as the username, password, API key or API token must be saved so that acme.sh can renew the cert automatically in the future. It will reuse the saved credentials automatically.
```sh
dns_myapi_add() {
  # ...
  # Use the exported values if present, otherwise fall back to the saved ones.
  MYAPI_Username="${MYAPI_Username:-$(_readaccountconf_mutable MYAPI_Username)}"
  MYAPI_Password="${MYAPI_Password:-$(_readaccountconf_mutable MYAPI_Password)}"
  if [ -z "$MYAPI_Username" ] || [ -z "$MYAPI_Password" ]; then
    MYAPI_Username=""
    MYAPI_Password=""
    _err "You didn't specify the myapi username and password yet."
    _err "Please set MYAPI_Username and MYAPI_Password and try again."
    return 1
  fi
  # Save the credentials to the account conf file.
  _saveaccountconf_mutable MYAPI_Username "$MYAPI_Username"
  _saveaccountconf_mutable MYAPI_Password "$MYAPI_Password"
  # ...
}
```
#### 3. Detect which part is your root zone.
The full domain could be in either one of the following formats:
1. `_acme-challenge.www.example.com`
2. `_acme-challenge.example.com`
3. `_acme-challenge.example.co.uk`
4. `_acme-challenge.www.example.co.uk`
5. `_acme-challenge.sub1.sub2.www.example.co.uk`
6. `sub1.sub2.example.co.uk`
7. `example.com` (For [DNS alias mode](https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode))
8. `example.co.uk` (For [DNS alias mode](https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode))
For most DNS providers, you must determine which part is the domain root zone (`example.com` or `example.co.uk`) and which part is the subdomain (`_acme-challenge` or `_acme-challenge.www`).
*You cannot simply split the full domain, take the first part as the subdomain and treat the rest as the root zone.
Please make sure you can handle all the formats above.*
A good practice is to list all your root zones through your DNS API, then compare and detect which part is the root zone. Then the rest is the subdomain.
See: https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_cf.sh#L142
```sh
dns_myapi_add() {
  # ...
  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    return 1
  fi
  # ...
}
```
#### 4. Call your DNS API to add a TXT record.
Most of the DNS providers provide an HTTP API or REST API.
So, you can just use the HTTP GET/POST/PUT/DELETE method to call their API to add/remove the TXT record.
acme.sh defines two functions for making HTTP GET/POST/PUT/DELETE connections.
See:
- https://github.com/acmesh-official/acme.sh/blob/8ded524236347d5a1f7a3169809cab9cf363a1c8/acme.sh#L2013
- https://github.com/acmesh-official/acme.sh/blob/8ded524236347d5a1f7a3169809cab9cf363a1c8/acme.sh#L1887
```
_get() {}
_post() {}
```
You can use them directly.
Please take care that the `_post()` function can send POST/PUT/DELETE requests, not just `POST`.
See:
- https://github.com/acmesh-official/acme.sh/blob/975a7359a23cd5f8335aca58ceab552d8d967ea7/dnsapi/dns_infoblox.sh#L85
- https://github.com/acmesh-official/acme.sh/blob/ded7a5438ce94c4dd0435068de5c0c384b60e4dd/dnsapi/dns_cf.sh#L73
Do not use `curl` or `wget` directly in your script.
**Note:** Wildcard certificates require two TXT values. When implementing the method, make sure that you append the value instead of replacing it.
`dig -t txt _acme-challenge.example.com` should return:
```
; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t txt _acme-challenge.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35476
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_acme-challenge.example.com. IN TXT
;; ANSWER SECTION:
_acme-challenge.example.com. 3600 IN TXT "tye6yGOxJEffnXDzZKNJjOHSsCFtKwU_5L0ykmY8CzE"
_acme-challenge.example.com. 3600 IN TXT "XhVGx_0VVeR5yiaGLHHXrRl2sAbZhI7IugMSdbfR4go"
```
#### 5. Additional HTTP headers.
Your HTTP method call may require additional headers for Authorization, ContentType, Accept, Cookies, etc. for the DNS providers API to add/remove the txt record. You can export _H*n* (_H1, _H2, _H3, etc.) environment variables with the [HTTP header](https://en.wikipedia.org/wiki/List_of_HTTP_header_fields) needed:
```sh
...
myusername="$MYAPI_Username"
mypassword="$MYAPI_Password"
mycredentials="$(printf "%s" "$myusername:$mypassword" | _base64)"
export _H1="Authorization: Basic $mycredentials"
export _H2="Content-Type: application/json"
...
```
Just number the _H*n* in the order that you need the headers. Please review [these](https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_zone.sh#L110) [few](https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_desec.sh#L151) [examples](https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_jd.sh#L184) for inspiration.
This is the only way to pass the equivalent of wget's _--user_ and _--password_ and curl's _--user_ parameters.
#### 6. Process the API Response.
The API response could be in text, JSON or XML format. acme.sh provides several functions to process strings:
```sh
...
_startswith()
_endswith()
_contains()
_egrep_o()
...
```
You can use `sed`, `grep`, `cut`, `paste`, etc. Do not use `awk` at all.
### 7. Guide for the rm function.
The steps are the same as the add function.
Please take care that the rm function and add function are called in 2 different isolated subshells. So, you can not pass any env vars from the add function to the rm function.
You must re-do all the preparations of the add function here too.
See: https://github.com/acmesh-official/acme.sh/blob/8ded524236347d5a1f7a3169809cab9cf363a1c8/dnsapi/dns_cf.sh#L106
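The append-not-replace rule for wildcard certificates and the isolated add/rm subshells from step 7, as an added sketch that is not acme.sh or provider code. A local file (`STORE`) stands in for the provider's record API, and `dns_demo_add`, `dns_demo_add_replacing`, `dns_demo_rm` and `demo_txt_values` are hypothetical names.

```shell
#!/bin/sh
# Added illustration: a flat file stands in for a DNS provider's TXT record API.
# STORE and every function name below are hypothetical, not part of acme.sh.
STORE="${TMPDIR:-/tmp}/dns_demo_store.$$"

# Preparation shared by add and rm. Each of them runs in its own subshell,
# so neither may rely on variables that the other one set.
_demo_prepare() {
  fulldomain="$1"
  txtvalue="$2"
  [ -n "$fulldomain" ] && [ -n "$txtvalue" ] || return 1
  [ -f "$STORE" ] || : >"$STORE"
}

# Correct add: append one TXT value, keep the values already published.
dns_demo_add() {
  _demo_prepare "$1" "$2" || return 1
  # Idempotent: the same name/value pair is never stored twice.
  if grep -F -x -q -- "$fulldomain $txtvalue" "$STORE"; then
    return 0
  fi
  printf '%s %s\n' "$fulldomain" "$txtvalue" >>"$STORE"
}

# The bug the note warns about: every add overwrites the previous value,
# so only one of the two wildcard challenge values survives.
dns_demo_add_replacing() {
  _demo_prepare "$1" "$2" || return 1
  while read -r name value; do
    if [ "$name" != "$fulldomain" ]; then
      printf '%s %s\n' "$name" "$value"
    fi
  done <"$STORE" >"$STORE.tmp"
  printf '%s %s\n' "$fulldomain" "$txtvalue" >>"$STORE.tmp"
  mv "$STORE.tmp" "$STORE"
}

# rm repeats the preparation and removes only the value it was given.
dns_demo_rm() {
  _demo_prepare "$1" "$2" || return 1
  # grep exits 1 when nothing is left to print; only other codes are errors.
  grep -F -x -v -- "$fulldomain $txtvalue" "$STORE" >"$STORE.tmp" ||
    [ $? -eq 1 ] || return 1
  mv "$STORE.tmp" "$STORE"
}

# Print the TXT values currently stored for a name, one per line.
demo_txt_values() {
  while read -r name value; do
    if [ "$name" = "$1" ]; then
      printf '%s\n' "$value"
    fi
  done <"$STORE"
  return 0
}
```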
### 8. Please also check this bug to support the V2 wildcard cert:
https://github.com/acmesh-official/acme.sh/issues/1261
### 9. Please create a new issue for future bugs
Please report a new issue here: `" Report bugs to xxxx DNS API"` https://github.com/acmesh-official/acme.sh/issues
And please watch that issue. Any future bug will be reported there.
Example: https://github.com/acmesh-official/acme.sh/issues/2057
### 10. Update the docs to include your DNS API usage.
Please append your API at the end: https://github.com/acmesh-official/acme.sh/wiki/dnsapi2
You must add an anchor with your DNS API name like ``.
This allows your API instructions to be looked up quickly via a link such as https://github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_yourapi
Also don't forget to add the issue link from step 9 like `Report any bugs or issues here`.
### 11. Add structural info description
Your script should start with a [structured info description](https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Structural-Info-description) to automatically generate a list of APIs and their variables.
### 12. Please read and follow the instruction before creating a pull request
Please follow the guide: https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Test
See more code of conduct: https://github.com/acmesh-official/acme.sh/wiki/Code-of-conduct
# DNS API Structural Info description
A GUI needs to show a list of options and a basic description for each provider.
So instead of using comments, describe the provider info in a special variable that will later be read and parsed.
The variable must be named like `dns_example_info`, where `example` is your provider code as used in the file name.
A basic example:
```sh
# shellcheck disable=SC2034
dns_example_info='Example.org
Site: Example.org
Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_example
Options:
 Example_Token API Token
Issues: github.com/acmesh-official/acme.sh/issues/9000
Author: Your Name
'
```
The format is both human-readable and easy to parse.
The `# shellcheck disable=SC2034` is needed to suppress the warning that the variable is not used.
The `dns_example_info` declares a variable with multi-line text.
The first line is the title of the API. If this is just a DNS provider, then try to use its domain name.
Please write long domains in CamelCase, e.g. `CloudFlare.com`. This helps a user to distinguish providers in a list.
The `Site: Example.org` is a URL (without `https://`) to the provider's site. Sometimes it should be a dedicated DNS page:
```sh
dns_aws_info='Amazon AWS Route53 domain API
Site: docs.aws.amazon.com/route53/
'
```
The `Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_example` is a link to the Wiki page with instructions. Some providers may have their own wiki page, e.g. `Lexicon`. The `https://` at the beginning is stripped.
The `Options:` is a section with a list of parameters (environment variables) to configure the provider. Each option should be declared on a separate line.
The line ` Example_Token API Token` starts with one space and declares a variable `Example_Token` with a title `API Token`.
You may have multiple options, and you can specify a default value and show whether the option is required:
```
Options:
 VARIABLE1 Title for the option1.
 VARIABLE2 Title for the option2. Default "default value".
 VARIABLE3 Title for the option3. A long description to show on UI. Optional.
```
By default all the variables are mandatory. The `Optional.` is a special mark that the variable is not required.
The `Default "default value".` is a special mark, and the value between the double quotes will be used as the default. Such variables are optional.
Only the first sentence will be the title, so `A long description to show on UI` will be an extended description shown separately; it can be long and contain links.
HTML is not allowed in a title or description.
A DNS provider may have alternative options, e.g. CloudFlare may use an API Key or an API Token.
You can use a second section, `OptionsAlt:`. See [dns_cf.sh](https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_cf.sh).
The `Issues: github.com/acmesh-official/acme.sh/issues/9000` is a link to a support issue or a forum topic where you can reach the author to report a bug. At the beginning you may omit it, and we'll add it ourselves once a PR is merged and the issue is created. The `https://` at the beginning is stripped.
The `Author: Your Name ` is an optional field with a developer name and email (is not required). The author can be a GitHub username `@yourname`. You may use a link e.g. `Author: Alex Loban `. Multiple authors should be separated with a comma `,` e.g. `Author: Wolfgang Ebner, Sven Neubuaer`.
## Domain aliases
If a provider has multiple domains e.g. `AlibabaCloud.com` has an additional `Aliyun.com` then you can declare them in a dedicated field `Domains:`:
```sh
dns_1984hosting_info='1984.hosting
Domains: 1984.is
Site: 1984.hosting
'
```
So here https://1984.hosting is the main page, but https://1984.is is also used.
A user looking for `1984.is` may be confused if they see only `1984.hosting`.
The `Domains:` field may also be useful for searching for a provider in a drop-down list with autocomplete.
## Extended description
If the API is not for a specific provider but for software (e.g. PowerDNS) or a protocol (e.g. nsupdate), then the title will be text rather than a domain.
You may also add a description on the next line(s), each starting with a space:
```sh
dns_acmedns_info='acme-dns Server API
 The acme-dns is a limited DNS server with RESTful API to handle ACME DNS challenges.
Site: github.com/joohoi/acme-dns
'
```
See the [initial commit](https://github.com/acmesh-official/acme.sh/commit/6b7b5caf54ea0b45508e158db3748d00f48672f2#diff-defdf80606e9123d8383965fa2bd6281a2567dc76c7d246a5244b41ec43429feR3) for more samples.
## Parsing
Here is a script (dash and ash compliant) to generate a list of all infos:
```sh
#!/bin/ash
for f in ./dnsapi/dns_*.sh
do
  filename=$(basename -- "$f")
  dns_api="${filename%.*}"
  echo "$dns_api"
  dns_api_info_var="${dns_api}_info"
  # shellcheck source=./dnsapi/dns_*.sh
  . "$f"
  info=""
  eval info=\$$dns_api_info_var
  echo "$info"
done
```
Now execute it and store the result in the info.txt file:
```sh
sh ./dns_info.sh > info.txt
```
The resulting file has a size of 40Kb and gzipped it's about 10Kb.
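To show how the format described above can be read back, here is an added example in plain POSIX sh; it is not the project's parser. `dns_demo_info` and its values are constructed sample data, and the `info_*` function names are hypothetical.

```shell
#!/bin/sh
# Added illustration of reading the dns_*_info format in plain POSIX sh.
# dns_demo_info is constructed sample data, not a real provider entry.
dns_demo_info='Demo.example
 A constructed provider used only for this example.
Site: Demo.example
Docs: demo.example/docs
Options:
 DEMO_Token API Token
 DEMO_Endpoint API endpoint. Default "https://api.demo.example".
 DEMO_Ttl Record TTL. Seconds to keep the TXT record cached. Optional.
Author: Your Name
'

# The title is the first line of the info text.
info_title() {
  printf '%s\n' "$1" | sed -n '1p'
}

# The extended description: indented lines directly after the title.
info_description() {
  printf '%s\n' "$1" | sed -n '2,${/^ /!q;s/^ //p;}'
}

# Value of a single-line field such as Site, Docs, Issues, Author or Domains.
# $2 is a field name chosen by the caller, not untrusted input.
info_field() {
  printf '%s\n' "$1" | sed -n "s/^$2: //p"
}

# List one section (Options by default, or OptionsAlt) as lines of
# NAME|required|default|title
info_options() {
  section="${2:-Options}"
  in_section=0
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in
      "$section:") in_section=1; continue ;;
      " "*) ;;                      # indented: may belong to the open section
      *) in_section=0; continue ;;  # any other line closes the section
    esac
    [ "$in_section" -eq 1 ] || continue
    line="${line# }"
    name="${line%% *}"
    case "$line" in
      *" "*) rest="${line#* }" ;;
      *) rest="" ;;
    esac
    required=yes
    default=""
    # Default "value". marks the option as optional and carries its default.
    case "$rest" in
      *'Default "'*'".'*)
        default="${rest#*Default \"}"
        default="${default%%\"*}"
        required=no
        ;;
    esac
    # A trailing Optional. marks the option as not required.
    case "$rest" in
      *" Optional." | "Optional.") required=no ;;
    esac
    # Only the first sentence is the title.
    title="${rest%%.*}"
    printf '%s|%s|%s|%s\n' "$name" "$required" "$default" "$title"
  done
}
```

Note that the parser depends on the leading space of option and description lines, so the info text has to be read with `IFS=` and `read -r` to preserve it.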
See example of how to parse it in JavaScript: https://github.com/yurt-page/acmesh-parse-dnsapi-info
There is a CI workflow `DNS.yml` to test your DNS API when you send a PR to add a new DNS API.
This test suite uses GitHub Actions. The purpose is to try your changes on one particular API across a bunch of different operating systems so that we have confidence your changes will work wherever this script is used. This test must be passing before your PR can get merged.
However, as a limitation of GitHub Actions, the workflow `DNS.yml` can only run in your forked repo when you push code.
## So, please enable Github Actions on your Forked repo first, and then push code to your repo, it will run there.
If you have not enabled Github Actions before you push to your fork, unfortunately you'll need to trigger some kind of push in order for GitHub actions to realise it needs to run the workflow, so either push a new commit after enabling GitHub actions, roll your fork back to be even with the main repo, then push again, or delete your fork and re-push your changes.
Once you've got GitHub Actions running the DNS API tests on your fork, we need to configure them so they can put your change through its paces.
### 1. An example DNS API
We'll use this API as an example. It's called `dns_myapi`, and it takes two environment variable arguments, `MyDnsKey1`, and `MyDnsKey2`. To run it on the command line, we'd do this:
```
export MyDnsKey1=myValue1
export MyDnsKey2=myValue2
acme.sh --issue -d mytest.myExample.com --dns dns_myapi
```
### 2. In order to test this particular API, we'd need to do this:
1. Go to your repository on GitHub.
1. Click on the “Settings” tab.
1. Scroll down to the “Security” section and click on “Secrets and variables”, then on “Actions” and finally on “New repository secret”.
1. Enter a name for your secret (e.g. TokenName1 ) and insert the corresponding value.
1. Click on “Add secret”.
**The secrets are only visible to yourself, nobody else can read the secrets.**
**You must create a separate secret for each variable. Each entry under “Add secret” only takes one name and one value**
And we'd need to set the following secrets:
```
TokenName1 = MyDnsKey1
```
```
TokenValue1 = myValue1
```
```
TokenName2 = MyDnsKey2
```
```
TokenValue2 = myValue2
```
```
TEST_DNS = dns_myapi
```
```
TestingDomain = mytest.myExample.com
```
```
TEST_DNS_SLEEP = 120
```
The `TEST_DNS_SLEEP` is the time (in seconds) to sleep to wait for your DNS records to propagate.
Different DNS providers may require different propagation times; please ask your DNS provider's support for the time.
Usually, it's larger than `120` seconds.
## Note
Note that in order to test a different API, you'd need different values, for example the Netlify API is run like this:
```
export NETLIFY_ACCESS_TOKEN="xxxx"
acme.sh --issue -d mytest.myExample.com --dns dns_netlify
```
So we'd need to set the following secrets in GitHub:
```
TEST_DNS = dns_netlify
```
```
TokenName1 = NETLIFY_ACCESS_TOKEN
```
```
TokenValue1 = xxxx
```
```
TestingDomain = mytest.myExample.com
```
Now the tests should be able to try out your change to the Netlify DNS API!
# How to get a Solaris server
If you need a Solaris shell to debug your script, please see this project: https://github.com/vmactions/shell-solaris
# How to get a FreeBSD server
If you need a FreeBSD shell to debug your script, please see this project: https://github.com/vmactions/shell-freebsd
If your DNS provider doesn't support API access, or if you're concerned about security problems from giving the DNS API access to your main domain, then you can use DNS alias mode.
For example, your main domain is **example.com**, which doesn't have API access, or you don't want to give the API access to acme.sh, since it's important.
And you have another domain: **aliasDomainForValidationOnly.com**, which has a supported DNS API. This domain is less important, and maybe it's used for validation only.
Ok, let's start.
### 1. First set domain CNAME:
```text
_acme-challenge.example.com
=> _acme-challenge.aliasDomainForValidationOnly.com
```
or, in standard [DNS zone file](https://en.wikipedia.org/wiki/Zone_file) format, (like ISC BIND or NSD):
```text.zone_file
_acme-challenge.example.com IN CNAME _acme-challenge.aliasDomainForValidationOnly.com.
```
- If you are using `Cloudflare`, do set `Proxy status` as `DNS only`. DON'T set it to ~Proxied~, it won't work!
### 2. Issue a cert:
```sh
acme.sh --issue \
-d example.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf
```
The Let's Encrypt CA server checks the TXT record of the original domain `_acme-challenge.example.com` to validate your domain, but because you set the CNAME in step 1, the lookup follows it to the aliased domain `_acme-challenge.aliasDomainForValidationOnly.com`.
acme.sh knows that, so it adds the correct TXT record to `_acme-challenge.aliasDomainForValidationOnly.com`.
That's it. You will get a cert for `example.com` without giving out control of that domain.
### 3. Share the same aliased domain:
If you have multiple (sub)domains, you need to add a CNAME for each (sub)domain, but they can share the same aliased domain.
For example, you can add the CNAME like:
```sh
_acme-challenge.example.com
=> _acme-challenge.aliasDomainForValidationOnly.com
_acme-challenge.www.example.com
=> _acme-challenge.aliasDomainForValidationOnly.com
_acme-challenge.sub.example.com
=> _acme-challenge.aliasDomainForValidationOnly.com
_acme-challenge.example.net
=> _acme-challenge.aliasDomainForValidationOnly.com
_acme-challenge.example.org
=> _acme-challenge.aliasDomainForValidationOnly.com
```
And then issue the cert like below:
```sh
acme.sh --issue \
-d example.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf \
-d www.example.com \
-d sub.example.com \
-d example.net \
-d example.org
```
Even with ACME v2 wildcard cert:
```sh
acme.sh --issue \
-d example.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf \
-d example.net \
-d example.org \
-d '*.example.com' \
-d '*.example.net' \
-d '*.example.org'
```
### 4. Specify different aliased domains for each domain.
acme.sh supports setting a different alias domain for each domain, even with different DNS providers.
You can set CNAME like:
```sh
_acme-challenge.example.com
=> _acme-challenge.aliasDomainForValidationOnly.com
_acme-challenge.example.net
=> _acme-challenge.aliasDomainForValidationOnly2.com
```
Then issue cert:
```sh
acme.sh --issue \
-d example.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf \
-d example.net --challenge-alias aliasDomainForValidationOnly2.com
```
Even with different dns provider:
```sh
acme.sh --issue \
-d example.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf \
-d example.net --challenge-alias aliasDomainForValidationOnly2.com --dns dns_gd
```
Let's assume the first domain `aliasDomainForValidationOnly.com` is hosted at Cloudflare, and the second is hosted at GoDaddy.
### 5. Mix dns alias and default dns auth
You can get a certificate that mixes domains you can authenticate directly with DNS and domains that need DNS alias mode. Use `--challenge-alias no` to mark a domain that doesn't use a DNS alias.
Suppose we have direct access to set a TXT record for *.example.com, while the domain example.net must use a DNS alias. For extern1.example.net, set a CNAME:
```txt
_acme-challenge.extern1.example.net
=> _acme-challenge.aliasDomainForValidationOnly.com
```
Then issue cert:
```sh
./acme.sh/acme.sh --issue \
-d host1.example.com --challenge-alias no \
-d host2.example.com --challenge-alias no \
-d extern1.example.net --challenge-alias aliasDomainForValidationOnly.com \
--dns dns_infoblox
```
### 6. Last
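Do not remove the CNAME (e.g. `_acme-challenge.example.com`) after you issue the cert. It will be reused when acme.sh tries to renew the cert. The leftover CNAME record `_acme-challenge.example.com` doesn't harm your domain at all. Just keep it there. Keep control of the alias domain for as long as the CNAME exists, since whoever controls the alias zone can answer DNS challenges for the aliased name.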
### 7. challenge-alias or domain-alias
We have another parameter, `--domain-alias`, which has the same meaning as `--challenge-alias`.
But with `--domain-alias` you don't need to add the `_acme-challenge.` prefix.
For example, if you use `--challenge-alias`, you must set the CNAME like below:
```sh
CNAME:
_acme-challenge.A.com
=> _acme-challenge.B.com
```
Then issue cert like:
```sh
acme.sh --issue -d a.com --challenge-alias b.com --dns dns_cf
```
If you use `--domain-alias`, the CNAME should be like:
```sh
CNAME:
_acme-challenge.A.com
=> myalias.B.com
```
Then issue cert like:
```sh
acme.sh --issue -d a.com --domain-alias myalias.B.com --dns dns_cf
```
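A pre-flight check for the CNAME layouts described in this page, as an added example that is not part of acme.sh. `RECORDS` is constructed sample data in "owner target" form, and `challenge_owner`, `expected_target`, `lookup_cname` and `check_alias` are hypothetical names.

```shell
#!/bin/sh
# Added illustration: check the CNAME layout before issuing in DNS alias mode.
# RECORDS is constructed sample data in "owner target" form. In practice the
# target would come from a lookup such as: dig +short CNAME "$owner"
RECORDS='_acme-challenge.example.com _acme-challenge.aliasDomainForValidationOnly.com.
_acme-challenge.example.net myalias.aliasDomainForValidationOnly2.com.
_acme-challenge.example.org _acme-challenge.unrelated.example.'

# Lower-case a name and drop the trailing root dot so comparisons are stable.
_norm() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Name the CA queries for a -d value. A wildcard uses its base domain's name.
challenge_owner() {
  printf '_acme-challenge.%s\n' "$(_norm "${1#\*.}")"
}

# Target the CNAME must have for --challenge-alias or --domain-alias.
expected_target() {
  case "$1" in
    challenge-alias) printf '_acme-challenge.%s\n' "$(_norm "$2")" ;;
    domain-alias) printf '%s\n' "$(_norm "$2")" ;;
    *) return 1 ;;
  esac
}

# Look up the constructed record for an owner name.
lookup_cname() {
  printf '%s\n' "$RECORDS" | while read -r owner target; do
    if [ "$(_norm "$owner")" = "$1" ]; then
      _norm "$target"
      echo
    fi
  done
}

# Succeeds only when the published CNAME points where acme.sh will write
# the TXT record. Returns 2 for an unknown mode, 1 for a missing or wrong CNAME.
check_alias() {
  owner="$(challenge_owner "$1")"
  want="$(expected_target "$2" "$3")" || return 2
  have="$(lookup_cname "$owner")"
  [ -n "$have" ] && [ "$have" = "$want" ]
}
```

A failing check for a name that does have a CNAME (here `example.org`) means validation for that name is delegated to a zone other than the one you intended.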
Warning: DNS manual mode can not renew automatically.
If your domain provider offers a DNS API, it's highly recommended to use DNS API mode instead. With the DNS API mode, you can automate the renewals.
If your domain provider does **not** offer an API where you can add/edit TXT records of your domain, it is recommended to use [DNS alias mode](https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode) instead. Or change the DNS servers of your domain to any provider that supports a DNS API.
DNS manual mode **should** be used for testing. If you do use it for your production server, remember to renew your certificate within 90 days. [Please, make sure you understand DNS manual mode](https://github.com/Neilpang/acme.sh/issues/1029).
1. First step:
```sh
acme.sh --issue -d example.com --dns \
--yes-I-know-dns-manual-mode-enough-go-ahead-please
```
2. Please add the TXT record to your DNS records. This step is required every time you renew your certificate. With DNS api mode, this step can be automated.
3. Now retry with `--renew` command.
```sh
acme.sh --renew -d example.com \
--yes-I-know-dns-manual-mode-enough-go-ahead-please
```
***
**If your DNS _acme challenge fails when using renew, your respective CA will generate a new _acme challenge,**
_**make sure to wait 1 minute for DNS entries to reflect before using renew.**_
***
_**If you had issued a Staging/Production Certificate with SHA CSR then use the `--force` switch to overwrite any entries of old CER and issue fresh CER.**_
```sh
acme.sh --renew -d example.com \
--yes-I-know-dns-manual-mode-enough-go-ahead-please --force
```
_**If you had issued a Staging/Production Certificate with ECC CSR then use the `--ecc --force` switch to overwrite any entries of old CER and issue fresh CER.**_
```sh
acme.sh --renew -d example.com \
--yes-I-know-dns-manual-mode-enough-go-ahead-please --ecc --force
```
## 1. run acme.sh to copy the certificates to the correct location on the disk
### 1.1) create a sensible directory to store your apache certificates
I chose /etc/apache2/2.2/ssl
```
mkdir -p /etc/apache2/2.2/ssl
```
### 1.2) run acme.sh
A few notes:
* the parameters are stored in the .acme.sh configuration file, so get it right for your system as this file is read when the cron job runs
* "reloadcmd" is dependent on your operating system, system V Linux systems use the command "service apache2 force-reload", Solaris based systems use "svcadm restart apache22" or similar
```
acme.sh --install-cert -d online.domain.com \
--cert-file /etc/apache2/2.2/ssl/online.domain.com-cert.pem \
--key-file /etc/apache2/2.2/ssl/online.domain.com-key.pem \
--fullchain-file /etc/apache2/2.2/ssl/letsencrypt.pem \
--reloadcmd "service apache2 force-reload"
```
## 2. Set up your httpd.conf
There are so many ways to do this that it would take a long list to write every variant; however, the specific directives you will need to set in your httpd.conf (or ssl.conf, or httpd-ssl.conf) are:
```
SSLCertificateFile /etc/apache2/2.2/ssl/online.domain.com-cert.pem
SSLCertificateKeyFile /etc/apache2/2.2/ssl/online.domain.com-key.pem
SSLCertificateChainFile "/etc/apache2/2.2/ssl/letsencrypt.pem"
SSLCACertificatePath "/etc/apache2/2.2/ssl/"
SSLCACertificateFile "/etc/apache2/2.2/ssl/letsencrypt.pem"
```
TODO
see:
1. https://www.rmedgar.com/blog/using-acme-sh-with-nginx
1. http://www.cyberciti.biz/faq/how-to-configure-nginx-with-free-lets-encrypt-ssl-certificate-on-debian-or-ubuntu-linux/
### 1. SolusVM master with nginx stack:
First of all, install acme.sh as described in the documentation.
#### 1) Issue your certificate:
acme.sh will try to validate your domain over http connection. That means the docroot is /usr/local/solusvm/www/.verification. Please check if you have this folder, else you can use /usr/local/solusvm/www as your docroot.
```
acme.sh --issue -d solusvm.yourdomain.com \
-w /usr/local/solusvm/www/.verification
```
Change 'solusvm.yourdomain.com' to your SolusVM master domain name. Remember you can add multiple domains (SANs) to your certificate using the -d option. Please check the acme.sh wiki on how to do it.
#### 2) Install the issued certificate to your SolusVM master:
```
acme.sh --installcert -d solusvm.yourdomain.com \
--keypath /usr/local/svmstack/nginx/ssl/ssl.key \
--fullchainpath /usr/local/svmstack/nginx/ssl/ssl.crt \
--reloadcmd "service svmstack-nginx restart; \
/usr/local/svmstack/sshwebsocket/quit; \
/usr/local/svmstack/sshwebsocket/port_check; \
cd /usr/local/svmstack/nginx/ssl && cat ssl.key ssl.crt > ssl.pem"
```
This command will install the fullchain and the private key to /usr/local/svmstack/nginx/ssl/. After that, it will restart the web server, restart sshwebsocket (used for HTML5 console) and then generate the ssl.pem file needed for novnc websockify.
### 2. SolusVM master with lighttpd stack:
TODO
## Thanks to those who donate:
(If you want to be listed with your website link here, please write email to me: donate@neilpang.com )
(You can also find me on Twitter: [@neilpangxa](https://twitter.com/neilpangxa))
(In date time order, from the early to the latest)
1. Third Eye
1. Chan Davy
1. Stephan Herbers
1. Armando Lüscher
1. Barry van Someren
1. Robert Wetzlmayr
1. Ricardo Cabrera
1. Coffeesprout ICT services
1. myGeiger Scientific Instruments Oy
1. shimile@GitHub
1. John Elliot ProgClub
1. Dan Langille
1. Haiku Lab Limited
1. Miroslav Lachman
1. Yannick Grangé
1. Christian Kraus
1. Jean-Baptiste Marie
1. Steven Grantz
1. Chris Gelatt
1. Petr Líbal
1. Neil Sabol
1. Ovchinnikov Alexey
1. allegronet.de (Klaus Lehmann)
1. Maurice Bleuel
1. Romain Muller
1. Stefan Daschek
1. Andreas Vögele
1. Moritz Süß
1. Simon Hengchen
1. Chen Wei Chi
1. Allen Thompson
1. Peter Berbec
1. Гончаров Владимир
1. Stuart Friedberg
1. Scott Aitken
1. Bob Geddes
1. David Yang
1. [Techno FAQ](https://technofaq.org)
1. Alex King
1. Seth Schoen
1. Andre D Henry
1. Simon Gaynor
1. Benedykt Mis
1. Andris Reinman
1. Walther Schubert
1. Mathew Rupp
1. Richard Shea
1. Vladislav Bakayev
1. Georgi Petrov
1. Hank Oxford
1. Ondrej Sury
1. Feng Gao
1. David Tourel [Maildrop](https://www.maildrop.fr)
1. Falinder Patric
1. Ovchinnikov Alexey
1. Demiri Adil
1. Forsythe R G
1. Tekampe Nils
1. Zimmermann Christoph
1. Bucciarelli Mark
1. Muller Romain
1. H. Meier Thomas
1. Xibo Signage Ltd
1. Rzepka Norman
1. Biere Christian
1. Burkard Marius
1. Autie Nicolas
1. Campitelli da Silva Pinto Vinícius
1. Haslinger Daniel
1. Drolet Jean-Yves
1. Zensiri Alexander
1. Losev Vladimir
1. Wyde Patrik
1. G2Soft.Net
1. Hueskes Robin
1. Tichý Petr
1. Herbers Stephan
1. ВасильевКонстантин
1. Pérez Fuster José Joaquín
1. Strasser Joel
1. Growls LLC
1. Miehler Axel
1. Dalla Stella Marco
1. Zhou Hao
1. Silberman Jonathan
1. Jäger Max
1. Gollnick Joerg
1. Petkov Petko
1. Kevin Rosbach
1. Hueskes Robin
1. ByrdBrain.com
1. Jensen Thomas
1. [The Citizen](http://thecitizen.pk)
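## WeChat donation list:
Some people have donated via WeChat, but WeChat doesn't show names, so they are all listed as anonymous. Feel free to add your own name:
(In no particular order)
1. Anonymous
2. Anonymous
3. Anonymous
4. Anonymous
1. Anonymous
2. Anonymous
3. Anonymous
4. Anonymous
1. Anonymous
2. Anonymous
3. Anonymous
4. Anonymous
4. Anonymous
4. Anonymous
4. Anonymous
4. Anonymous
4. Anonymous
4. Anonymous
4. Anonymous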
5. *尔
6. c*l
7. *水
8. d*g
9. *哥
10. *荣
11. 张一菜
1. _*_
1. *j
1. *良
1. M*t
1. *😊
1. *兔
1. *想
1. 爱*Q
1. M*k
1. *司
1. j*e
1. *亮
1. *嘛
1. D*t
1. *月
1. C*n
1. R*i
1. *力
1. *鸟
1. N*i
1. *飞
1. *1
1. *翟
1. J*s
1. *店
1. *子
1. *木
1. *人
1. *孩
1. Arthur
1. *兵
1. *昊
1. *健
1. *e
1. T*n
1. n*o
1. *l
1. *川
1. M*n
1. *神
1. *霓
## Alipay
The list is now added here as well; there may be omissions, so feel free to add yourself:
(In no particular order)
1. *宇
2. *宇腾
3. *文龙
4. *明军
5. *士军
6. *超
7. *博涵
8. *祖辉
9. *欣磊
10. *智超
11. *瑞祥
12. *志伟
13. *世超
14. *志杰
15. *伟
16. *明
17. *博
18. *凯升
19. *进
20. *泉波
21. *松
22. *森
23. *昂
24. *晓迪
25. *浩睿
26. *晓枫
27. *麟
28. *锐錩
29. *坚
30. *嘉康
31. *旭光
1. *泽宇
1. *敏
1. *腾飞
1. *开
1. *浦城
1. *云轩
1. *山林
1. *友德
1. *涛
1. *桃
1. *雁辉
1. *淑豪
1. *峻源
1. *亚庆
1. *秋雨
1. *晨
1. *少龙
1. *磊
1. *晶晶
1. *佳炜
1. *宇蓝
1. *毅博
1. *勇
1. *组涛
1. *翔
# Sponsors:
[](https://www.quantumca.com.cn/?__utm_source=acmesh-donation)
## 1. You can use `--log` parameter in any command to enable log file.
Once enabled, logging stays in effect for all future operations.
Example: install and enable log.
```
acme.sh --install --log
```
If you forgot to enable the log when installing, you can enable it with any command.
Example: enable log when issuing a cert:
```
acme.sh --issue .... --log
```
## 2. Set the log file path.
The default log file is `~/.acme.sh/acme.sh.log`.
You can also specify a log file path:
```
acme.sh --issue ..... --log "/path/to/mylog.log"
```
## 3. You can also specify log level.
The default log level is `1`; it outputs the same log info as `--debug`.
This is enough for most cases. You can also specify a log level.
Set the log level to `2`:
```
acme.sh --issue ..... --log --log-level 2
```
# Request exit codes
There currently are three exit codes:
**0**: certificate request successful
**1**: certificate request failed
**2**: certificate still valid, request skipped
## Cronjobs
If you run `acme.sh --cron` and all certificates are still valid (so nothing is renewed), the exit code will be 0.
Only if you run `acme.sh --renew --domain example.com` and it is still valid, the exit code will be 2 as stated above.
Reference to https://github.com/acmesh-official/acme.sh/issues/3487
```bash
DOH_CLOUDFLARE=1
DOH_GOOGLE=2
DOH_ALI=3
DOH_DP=4
```
Explicitly use Aliyun DNS:
```bash
cd .acme.sh
echo "export DOH_USE=3" >> acme.sh.env
source acme.sh.env
```
See [[Google Trust Services CA]]
Google just announced its free ACME server: https://cloud.google.com/blog/products/identity-security/automate-public-certificate-lifecycle-management-via--acme-client-api
It supports multiple domains and wildcard domains. The lifetime of the cert is 90 days, too.
1. Follow this guide to create your EAB key and EAB id:
https://cloud.google.com/public-certificate-authority/docs/quickstart
2. OK, done. You can register an ACME account and issue certs now:
```
acme.sh --register-account -m myemail@example.com --server google \
--eab-kid xxxxxxx \
--eab-hmac-key xxxxxxx
acme.sh --issue --server google \
-d example.com --dns dns_googledomains
```
Here is an example cert:
The full chain:
Human readable format:
```
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
84:1e:20:6c:5e:7e:20:e9:0e:00:00:00:00:03:2f:86
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1P5
Validity
Not Before: Mar 30 13:34:35 2022 GMT
Not After : Jun 28 13:34:34 2022 GMT
Subject: CN=gca.neilpang.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:be:88:1b:f5:36:40:1b:ec:1f:27:d5:40:fe:17:
1f:dc:d7:d6:fc:13:3c:6f:1f:a1:5d:f7:6a:06:d2:
c0:94:c8:71:35:1c:e1:23:e4:c1:8f:5c:b6:98:5b:
98:3e:ea:bb:0b:e7:26:25:59:a6:70:6f:b3:b8:c9:
1a:df:79:c4:5f:b4:45:0a:7d:80:31:ca:76:0e:1e:
e6:7e:bc:36:8d:fa:a1:ae:e0:6a:62:26:82:b7:be:
05:2c:7c:ff:fc:ef:96:35:8e:bc:2c:f7:58:80:4b:
8a:76:1d:56:d1:41:39:b6:07:27:ee:c2:14:1a:fd:
c2:95:05:46:bb:99:22:b7:b1:18:56:20:17:0f:d7:
b2:fa:42:26:2e:07:6a:15:e0:f5:9f:6b:fb:f4:5f:
a7:62:6b:bf:9c:02:7c:94:f5:c7:93:50:03:9a:30:
13:c4:fe:ed:35:69:90:5e:8a:47:ff:54:e1:59:e8:
8c:cd:bf:a7:09:bf:b2:e9:fb:3b:17:0f:3d:43:c1:
02:3f:74:3e:1d:b0:73:c9:68:77:c7:cc:e9:b5:96:
db:d5:b8:7a:4a:b2:7b:53:3d:dc:cb:3f:cc:e6:17:
27:f8:46:d7:e5:93:56:b2:83:67:62:ee:4e:f0:63:
f0:0b:93:1b:2e:72:84:81:54:32:8d:42:74:43:7e:
1b:25
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
4A:D3:CD:4A:42:6E:2F:DC:A7:76:CD:2B:B8:B5:71:CF:80:17:E2:74
X509v3 Authority Key Identifier:
keyid:D5:FC:9E:0D:DF:1E:CA:DD:08:97:97:6E:2B:C5:5F:C5:2B:F5:EC:B8
Authority Information Access:
OCSP - URI:http://ocsp.pki.goog/s/gts1p5/EvYdWBESZcY
CA Issuers - URI:http://pki.goog/repo/certs/gts1p5.der
X509v3 Subject Alternative Name:
DNS:gca.neilpang.com, DNS:*.gca.neilpang.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.11129.2.5.3
X509v3 CRL Distribution Points:
Full Name:
URI:http://crls.pki.goog/gts1p5/htAIIEEtXcY.crl
1.3.6.1.4.1.11129.2.4.2:
......v.A...."FJ...:.B.^N1.....K.h..b........?.#.....G0E.!..........v."u.{....y.6.).|O..&... Pq...........t4...K^&.....0..YV..w.)y...99!.Vs.c.w..W}.`
....<.W.....B~......2...!......L.Kh..