Using acme.sh with Cloudflare's DNS API to issue and renew certificates
Using acme.sh with the DNS challenge lets us request wildcard certificates, and through this route we can conveniently obtain SSL certificates for our internal services without the assorted headaches that come with self-signed certificates.
acme.sh supports the DNS APIs of a great many DNS providers; using a DNS API saves you from filling in the _acme-challenge record by hand.
Using Cloudflare as an example
First, let's see what information acme.sh needs from Cloudflare, as declared at the top of dns_cf.sh:

```sh
#!/usr/bin/env sh
# shellcheck disable=SC2034
dns_cf_info='CloudFlare
Site: CloudFlare.com
Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_cf
Options:
 CF_Key API Key
 CF_Email Your account email
OptionsAlt:
 CF_Token API Token
 CF_Account_ID Account ID
 CF_Zone_ID Zone ID. Optional.
'
```

You can also read how the acme.sh wiki puts it, though I find the code a bit more honest than the wiki:
As of June 2025, the Cloudflare Domain API can be accessed using three kinds of API keys:
User token; Account-owned token; or User Global API Key (Not recommended).
We'll go with the first option, a User token.
Get the following credentials from the Cloudflare dashboard, then add CF_Email:

```sh
CF_Token="Y7VRjJ_**"
CF_Zone_ID="5f011**"
CF_Account_ID="29b0**"
CF_Email="***"
```

Whether issuing or renewing, just add the `--dns dns_cf` option (the same form the systemd unit below uses):

```sh
# renew
/usr/share/acme.sh/acme.sh --cron --dns dns_cf --home /certs

# issue
/usr/share/acme.sh/acme.sh --issue -d krystzal.dev --dns dns_cf --home /certs
```

Scheduled renewal with a systemd timer
We can use a systemd timer instead of crontab for scheduled renewal; the example below runs the renewal once a day.

```ini
# acme.sh.service
[Unit]
Description=Renew certificates acquired via acme.sh
After=network.target network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
Documentation=https://github.com/acmesh-official/acme.sh/wiki

[Service]
User=cert
Group=cert
Type=simple
ExecStart=/bin/acme.sh --cron --dns dns_cf --home /certs --dnssleep 600
SuccessExitStatus=0 2
Restart=on-failure
EnvironmentFile=/etc/systemd/system/acme.sh.env
```

```ini
# acme.sh.timer
[Unit]
Description=Run acme.sh daily

[Timer]
OnCalendar=*-*-* 00:00:00
Persistent=true

[Install]
WantedBy=timers.target
```

```sh
# acme.sh.env
CF_Token="Y7VRjJ_**"
CF_Zone_ID="5f011**"
CF_Account_ID="29b0**"
```

Then reload the systemd daemon and enable acme.sh.timer:

```sh
systemctl daemon-reload
systemctl enable acme.sh.timer
```

Supported DNS API list
NOTE
This list was updated on 2026-02-25; acme.sh changes over time, so check its repository for the latest list.
The header of each DNS API's .sh file states which API credentials it needs; obtain them from the DNS provider's dashboard and set them as the corresponding environment variables.
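As an added example (not acme.sh's own code), the script below turns that sentence into a check: it parses the `<hook>_info` header format shown for dns_cf.sh above, extracts the variable names of the `Options` and `OptionsAlt` groups, and verifies that a systemd EnvironmentFile defines one complete, non-empty set and is readable only by its owner. The sample header and env file are constructed inline with placeholder values; the function names are my own.

```sh
#!/bin/sh
# Added example: validate an acme.sh EnvironmentFile against a dnsapi hook's
# "<hook>_info" header before wiring it into the systemd unit.

# Print the variable names of one option group ("Options" or "OptionsAlt"), one per line; entries marked "Optional." are skipped.
dnsapi_vars() {  # $1 = dnsapi script, $2 = group name
  awk -v grp="$2" -v q="'" '
    /^dns_[a-z0-9_]*_info=/ { inhdr = 1 }
    inhdr && $0 == grp ":"  { ingrp = 1; next }
    inhdr && /^[A-Za-z]+:/  { ingrp = 0 }
    ingrp && /^ [A-Z][A-Za-z0-9_]* / && !/Optional\.$/ { sub(/^ /, ""); print $1 }
    inhdr && $0 == q        { exit }
  ' "$1"
}

# Return 0 when at least one name arrives on stdin and each is assigned a non-empty value in the env file.
env_has_all() {  # $1 = env file; variable names on stdin
  n=0
  while read -r name; do
    n=$((n + 1))
    grep -Eq "^${name}=['\"]?[^'\"]+" "$1" || return 1
  done
  [ "$n" -gt 0 ]
}

# Return 0 if the env file is owner-only and satisfies Options or OptionsAlt; 2 for bad permissions, 1 for incomplete credentials.
check_env_file() {  # $1 = dnsapi script, $2 = env file
  [ "$(ls -l "$2" | cut -c5-10)" = "------" ] || { echo "$2: readable by group/others" >&2; return 2; }
  dnsapi_vars "$1" Options    | env_has_all "$2" && return 0
  dnsapi_vars "$1" OptionsAlt | env_has_all "$2" && return 0
  echo "$2: no complete credential set for $(basename "$1")" >&2
  return 1
}

# Constructed sample input: a dns_cf.sh header in the format shown above and an env file with placeholder (not real) values.
setup_samples() {  # $1 = directory to write into
  cat > "$1/dns_cf.sh" <<'EOF'
dns_cf_info='CloudFlare
Options:
 CF_Key API Key
 CF_Email Your account email
OptionsAlt:
 CF_Token API Token
 CF_Account_ID Account ID
 CF_Zone_ID Zone ID. Optional.
'
EOF
  printf 'CF_Token="PLACEHOLDER_TOKEN"\nCF_Account_ID="PLACEHOLDER_ACCOUNT"\n' > "$1/acme.sh.env"
  chmod 600 "$1/acme.sh.env"
}
```

Run `setup_samples` into a temporary directory and then `check_env_file "$dir/dns_cf.sh" "$dir/acme.sh.env"`; against a real install, point the first argument at the hook under acme.sh's dnsapi directory and the second at the EnvironmentFile the unit references.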
- dns_1984hosting.sh
- dns_acmedns.sh
- dns_acmeproxy.sh
- dns_active24.sh
- dns_ad.sh
- dns_ali.sh
- dns_alviy.sh
- dns_anx.sh
- dns_artfiles.sh
- dns_arvan.sh
- dns_aurora.sh
- dns_autodns.sh
- dns_aws.sh
- dns_azion.sh
- dns_azure.sh
- dns_beget.sh
- dns_bookmyname.sh
- dns_bunny.sh
- dns_cf.sh
- dns_clouddns.sh
- dns_cloudns.sh
- dns_cn.sh
- dns_conoha.sh
- dns_constellix.sh
- dns_cpanel.sh
- dns_curanet.sh
- dns_cyon.sh
- dns_da.sh
- dns_ddnss.sh
- dns_desec.sh
- dns_df.sh
- dns_dgon.sh
- dns_dnsexit.sh
- dns_dnshome.sh
- dns_dnsimple.sh
- dns_dnsservices.sh
- dns_doapi.sh
- dns_domeneshop.sh
- dns_dpi.sh
- dns_dp.sh
- dns_dreamhost.sh
- dns_duckdns.sh
- dns_durabledns.sh
- dns_dyn.sh
- dns_dynu.sh
- dns_dynv6.sh
- dns_easydns.sh
- dns_edgecenter.sh
- dns_edgedns.sh
- dns_efficientip.sh
- dns_euserv.sh
- dns_exoscale.sh
- dns_fornex.sh
- dns_freedns.sh
- dns_freemyip.sh
- dns_gandi_livedns.sh
- dns_gcloud.sh
- dns_gcore.sh
- dns_gd.sh
- dns_geoscaling.sh
- dns_googledomains.sh
- dns_he_ddns.sh
- dns_he.sh
- dns_hetznercloud.sh
- dns_hetzner.sh
- dns_hexonet.sh
- dns_hostingde.sh
- dns_hostup.sh
- dns_huaweicloud.sh
- dns_infoblox.sh
- dns_infoblox_uddi.sh
- dns_infomaniak.sh
- dns_internetbs.sh
- dns_inwx.sh
- dns_ionos_cloud.sh
- dns_ionos.sh
- dns_ipv64.sh
- dns_ispconfig.sh
- dns_jd.sh
- dns_joker.sh
- dns_kappernet.sh
- dns_kas.sh
- dns_kinghost.sh
- dns_knot.sh
- dns_la.sh
- dns_leaseweb.sh
- dns_lexicon.sh
- dns_limacity.sh
- dns_linode.sh
- dns_linode_v4.sh
- dns_loopia.sh
- dns_lua.sh
- dns_maradns.sh
- dns_me.sh
- dns_mgwm.sh
- dns_miab.sh
- dns_mijnhost.sh
- dns_misaka.sh
- dns_myapi.sh
- dns_mydevil.sh
- dns_mydnsjp.sh
- dns_mythic_beasts.sh
- dns_namecheap.sh
- dns_namecom.sh
- dns_namesilo.sh
- dns_nanelo.sh
- dns_nederhost.sh
- dns_neodigit.sh
- dns_netcup.sh
- dns_netlify.sh
- dns_nic.sh
- dns_njalla.sh
- dns_nm.sh
- dns_nsd.sh
- dns_nsone.sh
- dns_nsupdate.sh
- dns_nw.sh
- dns_oci.sh
- dns_omglol.sh
- dns_one.sh
- dns_online.sh
- dns_openprovider_rest.sh
- dns_openprovider.sh
- dns_openstack.sh
- dns_opnsense.sh
- dns_ovh.sh
- dns_pdns.sh
- dns_pleskxml.sh
- dns_pointhq.sh
- dns_porkbun.sh
- dns_qc.sh
- dns_rackcorp.sh
- dns_rackspace.sh
- dns_rage4.sh
- dns_rcode0.sh
- dns_regru.sh
- dns_scaleway.sh
- dns_schlundtech.sh
- dns_selectel.sh
- dns_selfhost.sh
- dns_servercow.sh
- dns_simply.sh
- dns_sotoon.sh
- dns_spaceship.sh
- dns_technitium.sh
- dns_tele3.sh
- dns_tencent.sh
- dns_timeweb.sh
- dns_transip.sh
- dns_udr.sh
- dns_ultra.sh
- dns_unoeuro.sh
- dns_variomedia.sh
- dns_veesp.sh
- dns_vercel.sh
- dns_virakcloud.sh
- dns_vscale.sh
- dns_vultr.sh
- dns_websupport.sh
- dns_west_cn.sh
- dns_world4you.sh
- dns_yandex360.sh
- dns_yc.sh
- dns_zilore.sh
- dns_zoneedit.sh
- dns_zone.sh
- dns_zonomi.sh