This project implements acme.sh's DNS-based (dns-txt) certificate issuance flow with acme.sh's default configuration: the CA is ZeroSSL, and the account private key and the domain private key are generated as ecc-prime256v1 by default; other key types are not supported yet. The certificate obtained covers both yourdomain.com and *.yourdomain.com.
The purpose of this project was to experiment with applying for a ZeroSSL wildcard certificate on Windows. That now works, and the project will probably not be updated further.
- Java 8+
- Curl
- Openssl
- Echo (Linux, it must support echo -n)
This project ships with jre8, curl and openssl-win. Go to https://adoptium.net/zh-CN/temurin/releases/?version=8 , https://curl.se/download.html and https://wiki.openssl.org/index.php/Binaries to find the build for your system. On Windows you do not have to install them: they are all portable builds, just unzip and use.
- Any path you like, but without spaces; an all-English (ASCII) path is best.
- If not specified, Windows uses the bundled openssl and curl by default; Linux uses /usr/bin/openssl and /usr/bin/curl.
```ini
# Windows
openssl=C:/path/to/your/openssl.exe
curl=C:/path/to/your/curl.exe
# openssl=C:\\path\\to\\your\\openssl.exe
# curl=C:\\path\\to\\your\\curl.exe
# Linux (no .exe suffix)
# openssl=/path/to/your/openssl
# curl=/path/to/your/curl
```
```text
javac -encoding utf-8 Acme2J.java
.\java\bin\java.exe Acme2J <option> domain=yourdomain.com [email protected]
# options: issue, continue, renew
.\java\bin\java.exe Acme2J issue domain=yourdomain.com [email protected]
.\java\bin\java.exe Acme2J continue domain=yourdomain.com [email protected]
.\java\bin\java.exe Acme2J renew domain=yourdomain.com [email protected]
# renew actually issues a new certificate
```
- There is no ca.cer; you can extract it from domain.cer yourself.
```text
├── .gitignore
├── account.key      // -> /root/.acme.sh/ca/acme.zerossl.com/v2/DV90/account.key
├── account.json     // -> /root/.acme.sh/ca/acme.zerossl.com/v2/DV90/account.json
├── ca.conf          // -> /root/.acme.sh/ca/acme.zerossl.com/v2/DV90/ca.conf
├── domain
│   ├── domain.key      // -> /root/.acme.sh/domain_ecc/domain.key = ssl.key
│   ├── domain.cer      // -> /root/.acme.sh/domain_ecc/fullchain.cer = ssl.pem
│   ├── domain.conf     // -> /root/.acme.sh/domain_ecc/domain.conf
│   └── domain.csr.conf // -> /root/.acme.sh/domain_ecc/domain.csr.conf
├── Readme.md
├── Acme2J.java
├── Acme2J.class
└── tools
```
By default the root path of all files is the project directory. Unlike acme.sh's configuration files, this project's configuration does not wrap values in single quotes: acme.sh's Le_Domain='domain' is Le_Domain=domain in this project. acme.sh's configuration files can still be used with this project.
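As an added example (not code from Acme2J), here is a small Java reader that accepts both the quoted acme.sh form and this project's unquoted form, with an exact-key lookup in place of a regex-based valueFor. The sample lines other than Le_Domain are constructed, and the file argument is optional.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example, not part of Acme2J: one reader for both conf styles described above,
 *  acme.sh's Le_Domain='domain' and this project's Le_Domain=domain. */
public class ConfReader {
    /** Parses key=value lines, stripping exactly one pair of single quotes around a value. */
    static Map<String, String> parse(String text) {
        Map<String, String> conf = new LinkedHashMap<>();
        for (String raw : text.split("\\r?\\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;   // blank lines and comments
            int eq = line.indexOf('=');
            if (eq <= 0) continue;                                  // no key: skip instead of guessing
            String key = line.substring(0, eq).trim();
            String val = line.substring(eq + 1).trim();
            if (val.length() >= 2 && val.charAt(0) == '\'' && val.charAt(val.length() - 1) == '\'') {
                val = val.substring(1, val.length() - 1);           // acme.sh quoting; inner quotes are kept
            }
            conf.put(key, val);                                     // a later duplicate key wins
        }
        return conf;
    }

    /** Exact-key lookup as a replacement for a regex-based valueFor: no partial matches
     *  (Le_Domain must not match a longer key that starts with it), and a missing key fails loudly. */
    static String valueFor(Map<String, String> conf, String key) {
        String v = conf.get(key);
        if (v == null) throw new IllegalStateException("missing config key: " + key);
        return v;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample in acme.sh's quoted style; Le_Alt and Le_Keylength are illustrative keys
        String sample = "Le_Domain='yourdomain.com'\nLe_Alt='*.yourdomain.com'\n# comment\nLe_Keylength=ec-256\n";
        String text = args.length > 0
                ? new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.UTF_8)  // e.g. domain/domain.conf
                : sample;
        Map<String, String> conf = parse(text);
        System.out.println(valueFor(conf, "Le_Domain") + " and " + valueFor(conf, "Le_Alt"));
    }
}
```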
- IP certificates and multiple domains are not supported.
- This program does not follow the design of acme.sh.
- This program has not been strictly tested or optimized.
- Abuse is prohibited.
- Any other use that harms the public interest is prohibited.
- Network requests are performed by curl.
- Key generation, signing and related functions are performed by openssl.
- Java invokes the system command line for the necessary functions.
- Tested working on Windows 10/11 and Ubuntu 20.
- Code that involves openssl and curl is marked with TODO.
- Procedural style; the program is crude, but easier to read than acme.sh's source.
- The whole flow follows the sequence of network requests acme.sh makes when issuing a certificate, developed alongside its source code.
- Note that some methods in the project are incomplete and "hard to use and dangerous", such as valueFor() and other methods that rely on regular expressions.
- This project aims to describe a complete acme.sh issuance flow and extract its most important steps and methods as a reference for developing other projects later.
- If you want to build on this project, you must read acme.sh's source and take into account the restrictions it handles, such as retry-after.
- Running acme.sh with `acme.sh --issue --dns -d yourdomain --yes-I-know-dns-manual-mode-enough-go-ahead-please --output-insecure --debug 3` gives you a detailed log.
- Configuring curl to skip certificate verification globally, or replacing `_CURL` with `_CURL -k` in acme.sh, helps when studying its network traffic.
- Following the flow given in this project, once curl and openssl are taken care of you can easily reimplement acme.sh in another programming language and run it in any environment, even a browser.
- acme.sh defaults to ECC, but RSA can be chosen. From `acme.sh --help`: `-k, --keylength <bits>` Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384, ec-521. `-ak, --accountkeylength <bits>` Specifies the account key length: 2048, 3072, 4096.
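As an added example that is not part of Acme2J, this Java class shows the signing step a port like this one delegates to openssl: the JWS signing input is fed to openssl over stdin through ProcessBuilder (no shell, so no dependence on `echo -n` and no command-line injection through CA-supplied values), and openssl's DER ECDSA signature is converted to the raw R||S form that ES256 requires for a prime256v1 account key. It assumes openssl on PATH, an account.key in the working directory, and placeholder kid, nonce and URL values.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Added example, not Acme2J code: sign one ACME request with openssl through ProcessBuilder (no shell,
 *  no `echo -n`) and convert the DER ECDSA signature to the raw R||S form JWS ES256 requires for P-256. */
public class JwsSign {
    static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }

    /** `openssl dgst -sha256 -sign <key>` with the data on stdin; arguments are passed as a list, so a
     *  nonce, URL or domain is never interpreted by a shell, and no trailing newline is ever added. */
    static byte[] opensslSign(String openssl, String keyPath, byte[] data) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(openssl, "dgst", "-sha256", "-sign", keyPath)
                .redirectError(ProcessBuilder.Redirect.INHERIT).start();
        try (OutputStream in = p.getOutputStream()) { in.write(data); }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (InputStream is = p.getInputStream()) {
            byte[] buf = new byte[4096];
            for (int n; (n = is.read(buf)) > 0; ) out.write(buf, 0, n);
        }
        if (p.waitFor() != 0) throw new IOException("openssl dgst failed");
        return out.toByteArray();
    }

    /** DER SEQUENCE { INTEGER r, INTEGER s } -> 64 bytes R||S: sign byte dropped, each half left-padded. */
    static byte[] derToRaw(byte[] der) {
        byte[] raw = new byte[64];
        int i = 2;                                  // skip SEQUENCE tag + short-form length (P-256 sig <= 72 bytes)
        for (int half = 0; half < 2; half++) {
            if (der[i] != 0x02) throw new IllegalArgumentException("not a DER ECDSA signature");
            int len = der[i + 1] & 0xff, start = i + 2;
            while (len > 32) { start++; len--; }    // leading 0x00 that DER adds when the high bit is set
            System.arraycopy(der, start, raw, half * 32 + 32 - len, len);
            i = start + len;
        }
        return raw;
    }

    /** Flattened JWS for an account-bound ACME request (RFC 8555 section 6.2). The JSON is built by
     *  concatenation, so values must be plain ASCII here; a real client should use a JSON library. */
    static String jws(String openssl, String key, String kid, String nonce, String url, String payload)
            throws IOException, InterruptedException {
        String hdr = b64(("{\"alg\":\"ES256\",\"kid\":\"" + kid + "\",\"nonce\":\"" + nonce + "\",\"url\":\"" + url + "\"}")
                .getBytes(StandardCharsets.UTF_8));
        String body = b64(payload.getBytes(StandardCharsets.UTF_8));
        byte[] sig = derToRaw(opensslSign(openssl, key, (hdr + "." + body).getBytes(StandardCharsets.US_ASCII)));
        return "{\"protected\":\"" + hdr + "\",\"payload\":\"" + body + "\",\"signature\":\"" + b64(sig) + "\"}";
    }

    public static void main(String[] args) throws Exception {
        // Assumptions: openssl on PATH, prime256v1 account.key in the working directory; kid, nonce and url are
        // placeholders for the values the CA returned from newAccount, newNonce and the directory.
        System.out.println(jws("openssl", "account.key", "<account-url-from-newAccount>", "<nonce-from-newNonce>",
                "<newOrder-url-from-directory>", "{\"identifiers\":[{\"type\":\"dns\",\"value\":\"yourdomain.com\"}]}"));
    }
}
```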