Let's Encrypt: generating a wildcard certificate

Let's Encrypt issues convenient, free certificates that all mainstream browsers already support.

Here is a short walkthrough of generating a wildcard certificate with Let's Encrypt and renewing it manually every three months.

My environment is CentOS 7.

Prerequisites

1) certbot version 1.0.0 (sudo yum install certbot)

2) admin access to modify the domain's DNS configuration (on Alibaba Cloud, simply add a resolution record)

Installation process

1) Check the certbot version

# certbot --version

2) Run the command below, then add the TXT record it asks for to your domain to prove that you own it

# certbot -d *.XXX.cn -d XXX.cn \
    --manual \
    --preferred-challenges dns certonly \
    --server https://acme-v02.api.letsencrypt.org/directory

Please deploy a DNS TXT record under the name
_acme-challenge.XXX.cn with the specified value

3) Set up your wildcard domain (install the certificate into nginx)

# certbot \
    --authenticator standalone \
    --installer nginx \
    --pre-hook "systemctl stop nginx.service" \
    --post-hook "systemctl start nginx.service" \
    --server https://acme-v02.api.letsencrypt.org/directory

Renewal process

1) Install the plugins if needed (optional)

Plugins selected: Authenticator standalone, Installer nginx

# certbot \
    --authenticator standalone \
    --installer nginx \
    --pre-hook "systemctl stop nginx.service" \
    --post-hook "systemctl start nginx.service" \
    --server https://acme-v02.api.letsencrypt.org/directory

Answers given at the prompts: domain XXX.cn, redirect

2) Renew (required)

======================
# systemctl stop nginx.service
# ps -aux | grep nginx
# kill {pid}

# list certificates
certbot certificates

# renew manually
certbot -d *.XXX.cn -d XXX.cn --manual --preferred-challenges dns certonly --pre-hook "systemctl stop nginx.service" --post-hook "systemctl start nginx.service" --server https://acme-v02.api.letsencrypt.org/directory
=============================

# This is the normal renewal; it fails for the wildcard domain
certbot renew
systemctl stop nginx.service
systemctl start nginx.service
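Because the wildcard renewal is manual, it helps to know how many days are left before you go through the DNS TXT dance again. The script below is an added example (not from the original post): it reads the expiry date of the live certificate with openssl, and only runs the post's manual certbot command when fewer than 30 days remain. It assumes the certificate is stored under /etc/letsencrypt/live/XXX.cn (XXX.cn is the post's placeholder domain) and GNU date.

```shell
#!/bin/sh
# Added example: check days left on the wildcard cert and renew by hand if needed.
# Assumption: certbot put the cert in /etc/letsencrypt/live/$DOMAIN (default layout).
DOMAIN="${DOMAIN:-XXX.cn}"                       # placeholder domain from the post
CERT="/etc/letsencrypt/live/${DOMAIN}/fullchain.pem"
THRESHOLD_DAYS=30                                 # renew when fewer days remain

# Whole days between two epoch timestamps ($1 = from, $2 = to); negative if $2 is in the past.
days_between() { echo $(( ($2 - $1) / 86400 )); }

# Convert an openssl "notAfter=Mon DD HH:MM:SS YYYY GMT" line to epoch seconds (GNU date).
not_after_epoch() {
    date -d "${1#notAfter=}" +%s
}

# True (exit 0) when days left ($1) is below the threshold ($2).
should_renew() {
    [ "$1" -lt "$2" ]
}

# Days left on the certificate file given as $1.
cert_days_left() {
    end=$(openssl x509 -noout -enddate -in "$1") || return 1
    days_between "$(date +%s)" "$(not_after_epoch "$end")"
}

main() {
    left=$(cert_days_left "$CERT") || { echo "cannot read $CERT" >&2; exit 1; }
    echo "$DOMAIN: $left days left"
    if should_renew "$left" "$THRESHOLD_DAYS"; then
        # Same manual DNS-01 command as the post; certbot prints the _acme-challenge TXT value to add.
        certbot -d "*.${DOMAIN}" -d "${DOMAIN}" --manual --preferred-challenges dns certonly \
            --pre-hook "systemctl stop nginx.service" \
            --post-hook "systemctl start nginx.service" \
            --server https://acme-v02.api.letsencrypt.org/directory
    else
        echo "no renewal needed yet"
    fi
}

# Only run the check when invoked with RUN_MAIN=1, so the functions can be sourced and tested.
if [ "${RUN_MAIN:-0}" = "1" ]; then main; fi
```

Run it as `RUN_MAIN=1 sh check-wildcard.sh` from a cron job or by hand; `certbot renew` skips this certificate because it was issued with --manual and no --manual-auth-hook is configured, which is why the renewal here stays interactive.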
