Requesting a Let's Encrypt wildcard SSL certificate

Preface

This article installs certbot on your own computer (macOS, via Homebrew).

Domain ownership is proven with a DNS (dns-01) challenge. The certificate is valid for 90 days, after which it must be renewed manually.

After issuance the certificate is uploaded to the server by hand, so this workflow is only suitable for development.

For an automated issuance workflow, see other articles.

Procedure

  1. Install Certbot (the Let's Encrypt client used to request certificates; it is written in Python)

    brew (Homebrew) is a package manager for macOS; it is very convenient and fetches dependencies automatically.

    $ brew install certbot

    If you are prompted, install the missing dependencies as instructed (on a fresh Mac this is usually the Xcode command-line tools, below), then rerun the previous command.

    $ xcode-select --install
  2. Run the request command

    For details of the parameters, consult the official Let's Encrypt / certbot documentation. --manual means you create the DNS records yourself, --preferred-challenges dns-01 is required because wildcard names can only be validated over DNS, and --server points at the ACME v2 endpoint, which is the only one that issues wildcards.

    $ sudo certbot certonly -d "*.yourdomain.com" -d "yourdomain.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
  3. Enter the requested information

    Plugins selected: Authenticator manual, Installer None
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel): your email address
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
    agree in order to register with the ACME server at
    https://acme-v02.api.letsencrypt.org/directory
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (A)gree/(C)ancel: a    // agree
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about our work
    encrypting the web, EFF news, campaigns, and ways to support digital freedom.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: y  // yes (optional; answering n does not affect issuance)
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for yourdomain.com
    dns-01 challenge for yourdomain.com
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: y   // yes
  4. DNS validation

    Add a TXT record whose host (name) is _acme-challenge. Because the order covers both *.yourdomain.com and yourdomain.com, certbot shows the prompt below twice with two different values; both must exist as separate TXT records under the same name when validation runs, so add the second record rather than overwriting the first.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.yourdomain.com with the following value:
    
    18eEXZpvkS0WPSog8T9YtWZEeUWf6r2lyScf_NfAurc
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue
  5. Check

    nslookup -q=txt _acme-challenge.yourdomain.com

    Confirm that the record resolves before pressing Enter. Let's Encrypt's validation servers are outside China and validate from several vantage points on the public Internet, so wait a few minutes for the record to propagate (and for any cached answer to expire) before confirming.

  6. Successful result

    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/yourdomain.com/fullchain.pem   // certificate (with chain) path
       Your key file has been saved at:
       /etc/letsencrypt/live/yourdomain.com/privkey.pem     // private key path
       Your cert will expire on 2019-06-15. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
  7. Retrieve the certificate

    $ sudo cat /etc/letsencrypt/live/yourdomain.com/fullchain.pem | pbcopy
    $ sudo cat /etc/letsencrypt/live/yourdomain.com/privkey.pem | pbcopy

    Note that the second command places the private key in the macOS clipboard, where clipboard-history tools and other applications can read it. For anything beyond a throwaway development box, copy the files to the server with scp instead, and make sure privkey.pem ends up owned by the service user with mode 600.
  8. Renew the certificate

    Renews certificates that are approaching expiry. Unattended renewal needs a DNS plugin (or a --manual-auth-hook script) to create the new TXT records; because this article uses --manual without a hook, the command below cannot renew these certificates unattended and the interactive steps above must be repeated before the certificate expires.

    $ sudo certbot renew
  9. Manage certificates

    List the certificates certbot knows about, with their domains, expiry dates and paths:

    $ sudo certbot certificates
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Found the following certs:
      Certificate Name: xxx1.com
    	Domains: *.xxx1.com xxx1.com
    	Expiry Date: 2019-06-15 07:49:25+00:00 (VALID: 36 days)
    	Certificate Path: /etc/letsencrypt/live/xxx1.com/fullchain.pem
    	Private Key Path: /etc/letsencrypt/live/xxx1.com/privkey.pem
      Certificate Name: xxx2.com
    	Domains: *.xxx2.com xxx2.com
    	Expiry Date: 2019-08-08 01:19:19+00:00 (VALID: 89 days)
    	Certificate Path: /etc/letsencrypt/live/xxx2.com/fullchain.pem
    	Private Key Path: /etc/letsencrypt/live/xxx2.com/privkey.pem
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
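Steps 4 and 5 above tell you to create the TXT record certbot prints and then check it by hand. The following is an added example, written for this page in Python (the language certbot itself is written in) and not taken from the post or from certbot: it shows where the value certbot prints actually comes from (RFC 8555 section 8.4: the base64url SHA-256 of the challenge token joined with a "." to the RFC 7638 thumbprint of the ACME account key) and replaces the manual nslookup with a poll that only returns once every expected value is visible at once, which matters because a wildcard plus apex order needs two records under the same name. The account JWK and the tokens are constructed placeholders, and the default lookup assumes dig is installed.

```python
"""Derive and check ACME dns-01 TXT records (added example, not from the post).

The value certbot prints in step 4 is base64url(SHA-256(token "." thumbprint)),
where thumbprint is the RFC 7638 thumbprint of the ACME account key (RFC 8555
section 8.4). A wildcard plus apex order produces two tokens, so two TXT
records must coexist under the same _acme-challenge name.
"""
import base64
import hashlib
import json
import subprocess
import time
from typing import Callable, Iterable, List, Optional


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys in
    lexicographic order, no whitespace; members such as 'alg' and 'kid'
    (and private members like 'd') are deliberately ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value for one authorization: base64url(SHA-256(key authorization))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(identifier: str) -> str:
    """'*.example.com' and 'example.com' are both validated at the same label."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def dig_txt(name: str, nameserver: Optional[str] = None) -> List[str]:
    """Look up TXT records with dig (assumed installed) and strip the quotes.
    Pass the zone's authoritative server to bypass a stale recursive cache."""
    cmd = ["dig", "+short", "TXT", name]
    if nameserver:
        cmd.append(f"@{nameserver}")
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def wait_for_txt(name: str, expected: Iterable[str],
                 lookup: Callable[[str], List[str]] = dig_txt,
                 attempts: int = 20, delay: float = 15.0) -> bool:
    """Poll until every expected value is present at the same time (a wildcard
    plus apex order needs both). Returns False if they never all appear."""
    wanted = set(expected)
    for attempt in range(attempts):
        if wanted <= set(lookup(name)):
            return True
        if attempt + 1 < attempts:
            time.sleep(delay)
    return False


# Constructed sample inputs: not a real account key and not real ACME tokens.
SAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
                      "n": "sample-modulus-not-a-real-key", "alg": "RS256"}
SAMPLE_TOKENS = ["tokenForWildcardName", "tokenForApexName"]

if __name__ == "__main__":
    name = challenge_name("*.yourdomain.com")
    values = [dns01_txt_value(t, SAMPLE_ACCOUNT_JWK) for t in SAMPLE_TOKENS]
    for v in values:
        print(f"{name} TXT {v}")
    # With the two values certbot printed, this blocks until both records are
    # visible, which is the moment it is safe to press Enter in certbot.
    print("all records visible:", wait_for_txt(name, values))
```

In practice you do not need the tokens: pass the two values certbot printed straight to wait_for_txt, ideally with lookup bound to the zone's authoritative nameserver, and press Enter only when it returns True. certbot keeps the account key as a JWK in private_key.json under /etc/letsencrypt/accounts/, so jwk_thumbprint can be run on that file to confirm which account a challenge value belongs to.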