Getting a free Let's Encrypt HTTPS wildcard certificate
About Let's Encrypt
Serving a site over HTTPS requires a certificate, and certificates are issued by a CA. Most traditional CAs charge for them, which does little to encourage HTTPS adoption. Let's Encrypt is also a CA, but a free one: obtaining a certificate from it costs nothing.
Let's Encrypt 官网:https://letsencrypt.org
Requesting a Let's Encrypt wildcard certificate
Traditional CAs process certificate requests, renewals and revocations by hand. Let's Encrypt automates all of it with the ACME protocol, which standardises issuance, renewal and revocation; any client that implements the protocol can request certificates from Let's Encrypt, and anyone can write such a client. The officially recommended client is Certbot. The commands below use certbot-auto, the self-installing wrapper script that was current when this was written; the Certbot project has since deprecated certbot-auto, and the same subcommands and flags apply unchanged to a certbot installed from your distribution's packages or from the EFF's snap.
Install the client
# git clone https://github.com/certbot/certbot
# cd certbot/
# ./certbot-auto --version
.... the first run installs a few packages automatically ......
Creating virtual environment...
Installing Python packages...
Installation succeeded.
certbot 0.32.0
Certificate request command
./certbot-auto certonly -m laojia@126.com -d *.waizi.ren -d waizi.ren --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
certonly: obtain the certificate but do not install it into a web server. Certbot plugins come in two kinds, authenticators (which prove you control the domain) and installers (which configure the web server); certonly uses only an authenticator.
--manual: use the manual authenticator plugin, which prints the challenge and waits for you to deploy it yourself. Certbot has many authenticators (webroot, nginx, apache, the DNS provider plugins, and so on); pick whichever suits your setup.
-d: the names to put in the certificate. For a wildcard, pass *.waizi.ren (replace with your own domain). Note that *.waizi.ren does not cover the bare domain waizi.ren itself, which is why the command lists both names.
--preferred-challenges dns: prove control of the domain with a DNS TXT record (the DNS-01 challenge). This is not optional for wildcards: Let's Encrypt issues wildcard certificates only through DNS-01.
--server: the ACME v2 endpoint, which differs from the v1 endpoint. Wildcard certificates are only available through ACME v2, so it is given explicitly here (current certbot releases default to this endpoint).
The request process
There are a few interactive prompts; follow them as they appear:
whether you agree to the Let's Encrypt subscriber agreement
whether to share your email address with the EFF (for their newsletter; unrelated to the certificate)
whether you accept that the IP address of the machine running certbot will be publicly logged as having requested this certificate (the --manual plugin requires a yes here; it is a logging consent, not a binding between the domain and the IP)
DNS validation
After those three prompts, certbot asks you to create a DNS TXT record. This is how Let's Encrypt checks that the requester actually controls the domain.
The prompt below asks for a TXT record on waizi.ren. Do not press Enter until you have confirmed the record is live (see the check further down): certbot triggers validation the moment you continue, and a failed attempt counts against the failed-validation rate limit.
Following the prompt, add a TXT record on your DNS server:
_acme-challenge.waizi.ren with the value cUDqhEEpDQb1qU9vuGyjCS5ZgdPeZtxDjY_riKOOvkA
Because *.waizi.ren and waizi.ren are validated separately, certbot may prompt a second time with a different value for the same name; both challenges use the record name _acme-challenge.waizi.ren, so add the second TXT record alongside the first rather than replacing it.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.waizi.ren with the following value:

cUDqhEEpDQb1qU9vuGyjCS5ZgdPeZtxDjY_riKOOvkA

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Confirm the TXT record is live:
yum install -y bind-utils    # installs nslookup and dig
nslookup -q=TXT _acme-challenge.waizi.ren    # check whether the record resolves
# dig works as well
dig -t txt _acme-challenge.waizi.ren @8.8.8.8
Let's Encrypt resolves the name itself, starting from the zone's authoritative nameservers, so the decisive check is against one of those servers (dig ... @ns1.yourprovider instead of @8.8.8.8). A public resolver may still be returning a cached older value, or a cached negative answer, until the previous TTL expires, and seeing the new value there is neither necessary nor sufficient.
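As an added example, not code from the original post or from Certbot, the following standard-library Python reproduces how the TXT value in the prompt above is derived (RFC 8555 sections 8.1 and 8.4, JWK thumbprint per RFC 7638): it is a SHA-256 over the challenge token and the ACME account key, which is why every run prints a fresh value and why a record left over from an earlier run, or created by another account, cannot satisfy the challenge. The account key and tokens embedded below are constructed placeholders, not a real key or real challenges. The record-name helper also shows why *.waizi.ren and waizi.ren both validate under the single name _acme-challenge.waizi.ren.

```python
# Added example (not from the original post or from Certbot): how the DNS-01
# TXT value is derived from the challenge token and the ACME account key.
# References: RFC 8555 sections 8.1/8.4 (key authorization, dns-01) and
# RFC 7638 (JWK thumbprint). Standard library only.
import base64
import hashlib
import json
from typing import Sequence


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: the thumbprint covers only the required public members of the key,
# serialised with lexicographically sorted keys and no whitespace.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def canonical_jwk(jwk: dict) -> str:
    """Optional members such as 'alg' or 'kid' must not influence the thumbprint."""
    subset = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || thumbprint(accountKey); http-01 serves this string as-is."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """dns-01 publishes base64url(SHA-256(keyAuthorization)) as the TXT rdata."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(identifier: str) -> str:
    """A wildcard identifier is validated under its base name, so *.waizi.ren and
    waizi.ren both need a TXT record at _acme-challenge.waizi.ren (two records,
    one per challenge, when both names are in the same order)."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def txt_record_satisfies(observed: Sequence[str], expected: str) -> bool:
    """The CA is satisfied if any TXT record at the name matches; extra records
    (for example the sibling challenge's value) do no harm."""
    return expected in observed


# Constructed placeholders for demonstration: not a real account key or tokens.
DEMO_JWK = {"kty": "RSA", "e": "AQAB", "n": "not-a-real-modulus", "alg": "RS256"}
DEMO_TOKENS = {
    "*.waizi.ren": "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA",
    "waizi.ren": "DGyRejmCefe7v4NfDGDKfA",
}

if __name__ == "__main__":
    # Both identifiers land on the same record name with different values.
    for ident, token in DEMO_TOKENS.items():
        print(dns01_record_name(ident), "TXT", dns01_txt_value(token, DEMO_JWK))
```

The account key lives in /etc/letsencrypt/accounts/ on the machine that ran certbot; a TXT value computed by a different client or account for the same token will not match, so there is no shortcut around re-deploying the record each time.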
Once the TXT record resolves, press Enter. Output like the following means the certificate was issued:
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/waizi.ren/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/waizi.ren/privkey.pem
   Your cert will expire on 2019-06-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
The generated files are stored under the following directory:
[root@tokyo waizi.ren]# ls /etc/letsencrypt/archive/waizi.ren/ -l
total 16
-rw-r--r-- 1 root root 1915 Mar 28 11:30 cert1.pem
-rw-r--r-- 1 root root 1647 Mar 28 11:30 chain1.pem
-rw-r--r-- 1 root root 3562 Mar 28 11:30 fullchain1.pem
-rw------- 1 root root 1704 Mar 28 11:30 privkey1.pem
/etc/letsencrypt/live/waizi.ren/ holds symlinks to the newest files in archive/, so point nginx at the live/ paths and renewals are picked up without editing the config. privkey.pem is root-owned with mode 0600; keep it that way and reference it in place rather than copying it somewhere world-readable.
Inspecting the certificate from the command line
[root@tokyo letsencrypt]# openssl x509 -in /etc/letsencrypt/archive/waizi.ren/cert1.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:66:1b:9d:e2:ba:57:2b:70:8b:a7:93:33:0f:8d:43:ba:1f
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Mar 28 02:29:58 2019 GMT
            Not After : Jun 26 02:29:58 2019 GMT
        Subject: CN=*.waizi.ren
        .......
The Subject shows only the wildcard; the apex name waizi.ren is carried in the Subject Alternative Name extension, which is in the part of the output cut off above.
Renewing the certificate
Certificates are valid for 90 days. As expiry approaches, run the command below to renew.
./certbot-auto certonly -m laojia@126.com -d *.waizi.ren -d waizi.ren --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
Yes, you read that right: it is exactly the same command used to request the certificate. The renewed files go into the same lineage under archive/ (cert2.pem and so on) and the live/ symlinks are updated. Note that the "certbot-auto renew" suggested in the success message does not work for this certificate as issued: renew runs non-interactively, and the --manual plugin refuses to run non-interactively unless a --manual-auth-hook script that publishes the TXT record is configured. Until you have such a hook, or switch to one of the certbot DNS provider plugins, re-running the interactive command is how you renew. The process goes like this:
There are two prompts during renewal:
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y    # answer yes
Go to your DNS server and update the value of _acme-challenge.waizi.ren:
Please deploy a DNS TXT record under the name
_acme-challenge.waizi.ren with the following value:

DA59UCtPeaHTE_4skIdWx7fFDOLa2Qohqfj2lC0ByzQ

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Check the new value with nslookup, then press Enter; Congratulations means the renewal succeeded:
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xiewo.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/xiewo.net/privkey.pem
   Your cert will expire on 2019-09-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Finally reload nginx and you are done. A reload is enough: nginx re-reads the certificate files without dropping existing connections, and because the live/ paths do not change, no configuration edit is needed.
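As an added example, not code from the original post or from Certbot, here is a hook script usable as both --manual-auth-hook and --manual-cleanup-hook, which lets "certbot-auto renew" complete the DNS-01 step without the interactive TXT prompt above. It adds the record with nsupdate (RFC 2136 dynamic update, TSIG-signed) and then polls the zone's authoritative server until the value is actually visible, which is the automated form of the "do not press Enter too early" rule. DNS_SERVER, TSIG_KEYFILE and the ACME_ZONE variable are placeholders for your environment; CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables Certbot sets for hooks.

```python
#!/usr/bin/env python3
# Added example (not from the original post or from Certbot): a hook script
# for --manual-auth-hook / --manual-cleanup-hook so that "certbot renew" can
# complete the DNS-01 step itself. The record is added with nsupdate
# (RFC 2136 dynamic update, TSIG-signed) and the script then polls the
# authoritative server until the value is visible. Assumptions, all
# placeholders for your environment: DNS_SERVER, TSIG_KEYFILE, ACME_ZONE.
# CERTBOT_DOMAIN / CERTBOT_VALIDATION are the variables Certbot sets for hooks.
import os
import subprocess
import sys
import time
from typing import Callable, List, Sequence

DNS_SERVER = "ns1.example.net"                   # assumption: authoritative server accepting updates
TSIG_KEYFILE = "/etc/letsencrypt/acme-tsig.key"  # assumption: TSIG key allowed to update the zone
TTL = 60


def challenge_name(domain: str) -> str:
    """Certbot passes the bare name in CERTBOT_DOMAIN, for *.waizi.ren as well."""
    return f"_acme-challenge.{domain}"


def nsupdate_script(server: str, zone: str, name: str, value: str,
                    action: str = "add", ttl: int = TTL) -> str:
    """nsupdate commands that add or delete exactly one TXT rdata.
    'update add' leaves other records at the name alone, which matters when a
    wildcard and its apex are in one order: both TXT records must coexist."""
    if action == "add":
        rr = f'update add {name}. {ttl} TXT "{value}"'
    elif action == "delete":
        rr = f'update delete {name}. TXT "{value}"'
    else:
        raise ValueError(f"unknown action {action!r}")
    return "\n".join([f"server {server}", f"zone {zone}", rr, "send", ""])


def run_nsupdate(script: str) -> None:
    subprocess.run(["nsupdate", "-k", TSIG_KEYFILE], input=script, text=True, check=True)


def dig_txt(name: str, server: str = DNS_SERVER) -> List[str]:
    """Ask the authoritative server directly: a recursive resolver such as
    8.8.8.8 may keep serving a cached old value until the previous TTL expires."""
    out = subprocess.run(
        ["dig", "+short", "+norecurse", "-t", "TXT", name, f"@{server}"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def wait_for_txt(name: str, expected: str, lookup: Callable[[str], Sequence[str]],
                 timeout: float = 120.0, interval: float = 5.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll until some TXT record at name equals expected; False on timeout.
    clock/sleep are injectable so the logic can be exercised without real DNS."""
    deadline = clock() + timeout
    while True:
        if expected in lookup(name):
            return True
        if clock() >= deadline:
            return False
        sleep(interval)


def main(argv: Sequence[str]) -> int:
    action = "delete" if len(argv) > 1 and argv[1] == "cleanup" else "add"
    domain = os.environ["CERTBOT_DOMAIN"]
    validation = os.environ["CERTBOT_VALIDATION"]
    zone = os.environ.get("ACME_ZONE", domain)   # assumption: zone apex equals the domain unless overridden
    name = challenge_name(domain)
    run_nsupdate(nsupdate_script(DNS_SERVER, zone, name, validation, action))
    if action == "delete":
        return 0
    if not wait_for_txt(name, validation, dig_txt):
        print(f"{name} never returned the expected TXT value from {DNS_SERVER}", file=sys.stderr)
        return 1   # a non-zero exit and the stderr text show up in certbot's log
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run the original certonly command once more with --manual-auth-hook /path/to/acme-hook.py and --manual-cleanup-hook "/path/to/acme-hook.py cleanup" (paths assumed); certbot stores the hooks in the renewal configuration under /etc/letsencrypt/renewal/, after which "certbot-auto renew" from cron works unattended, and a --deploy-hook can reload nginx after each renewal. If the certificate is for a name below the zone apex, set ACME_ZONE to the zone that the TSIG key is allowed to update.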
The "insecure permissions" warning
If you see the following, certbot still runs, but the warning should not simply be ignored: it means the certbot-auto script, which runs as root and replaces itself on self-upgrade, is writable by a user other than root, so anyone with that access could plant code that runs as root on the next invocation. Fix the file's owner and mode as described at the linked page rather than suppressing the message.
[root@sh-115 update_cert]# ./update_cert.sh
./certbot-auto has insecure permissions!
To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/
Upgrading certbot-auto 1.0.0 to 1.3.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Self-upgrade error
Couldn't download https://raw.githubusercontent.com/certbot/certbot/v0.39.0/letsencrypt-auto-source/letsencrypt-auto.
<urlopen error [Errno 110] Connection timed out>
If the self-upgrade download times out, add the flag below to skip the upgrade step. This pins you to the installed version, so treat it as a stopgap and upgrade once connectivity is back.
certbot-auto renew --no-self-upgrade ...
Reference: https://www.jianshu.com/p/c5c9d071e395