Installing the certificate, step by step
Domains to configure: xxxxx.cn and *.xxxxx.cn
Install the certificate with the following steps:
1. Install Certbot, the Let's Encrypt certificate manager
2. Generate the certificate
3. Configure the certificate in nginx
4. Renew the certificate
1. Install Certbot, the Let's Encrypt certificate manager
certbot is the open-source client for obtaining and managing Let's Encrypt certificates.
Install it:
# yum install certbot            // CentOS
# sudo apt-get install certbot   // Ubuntu / Debian
2. Generate the certificate
Run the following command:
# certbot certonly --preferred-challenges dns --manual -d "*.xxxxx.cn" -d "xxxxx.cn" --server https://acme-v02.api.letsencrypt.org/directory
Note that two names are given: *.xxxxx.cn and xxxxx.cn. The wildcard does not cover the bare (apex) domain, so the apex has to be listed with its own -d; the resulting certificate then covers both.
certonly: obtain the certificate only, without installing it into a web server (Certbot can also install it for supported servers; here the nginx configuration is done by hand in step 3).
-d: a name to include in the certificate; repeat the option for each name.
--manual: authenticate interactively instead of through a DNS-provider or web-server plugin. Certbot prints each challenge value and waits until you have published it.
--preferred-challenges dns: prove control of the domain with the dns-01 challenge (a TXT record). A wildcard name can only be validated with dns-01; http-01 is not accepted for it.
--server: wildcard certificates require ACME v2, whose endpoint differs from the v1 endpoint, so it is given explicitly (recent Certbot versions already default to the v2 endpoint).
The run looks like this:
# certbot certonly --preferred-challenges dns --manual -d "*.xxxxx.cn" -d "xxxxx.cn" --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): youremail@domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for xxxxx.cn
dns-01 challenge for xxxxx.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.xxxxx.cn with the following value:
xG_fwAgSBY5L34e1VDkB84Yiysf59PrrvuS10zH68ng
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.xxxxx.cn with the following value:
As5ziCS4pwG5jDUpPemM7FVSuudoON13ZgJqOdscx_k
Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/xxxxx.cn/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/xxxxx.cn/privkey.pem
Your cert will expire on 2021-10-20. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
- We were unable to subscribe you the EFF mailing list because your
e-mail address appears to be invalid. You can try again later by
visiting https://act.eff.org.
In the run above, one step asks you to add a TXT record for your domain; this is the dns-01 challenge, and it is how you prove the domain is yours. The prompt looks like this (taken from another run, for the domain 3b8.cn):
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.3b8.cn with the following value:
kgiq5A2DST6YdBhf31OKIDq_WbvzoVxx6x-KuFlWFSU
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
In your DNS provider's console (Aliyun, Tencent Cloud, ...), add a TXT record: host/record name _acme-challenge (most consoles take only the host part and append the zone themselves), value exactly the string certbot printed, without quotes. When certbot then asks for a second value under the same name, add a second TXT record next to the first one; do not overwrite it, both records must exist at the same time until validation is done. Check that the record is actually visible (for example with dig TXT _acme-challenge.xxxxx.cn, or your provider's propagation check), then go back to the terminal and press Enter. Once validation succeeds, the certificate files are written out.
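The "verify the record is deployed" step is where manual dns-01 runs usually go wrong: pressing Enter before the TXT record is visible makes Let's Encrypt fail the challenge, and a resolver that was asked too early may cache the negative answer. The script below is an added example, not code from the original post: it queries the domain's own authoritative nameserver and only reports success when every value certbot printed is present as a separate TXT record. It assumes dig is installed (bind-utils on CentOS, dnsutils on Ubuntu); the domain and the two values are the placeholders from the certbot output above.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the _acme-challenge TXT
# records certbot asked for are published before pressing Enter in certbot.
# Queries an authoritative nameserver of the zone, not a recursive resolver,
# so a cached "no such record" answer cannot fool the check.
# Assumes `dig` is installed. Domain/values below are the placeholders from the post.
#
# Usage: sh check-acme-txt.sh xxxxx.cn VALUE1 [VALUE2 ...]

# txt_values_present RECORDS EXPECTED
#   RECORDS : output of `dig +short TXT`, one double-quoted string per line
#   EXPECTED: newline-separated values that must all be present
# Returns 0 only when every expected value matches a whole record exactly;
# prefix matches or a record whose quotes are missing do not count.
txt_values_present() {
    records="$1"
    expected="$2"
    while IFS= read -r v; do
        [ -n "$v" ] || continue
        printf '%s\n' "$records" | grep -qxF "\"$v\"" || return 1
    done <<EOF
$expected
EOF
    return 0
}

# authoritative_ns DOMAIN -> hostname of one authoritative nameserver of the zone
authoritative_ns() {
    dig +short NS "$1" | head -n 1
}

# wait_for_txt DOMAIN EXPECTED [ATTEMPTS]: poll until all values are visible.
# With -d "*.xxxxx.cn" -d "xxxxx.cn" certbot issues two dns-01 challenges for the
# same name, so EXPECTED normally holds two values and both records must coexist.
wait_for_txt() {
    domain="$1"; expected="$2"; attempts="${3:-12}"
    ns="$(authoritative_ns "$domain")"
    if [ -z "$ns" ]; then
        echo "no NS record found for $domain" >&2
        return 2
    fi
    i=1
    while [ "$i" -le "$attempts" ]; do
        records="$(dig +short @"$ns" TXT "_acme-challenge.$domain")"
        if txt_values_present "$records" "$expected"; then
            echo "all challenge values visible at $ns; you can press Enter in certbot"
            return 0
        fi
        echo "attempt $i/$attempts: not all values visible at $ns yet, retrying in 10s" >&2
        i=$((i + 1))
        sleep 10
    done
    return 1
}

# The network check only runs when a domain and at least one value are given;
# sourcing the file without arguments just defines the functions.
if [ "$#" -ge 2 ]; then
    domain="$1"; shift
    wait_for_txt "$domain" "$(printf '%s\n' "$@")"
fi
```

Run it in a second terminal with the domain and the values certbot printed, and press Enter in certbot only after it reports that all values are visible. Because it asks the zone's authoritative server directly, it does not tell you whether Let's Encrypt's own resolvers will see the record yet; a TTL of 60 seconds on the record keeps that delay short.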
3. Configure the certificate in nginx
The certificate is now generated; what remains is to configure the nginx server block. A complete server block follows. The paths use the xxxxx.cn placeholder from the command above: Certbot names the live/ directory after the first -d name with the "*." stripped, so the single certificate covering *.xxxxx.cn and xxxxx.cn lives under /etc/letsencrypt/live/xxxxx.cn/.

server {
    charset utf-8;
    client_max_body_size 200M;
    listen 443 ssl;
    #listen [::]:443 ssl; ## listen for ipv6
    server_name xxxxx.cn *.xxxxx.cn;
    # fullchain.pem holds the leaf plus the intermediate; privkey.pem must stay readable by root only
    ssl_certificate /etc/letsencrypt/live/xxxxx.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxxxx.cn/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_timeout 5m;
}

Check the configuration with nginx -t and then reload nginx (for example nginx -s reload). nginx reads the PEM files only at start-up or reload, so the same reload is needed after every renewal, otherwise it keeps serving the old certificate until it expires.
4. Certificate renewal
A Let's Encrypt certificate is valid for at most 90 days; the address registered above receives an expiry notice some time before the end. Because the certificate above was issued through the manual plugin, a plain certbot renew cannot repeat the dns-01 challenge on its own and reports:
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
In other words, in unattended renewal the proof of domain control has to come from a script passed with --manual-auth-hook, which creates the _acme-challenge TXT record through your DNS provider's API (with a matching --manual-cleanup-hook script that removes it afterwards). Ready-made implementations for the common providers exist online; the setup is fiddly, so search for one that matches your DNS host.
The simpler way out is to issue the certificate again by hand, exactly as the first time:
# certbot certonly --preferred-challenges dns --manual -d "*.qikegu.com" -d "qikegu.com" --server https://acme-v02.api.letsencrypt.org/directory
Midway through you are again prompted to change the TXT records. The challenge values are new on every run, so replace the old records as described above. When certbot has written the new files, reload nginx so it picks them up.
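For readers who would rather automate the renewal than redo the manual run every three months, here is an added example of the hook script the error message asks for; it is not part of the original post. Certbot's real hook interface is used: the auth hook receives the name being validated in CERTBOT_DOMAIN and the TXT value in CERTBOT_VALIDATION, and the cleanup hook receives the same variables. The DNS update itself is done with nsupdate (RFC 2136, TSIG-signed), which assumes you run an authoritative nameserver that accepts dynamic updates; with a hosted provider such as Aliyun or Tencent Cloud the publish_record and remove_record functions are where the provider's API call goes instead. NS_SERVER, TSIG_KEY_FILE, the TTL and the auth/cleanup argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): one script that serves as both
# --manual-auth-hook and --manual-cleanup-hook, selected by its first argument.
# CERTBOT_DOMAIN and CERTBOT_VALIDATION are certbot's real hook environment;
# the nsupdate/TSIG transport and the NS_SERVER, TSIG_KEY_FILE and TTL values are
# assumptions. Replace publish_record/remove_record with your provider's API if
# your zone is hosted at Aliyun, Tencent Cloud, etc.
set -eu

NS_SERVER="${NS_SERVER:-ns1.xxxxx.cn}"                      # assumed authoritative server
TSIG_KEY_FILE="${TSIG_KEY_FILE:-/etc/letsencrypt/acme-tsig.key}"   # assumed TSIG key path
TTL=60

# challenge_name DOMAIN -> FQDN of the TXT record. Certbot already hands the
# wildcard identifier over without the "*.", but strip it defensively: both
# "*.xxxxx.cn" and "xxxxx.cn" validate under _acme-challenge.xxxxx.cn.
challenge_name() {
    printf '_acme-challenge.%s' "${1#"*."}"
}

# nsupdate_script ACTION NAME VALUE -> the RFC 2136 update batch; ACTION is add|delete.
# "add" never deletes first: the wildcard and the apex are two dns-01 challenges on
# the same name, and both TXT values must coexist until the order is validated.
nsupdate_script() {
    printf 'server %s\nupdate %s %s. %s IN TXT "%s"\nsend\n' \
        "$NS_SERVER" "$1" "$2" "$TTL" "$3"
}

publish_record() { nsupdate_script add "$1" "$2" | nsupdate -k "$TSIG_KEY_FILE"; }
remove_record()  { nsupdate_script delete "$1" "$2" | nsupdate -k "$TSIG_KEY_FILE"; }

# wait_visible NAME VALUE: poll the authoritative server before returning to certbot,
# so Let's Encrypt is not asked to validate a record that does not exist yet.
wait_visible() {
    i=0
    while [ "$i" -lt 30 ]; do
        if dig +short @"$NS_SERVER" TXT "$1" | grep -qxF "\"$2\""; then
            return 0
        fi
        i=$((i + 1))
        sleep 2
    done
    echo "TXT $1 not visible at $NS_SERVER after 60s" >&2
    return 1
}

# Entry point: "auth" publishes the record, "cleanup" removes it. Without an
# argument the script only defines the functions above.
case "${1:-}" in
    auth)
        name="$(challenge_name "$CERTBOT_DOMAIN")"
        publish_record "$name" "$CERTBOT_VALIDATION"
        wait_visible "$name" "$CERTBOT_VALIDATION"
        ;;
    cleanup)
        remove_record "$(challenge_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
        ;;
esac
```

Install it at a root-only path (the example assumes /etc/letsencrypt/acme-dns-hook.sh with mode 700, since it can read the TSIG key) and issue the certificate once more with the hooks attached: certbot certonly --manual --preferred-challenges dns --manual-auth-hook "/etc/letsencrypt/acme-dns-hook.sh auth" --manual-cleanup-hook "/etc/letsencrypt/acme-dns-hook.sh cleanup" -d "*.xxxxx.cn" -d "xxxxx.cn". Certbot stores the hooks in the renewal configuration under /etc/letsencrypt/renewal/, so afterwards certbot renew --deploy-hook "systemctl reload nginx" (or the distribution's certbot timer) renews unattended and reloads nginx only when a certificate actually changed. certbot renew --dry-run exercises the whole chain against the staging server without consuming production rate limits.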