
Applying for a Let's Encrypt Wildcard SSL Certificate


Preface

In this article certbot is installed on your own computer.

Domain ownership is verified through DNS. After 90 days the certificate has to be renewed manually.

Once obtained, the certificate is uploaded to the server by hand, which is only suitable for development use.

For an automated issuance workflow, please refer to other articles.

Procedure

  1. Install Certbot (the tool used to issue Let's Encrypt certificates, written in Python)

    Homebrew (brew) is a software package manager; it is very handy and downloads dependencies automatically.

    $ brew install certbot
    

    If you are prompted, install the required dependencies as instructed, then run the previous command again.

    $ xcode-select --install
    
  2. Run the request command

    For the exact parameters, consult the official Let's Encrypt certbot documentation.

    $ sudo certbot certonly  -d "*.你的域名" -d "你的域名" --manual --preferred-challenges dns-01  --server https://acme-v02.api.letsencrypt.org/directory
    
  3. Enter the requested information

    Plugins selected: Authenticator manual, Installer None
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel): 你的郵箱
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
    agree in order to register with the ACME server at
    https://acme-v02.api.letsencrypt.org/directory
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (A)gree/(C)ancel: a    // agree
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about our work
    encrypting the web, EFF news, campaigns, and ways to support digital freedom.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: y  // agree
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for 你的域名
    dns-01 challenge for 你的域名
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: y   // agree
    
  4. DNS record verification

    Add a TXT record with the name and value shown.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.你的域名 with the following value:
    
    18eEXZpvkS0WPSog8T9YtWZEeUWf6r2lyScf_NfAurc
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue
    
  5. Successful result

    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/你的域名/fullchain.pem   // certificate storage path
       Your key file has been saved at:
       /etc/letsencrypt/live/你的域名/privkey.pem     // private key storage path
       Your cert will expire on 2019-06-15. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
  6. Retrieve the certificate

    $ sudo cat /etc/letsencrypt/live/你的域名/fullchain.pem | pbcopy
    
    $ sudo cat /etc/letsencrypt/live/你的域名/privkey.pem | pbcopy
    
  7. Renew the certificate

    $ sudo certbot renew
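As an added example that is not part of the original post: a small POSIX shell check to run at step 4 before pressing Enter. Because the command requests both `*.domain` and the apex, certbot prints two dns-01 challenges for the same `_acme-challenge.<domain>` name, so both TXT values must be published side by side (adding the second record, not replacing the first). The function names, the resolver `1.1.1.1` and the sample `dig` output below are assumptions/constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies that every TXT value
# certbot asked for is visible on a public resolver, which is what Let's
# Encrypt's validators see, so a stale local cache cannot fool the check.

# check_txt_output TOKEN [TOKEN...]
# Reads `dig +short TXT` output on stdin (one quoted value per line) and
# returns 0 only when every expected token appears as a complete value.
check_txt_output() {
    found=$(cat)
    for expected in "$@"; do
        # -F fixed string, -x whole line, -q quiet; dig wraps TXT values in quotes
        printf '%s\n' "$found" | grep -Fxq "\"$expected\"" || return 1
    done
    return 0
}

# check_acme_txt DOMAIN TOKEN [TOKEN...]
# Queries the public resolver 1.1.1.1 (assumption; any public resolver works)
# for _acme-challenge.DOMAIN and checks all tokens at once.
check_acme_txt() {
    domain="$1"
    shift
    dig +short @1.1.1.1 TXT "_acme-challenge.$domain" | check_txt_output "$@"
}

# Constructed sample of `dig +short TXT _acme-challenge.example.com` output:
# one stale value left from an earlier run plus the token certbot printed at step 4.
SAMPLE_DIG_OUTPUT='"oldtoken_from_previous_issuance"
"18eEXZpvkS0WPSog8T9YtWZEeUWf6r2lyScf_NfAurc"'

# Usage (not run here, needs network):
#   check_acme_txt example.com TOKEN_FOR_WILDCARD TOKEN_FOR_APEX && echo "ready, press Enter"
```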