letsencrypt证书-使用certbot申请wildcard证书
1. certbot安装
cd /usr/local/src
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
2. 认证方式
客户在申请 Let’s Encrypt 证书的时候,需要校验域名的所有权,证明操作者有权利为该域名申请证书,目前支持三种验证方式:
dns-01:给域名添加一个 DNS TXT 记录。
http-01:在域名对应的 Web 服务器下放置一个 HTTP well-known URL 资源文件。
tls-sni-01:在域名对应的 Web 服务器下放置一个 HTTPS well-known URL 资源文件。
3. 运行命令
./certbot-auto certonly -d *.archerwong.cn -d archerwong.cn --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
注意这里 -d archerwong.cn
最好写上,否则archerwong.cn将无法被信任,只有xxx.archerwong.cn这样的二级 域名才被信任
介绍下相关参数:
certonly,表示安装模式,Certbot 有安装模式和验证模式两种类型的插件。
--manual 表示手动安装插件,Certbot 有很多插件,不同的插件都可以申请证书,用户可以根据需要自行选择
-d 为那些主机申请证书,如果是通配符,输入 *.newyingyong.cn(可以替换为你自己的域名)
--preferred-challenges dns,使用 DNS 方式校验域名所有权
--server,Let's Encrypt ACME v2 版本使用的服务器不同于 v1 版本,需要显示指定。
交互界面如下
[root@host src]# sudo ./certbot-auto certonly -d *.archerwong.cn -d archerwong.cn --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxx@163.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for archerwong.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: (Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.archerwong.cn with the following value:
apQPzp-NYZ0md_D_2_fKr465Il3dDbdR_BlOSOJTYAo
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
注意这里我把交互页面截断,很重要,先不要回车,将上面的txt值,填到你的域名解析里面,等确认生效后再回车,我填写如下
然后测试是否生效
$ dig -t txt _acme-challenge.archerwong.cn @8.8.8.8
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> -t txt _acme-challenge.archerwong.cn @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25704
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.archerwong.cn. IN TXT
;; ANSWER SECTION:
_acme-challenge.archerwong.cn. 599 IN TXT "apQPzp-NYZ0md_D_2_fKZ465Il3dDbdR_BlOSOJTYbo"
;; Query time: 306 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Dec 17 21:34:43 CST 2018
;; MSG SIZE rcvd: 114
确认生效后,按回车键,交互界面继续
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/archerwong.cn/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/archerwong.cn/privkey.pem
Your cert will expire on 2019-03-17. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
至此已经成功生成了wildcard证书,查看下证书
tree /etc/letsencrypt/live/archerwong.cn
/etc/letsencrypt/live/archerwong.cn
├── cert.pem -> ../../archive/archerwong.cn/cert1.pem
├── chain.pem -> ../../archive/archerwong.cn/chain1.pem
├── fullchain.pem -> ../../archive/archerwong.cn/fullchain1.pem
├── privkey.pem -> ../../archive/archerwong.cn/privkey1.pem
└── README
生成证书后,配置 Nginx
打开 nginx server 配置文件加入如下设置:
server {
listen 443
ssl on;
ssl_certificate /etc/letsencrypt/live/网站域名/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/网站域名/privkey.pem;
## 其他配置
}
强制跳转 https
https 默认是监听 443 端口的,没开启 https 访问的话一般默认是 80 端口。如果你确定网站 80 端口上的站点都支持 https 的话加入下面的配件可以自动重定向到 https
server {
listen 80;
server_name your.domain.com;
return 301 https://$server_name$request_uri;
}
4. 更新
使用的库:letsencrypt通配符证书,其实这个库就是写了一个钩子,通过钩子来自动填写txt dns记录。当然这个库也可以方便的申请通配符证书,感谢作者的付出。
1:下载
$ git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
$ cd certbot-letencrypt-wildcardcertificates-alydns-au
$ chmod 0777 au.sh autxy.sh python-version/au.sh
// 我是移动到了/etc/letsencrypt目录下,然后重命名manual-auth-hook
2:配置
目前该工具支持三种运行环境:
- au.sh:操作阿里云 DNS hook shell(PHP 环境)。
- autxy.sh:操作腾讯云 DNS hook shell(PHP 环境)。
- python-version/au.py:操作阿里云 DNS hook shell(Python 2.7/3.6),感谢 @Duke-Wu 的 PR。
这三种运行环境什么意思呢?就是可根据自己服务器环境和域名服务商选择任意一个 hook shell(操作的时候任选其一即可)。
DNS API 密钥:
- alydns.php,修改 accessKeyId、accessSecrec 变量,阿里云 API key 和 Secrec 官方申请文档。
- txydns.php,修改 txyaccessKeyId、txyaccessSecrec 变量,腾讯云 API 密钥官方申请文档。
- python-version/alydns27.py,修改 ACCESS_KEY_ID、ACCESS_KEY_SECRET,阿里云 API key 和 Secrec 官方申请文档。
