1. Introduction
Let's Encrypt now issues free wildcard certificates: request one for a domain and every host name directly under it can use it. One thing to be clear about: a wildcard matches exactly one label. `*.smile13.com` covers blog.smile13.com (and any other single-label host under smile13.com) but not the apex smile13.com itself, nor a deeper name such as a.b.smile13.com. blog.smile13.com and smile13.com are therefore two different names, and both must be included when requesting the certificate.
2. Environment
Operating system: CentOS 7.4
Domains to configure: smile13.com, *.smile13.com
3. Requesting the certificate
3.1. Download certbot-auto and make it executable
```bash
wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto
```
Two caveats. First, this script is downloaded and then run as root, so it is worth checking the detached PGP signature (`certbot-auto.asc`) that EFF published alongside it before executing it. Second, the Certbot project has since deprecated certbot-auto and no longer distributes it; on a current system install `certbot` from the distribution package or snap, and every command below works the same with `certbot` in place of `./certbot-auto`.
3.2. Generate the certificate
```bash
./certbot-auto certonly -d "*.smile13.com" -d "smile13.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
```
Notes on the arguments (the post wrote them with a single dash; certbot's long options take two):
- `certonly`: a subcommand, not an option. It obtains the certificate without installing it into a web server. Certbot's plugins come in two kinds, authenticators (prove control of the name) and installers (edit the web-server configuration); `certonly` uses only an authenticator.
- `--manual`: use the manual authenticator: certbot prints the challenge and you deploy it yourself. Certbot has many other authenticators (nginx, apache, webroot, DNS-provider plugins) that can perform this step automatically; pick whichever suits your setup.
- `-d`: a name to include in the certificate; repeat it once per name. For the wildcard pass `*.smile13.com` (replace with your own domain). The quotes in the command above keep the shell from glob-expanding the `*`.
- `--preferred-challenges dns-01`: prove control of the domain with a DNS TXT record. This is not a free choice here: Let's Encrypt issues wildcard certificates only through the DNS-01 challenge.
- `--server`: the ACME v2 directory URL. Wildcards exist only in ACME v2, and certbot releases of the time still defaulted to the v1 endpoint, so it has to be given explicitly.
Below is the interactive session as the command runs:
```text
[root@eric201 software-package]# cd /etc/letsencrypt/live/
-bash: cd: /etc/letsencrypt/live/: No such file or directory
[root@eric201 software-package]# ./certbot-auto certonly -d "*.smile13.com" -d "smile13.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for smile13.com
dns-01 challenge for smile13.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.smile13.com with the following value:

nQjdBo-5myb3mfnMJ1e0lDyfp6cAZap9FBR8AcM4FFE

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
```
Note: at this point you must go to your DNS provider's console and create the TXT record, which is how ownership of the domain is proved. If you just press Enter, validation fails and no certificate is issued. The value shown is specific to this run; yours will differ, and it is only valid for this order. Before continuing, confirm that the record is actually visible from outside, e.g. with a `dig TXT _acme-challenge.smile13.com` query against the zone's authoritative nameservers; "saved" in the provider's console is not the same as "published". How to configure the TXT record is described further down.
```text
Please deploy a DNS TXT record under the name
_acme-challenge.smile13.com with the following value:

jc8GXEczmoV6hs1K5GXH3NKa-IB2okf7ZWzAVfx8tYY

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
```
The same again: a second TXT record with the same name and the new value. Both the wildcard and the apex are validated under `_acme-challenge.smile13.com`, so the two records must exist side by side; do not replace or delete the first one.
```text
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/smile13.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/smile13.com/privkey.pem
   Your cert will expire on 2019-02-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
The DNS TXT records for this run look like this (one record per challenge value; when requesting several names you need several records under the same host name):

| Host | Type | Value |
| --- | --- | --- |
| _acme-challenge | TXT | nQjdBo-5myb3mfnMJ1e0lDyfp6cAZap9FBR8AcM4FFE |
| _acme-challenge | TXT | jc8GXEczmoV6hs1K5GXH3NKa-IB2okf7ZWzAVfx8tYY |

Under /etc/letsencrypt/live/smile13.com/ you can see the generated files. This is certbot's standard layout: `cert.pem` (the leaf certificate), `chain.pem` (the intermediate), `fullchain.pem` (leaf plus intermediate, the file to give the web server) and `privkey.pem` (the private key, which must stay readable by root only). The entries in `live/` are symlinks into `archive/` that certbot repoints on renewal, so reference the `live/` paths in your server configuration rather than copying the files elsewhere.
3.3. Renewing the certificate
Let's Encrypt certificates are valid for 90 days. To renew, run the command below; it only renews certificates that are within 30 days of expiry, so it can safely be run from a scheduled task (cron) every day. One caveat: a certificate obtained with `--manual` as above cannot be renewed non-interactively, because certbot has no way to create the new TXT records itself; the renewal aborts and asks for `--manual-auth-hook`. Either repeat the interactive `certonly` run every couple of months, or supply auth/cleanup hook scripts that update DNS through your provider's API, after which `renew` works from cron.
```bash
certbot-auto renew
```
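The hook below is an added example, not code from the post or from the Certbot project. It turns the "create the TXT record, verify it is deployed, press Enter" steps of section 3.2 into a `--manual-auth-hook` script, which is also what makes the renewal in section 3.3 work without a terminal. Assumptions: `publish_txt` is a placeholder for your DNS provider's API call, the file path /etc/letsencrypt/dns-auth-hook.sh and the 10-second polling interval are choices of mine, and `dig` is installed. The environment variables CERTBOT_DOMAIN and CERTBOT_VALIDATION are the ones certbot really passes to auth hooks.

```bash
#!/bin/sh
# Added example (not from the original post): a certbot --manual-auth-hook that
# automates the DNS-01 step so the same certificate can later be renewed from cron.
# Certbot exports CERTBOT_DOMAIN (the name being validated, with any leading "*."
# already removed) and CERTBOT_VALIDATION (the TXT value) to the hook.
# Assumption: publish_txt is a placeholder to replace with your DNS provider's
# API call; the poll interval and the hook path are choices, not certbot rules.
set -eu

# Name of the record certbot asks for: _acme-challenge.<domain>.
# A "*." prefix is stripped defensively in case the hook is run by hand.
challenge_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Placeholder for the provider-specific step (assumption: replace this body).
# It must ADD a record, never overwrite: the wildcard and the apex are both
# validated under the same name, so two TXT records coexist during one run.
publish_txt() {
    echo "TODO: create TXT $1 with value \"$2\" through your DNS provider API" >&2
}

# True if dig's +short TXT output contains exactly the expected value.
# dig quotes TXT data and may split long strings into several quoted chunks,
# so quotes and spaces are removed before an exact whole-line match.
txt_present() {
    expected="$1"; dig_output="$2"
    printf '%s\n' "$dig_output" | tr -d '" ' | grep -qxF -- "$expected"
}

# Walk up the name until dig returns NS records: that is the zone whose
# authoritative servers must all carry the record before the CA is told to look.
zone_of() {
    d="$1"
    while [ -z "$(dig +short NS "$d")" ]; do
        case "$d" in
            *.*.*) d="${d#*.}" ;;
            *) echo "no NS records found for $1 or its parents" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$d"
}

# Poll every authoritative nameserver until all of them return the value.
# Gives up after max_tries so a broken DNS update makes certbot fail loudly
# instead of letting the CA validate against a zone that never got the record.
wait_for_txt() {
    name="$1"; value="$2"; zone="$3"; max_tries="${4:-30}"
    servers="$(dig +short NS "$zone" || true)"
    [ -n "$servers" ] || { echo "no nameservers for $zone" >&2; return 1; }
    try=0
    while [ "$try" -lt "$max_tries" ]; do
        try=$((try + 1))
        missing=0
        for ns in $servers; do
            out="$(dig +short TXT "$name" "@$ns" || true)"
            txt_present "$value" "$out" || missing=1
        done
        if [ "$missing" -eq 0 ]; then return 0; fi
        sleep 10
    done
    echo "TXT $name with the expected value never became visible" >&2
    return 1
}

# Entry point when certbot runs this file as the hook; does nothing when the
# functions are sourced for testing.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    record="$(challenge_name "$CERTBOT_DOMAIN")"
    publish_txt "$record" "$CERTBOT_VALIDATION"
    wait_for_txt "$record" "$CERTBOT_VALIDATION" "$(zone_of "$CERTBOT_DOMAIN")"
fi

# Usage (assumed hook path): add the hook to the certonly command from 3.2.
#   ./certbot-auto certonly -d "*.smile13.com" -d "smile13.com" --manual \
#       --preferred-challenges dns-01 \
#       --manual-auth-hook /etc/letsencrypt/dns-auth-hook.sh \
#       --server https://acme-v02.api.letsencrypt.org/directory
```

Certbot records the hook in the renewal configuration it writes for the certificate, so a later `certbot-auto renew` runs it again for each new challenge without prompting. A matching `--manual-cleanup-hook` (same variables, plus CERTBOT_AUTH_OUTPUT) can delete the records afterwards; leaving stale `_acme-challenge` records behind is harmless to security but makes the next propagation check harder to read.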
4. Configuring the certificate
I use nginx, so only nginx is covered here; Apache is similar and may be added later. Below is the SSL-related part of the server block; the rest, such as the location blocks, is unchanged.
```nginx
server {
    listen 443 ssl;
    server_name blog.smile13.com;   # your domain
    #ssl on;
    ssl_certificate /etc/letsencrypt/live/smile13.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/smile13.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/smile13.com/chain.pem;

    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        ......
    }
}
```
After editing, check the configuration with `nginx -t` and then apply it with `systemctl reload nginx` (the original used `systemctl restart nginx`, which also works but drops open connections). nginx reads the certificate files only at start or reload, so a renewed certificate is served only after another reload; `certbot-auto renew --deploy-hook "systemctl reload nginx"` does that automatically whenever a renewal actually happens.
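The server block above works, but several of its settings are weaker than they need to be. The following is an added, hardened version of the same vhost; it is not the post's own configuration, and the HSTS max-age of 300 seconds and the `http2` flag are choices of mine. What changed and why: TLS 1.0 and 1.1 are removed (both deprecated by RFC 8996); the cipher list drops `ECDH:AES:HIGH`, which admits plain-RSA key exchange (no forward secrecy) and CBC suites, and keeps only ECDHE suites with AEAD ciphers; `ssl_trusted_certificate` is dropped because nginx only consults it for OCSP stapling, which the original never switched on; a session cache is added so the short timeout actually means something; port 80 redirects to HTTPS; and HSTS tells browsers to stop trying plaintext.

```nginx
# Added, hardened example of the vhost from section 4 (not the post's config).
# Paths are the ones certbot printed; http2 and the HSTS max-age are assumptions.
server {
    listen 80;
    server_name blog.smile13.com;
    return 301 https://$host$request_uri;   # never serve the site in clear
}

server {
    listen 443 ssl http2;
    server_name blog.smile13.com;   # your domain

    ssl_certificate     /etc/letsencrypt/live/smile13.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/smile13.com/privkey.pem;

    # Original allowed TLSv1 and TLSv1.1; both are deprecated (RFC 8996).
    ssl_protocols TLSv1.2 TLSv1.3;

    # Original list contained ECDH:AES:HIGH, which admits non-forward-secret RSA
    # key exchange and CBC suites. Keep only ECDHE + AEAD for TLS 1.2; the TLS 1.3
    # suites are selected by OpenSSL and are not configured through ssl_ciphers.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # A shared cache makes resumption work across workers; tickets are switched
    # off so a long-lived ticket key cannot undermine forward secrecy.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Tell browsers to refuse plaintext for this host from now on. Start with a
    # short max-age and raise it once the redirect above is known to work.
    add_header Strict-Transport-Security "max-age=300" always;

    location / {
        # existing location directives unchanged
    }
}
```

Run `nginx -t` before reloading: a typo in the cipher string only shows up when nginx parses the file, and a failed reload leaves the old configuration running silently.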