Generating a free wildcard SSL certificate

Generate a free SSL certificate through Let's Encrypt; the certificate is valid for 3 months.

1. Download the certbot-auto tool

wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto

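2. Generate the certificate. By default this installs dependency packages such as openssl-devel.

# Requires root privileges
# Follow the prompts: enter an e-mail address, agree to the terms, and so on
# Note: pay attention to the step where you press Enter after the DNS record prompt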
[root@BOSS_SUPPORT_ADP ~]# ./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.xxapp.com" --manual --preferred-challenges dns-01 certonly

3. If you press Enter all the way through and skip the DNS record step, an error is reported.

# You can re-run the step above
[root@BOSS_SUPPORT_ADP ~]# ./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.xxapp.com" --manual --preferred-challenges dns-01 certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for xxapp.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y                                               ###########  After entering Y, do not press Enter
                                                                    ###########  Create the TXT record at your DNS provider
                                                                    # _acme-chxxxxxxnge.xxapp.com      TXT record with value      tvz7vfOMn9QT4XPxxxxxnvYygohV-scq72E0B_366s
                                                                    # Test the record: dig _acme-chxxxxxxnge.xxapp.com txt       # once it succeeds, press Enter
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.xxapp.com with the following value:

tvz7vfOMn9QT4XPxxxxxnvYygohV-scq72E0B_366s

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xxapp.com/fullchain.pem                
   Your key file has been saved at:
   /etc/letsencrypt/live/xxapp.com/privkey.pem
   Your cert will expire on 2019-04-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

4. Where the certificate is generated

# In the subdirectory for the corresponding domain name
/etc/letsencrypt/live/

5. Certificate file names and types

-rw-r--r-- 1 root root 1907 Jan 22 03:07 cert1.pem            # the certificate itself
-rw-r--r-- 1 root root 1647 Jan 22 03:07 chain1.pem           # 
-rw-r--r-- 1 root root 3554 Jan 22 03:07 fullchain1.pem       # cert1.pem and chain1.pem combined into one file, used as the certificate chain
-rw------- 1 root root 1704 Jan 22 03:07 privkey1.pem         # the certificate's private key

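6. Automatically renewing issued SSL certificates

certbot provides a command for renewing certificates, certbot renew, which automatically renews all issued SSL certificates.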
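
For step 3, the dig check can be scripted so that Enter is pressed only once every authoritative name server for the zone returns the value certbot printed. This is an added example, not part of the original post; the function names and the placeholder value are assumptions, and it queries the authoritative servers directly because Let's Encrypt resolves the record from them rather than from your local resolver's cache.

```shell
#!/bin/sh
# Added example (not from the original post): verify the dns-01 TXT record
# before pressing Enter in certbot's manual mode. Function names are assumed.

# txt_has_value NAME VALUE [@SERVER]
# Succeeds only if one TXT answer for NAME equals VALUE exactly.
# dig +short prints each TXT answer on its own line in double quotes; several
# answers may exist under the same _acme-challenge name.
txt_has_value() {
    dig +short TXT "$1" ${3:+"$3"} | tr -d '"' | grep -Fxq -- "$2"
}

# txt_on_all_authoritative ZONE NAME VALUE
# Asks every NS of ZONE directly, so a record that has reached only some of
# the provider's name servers is reported as not ready.
txt_on_all_authoritative() {
    zone=$1 name=$2 want=$3 seen=0
    for ns in $(dig +short NS "$zone"); do
        seen=1
        if ! txt_has_value "$name" "$want" "@${ns%.}"; then
            echo "not yet visible on $ns" >&2
            return 1
        fi
    done
    # Fail when the NS lookup itself returned nothing.
    [ "$seen" -eq 1 ]
}

# wait_for_txt ZONE NAME VALUE [TRIES] [DELAY_SECONDS]
# Polls until the record is visible everywhere or the attempts run out.
wait_for_txt() {
    tries=${4:-30} delay=${5:-10}
    while [ "$tries" -gt 0 ]; do
        txt_on_all_authoritative "$1" "$2" "$3" 2>/dev/null && return 0
        tries=$((tries - 1))
        sleep "$delay"
    done
    return 1
}

# Usage, in a second terminal while certbot waits at "Press Enter to Continue":
#   wait_for_txt xxapp.com _acme-challenge.xxapp.com 'VALUE-PRINTED-BY-CERTBOT' \
#       && echo "record deployed, safe to press Enter"
```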