1. Certificate request (certbot)
1.1 System
The server is a Baidu Cloud instance running Ubuntu.
1.2 Tool installation
```
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo apt-get update
sudo apt-get install certbot
```
The certbot package in Ubuntu's universe repository can be several releases behind; certbot's own documentation now recommends installing it as a snap. The release you get also determines the default ACME endpoint, which is why the `--server` option is passed explicitly below.
1.3 Certificate request
```
certbot certonly -d '*.wepego.cn' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
```
`--manual` runs certbot interactively: it prints the challenge and waits for you to complete it. `--preferred-challenges dns` selects DNS validation (dns-01); wildcard certificates can only be issued through dns-01. Without it certbot defaults to http-01, which serves a token from `/.well-known/acme-challenge/` on port 80. `--server` points at the ACME v2 endpoint, which is required for wildcards; older certbot releases (such as the one in the Ubuntu repositories) default to the acme-v01 URL, while current releases default to v2. The `*` is quoted so the shell does not try to expand it as a glob.

Note that this request covers `*.wepego.cn` only: a wildcard matches exactly one label, so `www.wepego.cn` is covered but the apex `wepego.cn` is not. To cover both, pass `-d wepego.cn -d '*.wepego.cn'`; certbot will then ask for two TXT records under the same `_acme-challenge.wepego.cn` name, and both must be present at once.

The request proceeds as follows. To prove that the domain is under your control, certbot asks you to publish a DNS TXT record partway through.
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): 418498042@qq.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for wzlinux.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.wzlinux.com with the following value:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/wzlinux.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/wzlinux.com/privkey.pem
   Your cert will expire on 2019-09-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
The output above asks for a DNS TXT record (the transcript was captured for wzlinux.com, while the commands in this article use wepego.cn; the procedure is identical). I created the record in the Baidu Cloud DNS console.
Once the record is in place, verify it from the server before pressing Enter. Note that `dig` without `@server` asks the local caching resolver, which may return a stale answer (or a cached NXDOMAIN); querying the zone's authoritative nameservers directly is more reliable, and Let's Encrypt validates from several vantage points, so the record must be visible on all of them.
```
[root@ ~]# dig -t txt _acme-challenge.wepego.cn

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -t txt _acme-challenge.wzlinux.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47252
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.wzlinux.com.   IN      TXT

;; ANSWER SECTION:
_acme-challenge.wzlinux.com. 58 IN      TXT     "Fd-T8Q_R_9k4UqerXohPkTWu-aZOaU0mxxozERPRU5M"

;; Query time: 0 msec
;; WHEN: Thu Jun 06 07:04:07 UTC 2019
;; MSG SIZE  rcvd: 112
```
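The check below is an added example for this tutorial, not code from the original post or from certbot. It does what the `dig` step does, but against nameservers you name explicitly (for example the zone's authoritative servers from `dig NS wepego.cn`) instead of the local caching resolver, and it only reports success when every listed server already serves the token. It uses the standard library only: it encodes the DNS query in wire format (RFC 1035), sends it over UDP and parses the TXT answers itself. The nameserver addresses and the sample token are placeholders constructed for the demonstration; `build_txt_response()` exists only to fabricate an offline sample reply.

```python
"""Verify the dns-01 TXT record on specific nameservers before telling certbot to continue."""
import random
import socket
import struct
import sys
from typing import List, Optional, Tuple

TXT = 16   # QTYPE for TXT records
IN = 1     # QCLASS for Internet


def challenge_record_name(domain: str) -> str:
    """'*.wepego.cn' and 'wepego.cn' are both validated at _acme-challenge.wepego.cn."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.rstrip(".")


def build_query(name: str, txn_id: int) -> bytes:
    """Encode a single-question TXT/IN query with the given transaction id."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", TXT, IN)


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_txt_answers(msg: bytes, expected_id: int) -> List[str]:
    """Return the TXT strings in the answer section. Rejects replies whose id does
    not match our query (cheap spoofing check) or that carry an error RCODE."""
    txn_id, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txn_id != expected_id:
        raise ValueError("transaction id mismatch: reply was not for our query")
    if flags & 0x000F:
        raise ValueError("DNS error RCODE=%d (3 = NXDOMAIN)" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                                 # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    values = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != TXT:
            continue
        pos, parts = 0, []                              # RDATA: <len><chars> strings
        while pos < len(rdata):
            n = rdata[pos]
            parts.append(rdata[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
            pos += 1 + n
        values.append("".join(parts))
    return values


def query_txt(name: str, nameserver: str, timeout: float = 3.0) -> List[str]:
    """Ask one specific nameserver (e.g. an authoritative server for the zone)."""
    txn_id = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txn_id), (nameserver, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_txt_answers(reply, txn_id)


def challenge_is_deployed(domain: str, token: str, nameservers: List[str]) -> bool:
    """True only when every listed nameserver serves the token: Let's Encrypt
    validates from several vantage points, so one lagging server fails you."""
    name = challenge_record_name(domain)
    return all(token in query_txt(name, ns) for ns in nameservers)


def build_txt_response(name: str, txn_id: int, value: Optional[str], rcode: int = 0) -> bytes:
    """Constructed sample reply for offline demonstration: one TXT record,
    or an empty answer section when value is None or rcode is non-zero."""
    question = build_query(name, txn_id)[12:]
    if rcode or value is None:
        return struct.pack("!HHHHHH", txn_id, 0x8180 | rcode, 1, 0, 0, 0) + question
    rdata = bytes([len(value)]) + value.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TXT, IN, 60, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    if len(sys.argv) == 4:   # usage: check_txt.py '*.wepego.cn' TOKEN ns1_ip,ns2_ip
        ok = challenge_is_deployed(sys.argv[1], sys.argv[2], sys.argv[3].split(","))
        print("deployed on all nameservers" if ok else "NOT deployed everywhere")
        sys.exit(0 if ok else 1)
    sample = build_txt_response("_acme-challenge.wepego.cn", 7, "constructed-token")
    print(parse_txt_answers(sample, 7))
```

Run it with the domain, the token certbot printed and the IP addresses of the zone's nameservers; press Enter in certbot only when it exits 0. The same function is what you would call from a `--manual-auth-hook` script, after publishing the record through your DNS provider's API, to wait for propagation before returning control to certbot.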
1.4 Viewing the certificate
```
[root@ ~]# ll /etc/letsencrypt/live/wepego.cn/
```
The `live/` directory holds symlinks (`cert.pem`, `chain.pem`, `fullchain.pem`, `privkey.pem`) into `/etc/letsencrypt/archive/`, so that paths in server configs stay stable across renewals. `privkey.pem` is created readable by root only; keep it that way and point services at the symlinks rather than copying the files elsewhere.
1.5 Using the certificate
Taking nginx as the example service, the configuration is below. Three things to watch: the wildcard certificate covers `www.wepego.cn` but not the apex `wepego.cn`, so the port-80 redirect must send clients to a name the certificate includes; TLS 1.0 and 1.1 should not be offered; and the dots in the `location` regexes must be escaped, since an unescaped `/.` matches every URI.
```
server {
    listen 443 ssl http2;
    #listen [::]:443 ssl http2;
    server_name www.wepego.cn;
    index index.html index.htm index.php default.html default.htm default.php;
    root /usr/share/nginx/html/;

    # "ssl on;" is obsolete (removed in current nginx): "listen ... ssl" already enables TLS
    ssl_certificate /etc/letsencrypt/live/wepego.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wepego.cn/privkey.pem;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were enabled in the original
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Forward-secret suites only. The original string contained "EECDH+AES 256"
    # (a stray space, which is not a valid cipher-string entry), non-PFS RSA key
    # exchange, 3DES (SWEET32) and the non-standard "EECDH+CHACHA20-draft" name.
    ssl_ciphers "EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES256:EECDH+AES128:!MD5:!3DES:!aNULL";
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # openssl dhparam -out /usr/local/nginx/ssl/dhparam.pem 2048
    #ssl_dhparam /usr/local/nginx/ssl/dhparam.pem;

    #error_page 404 /404.html;

    # Deny access to PHP files in specific directories
    #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }

    location ~ .*\.(js|css)?$ {
        expires 12h;
    }

    location ~ /\.well-known {
        allow all;
    }

    # Hide dotfiles such as .git or .env. The dot must be escaped: an unescaped
    # "/." matches every URI and would deny the whole site.
    location ~ /\. {
        deny all;
    }

    # Access logs are the first thing needed during an incident; consider keeping them.
    access_log off;
}

server {
    listen 80;
    # Redirect to a name the wildcard covers: *.wepego.cn does not include the
    # apex wepego.cn, so "https://$server_name" would produce a certificate mismatch.
    server_name wepego.cn www.wepego.cn;
    return 301 https://www.wepego.cn$request_uri;
}
```
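To check that the certificate actually covers every name nginx serves, and that the old protocol versions are really gone after a reload, the following is an added example for this tutorial (not code from the original post, nginx or certbot). `hostname_matches()` implements the dNSName matching rule CAs and browsers use (RFC 6125 section 6.4.3): a wildcard stands for exactly one label, only in the leftmost position, so `*.wepego.cn` covers `www.wepego.cn` but neither the apex `wepego.cn` nor `a.b.wepego.cn`. `fetch_san_names()` and `tls_version_accepted()` talk to a live server; the host names are the page's, and the SAN list in the demo is constructed rather than read from a real certificate.

```python
"""Does the certificate cover every server_name, and which TLS versions does the server still accept?"""
import socket
import ssl
from typing import Iterable, List, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match of one SAN dNSName (possibly a wildcard) against a host."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    # The whole leftmost label must be '*', nothing else may contain '*', and
    # public CAs do not issue '*.tld', so require two labels after the wildcard.
    if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
        return False
    if len(h) != len(p) or not h[0]:        # exactly one non-empty label replaces '*'
        return False
    return h[1:] == p[1:]


def covering_name(san_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the SAN entry that covers hostname, or None."""
    return next((n for n in san_names if hostname_matches(n, hostname)), None)


def uncovered_server_names(san_names: List[str], server_names: Iterable[str]) -> List[str]:
    """Names from nginx server_name directives that the certificate does not cover."""
    return [n for n in server_names if covering_name(san_names, n) is None]


def fetch_san_names(host: str, port: int = 443, sni: Optional[str] = None) -> List[str]:
    """Connect with TLS and return the leaf certificate's dNSName SANs.
    The default context verifies the chain against the system trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def tls_version_accepted(host: str, version: ssl.TLSVersion, port: int = 443) -> bool:
    """True if the server completes a handshake pinned to exactly `version`.
    With 'ssl_protocols TLSv1.2 TLSv1.3;' this should be False for TLSv1 and
    TLSv1_1. Your local OpenSSL may itself refuse to offer those versions,
    which also yields False; this is a probe, so verification is disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False


if __name__ == "__main__":
    sans = ["*.wepego.cn"]   # constructed: what the page's certbot command yields
    print(uncovered_server_names(sans, ["www.wepego.cn", "wepego.cn"]))   # ['wepego.cn']
```

Against a live host, `uncovered_server_names(fetch_san_names("www.wepego.cn"), [...])` lists every `server_name` that would trigger a certificate warning, and `tls_version_accepted("www.wepego.cn", ssl.TLSVersion.TLSv1)` confirms the protocol change took effect.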
1.6 Certificate renewal
Renewal is done with `certbot renew`, run from a scheduled job. One caveat applies to certificates obtained with `--manual`: certbot cannot repeat the DNS challenge unattended, so when such a certificate actually comes due, `certbot renew` reports that an authentication script must be provided with `--manual-auth-hook` and skips it. The run shown below succeeds only because the certificate is not yet due. For unattended renewal, either provide a `--manual-auth-hook` script that publishes the TXT record through your DNS provider's API, or use a certbot DNS plugin for your provider.
```
[root@ ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/wepego.cn.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/wepego.cn/fullchain.pem expires on 2020-05-07 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
Cron entry (the reload command is cut off after `res` in the original):
```
30 1 10 * * /usr/bin/certbot renew && service nginx res
```
This runs once a month, at 01:30 on the 10th. Certbot only renews certificates with fewer than 30 days left, so a monthly schedule gives a single attempt inside the renewal window; if that attempt fails, the next one may come after expiry. Run the job at least daily (certbot itself suggests twice a day), and prefer `--deploy-hook` to reload nginx only when a certificate actually changed rather than on every run.
Finally
The above is the material on using Let's Encrypt wildcard HTTPS certificates compiled by 凶狠春天; for more on Let's Encrypt, see the other articles on 靠谱客.
This content was contributed by readers for learning purposes or collected from the web; copyright remains with the original authors.