letsencrypt證書-使用certbot申請wildcard證書

[TOC]

1. certbot安裝

cd /usr/local/src
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

2. 認證方式

客戶在申請 Let’s Encrypt 證書的時候，須要校驗域名的全部權，證實操做者有權利爲該域名申請證書，目前支持三種驗證方式：

dns-01：給域名添加一個 DNS TXT 記錄。
http-01：在域名對應的 Web 服務器下放置一個 HTTP well-known URL 資源文件。
tls-sni-01：在域名對應的 Web 服務器下放置一個 HTTPS well-known URL 資源文件。

3. 運行命令

./certbot-auto certonly  -d *.archerwong.cn -d archerwong.cn --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

注意這裏 -d archerwong.cn 最好寫上，不然archerwong.cn將沒法被信任，只有xxx.archerwong.cn這樣的二級 域名才被信任

介紹下相關參數：

certonly，表示安裝模式，Certbot 有安裝模式和驗證模式兩種類型的插件。
--manual  表示手動安裝插件，Certbot 有不少插件，不一樣的插件均可以申請證書，用戶能夠根據須要自行選擇
-d 爲那些主機申請證書，若是是通配符，輸入 *.newyingyong.cn（能夠替換爲你本身的域名）
--preferred-challenges dns，使用 DNS 方式校驗域名全部權
--server，Let's Encrypt ACME v2 版本使用的服務器不一樣於 v1 版本，須要顯示指定。

交互界面以下

[root@host src]# sudo  ./certbot-auto certonly  -d *.archerwong.cn -d archerwong.cn --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxx@163.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for archerwong.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: (Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.archerwong.cn with the following value:

apQPzp-NYZ0md_D_2_fKr465Il3dDbdR_BlOSOJTYAo

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

注意這裏我把交互頁面截斷，很重要，先不要回車，將上面的txt值，填到你的域名解析裏面，等確認生效後再回車，我填寫以下

而後測試是否生效

$ dig  -t txt  _acme-challenge.archerwong.cn @8.8.8.8 

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> -t txt _acme-challenge.archerwong.cn @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25704
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.archerwong.cn.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.archerwong.cn. 599 IN	TXT	"apQPzp-NYZ0md_D_2_fKZ465Il3dDbdR_BlOSOJTYbo"

;; Query time: 306 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Dec 17 21:34:43 CST 2018
;; MSG SIZE  rcvd: 114

確認生效後，按回車鍵，交互界面繼續

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/archerwong.cn/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/archerwong.cn/privkey.pem
   Your cert will expire on 2019-03-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

至此已經成功生成了wildcard證書，查看下證書

tree  /etc/letsencrypt/live/archerwong.cn
/etc/letsencrypt/live/archerwong.cn
├── cert.pem -> ../../archive/archerwong.cn/cert1.pem
├── chain.pem -> ../../archive/archerwong.cn/chain1.pem
├── fullchain.pem -> ../../archive/archerwong.cn/fullchain1.pem
├── privkey.pem -> ../../archive/archerwong.cn/privkey1.pem
└── README

生成證書後,配置 Nginx

打開 nginx server 配置文件加入以下設置：

server {
    listen 443
    ssl on;
    ssl_certificate /etc/letsencrypt/live/網站域名/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/網站域名/privkey.pem;

     ## 其餘配置
}

強制跳轉 https https 默認是監聽 443 端口的，沒開啓 https 訪問的話通常默認是 80 端口。若是你肯定網站 80 端口上的站點都支持 https 的話加入下面的配件能夠自動重定向到 https

server {
    listen 80;
    server_name your.domain.com;
    return 301 https://$server_name$request_uri;
}

4. 更新

使用的庫：letsencrypt通配符證書，其實這個庫就是寫了一個鉤子，經過鉤子來自動填寫txt dns記錄。固然這個庫也能夠方便的申請通配符證書，感謝做者的付出。

1：下載

$ git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
$ cd certbot-letencrypt-wildcardcertificates-alydns-au
$ chmod 0777 au.sh autxy.sh python-version/au.sh

// 我是移動到了/etc/letsencrypt目錄下，而後重命名manual-auth-hook

2：配置

目前該工具支持三種運行環境：

• au.sh：操做阿里雲 DNS hook shell（PHP 環境）。
• autxy.sh：操做騰訊雲 DNS hook shell（PHP 環境）。
• python-version/au.py：操做阿里雲 DNS hook shell（Python 2.7/3.6）,感謝 @Duke-Wu 的 PR。

