快速配置 Let's encrypt 通配符证书

1.简介

Let's Encrypt 已经支持申请免费的通配符证书，只需要对域名申请 https 证书，该域名下所有的子域名都可以使用。有一点需要说明，Let's Encrypt 的通配符证书只是针对二级域名，不针对主域名，例如blog.smile13.com和smile13.com则被认为是两个域名，申请证书的时候都需要申请。

2.配置环境

操作系统：centos7.4
配置域名：smile13.com，*.smile13.com

3.申请证书

3.1.下载 Certbot 并设置执行权限

1. wget https://dl.eff.org/certbot-auto
2. chmod +x certbot-auto

3.2.生成证书

./certbot-auto certonly -d "*.smile13.com" -d "smile13.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

相关参数说明：
-certonly：表示安装模式，Certbot 有安装模式和验证模式两种类型的插件。
-manual：表示手动安装插件，Certbot 有很多插件，不同的插件都可以申请证书，用户可以根据需要自行选择。
-d：为哪些主机申请证书，如果是通配符，输入 *.smile13.com（替换为自己的域名）。
-preferred-challenges：使用 DNS 方式校验域名所有权。
-server：Let’s Encrypt ACME v2 版本使用的服务器不同于 v1 版本，需要显示指定。

下面是命令执行过程中的相关操作：

> [root@eric201 software-package]# cd /etc/letsencrypt/live/
> -bash: cd: /etc/letsencrypt/live/: No such file or directory
> [root@eric201 software-package]# ./certbot-auto certonly -d "*.smile13.com" -d "smile13.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
> Saving debug log to /var/log/letsencrypt/letsencrypt.log
> Plugins selected: Authenticator manual, Installer None
> Obtaining a new certificate
> Performing the following challenges:
> dns-01 challenge for smile13.com
> dns-01 challenge for smile13.com
> 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> NOTE: The IP of this machine will be publicly logged as having requested this
> certificate. If you're running certbot in manual mode on a machine that is not
> your server, please ensure you're okay with that.
> 
> Are you OK with your IP being logged?
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> (Y)es/(N)o: Y
> 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Please deploy a DNS TXT record under the name
> _acme-challenge.smile13.com with the following value:
> 
> nQjdBo-5myb3mfnMJ1e0lDyfp6cAZap9FBR8AcM4FFE
> 
> Before continuing, verify the record is deployed.
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Press Enter to Continue

注意：在这里需要去域名的管理台配置 DNS TXT 记录，校验域名的所有权，否则直接敲回车进入下一步，证书会生成失败的，具体怎样配置 DNS TXT 记录，请往下看。

> 
> Please deploy a DNS TXT record under the name
> _acme-challenge.smile13.com with the following value:
> 
> jc8GXEczmoV6hs1K5GXH3NKa-IB2okf7ZWzAVfx8tYY
> 
> Before continuing, verify the record is deployed.
> (This must be set up in addition to the previous challenges; do not remove,
> replace, or undo the previous challenge tasks yet. Note that you might be
> asked to create multiple distinct TXT records with the same name. This is
> permitted by DNS standards.)
> 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Press Enter to Continue

同理，在这里也需要去域名的管理台配置 DNS TXT 记录，校验域名的所有权。

> Waiting for verification...
> Cleaning up challenges
> 
> IMPORTANT NOTES:
>  - Congratulations! Your certificate and chain have been saved at:
>    /etc/letsencrypt/live/smile13.com/fullchain.pem
>    Your key file has been saved at:
>    /etc/letsencrypt/live/smile13.com/privkey.pem
>    Your cert will expire on 2019-02-22. To obtain a new or tweaked
>    version of this certificate in the future, simply run certbot-auto
>    again. To non-interactively renew *all* of your certificates, run
>    "certbot-auto renew"
>  - If you like Certbot, please consider supporting our work by:
> 
>    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
>    Donating to EFF:                    https://eff.org/donate-le

DNS TXT 配置如下（如果申请多个域名，需要配置多条）

在 /etc/letsencrypt/live/smile13.com/下可以看到生成的文件：

3.3.更新证书

Let’s encrypt 的免费证书默认有效期为 90 天，到期后如果要续期可以执行,下面的命令可以配置定时任务自动执行

certbot-auto renew

4.配置证书

我使用的是 nginx，所以这里只讲述在 nginx 中怎样配，apache 类似，以后再补充。下面是 ssl 相关的配置，其他部分如 location 不变。

server {
	listen 443 ssl;
	server_name blog.smile13.com; #你的域名
	#ssl on;
	ssl_certificate /etc/letsencrypt/live/smile13.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/smile13.com/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/smile13.com/chain.pem;
>
	ssl_session_timeout 5m;
	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
>
	location / {
	......
	}
}

配置好后重启 nginx（systemctl restart nginx）就可以了。