Requesting a Let's Encrypt wildcard SSL certificate

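Preface

This article installs certbot on your own computer.

Domain ownership is verified through DNS. After 90 days, the certificate has to be renewed manually.

Once obtained, the certificate is uploaded to the server by hand, so this approach is only suitable for development.

For an automated issuance workflow, refer to other articles.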

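Procedure

  1. Install CertBot (the client tool used to obtain Let's Encrypt certificates, written in Python)

    brew is a package manager; it is very convenient and downloads dependencies automatically.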

    $ brew install certbot

    If you are prompted, install the required dependencies as instructed. When that is done, re-run the previous command.

    $ xcode-select --install
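  2. Run the request command

    For the specific parameters, consult the official Let's Encrypt certbot documentation. In the commands and output below, 你的域名 stands for your domain and 你的邮箱 for your e-mail address.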

    $ sudo certbot certonly  -d "*.你的域名" -d "你的域名" --manual --preferred-challenges dns-01  --server https://acme-v02.api.letsencrypt.org/directory
  3. Enter the requested information

    Plugins selected: Authenticator manual, Installer None
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel): 你的邮箱
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
    agree in order to register with the ACME server at
    https://acme-v02.api.letsencrypt.org/directory
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (A)gree/(C)ancel: a    // agree
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about our work
    encrypting the web, EFF news, campaigns, and ways to support digital freedom.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: y  // agree
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for 你的域名
    dns-01 challenge for 你的域名
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: y   // agree
  4. DNS record verification

    Add a TXT record with the host record set to: _acme-challenge

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.你的域名 with the following value:
    
    18eEXZpvkS0WPSog8T9YtWZEeUWf6r2lyScf_NfAurc
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue
  5. Check

    nslookup -q=txt _acme-challenge.你的域名

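    Confirm that the record resolves. Because the Let's Encrypt domain validation servers are located overseas, wait a few minutes and then confirm.

  6. Successful result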

    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/你的域名/fullchain.pem   // certificate save path
       Your key file has been saved at:
       /etc/letsencrypt/live/你的域名/privkey.pem     // private key save path
       Your cert will expire on 2019-06-15. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
  7. Retrieve the certificate

    $ sudo cat /etc/letsencrypt/live/你的域名/fullchain.pem | pbcopy
    $ sudo cat /etc/letsencrypt/live/你的域名/privkey.pem | pbcopy
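  8. Renew the certificate

    Automatically renews expired certificates. This operation requires a DNS plugin; the manual mode used in this article is not suitable for automatic renewal.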

    $ sudo certbot renew
  9. Manage certificates

    List the certificates and their details

    $ sudo certbot certificates
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Found the following certs:
      Certificate Name: xxx1.com
    	Domains: *.xxx1.com xxx1.com
    	Expiry Date: 2019-06-15 07:49:25+00:00 (VALID: 36 days)
    	Certificate Path: /etc/letsencrypt/live/xxx1.com/fullchain.pem
    	Private Key Path: /etc/letsencrypt/live/xxx1.com/privkey.pem
      Certificate Name: xxx2.com
    	Domains: *.xxx2.com xxx2.com
    	Expiry Date: 2019-08-08 01:19:19+00:00 (VALID: 89 days)
    	Certificate Path: /etc/letsencrypt/live/xxx2.com/fullchain.pem
    	Private Key Path: /etc/letsencrypt/live/xxx2.com/privkey.pem
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
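
Step 5's check, as an added example that is not part of the original article: the wildcard and the bare domain are validated by two separate dns-01 challenges, so both TXT values must be visible under _acme-challenge at the same time before you press Enter. The function names, example.com and the second sample value are assumptions made up for this example.

```shell
#!/bin/sh
# Added example. PAGE_VALUE is the TXT value shown in step 4 of the article;
# SECOND_VALUE is constructed here to stand for the second challenge's value.
PAGE_VALUE='18eEXZpvkS0WPSog8T9YtWZEeUWf6r2lyScf_NfAurc'
SECOND_VALUE='-constructed_second_value_for_illustration0'

# Constructed nslookup answers for example.com: one value, then both.
SAMPLE_ONE=$(printf '_acme-challenge.example.com\ttext = "%s"' "$PAGE_VALUE")
SAMPLE_BOTH=$(printf '%s\n_acme-challenge.example.com\ttext = "%s"' \
    "$SAMPLE_ONE" "$SECOND_VALUE")

# Read `nslookup -q=txt` output on stdin; print one TXT value per line.
extract_txt() {
    sed -n 's/.*text = "\(.*\)"[[:space:]]*$/\1/p'
}

# missing_values OUTPUT VALUE...: print each expected value absent from OUTPUT.
# -F and -x demand an exact whole-value match; -e keeps a value that starts
# with "-" (legal in base64url) from being parsed as a grep option.
missing_values() {
    output=$1; shift
    found=$(printf '%s\n' "$output" | extract_txt)
    for want in "$@"; do
        printf '%s\n' "$found" | grep -Fxq -e "$want" || printf '%s\n' "$want"
    done
}

# check_acme_txt DOMAIN VALUE...: query live DNS (needs network access).
check_acme_txt() {
    domain=$1; shift
    out=$(nslookup -q=txt "_acme-challenge.$domain" 2>/dev/null) || true
    missing=$(missing_values "$out" "$@")
    if [ -n "$missing" ]; then
        printf 'not visible yet:\n%s\n' "$missing" >&2
        return 1
    fi
    echo "all TXT values visible"
}

# Run only when called as: sh check.sh DOMAIN VALUE [VALUE...]
if [ "$#" -ge 2 ]; then
    check_acme_txt "$@"
fi
```

Pass the domain followed by every value certbot printed; a non-zero exit means at least one record has not propagated to the resolver being queried.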