這三種運行環境什麼意思呢？就是可根據本身服務器環境和域名服務商選擇任意一個 hook shell（操做的時候任選其一便可）。

DNS API 密鑰：

• alydns.php，修改 accessKeyId、accessSecrec 變量，阿里雲 API key 和 Secrec 官方申請文檔。
• txydns.php，修改 txyaccessKeyId、txyaccessSecrec 變量，騰訊雲 API 密鑰官方申請文檔。
• python-version/alydns27.py，修改 ACCESS_KEY_ID、ACCESS_KEY_SECRET，阿里雲 API key 和 Secrec 官方申請文檔。

這個 API 密鑰什麼意思呢？因爲須要經過 API 操做阿里雲 DNS 或騰訊雲 DNS 的記錄，因此須要去域名服務商哪兒獲取 API 密鑰。

3：申請證書

特別說明： --manual-auth-hook 指定的 hook 文件三個任選其一（au.sh、autxy.sh、python-version/au.sh），其餘操做徹底相同。

測試是否有錯誤

$ ./certbot-auto certonly  -d *.example.com --manual --preferred-challenges dns  --manual-auth-hook /腳本目錄/au.sh（autxy.sh 或 python-version/27.py，下面統一以 au.sh 介紹）  --dry-run  

# 實際申請
$ ./certbot-auto certonly  -d *.example.com --manual --preferred-challenges dns  --manual-auth-hook /腳本目錄/au.sh

這裏我實際運行了測試

[root@host src]# ./certbot-auto certonly  -d *.archerwong.cn --manual --preferred-challenges dns  --manual-auth-hook /etc/letsencrypt/manual-auth-hook/autxy.sh --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for archerwong.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Output from autxy.sh:
/etc/letsencrypt/manual-auth-hook/alydns.php
archerwong.cn_acme-challengevnc1ol1jxXcQnX8ggc40-HFXPdca7xTzhDZRDKzHla8
END

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful.

4：續期證書

一、對機器上全部證書 renew

$ ./certbot-auto renew  --manual --preferred-challenges dns  --manual-auth-hook /腳本目錄/au.sh

實際更新下，結果以下

[root@host src]# ./certbot-auto renew --manual --preferred-challenges dns  --manual-auth-hook /etc/letsencrypt/manual-auth-hook/autxy.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/archerwong.cn.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/archerwong.cn/fullchain.pem expires on 2019-03-18 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@host src]# ./certbot-auto renew --manual --preferred-challenges dns  --manual-auth-hook /etc/letsencrypt/manual-auth-hook/autxy.sh --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/archerwong.cn.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for archerwong.cn
dns-01 challenge for archerwong.cn
Output from autxy.sh:
/etc/letsencrypt/manual-auth-hook/alydns.php
archerwong.cn_acme-challengeapQPzp-NYaZfafamd_D_2_fKr46fafafaR_BlOSOJTYAo
END

Output from autxy.sh:
/etc/letsencrypt/manual-auth-hook/alydns.php
archerwong.cn_acme-challengeNnS-4PfafavlFuvgm1vjzfafafaD5Ux_JfQoohs
END

Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/archerwong.cn/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/archerwong.cn/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

二、對某一張證書進行續期

先看看機器上有多少證書：

$ ./certbot-auto certificates                                                           
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: archerwong.cn-0001
    Domains: *.archerwong.cn archerwong.cn
    Expiry Date: 2019-03-17 13:24:57+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/archerwong.cn-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/archerwong.cn-0001/privkey.pem
  Certificate Name: test.archerwong.cn-0001
    Domains: test.archerwong.cn
    Expiry Date: 2019-03-18 05:36:23+00:00 (INVALID: TEST_CERT)
    Certificate Path: /etc/letsencrypt/live/test.archerwong.cn-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/test.archerwong.cn-0001/privkey.pem
  Certificate Name: archerwong.cn
    Domains: *.archerwong.cn
    Expiry Date: 2019-03-17 12:34:52+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/archerwong.cn/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/archerwong.cn/privkey.pem

記住證書名，好比 archerwong.cn，而後運行下列命令 renew：

$ ./certbot-auto renew --cert-name archerwong.cn --manual-auth-hook /腳本目錄/au.sh

三、加入 crontab

編輯文件 /etc/crontab :

1 1 */1 * * root certbot-auto renew --manual --preferred-challenges dns  --manual-auth-hook /腳本目錄/au.sh

上面的意思是，每隔一天的一點一分運行一次腳本

crontab的文件格式

分 時 日 月 星期 要運行的命令

• 第1列分鐘0～59
• 第2列小時0～23（0表示子夜）
• 第3列日1～31
• 第4列月1～12
• 第5列星期0～7（0和7表示星期天）
• 第6列要運行的命令

參考：

https://www.jianshu.com/p/c5c9d071e395

https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au