Requesting a wildcard certificate with certbot

Introduction

What is Let's Encrypt?

Only a handful of certificate authorities in the world are trusted by browsers, and Let's Encrypt is one of them. You can obtain certificates from it for free (paid options exist too; many CAs charge thousands or tens of thousands a year). If all you want is a test environment that needs HTTPS, there is no point paying that kind of money. The free lunch comes with strings attached, though: a Let's Encrypt certificate is only valid for 90 days, so you have to renew it before it expires. There are also various limits, such as how many certificates you can request per week and how many operations a single IP may perform per day; see

https://letsencrypt.org/docs/rate-limits/

Can you use a certificate you generated yourself with the JDK instead? Yes, it works, but the browser will tell you it does not trust that certificate, i.e. it will show an "insecure" warning in the address bar.

What is a wildcard certificate?

For example *.xxx.com: a certificate that can be used for all the subdomains of a given domain is called a wildcard certificate. Note that the wildcard matches exactly one label: *.xxx.com covers a.xxx.com but not a.b.xxx.com, and not the bare xxx.com itself (add that with a second -d if you need it).

Let's Encrypt officially recommends requesting certificates with the certbot script. The steps below were done on CentOS 7 with Python 2.7.5; if you run into errors along the way, first suspect version problems with the Python packages.

Installation steps

git clone https://github.com/letsencrypt/letsencrypt

If git is not installed yet, install it with yum install -y git

cd letsencrypt
# then run the following command (the wildcard is quoted so the shell does not try to expand it)
./certbot-auto certonly --manual -d '*.1233s2b.cn' --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Parameter descriptions

certonly: only obtain the certificate, do not install it.
--agree-tos: agree to the ACME terms of service.
--no-bootstrap: answer N to the system-level operations (installing OS packages) that would otherwise ask for your consent.
--manual-public-ip-logging-ok: automatically consent to your IP being logged; by default you are asked, and refusing means the request cannot succeed.
--manual: interactive (manual) issuance.
-d: which hosts to request the certificate for, e.g. *.xxx.cn (a wildcard here).
--preferred-challenges dns-01: validate domain ownership via DNS; several challenge types can be listed.
--server: the ACME v2 endpoint differs from the v1 one and must be given explicitly (wildcards are only available on v2).

Running the command above prints output like the following:

Creating virtual environment...
Installing Python packages... # this step can take a long time; if it hangs or errors out, try switching to another pip mirror
DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): # enter your email address; c cancels and exits, Enter continues

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y # whether to allow them to email you; either answer is fine
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for xxx.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.xxx.cn with the following value:

vTQ65N5PxxxxxxxxxxxxxxfD4VQ66uG8
### At this point go to your DNS provider and add a TXT record: _acme-challenge with the value vTQ65N5xxxxxxxxxxxxxxxfD4VQ66uG8
# once the record has propagated, press Enter to continue
### check propagation with: dig -t txt _acme-challenge.xxx.cn
### after the check succeeds
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xxx.cn/fullchain.pem #### path of the issued certificate chain
   Your key file has been saved at:
   /etc/letsencrypt/live/xxx.cn/privkey.pem  ### path of the private key
   Your cert will expire on 2020-08-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"  #### this is the renewal command
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

DNS propagation check command: dig -t txt _acme-challenge.xxx.cn
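As an added example that is not part of the original post, here is a small POSIX shell script that runs the dig check above in a loop and only reports success when the exact token certbot printed is present, so you do not press Enter on a record that has not propagated yet, or on a stale value left over from an earlier run (certbot then fails the challenge and the attempt counts against the rate limits). The function names, the 10-second poll interval and the sample values are this example's own assumptions; it assumes dig is installed (package bind-utils on CentOS 7).

```shell
#!/bin/sh
# Added example, not from the original post: poll DNS until the dns-01 TXT
# record certbot asked for is visible, before pressing Enter in certbot.
# Assumes dig is installed (bind-utils on CentOS 7); function names, the
# poll interval and the sample values are this example's own choices.

# Turn `dig +short -t txt` output into one bare value per line. dig prints
# each TXT value quoted, and splits long values into several quoted chunks
# ("abc" "def"), which are re-joined here.
parse_txt_values() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Read bare values on stdin; succeed (0) only if one equals the expected
# token. Other values, typically stale tokens from an earlier certbot run,
# are reported on stderr so you can clean them up.
txt_has_value() {
    expected="$1"
    found=1
    while IFS= read -r value; do
        [ -z "$value" ] && continue
        if [ "$value" = "$expected" ]; then
            found=0
        else
            printf 'note: other TXT value present: %s\n' "$value" >&2
        fi
    done
    return "$found"
}

# wait_for_acme_txt DOMAIN TOKEN [ATTEMPTS] [RESOLVER]
# Queries _acme-challenge.DOMAIN every 10 seconds until the token is seen.
# Pass the zone's authoritative name server as RESOLVER to avoid a cached
# negative answer from the local resolver.
wait_for_acme_txt() {
    name="_acme-challenge.$1"
    expected="$2"
    attempts="${3:-30}"
    resolver="${4:+@$4}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if dig +short -t txt "$name" $resolver | parse_txt_values | txt_has_value "$expected"; then
            echo "TXT record for $name is live; press Enter in certbot."
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "TXT record for $name did not show the expected token after $attempts attempts." >&2
    return 1
}

# Stand-alone use: sh check_txt.sh xxx.cn vTQ65N5PxxxxxxxxxxxxxxfD4VQ66uG8
if [ "$#" -ge 2 ]; then
    wait_for_acme_txt "$@"
fi
```

Run it in a second terminal with the domain and the token certbot printed (`sh check_txt.sh xxx.cn vTQ65N5PxxxxxxxxxxxxxxfD4VQ66uG8`), and only go back to certbot once it reports the record as live. Comparing the full value rather than just checking that some TXT record exists is the point: an old _acme-challenge value from a previous attempt looks identical to a plain `dig` glance but will fail validation.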

Once the certificate is issued you are good to go: configure it in nginx or Tomcat, or, if you run on a cloud platform, upload it there. Generate it once and use it everywhere: no matter how many subdomains you point at your servers, this one certificate covers them.
