Install the EPEL repository
yum -y install epel-release.noarch
Install the certbot RPM package
yum -y install certbot
Start generating the certificate
certbot certonly --manual -d '*.6666li.club'
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Enter 'c' to cancel): ***.@**.com --- enter your e-mail address (appears on first run)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: --- enter A (appears on first run)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: --- enter Y or n (appears on first run)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y --- enter Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.6666li.club with the following value:
8Irdbsr18mcZV5xZYAEo_pb0FlEY7IV42ElCXdQj8Ng
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Manually add a TXT record named _acme-challenge with the value 8Irdbsr18mcZV5xZYAEo_pb0FlEY7IV42ElCXdQj8Ng
Verification command
dig txt _acme-challenge.6666li.club
The output is as follows
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> txt _acme-challenge.6666li.club
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1470
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.6666li.club. IN TXT

;; ANSWER SECTION:
_acme-challenge.6666li.club. 5 IN TXT "8Irdbsr18mcZV5xZYAEo_pb0FlEY7IV42ElCXdQj8Ng"

;; Query time: 55 msec
;; SERVER: 192.168.11.2#53(192.168.11.2)
;; WHEN: Mon May 20 10:30:06 CST 2019
;; MSG SIZE rcvd: 101
Verification succeeded
Back at the prompt from the previous step, press Enter to continue
Please deploy a DNS TXT record under the name
_acme-challenge.6666li.club with the following value:
8Irdbsr18mcZV5xZYAEo_pb0FlEY7IV42ElCXdQj8Ng
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
The certificate is generated successfully
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/6666li.club/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/6666li.club/privkey.pem
Command for automatic certificate renewal
certbot renew
Generate the certificate file for HA
cat fullchain.pem privkey.pem > servername.pem
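
The cat command above creates servername.pem under the shell's current umask; with a typical umask of 022 the combined file, which contains the private key, is readable by every local user. The following is an added example, not part of the original post, that performs the same concatenation with owner-only permissions and an atomic replace; the function name build_combined_pem is hypothetical.

```shell
#!/bin/sh
# Added example: build the combined PEM (certificate chain + private key)
# without exposing the key through a world-readable or half-written file.

# build_combined_pem LIVE_DIR OUT_FILE   (hypothetical helper name)
#   LIVE_DIR  directory holding fullchain.pem and privkey.pem
#   OUT_FILE  combined file to create (servername.pem on this page)
build_combined_pem() {
    live_dir=$1
    out_file=$2
    chain="$live_dir/fullchain.pem"
    key="$live_dir/privkey.pem"

    # Refuse to continue if an input is missing or is not the expected PEM type.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$chain" 2>/dev/null || {
        echo "error: $chain is missing or holds no certificate" >&2
        return 1
    }
    grep -q -e 'PRIVATE KEY-----' "$key" 2>/dev/null || {
        echo "error: $key is missing or holds no private key" >&2
        return 1
    }

    # Subshell: the restrictive umask and the trap do not leak to the caller.
    (
        umask 077                                   # new files are created 0600
        tmp=$(mktemp "$out_file.XXXXXX") || exit 1  # same directory as the target
        trap 'rm -f "$tmp"' EXIT                    # clean up on any failure
        cat "$chain" "$key" > "$tmp" || exit 1      # same order as the cat above
        chmod 600 "$tmp"
        mv -f "$tmp" "$out_file"                    # atomic replace of the old file
    )
}

# Usage with the paths shown in the certbot output above:
#   build_combined_pem /etc/letsencrypt/live/6666li.club servername.pem
```

The same function can be called from a script passed to certbot renew via --deploy-hook, so the combined file is rebuilt whenever the certificate is renewed.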