Let's Encrypt is a convenient free certificate authority, and all mainstream browsers already trust it.
This is a short walkthrough of using Let's Encrypt to generate a wildcard certificate and renewing it manually every three months.
My environment is CentOS 7.
Prerequisites
1) certbot version 1.0.0 (sudo yum install certbot)
2) admin access to modify the DNS configuration (on Alibaba Cloud, just add a DNS record)
Install process
1) check certbot version
# certbot --version
2) run the command, then add the TXT record to your domain to prove you own it
# certbot -d '*.XXX.cn' -d XXX.cn \
--manual \
--preferred-challenges dns \
certonly \
--server https://acme-v02.api.letsencrypt.org/directory
Please deploy a DNS TXT record under the name
_acme-challenge.XXX.cn with the specified value
3) install the certificate into nginx for your wildcard domain
# certbot \
--authenticator standalone \
--installer nginx \
--pre-hook "systemctl stop nginx.service" \
--post-hook "systemctl start nginx.service" \
--server https://acme-v02.api.letsencrypt.org/directory
Renew process
1) install the plugins if needed (optional)
Plugins selected: Authenticator standalone, Installer nginx
# certbot \
--authenticator standalone \
--installer nginx \
--pre-hook "systemctl stop nginx.service" \
--post-hook "systemctl start nginx.service" \
--server https://acme-v02.api.letsencrypt.org/directory
answers given at the prompts: domain XXX.cn, redirect
2) renew (required)
======================
# systemctl stop nginx.service
# ps -aux | grep nginx
# kill {pid}
# list certificates
certbot certificates
# renew manually
certbot -d '*.XXX.cn' -d XXX.cn \
--manual \
--preferred-challenges dns \
certonly \
--pre-hook "systemctl stop nginx.service" \
--post-hook "systemctl start nginx.service" \
--server https://acme-v02.api.letsencrypt.org/directory
=============================
# This is the normal renewal; it fails for the wildcard certificate obtained with --manual
certbot renew
systemctl stop nginx.service
systemctl start nginx.service
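Because `certbot renew` does not cover the wildcard certificate obtained with --manual, its expiry has to be tracked by hand. The script below is an added example, not part of the original post or of certbot itself: it parses the output of `certbot certificates` (a constructed sample is embedded; the domain names, dates and DEMO_NOW are made up) and lists the certificates that must be renewed manually within the next 30 days.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of `certbot certificates` output (not captured from a real host);
# the names and dates are made up. DEMO_NOW is the fictional "today" used below.
SAMPLE = """\
Found the following certs:
  Certificate Name: example.cn
    Domains: *.example.cn example.cn
    Expiry Date: 2020-04-10 08:00:00+00:00 (VALID: 20 days)
    Certificate Path: /etc/letsencrypt/live/example.cn/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.cn/privkey.pem
  Certificate Name: www.example.org
    Domains: www.example.org
    Expiry Date: 2020-06-01 08:00:00+00:00 (VALID: 72 days)
    Certificate Path: /etc/letsencrypt/live/www.example.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.example.org/privkey.pem
"""
DEMO_NOW = datetime(2020, 3, 21, tzinfo=timezone.utc)

def parse_certbot_certificates(text):
    """Parse `certbot certificates` output into dicts with name, domains and expiry."""
    certs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = {"name": line.split(":", 1)[1].strip(), "domains": [], "expiry": None}
            certs.append(current)
        elif current and line.startswith("Domains:"):
            current["domains"] = line.split(":", 1)[1].split()
        elif current and line.startswith("Expiry Date:"):
            # Keep the timestamp, drop the trailing "(VALID: n days)" annotation.
            stamp = line.split(":", 1)[1].strip().split(" (")[0]
            current["expiry"] = datetime.fromisoformat(stamp)
    return certs

def is_wildcard_pair(cert):
    """True when a cert covers both *.apex and apex, as requested with the two -d flags above."""
    apexes = [d[2:] for d in cert["domains"] if d.startswith("*.")]
    return any(apex in cert["domains"] for apex in apexes)

def certs_needing_renewal(text, now, within_days=30):
    """Names of certs expiring within `within_days` of `now` (timezone-aware datetime)."""
    return [c["name"] for c in parse_certbot_certificates(text)
            if c["expiry"] is not None and c["expiry"] - now <= timedelta(days=within_days)]

if __name__ == "__main__":
    for name in certs_needing_renewal(SAMPLE, DEMO_NOW):
        print(f"{name}: renew manually (certbot renew does not handle --manual certs)")
```

On a real host, feed it the output of `certbot certificates` and the current time instead of SAMPLE and DEMO_NOW, for example from a cron job that mails the result.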