这个 API 密钥什么意思呢?由于需要通过 API 操作阿里云 DNS 或腾讯云 DNS 的记录,所以需要去域名服务商哪儿获取 API 密钥。
3:申请证书
特别说明: --manual-auth-hook 指定的 hook 文件三个任选其一(au.sh、autxy.sh、python-version/au.sh),其他操作完全相同。
测试是否有错误
$ ./certbot-auto certonly -d *.example.com --manual --preferred-challenges dns --manual-auth-hook /脚本目录/au.sh(autxy.sh 或 python-version/27.py,下面统一以 au.sh 介绍) --dry-run
# 实际申请
$ ./certbot-auto certonly -d *.example.com --manual --preferred-challenges dns --manual-auth-hook /脚本目录/au.sh
这里我实际运行了测试
[root@host src]# ./certbot-auto certonly -d *.archerwong.cn --manual --preferred-challenges dns --manual-auth-hook /etc/letsencrypt/manual-auth-hook/autxy.sh --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for archerwong.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Output from autxy.sh:
/etc/letsencrypt/manual-auth-hook/alydns.php
archerwong.cn_acme-challengevnc1ol1jxXcQnX8ggc40-HFXPdca7xTzhDZRDKzHla8
END
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- The dry run was successful.
4:续期证书
1、对机器上所有证书 renew
$ ./certbot-auto renew --manual --preferred-challenges dns --manual-auth-hook /脚本目录/au.sh
实际更新下,结果如下
[root@host src]# ./certbot-auto renew --manual --preferred-challenges dns --manual-auth-hook /etc/letsencrypt/manual-auth-hook/autxy.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/archerwong.cn.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
/etc/letsencrypt/live/archerwong.cn/fullchain.pem expires on 2019-03-18 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@host src]# ./certbot-auto renew --manual --preferred-challenges dns --manual-auth-hook /etc/letsencrypt/manual-auth-hook/autxy.sh --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/archerwong.cn.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for archerwong.cn
dns-01 challenge for archerwong.cn
Output from autxy.sh:
/etc/letsencrypt/manual-auth-hook/alydns.php
archerwong.cn_acme-challengeapQPzp-NYaZfafamd_D_2_fKr46fafafaR_BlOSOJTYAo
END
Output from autxy.sh:
/etc/letsencrypt/manual-auth-hook/alydns.php
archerwong.cn_acme-challengeNnS-4PfafavlFuvgm1vjzfafafaD5Ux_JfQoohs
END
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/archerwong.cn/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/archerwong.cn/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2、对某一张证书进行续期
先看看机器上有多少证书:
$ ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: archerwong.cn-0001
Domains: *.archerwong.cn archerwong.cn
Expiry Date: 2019-03-17 13:24:57+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/archerwong.cn-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/archerwong.cn-0001/privkey.pem
Certificate Name: test.archerwong.cn-0001
Domains: test.archerwong.cn
Expiry Date: 2019-03-18 05:36:23+00:00 (INVALID: TEST_CERT)
Certificate Path: /etc/letsencrypt/live/test.archerwong.cn-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/test.archerwong.cn-0001/privkey.pem
Certificate Name: archerwong.cn
Domains: *.archerwong.cn
Expiry Date: 2019-03-17 12:34:52+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/archerwong.cn/fullchain.pem
Private Key Path: /etc/letsencrypt/live/archerwong.cn/privkey.pem
记住证书名,比如 archerwong.cn,然后运行下列命令 renew:
$ ./certbot-auto renew --cert-name archerwong.cn --manual-auth-hook /脚本目录/au.sh
3、加入 crontab
编辑文件 /etc/crontab :
1 1 */1 * * root certbot-auto renew --manual --preferred-challenges dns --manual-auth-hook /脚本目录/au.sh
上面的意思是,每隔一天的一点一分运行一次脚本
crontab的文件格式
分 时 日 月 星期 要运行的命令
- 第1列分钟0~59
- 第2列小时0~23(0表示子夜)
- 第3列日1~31
- 第4列月1~12
- 第5列星期0~7(0和7表示星期天)
- 第6列要运行的命令
参考:
https://www.jianshu.com/p/c5c9d071e395
https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au