Prerequisites
- A second-level domain, e.g. example.com
- The public IP address of your server, e.g. 12.34.56.78
- Your e-mail address, e.g. zhangsan@126.com
- Your cloud account's securityid and securitykey
- Make sure the second-level domain resolves correctly to the server's public IP address
Preparing the tools
Install certbot:
apt-get install -y certbot
or
yum install -y certbot
Obtaining the certificate
certbot certonly \
-d *.example.com \
-d example.com \
--manual \
-m zhangsan@126.com \
--preferred-challenges dns \
--config-dir /data/certbot \
--work-dir /data/certbot \
--cert-name example.com \
--agree-tos
Parameter description:
- certonly: only obtain the certificate
- -d: the domain names the certificate should cover
- --manual: manual issuance; requires some extra steps, such as adding a TXT DNS record, to prove that you control the domain
- -m: e-mail address associated with the certificate and its requester, so that the requester can be contacted by e-mail if there is a problem with the certificate
- --preferred-challenges dns: sets the validation method used for the certificate request; here DNS validation is used to prove control of the domain
- --config-dir: certbot's configuration directory, i.e. where its configuration files are stored; defaults to /etc/letsencrypt/
- --work-dir: certbot's working directory, i.e. where certificates are stored; defaults to /var/lib/letsencrypt/. It is recommended to set it to the same directory as --config-dir to keep the data complete and consistent
- --cert-name: the certificate name
- --agree-tos: automatically agree to the terms of service
After the command runs:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
sCj6ygbgs1Rxaz0qlNJNtE9c4dmLeWmG2TsnwZvwKhc
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Do not press Enter yet. In your DNS zone, add a record of type TXT with the name _acme-challenge.example.com and the value sCj6ygbgs1Rxaz0qlNJNtE9c4dmLeWmG2TsnwZvwKhc (how to add the record automatically without logging in to Alibaba Cloud is covered later).
Once the record has been added, use the following command to verify that it has taken effect:
dig -t txt _acme-challenge.example.com @8.8.8.8
; <<>> DiG 9.16.1-Ubuntu <<>> -t txt _acme-challenge.example.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47952
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.example.com. IN TXT
;; ANSWER SECTION:
_acme-challenge.example.com. 600 IN TXT "sCj6ygbgs1Rxaz0qlNJNtE9c4dmLeWmG2TsnwZvwKhc"
;; Query time: 87 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jun 10 10:17:39 CST 2023
;; MSG SIZE rcvd: 111
Once you have confirmed the record is live, press Enter to continue and the certificate will be issued correctly. Its path is:
tree /data/workspace/certbot/live/example.com/
/data/workspace/certbot/live/example.com/
├── cert.pem -> ../../archive/example.com/cert1.pem
├── chain.pem -> ../../archive/example.com/chain1.pem
├── fullchain.pem -> ../../archive/example.com/fullchain1.pem
├── privkey.pem -> ../../archive/example.com/privkey1.pem
└── README
If nginx is used as the load balancer, only the two files fullchain.pem and privkey.pem are needed.
Notes
The certificate is valid for three months and must be renewed before it expires. Renewal means re-running the steps above; the new certificate's validity is three months counted from the date you request it.
Automating the process
Automatically adding an Alibaba Cloud DNS record:
Original project: python-alidns
Automatically add a TXT record: ./alidns.py add TXT sCj6ygbgs1Rxaz0qlNJNtE9c4dmLeWmG2TsnwZvwKhc
Automating certificate renewal
certbot certonly \
-d *.example.com \
-d example.com \
--manual \
-m zhangsan@126.com \
--preferred-challenges dns \
--config-dir /data/certbot \
--work-dir /data/certbot \
--cert-name example.com \
--agree-tos \
--non-interactive \
--manual-auth-hook /data/certbot/auth-script.sh \
--force-renew
Parameter description:
- --non-interactive: run without interaction
- --manual-auth-hook: the script executed in manual mode, mainly to add the DNS record automatically. For an expiry renewal the DNS record is still the one generated at first issuance, so this can be any script that returns 0. This parameter is required
- --force-renew: force issuance, i.e. issue even though three months have not passed. If you force issuance too many times within one day, Let's Encrypt will block you for 24 hours, so do not force renewal before the certificate is due
The contents of /data/certbot/auth-script.sh can be as follows:
#!/bin/bash
# Auth hook used by the renewal command above: it creates nothing itself, it only
# checks that the TXT record from the first issuance is still published, and it
# always exits 0 (the final `if` succeeds whether or not grep matched).
echo "Creating TXT record"
res=$(dig +nocmd _acme-challenge.example.com TXT +noall +answer @8.8.8.8 | grep 'sCj6ygbgs1Rxaz0qlNJNtE9c4dmLeWmG2TsnwZvwKhc')
if [ -n "$res" ]
then
echo "Record created and propagated"
fi
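Added example (not the page's script and not part of python-alidns): an auth hook driven by the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables certbot sets when it runs --manual-auth-hook, so it publishes whatever value the current order carries instead of one fixed string; it calls the alidns.py command shown earlier (its path and argument form are assumptions) and polls a public resolver until the record is visible before returning.

```shell
#!/bin/sh
# Added example, not the page's script: auth hook using the variables certbot
# exports to --manual-auth-hook (CERTBOT_DOMAIN, CERTBOT_VALIDATION).
ALIDNS=/data/certbot/alidns.py   # assumed location of the python-alidns tool
RESOLVER=8.8.8.8

# record_name: the TXT name certbot expects for a dns-01 challenge
record_name() {
  printf '_acme-challenge.%s\n' "$1"
}

# has_validation: 0 when the dig answer ($1) carries TXT value ($2) under name ($3)
has_validation() {
  printf '%s\n' "$1" | grep -F "$3" | grep -Fq "\"$2\""
}

# wait_for_txt: poll the resolver until the record is visible, up to $3 tries
wait_for_txt() {
  name="$1"; value="$2"; tries="${3:-30}"; i=0
  while [ "$i" -lt "$tries" ]; do
    answer=$(dig +noall +answer TXT "$name" "@$RESOLVER" 2>/dev/null)
    if has_validation "$answer" "$value" "$name"; then
      return 0
    fi
    i=$((i + 1))
    sleep 10
  done
  echo "TXT record for $name not visible after $tries tries" >&2
  return 1
}

# Only act when certbot invokes the hook; sourcing the file leaves this untouched.
# Note: *.example.com and example.com both use the name _acme-challenge.example.com,
# so the hook is called once per domain and both values must coexist under it.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
  name=$(record_name "$CERTBOT_DOMAIN")
  echo "Creating TXT record $name"
  # assumed CLI form, following the page's ./alidns.py add TXT <value> usage
  "$ALIDNS" add TXT "$CERTBOT_VALIDATION" || exit 1
  wait_for_txt "$name" "$CERTBOT_VALIDATION" 30 || exit 1
  echo "Record created and propagated"
fi
```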
Save the automated issuance command as ssl.sh. Assuming the solo blog keeps its certificates under /data/solo/ssl/, the certificate file is named STAR.example.com.pem and the key file STAR.example.com.key, and nginx runs in docker, the full content of ssl.sh is:
#!/bin/bash
# Obtain (force-renew) the wildcard certificate using the auth hook above.
certbot certonly \
-d *.example.com \
-d example.com \
--manual \
-m zhangsan@126.com \
--preferred-challenges dns \
--config-dir /data/certbot \
--work-dir /data/certbot \
--cert-name example.com \
--agree-tos \
--non-interactive \
--manual-auth-hook /data/certbot/auth-script.sh \
--force-renew
# Copy the new chain and key to where nginx reads them. Note that `cat >` creates
# the files with the default umask, so the copied key is not 0600 like privkey.pem.
cat /data/certbot/live/example.com/fullchain.pem > /data/solo/ssl/STAR.example.com.pem
cat /data/certbot/live/example.com/privkey.pem > /data/solo/ssl/STAR.example.com.key
# Print both files; the private key goes to stdout here, which cron mails/logs.
echo "======STAR.example.com======"
cat /data/solo/ssl/STAR.example.com.pem
echo "======STAR.example.com======"
cat /data/solo/ssl/STAR.example.com.key
# Reload nginx inside the container and show the dates of the certificate now served.
docker exec nginx nginx -s reload
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates
Once the script is ready, schedule it as a cron job that runs once every three months:
0 0 1 */3 * /data/certbot/ssl.sh
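Added example (not the page's script) for the --force-renew caveat and the three-month cron above: it reads the notAfter date of the certificate nginx is actually serving, using the page's openssl command, and calls ssl.sh only when fewer than 30 days remain, so forced issuance happens only when a renewal is due. It assumes GNU date (-d) on Linux and a CERT_DOMAIN variable introduced here.

```shell
#!/bin/sh
# Added example, not the page's script: renew when the deployed certificate is
# close to expiry, rather than forcing issuance on a fixed calendar schedule.
THRESHOLD_DAYS=30

# not_after_epoch: turn the "notAfter=Sep  8 10:17:39 2023 GMT" line printed by
# `openssl x509 -noout -dates` into a Unix timestamp (GNU date assumed)
not_after_epoch() {
  date -d "${1#notAfter=}" +%s
}

# days_left: whole days from now ($2, epoch seconds) until expiry ($1)
days_left() {
  echo $(( ($1 - $2) / 86400 ))
}

# should_renew: true when fewer than THRESHOLD_DAYS remain
should_renew() {
  [ "$(days_left "$1" "$2")" -lt "$THRESHOLD_DAYS" ]
}

# deployed_not_after: fetch the notAfter line of the certificate served on $1:443
deployed_not_after() {
  echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -enddate
}

# Live check only when CERT_DOMAIN is set (e.g. CERT_DOMAIN=example.com from cron).
if [ -n "${CERT_DOMAIN:-}" ]; then
  exp=$(not_after_epoch "$(deployed_not_after "$CERT_DOMAIN")")
  now=$(date +%s)
  if should_renew "$exp" "$now"; then
    echo "$(days_left "$exp" "$now") days left, renewing"
    exec /data/certbot/ssl.sh
  else
    echo "$(days_left "$exp" "$now") days left, nothing to do"
  fi
fi
```

Running it daily from cron with CERT_DOMAIN set replaces the quarterly schedule, which otherwise lands after a 90-day certificate issued on 1 July has already expired.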