Prerequisites
- A second-level domain, e.g. example.com
- A public server IP, e.g. 12.34.56.78
- Your email address, e.g. zhangsan@126.com
- The cloud account's securityid and securitykey
- Make sure the second-level domain resolves correctly to the public server IP
Tool preparation
Install certbot:
apt-get install -y certbot  or  yum install -y certbot
Obtaining the certificate
certbot certonly \
    -d "*.example.com" \
    -d example.com \
    --manual \
    -m zhangsan@126.com \
    --preferred-challenges dns \
    --config-dir /data/certbot \
    --work-dir /data/certbot \
    --cert-name example.com \
    --agree-tos
Parameter descriptions:
- certonly: only obtain the certificate (do not install it)
- -d: the domain names the issued certificate should cover
- --manual: manual issuance; requires extra steps, such as adding a TXT-type DNS record, to prove that you control the domain
- -m: the email address associated with the certificate and its requester, so the requester can be contacted if there is a problem with the certificate
- --preferred-challenges dns: the validation method used for the request; here DNS validation, which proves control of the domain
- --config-dir: certbot's configuration directory, i.e. where its configuration files are stored; defaults to /etc/letsencrypt/
- --work-dir: certbot's working directory, i.e. where certificates are stored; defaults to /var/lib/letsencrypt/. Recommended to be the same as --config-dir to keep the data complete and consistent
- --cert-name: the certificate name
- --agree-tos: automatically agree to the terms of service
After the command runs:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

sCj6ygbgs1Rxaz0qlNJNtE9c4dmLeWmG2TsnwZvwKhc

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Do not press Enter yet. First add a TXT-type record to your DNS zone with the value sCj6ygbgs1Rxaz0qlNJNtE9c4dmLeWmG2TsnwZvwKhc and the name _acme-challenge.example.com (how to add the record automatically without logging in to Aliyun is covered later).
Once it has been added, use the following command to verify that the record has taken effect:
dig -t txt _acme-challenge.example.com @8.8.8.8

; <<>> DiG 9.16.1-Ubuntu <<>> -t txt _acme-challenge.example.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47952
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.example.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.example.com. 600 IN TXT "sCj6ygbgs1Rxaz0qlNJNtE9c4dmLeWmG2TsnwZvwKhc"

;; Query time: 87 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jun 10 10:17:39 CST 2023
;; MSG SIZE rcvd: 111
Once you have confirmed the record is live, press Enter to continue and the certificate is issued. Its location is:
tree /data/workspace/certbot/live/example.com/
/data/workspace/certbot/live/example.com/
├── cert.pem -> ../../archive/example.com/cert1.pem
├── chain.pem -> ../../archive/example.com/chain1.pem
├── fullchain.pem -> ../../archive/example.com/fullchain1.pem
├── privkey.pem -> ../../archive/example.com/privkey1.pem
└── READM
If nginx is used as the load balancer, only two of these files are needed: fullchain.pem and privkey.pem.
Notes
The certificate is valid for three months and must be renewed before it expires. Renewal simply means running the steps above again; the new certificate is valid for three months counted from the date you request it.
How to automate
Adding Aliyun DNS records automatically:
Original project: python-alidns
Add a TXT-type record automatically:
./alidns.py add TXT sCj6ygbgs1Rxaz0qlNJNtE9c4dmLeWmG2TsnwZvwKhc
Renewing the domain certificate automatically
certbot certonly \
    -d "*.example.com" \
    -d example.com \
    --manual \
    -m zhangsan@126.com \
    --preferred-challenges dns \
    --config-dir /data/certbot \
    --work-dir /data/certbot \
    --cert-name example.com \
    --agree-tos \
    --non-interactive \
    --manual-auth-hook /data/certbot/auth-script.sh \
    --force-renew
Parameter descriptions:
- --non-interactive: no prompts
- --manual-auth-hook: the script executed in manual mode, mainly to add the DNS record automatically. For a renewal at expiry the record is still the one generated at first issuance, so this script can be anything that returns 0; the parameter itself is mandatory
- --force-renew: force issuance even if the three months are not up. Forcing too many issuances in one day gets you rate-limited by Let's Encrypt for 24 hours, so do not force-renew before the certificate is due
/data/certbot/auth-script.sh can contain the following:
#!/bin/bash
# Hook run by certbot (--manual-auth-hook) before each dns-01 challenge is checked.
echo "Creating TXT record"
# Query a public resolver for the _acme-challenge TXT record and check that the
# expected value is already present.
res=$(dig +nocmd _acme-challenge.example.com TXT +noall +answer @8.8.8.8 | grep 'sCj6ygbgs1Rxaz0qlNJNtE9c4dmLeWmG2TsnwZvwKhc')
if [ -n "$res" ]
then
    echo "Record created and propagated"
fi
# Exits with status 0 either way, which is what the renewal command above relies on.
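Certbot hands the current challenge to the hook in its environment, so the hook does not have to hard-code one TXT value. The following is an added example, not the original post's script: it uses certbot's documented CERTBOT_DOMAIN and CERTBOT_VALIDATION variables, publishes the record with the post's alidns.py (the /data/certbot/alidns.py path is assumed), and polls a public resolver until the value is visible; txt_has_value and wait_for_txt are helper names chosen here.

```shell
#!/bin/bash
# Added example of a --manual-auth-hook for certbot's dns-01 challenge.
# Assumes certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION (documented hook
# variables) and that /data/certbot/alidns.py (assumed path) adds a TXT record.

# Return 0 if the "dig +short -t TXT" output on stdin contains the expected value.
txt_has_value() {
  expected="$1"
  # dig +short prints each TXT string in double quotes; drop them before comparing.
  tr -d '"' | grep -Fqx -- "$expected"
}

# Poll a public resolver until the TXT record $name carries $value.
# $3 is the number of attempts (default 30, ten seconds apart); returns 1 on timeout.
wait_for_txt() {
  name="$1"; value="$2"; tries="${3:-30}"
  i=0
  while [ "$i" -lt "$tries" ]; do
    if dig +short -t TXT "$name" @8.8.8.8 | txt_has_value "$value"; then
      return 0
    fi
    i=$((i + 1))
    sleep 10
  done
  echo "TXT record for $name did not propagate" >&2
  return 1
}

# Only act when certbot invoked us (the hook variables are set); otherwise the
# file can be sourced for its functions.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
  echo "Creating TXT record for _acme-challenge.${CERTBOT_DOMAIN}"
  /data/certbot/alidns.py add TXT "$CERTBOT_VALIDATION"   # assumed path to the post's script
  # A non-zero exit makes certbot abort instead of failing the challenge later.
  wait_for_txt "_acme-challenge.${CERTBOT_DOMAIN}" "$CERTBOT_VALIDATION" || exit 1
fi
```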
Save the automated issuance command as ssl.sh. Assume the solo blog's certificate directory is /data/solo/ssl/, the certificate files are named STAR.example.com.pem and STAR.example.com.key, and nginx runs in docker. The full content of ssl.sh is:
#!/bin/bash
# Request (or force-renew) the wildcard certificate without any prompts.
certbot certonly \
    -d "*.example.com" \
    -d example.com \
    --manual \
    -m zhangsan@126.com \
    --preferred-challenges dns \
    --config-dir /data/certbot \
    --work-dir /data/certbot \
    --cert-name example.com \
    --agree-tos \
    --non-interactive \
    --manual-auth-hook /data/certbot/auth-script.sh \
    --force-renew
# Copy the new chain and key to the file names the solo blog's nginx expects.
cat /data/certbot/live/example.com/fullchain.pem > /data/solo/ssl/STAR.example.com.pem
cat /data/certbot/live/example.com/privkey.pem > /data/solo/ssl/STAR.example.com.key
chmod 600 /data/solo/ssl/STAR.example.com.key
echo "======STAR.example.com======"
cat /data/solo/ssl/STAR.example.com.pem
echo "======STAR.example.com======"
# The private key is deliberately not printed: cron mails stdout, which would leak it.
# Reload the nginx running in docker so it picks up the new files.
docker exec nginx nginx -s reload
# Show the validity dates of the certificate that is now actually being served.
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates
Once the script is ready, schedule it as a cron job that runs once every three months:
0 0 1 */3 * /data/certbot/ssl.sh
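A quarterly cron run renews on a fixed calendar date rather than on the certificate's actual remaining validity. As an added example that is not part of the post, the functions below parse the notAfter line that openssl x509 prints for the certificate nginx is serving and report the days remaining, so a daily cron job can alert or run ssl.sh only when renewal is due; they assume GNU date (date -d) and openssl, and the names check_renewal_needed, days_until_expiry and the 20-day threshold are choices made here.

```shell
#!/bin/bash
# Added example: measure remaining validity of the served certificate.
# Assumes GNU date (for "date -d") and openssl are installed on the host.

# Print the seconds from $2 (ISO-8601 UTC; default: now) until the notAfter
# date in $1, where $1 is a line exactly as printed by "openssl x509 -noout -enddate",
# e.g. "notAfter=Jun 10 10:17:39 2023 GMT". Returns 2 if a date cannot be parsed.
seconds_until_expiry() {
  enddate="${1#notAfter=}"
  ref="${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
  end_ts=$(date -u -d "$enddate" +%s) || return 2
  ref_ts=$(date -u -d "$ref" +%s) || return 2
  echo $(( end_ts - ref_ts ))
}

# Whole days remaining; negative once the certificate has already expired.
days_until_expiry() {
  secs=$(seconds_until_expiry "$1" "$2") || return 2
  echo $(( secs / 86400 ))
}

# Fetch the notAfter line of the certificate served at host:port ($1), using the
# host part as SNI so the wildcard certificate for that name is selected.
served_enddate() {
  echo | openssl s_client -connect "$1" -servername "${1%%:*}" 2>/dev/null \
    | openssl x509 -noout -enddate
}

# Exit 0 while at least $2 days (default 20) remain on the certificate served at $1;
# a non-zero exit lets cron or a monitor trigger the renewal script.
check_renewal_needed() {
  days=$(days_until_expiry "$(served_enddate "$1")") || return 2
  echo "$1: $days day(s) until certificate expiry"
  [ "$days" -ge "${2:-20}" ]
}
```

A daily cron entry such as `check_renewal_needed example.com:443 || /data/certbot/ssl.sh` renews only when needed, which also avoids the forced-renewal rate limit mentioned above.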