Let's encrypt申请泛域名证书

1、下载工具

wget https://dl.eff.org/certbot-auto

chmod a+x ./certbot-auto

 

2、初始化

./certbot-auto

 

3、获取证书(1)

./certbot-auto certonly --manual -d *.mydomain.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

将*.mydomain.com换成你的域名。

注意:mydomain.com域名必须为你自己所有,且你能操作跟它相关的DNS记录。同时,执行certbot-auto命令的服务器必须就是mydomain.com所对应的服务器。

 

当我们看到类似以下信息时,就需要停一会:

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.mydomain.com with the following value:

xfnee7V1DS2ZlOLllasdkv-HltYfsdfahrradfU47xxs

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

 

4、配置DNS记录

根据第3步的信息,登录我们的DNS控制台,添加TXT记录:

TXT  _acme-challenge.mydomain.com  xfnee7V1DS2ZlOLllasdkv-HltYfsdfahrradfU47xxs

 

5、获取证书(2)

等DNS信息生效后,就继续获取证书(1)的步骤,按下回车,系统会自动开始认证。

等待一会,如果出现以下信息,则说明证书生成成功。

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mydomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mydomain.com/privkey.pem
Your cert will expire on 2019-01-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

 

6、使用证书

/etc/letsencrypt/live/mydomain.com/fullchain.pem

/etc/letsencrypt/live/mydomain.com/privkey.pem

 

复制这俩文件到正确的位置,比如nginx的配置目录下,然后修改nginx配置文件:

server {

    listen 443 ssl;

    server_name www.mydomain.com;

    server_name img.mydomain.com;  // 这行不要加,这里是为了说明泛域名可以作用于所有二级域名。

    ssl_certificate  /etc/letsencrypt/live/example.com/fullchain.pem;

    ssl_certificate_key  /etc/letsencrypt/live/example.com/privkey.pem;

    location / {

        root html;

    }

}

 

7、更新证书

// 更新即将到期的证书

./certbot-auto renew

 

// 强制更新一个证书(这个证书也许还有很久才到期)

./certbot-auto renew --force-renewal

 

将更新命令加入定时任务,让它自动更新。(如何判断快到90天了)

 

posted @ 2019-01-11 18:09  道霖  阅读(3408)  评论(0编辑  收藏  举报