Quickly Set Up a Let's Encrypt Wildcard Certificate

This post was last updated 2089 days ago; the information in it may be out of date.

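1. Introduction

Let's Encrypt now supports issuing free wildcard certificates: request an HTTPS certificate for the domain once, and every subdomain under it can use it. One point to note: a Let's Encrypt wildcard certificate covers only the subdomains, not the main domain. For example, blog.smile13.com and smile13.com are treated as two separate domains, and both must be requested when applying for the certificate.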

2. Environment

Operating system: CentOS 7.4
Domains: smile13.com, *.smile13.com

3. Requesting the certificate

3.1. Download Certbot and make it executable

wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto

3.2. Generate the certificate

./certbot-auto certonly -d "*.smile13.com" -d "smile13.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

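Parameter notes:
certonly: selects the install mode; Certbot has two types of plugins, installer and authenticator.
--manual: selects the manual plugin; Certbot has many plugins that can each obtain a certificate, and you can choose whichever fits your needs.
-d: the hosts to request the certificate for; for a wildcard, enter *.smile13.com (replace with your own domain).
--preferred-challenges: use DNS to validate domain ownership.
--server: Let's Encrypt ACME v2 uses a different server from v1, so it must be specified explicitly.

The steps that come up while the command runs are shown below: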

> [root@eric201 software-package]# cd /etc/letsencrypt/live/
> -bash: cd: /etc/letsencrypt/live/: No such file or directory
> [root@eric201 software-package]# ./certbot-auto certonly -d "*.smile13.com" -d "smile13.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
> Saving debug log to /var/log/letsencrypt/letsencrypt.log
> Plugins selected: Authenticator manual, Installer None
> Obtaining a new certificate
> Performing the following challenges:
> dns-01 challenge for smile13.com
> dns-01 challenge for smile13.com
> 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> NOTE: The IP of this machine will be publicly logged as having requested this
> certificate. If you're running certbot in manual mode on a machine that is not
> your server, please ensure you're okay with that.
> 
> Are you OK with your IP being logged?
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> (Y)es/(N)o: Y
> 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Please deploy a DNS TXT record under the name
> _acme-challenge.smile13.com with the following value:
> 
> nQjdBo-5myb3mfnMJ1e0lDyfp6cAZap9FBR8AcM4FFE
> 
> Before continuing, verify the record is deployed.
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Press Enter to Continue

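Note: at this point you need to go to the domain's management console and configure the DNS TXT record to prove ownership of the domain. If you simply press Enter to move on, certificate generation will fail. See below for how to configure the DNS TXT record.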

> 
> Please deploy a DNS TXT record under the name
> _acme-challenge.smile13.com with the following value:
> 
> jc8GXEczmoV6hs1K5GXH3NKa-IB2okf7ZWzAVfx8tYY
> 
> Before continuing, verify the record is deployed.
> (This must be set up in addition to the previous challenges; do not remove,
> replace, or undo the previous challenge tasks yet. Note that you might be
> asked to create multiple distinct TXT records with the same name. This is
> permitted by DNS standards.)
> 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Press Enter to Continue

Likewise, here you also need to go to the domain's management console and configure the DNS TXT record to prove ownership of the domain.

> Waiting for verification...
> Cleaning up challenges
> 
> IMPORTANT NOTES:
>  - Congratulations! Your certificate and chain have been saved at:
>    /etc/letsencrypt/live/smile13.com/fullchain.pem
>    Your key file has been saved at:
>    /etc/letsencrypt/live/smile13.com/privkey.pem
>    Your cert will expire on 2019-02-22. To obtain a new or tweaked
>    version of this certificate in the future, simply run certbot-auto
>    again. To non-interactively renew *all* of your certificates, run
>    "certbot-auto renew"
>  - If you like Certbot, please consider supporting our work by:
> 
>    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
>    Donating to EFF:                    https://eff.org/donate-le

The DNS TXT records are configured as follows (if you request several domains, you need several records):

[Screenshot: DNS TXT records in the domain management console]
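Certbot asks you to verify that the record is deployed before pressing Enter, and in this run two values must exist under the same name. One way to check that from the shell, as an added example that is not part of the original post: it assumes dig is installed (package bind-utils on CentOS) and that the domain is the zone apex; the function names are made up for this example and the sample dig output is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). The dig output used below is constructed.

# txt_has_all ANSWERS VALUE...
# ANSWERS is what `dig +short TXT <name>` prints: one double-quoted string per line.
# Succeeds only if every VALUE appears as a complete TXT string.
txt_has_all() {
    answers=$1; shift
    for want in "$@"; do
        printf '%s\n' "$answers" | grep -Fxq -- "\"$want\"" || return 1
    done
    return 0
}

# check_challenge NAME VALUE...
# Asks every authoritative name server directly, so a stale resolver cache
# cannot hide a record that one server has not picked up yet.
# Assumption: NAME is _acme-challenge.<zone apex>, as with smile13.com here.
check_challenge() {
    name=$1; shift
    zone=${name#_acme-challenge.}
    servers=$(dig +short NS "$zone")
    [ -n "$servers" ] || { echo "no NS records found for $zone" >&2; return 2; }
    for ns in $servers; do
        out=$(dig +short TXT "$name" "@$ns")
        if ! txt_has_all "$out" "$@"; then
            echo "not all TXT values are published on $ns yet" >&2
            return 1
        fi
    done
    echo "all TXT values are published on every name server of $zone"
}

# Offline demonstration on constructed dig output, using the two values
# Certbot printed in the session above.
V1=nQjdBo-5myb3mfnMJ1e0lDyfp6cAZap9FBR8AcM4FFE
V2=jc8GXEczmoV6hs1K5GXH3NKa-IB2okf7ZWzAVfx8tYY
ONE_RECORD="\"$V1\""
BOTH_RECORDS=$(printf '"%s"\n"%s"' "$V1" "$V2")

txt_has_all "$ONE_RECORD" "$V1" "$V2" || echo "one record only: keep waiting"
txt_has_all "$BOTH_RECORDS" "$V1" "$V2" && echo "both records: safe to press Enter"

# Live check (needs dig and network access):
#   check_challenge _acme-challenge.smile13.com "$V1" "$V2"
```
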

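The generated files can be seen under /etc/letsencrypt/live/smile13.com/:

3.3. Renew the certificate

Let's Encrypt's free certificates are valid for 90 days by default. To renew one when it expires, run the command below; it can also be set up as a scheduled task so that it runs automatically.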

certbot-auto renew

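4. Configuring the certificate

I use nginx, so this only covers how to configure it in nginx; Apache is similar and I will add it later. Below is the SSL-related configuration; the other parts, such as location, stay unchanged.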

server {
	listen 443 ssl;
	server_name blog.smile13.com; # your domain
	#ssl on;
	ssl_certificate /etc/letsencrypt/live/smile13.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/smile13.com/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/smile13.com/chain.pem;

	ssl_session_timeout 5m;
	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
	# TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require them
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;

	location / {
	......
	}
}

Once this is configured, restart nginx (systemctl restart nginx) and you are done.
