申请Let’s Encrypt免费通配符SSL域名证书

一、下载 Certbot 客户端
wget https://dl.eff.org/certbot-auto
或者yum install epel; yum install python2-certbot-nginx

二、设为可执行权限
chmod a+x certbot-auto
./certbot-auto certonly -d “*.xxx.com” –manual –preferred-challenges dns-01 –server https://acme-v02.api.letsencrypt.org/directory

三、申请通配符证书是要经过 DNS 认证的,接下来需要按照提示在域名后台添加对应的 DNS TXT 记录。
dig -t txt _acme-challenge.xxx.com @8.8.8.8
等待txt记录生效,可以显示出来解析的时候,回车。提示如下:
MPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/xxx.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/xxx.com/privkey.pem
Your cert will expire on 2018-06-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
“certbot-auto renew”
– If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

四、查看生成的证书
tree /etc/letsencrypt/live/xxx.com/
.
├── cert.pem (服务器端证书)
├── chain.pem (根证书和中继证书)
├── fullchain.pem (Nginx所需要ssl_certificate文件)
└── privkey.pem (安全证书KEY文件)

五、验证范域名证书
openssl x509 -in /etc/letsencrypt/live/xxx.com/cert.pem -noout -text
# 可以看到证书包含了 SAN 扩展,该扩展的值就是 *.xxx.com

Authority Information Access:
OCSP – URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers – URI:http://cert.int-x3.letsencrypt.org/

X509v3 Subject Alternative Name:
DNS:*.xxx.com

六、证书续期
手动:
certbot-auto renew

用计划任务自动化比较好:每天0点和中午12点自动续期。
0 0,12 * * * python -c ‘import random; import time; time.sleep(random.random() * 3600)’ && ./path/certbot-auto renew

七、NGINX使用SSL证书:
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf; # 不加本条也不耽误使用。
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # 不加本条也不耽误使用。

PS:https://certbot.eff.org/docs/using.html
1、申请通配符证书,只能使用 dns-01 的方式。
2、certonly 表示插件,Certbot 有很多插件。不同的插件都可以申请证书,用户可以根据需要自行选择。
3、-d 为哪些主机申请证书。如果是通配符,输入 *.xxx.com (根据实际情况替换为你自己的域名)。
4、–preferred-challenges dns-01,使用 DNS 方式校验域名所有权。
5、–server,Let’s Encrypt ACME v2 版本使用的服务器不同于 v1 版本,需要显示指定。
6、dns-01:给域名添加一个 DNS TXT 记录。
7、http-01:在域名对应的 Web 服务器下放置一个 HTTP well-known URL 资源文件。
8、tls-sni-01:在域名对应的 Web 服务器下放置一个 HTTPS well-known URL 资源文件。
9、在配置Let’s Encrypt免费SSL证书的时候域名一定要解析到当前VPS服务器,而且DNS必须用到海外域名DNS,如果用国内免费DNS可能会导致获取不到错误。
10、–dry-run Test “renew” or “certonly” without saving any certificates to disk

发表评论

Fill in your details below or click an icon to log in:

WordPress.com 徽标

You are commenting using your WordPress.com account. Log Out /  更改 )

Google photo

You are commenting using your Google account. Log Out /  更改 )

Twitter picture

You are commenting using your Twitter account. Log Out /  更改 )

Facebook photo

You are commenting using your Facebook account. Log Out /  更改 )

Connecting to %s


%d 博主赞过: