1. Introduction
Let's Encrypt now supports free wildcard certificates: you request an HTTPS certificate for a domain and every subdomain under it can use it. One thing needs to be made clear: a Let's Encrypt wildcard certificate covers only the subdomains, not the apex (bare) domain. For example, blog.smile13.com and smile13.com are treated as two different names, and both must be included when requesting the certificate.
2. Environment
Operating system: CentOS 7.4
Domains configured: smile13.com, *.smile13.com
3. Requesting the certificate
3.1. Download Certbot and make it executable
1. wget https://dl.eff.org/certbot-auto
2. chmod +x certbot-auto
3.2. Generate the certificate
./certbot-auto certonly -d "*.smile13.com" -d "smile13.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Explanation of the relevant parameters:
certonly: specifies the install mode; Certbot plugins come in two kinds, installers and authenticators.
--manual: use the manual plugin; Certbot has many plugins, each of which can be used to obtain a certificate, so pick whichever suits your needs.
-d: the hosts to request the certificate for; for a wildcard, enter *.smile13.com (replace it with your own domain).
--preferred-challenges: validate domain ownership via DNS (dns-01).
--server: the ACME v2 endpoint of Let's Encrypt differs from the v1 one and must be specified explicitly.
The interaction during the command run is shown below:
> [root@eric201 software-package]# cd /etc/letsencrypt/live/
> -bash: cd: /etc/letsencrypt/live/: No such file or directory
> [root@eric201 software-package]# ./certbot-auto certonly -d "*.smile13.com" -d "smile13.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
> Saving debug log to /var/log/letsencrypt/letsencrypt.log
> Plugins selected: Authenticator manual, Installer None
> Obtaining a new certificate
> Performing the following challenges:
> dns-01 challenge for smile13.com
> dns-01 challenge for smile13.com
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> NOTE: The IP of this machine will be publicly logged as having requested this
> certificate. If you're running certbot in manual mode on a machine that is not
> your server, please ensure you're okay with that.
>
> Are you OK with your IP being logged?
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> (Y)es/(N)o: Y
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Please deploy a DNS TXT record under the name
> _acme-challenge.smile13.com with the following value:
>
> nQjdBo-5myb3mfnMJ1e0lDyfp6cAZap9FBR8AcM4FFE
>
> Before continuing, verify the record is deployed.
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Press Enter to Continue
Note: at this point you must go to your domain's DNS management console and create the DNS TXT record, which proves ownership of the domain. If you simply press Enter to move on, certificate issuance will fail. How to configure the DNS TXT record is described further below.
>
> Please deploy a DNS TXT record under the name
> _acme-challenge.smile13.com with the following value:
>
> jc8GXEczmoV6hs1K5GXH3NKa-IB2okf7ZWzAVfx8tYY
>
> Before continuing, verify the record is deployed.
> (This must be set up in addition to the previous challenges; do not remove,
> replace, or undo the previous challenge tasks yet. Note that you might be
> asked to create multiple distinct TXT records with the same name. This is
> permitted by DNS standards.)
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Press Enter to Continue
Likewise, here you also need to add the second DNS TXT record in the DNS management console to validate domain ownership.
> Waiting for verification...
> Cleaning up challenges
>
> IMPORTANT NOTES:
> - Congratulations! Your certificate and chain have been saved at:
> /etc/letsencrypt/live/smile13.com/fullchain.pem
> Your key file has been saved at:
> /etc/letsencrypt/live/smile13.com/privkey.pem
> Your cert will expire on 2019-02-22. To obtain a new or tweaked
> version of this certificate in the future, simply run certbot-auto
> again. To non-interactively renew *all* of your certificates, run
> "certbot-auto renew"
> - If you like Certbot, please consider supporting our work by:
>
> Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
> Donating to EFF: https://eff.org/donate-le
The DNS TXT records are configured as follows (if you request several domains, you need several records):
Under /etc/letsencrypt/live/smile13.com/ you can see the generated files:
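Certbot only tells you to "verify the record is deployed" before pressing Enter; the following script, an added example that is not part of the original post, does that check with dig and handles the wildcard-plus-apex case from the transcript, where two distinct TXT values must coexist under the same _acme-challenge name. It assumes dig is installed (package bind-utils on CentOS 7); the sample dig output embedded at the bottom is constructed from the values shown in the transcript.

```shell
#!/bin/sh
# Added example, not from the original post: check that the TXT record
# Certbot asked for is really published before pressing Enter.
# Assumes `dig` is installed (package bind-utils on CentOS 7).

# Print the TXT values of a name, one per line, surrounding quotes removed.
# If a second argument is given it is treated as captured `dig +short`
# output, so the logic can be exercised without network access.
acme_txt_values() {
    if [ -n "$2" ]; then
        printf '%s\n' "$2" | sed 's/^"//; s/"$//'
    else
        dig +short TXT "$1" | sed 's/^"//; s/"$//'
    fi
}

# Exit 0 only if EXPECTED is among the TXT values of _acme-challenge.DOMAIN.
# Other values are allowed: when the wildcard and the apex name are in one
# request, Certbot asks for two distinct records under the same name, and
# both must remain in place until validation has finished.
acme_txt_deployed() {
    domain="$1"; expected="$2"; captured="$3"
    acme_txt_values "_acme-challenge.$domain" "$captured" | grep -qxF -- "$expected"
}

# Poll until the record is visible; DNS edits take a while to propagate.
wait_for_acme_txt() {
    domain="$1"; expected="$2"; tries="${3:-30}"
    while [ "$tries" -gt 0 ]; do
        if acme_txt_deployed "$domain" "$expected"; then
            echo "_acme-challenge.$domain carries $expected; safe to press Enter"
            return 0
        fi
        tries=$((tries - 1))
        sleep 10
    done
    echo "record not visible yet; do not press Enter in Certbot" >&2
    return 1
}

# Constructed sample: what `dig +short TXT _acme-challenge.smile13.com`
# would print once both values from the transcript above are published.
SAMPLE_DIG_OUTPUT='"nQjdBo-5myb3mfnMJ1e0lDyfp6cAZap9FBR8AcM4FFE"
"jc8GXEczmoV6hs1K5GXH3NKa-IB2okf7ZWzAVfx8tYY"'

# Live use: sh check_acme_txt.sh smile13.com <value shown by Certbot>
if [ $# -eq 2 ]; then
    wait_for_acme_txt "$1" "$2"
fi
```

Run it in a second terminal while Certbot is waiting; it exits 0 only once the exact value is visible, so a partially propagated or mistyped record is caught before the validation attempt is spent.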
3.3. Renewing the certificate
Free Let's Encrypt certificates are valid for 90 days by default. To renew when they expire, run the command below; it can also be set up as a scheduled task (cron job) so renewal happens automatically:
certbot-auto renew
4. Configuring the certificate
I use nginx, so only the nginx configuration is covered here; Apache is similar and will be added later. Below is the SSL-related part of the configuration; the other parts, such as location, stay unchanged.
server {
    listen 443 ssl;
    server_name blog.smile13.com;  # your domain
    #ssl on;  # superseded by the "ssl" parameter on the listen directive
    ssl_certificate /etc/letsencrypt/live/smile13.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/smile13.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/smile13.com/chain.pem;

    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); on a current nginx/OpenSSL
    # prefer "ssl_protocols TLSv1.2 TLSv1.3;"
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        ......
    }
}
Once configured, restart nginx (systemctl restart nginx) and you are done.