Let’s Encrypt generating Wildcard SSL certificate using Certbot
安装 Certbot
Certbot 是一个非常简单方便的工具,它可以帮助我们生成 SSL 证书,自动更新 SSL 证书,并且将证书配置到 Web 服务上。
可以运行以下命令,从 EPEL 仓库中安装 Certbot:
|
1 |
sudo yum install certbot |
生成 Dh (Diffie-Hellman) 组
Diffie–Hellman 密匙交换是一种可以在不安全的通信信道上安全交换密钥的方法。
现在运行以下命令,可以来生成一个新的 2048 位的 DH 参数:
|
1 |
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 |
2048 位,生成时间大概 3-5 分钟左右。当然,如果您愿意也可以将大小改为 4096 位,但是这样的话,可能生成的时间至少需要花费 30 分钟,此操作具体时长取决于系统熵。
生成 SSL 证书
|
1 2 3 4 5 6 7 |
certbot certonly --manual \ --preferred-challenges=dns \ --email marcin@hotmail.com \ --server https://acme-v02.api.letsencrypt.org/directory \ --agree-tos \ --manual-public-ip-logging-ok \ -d "*.domain.com" |
|
1 2 3 4 5 6 7 8 |
例: certbot certonly --manual \ --preferred-challenges=dns \ --email jerrywang@pixelshift.ai \ --server https://acme-v02.api.letsencrypt.org/directory \ --agree-tos \ --manual-public-ip-logging-ok \ -d "*.local.aniplay.co" |
回车之后会问你是否支持并且加入到开源贡献当中去
并且会让你去域名管理处添加一条txt解析记录
|
1 |
_acme-challenge.play.co => txt记录至 qs4-5l-ssdfgRZ3sdfgsdfgM7YfgfghfghsdfghzLWT8n-s |
|
1 2 3 4 |
Please deploy a DNS TXT record under the name _acme-challenge.local.aniplay.co with the following value: qs4-5l-ssdfgRZ3sdfgsdfgM7YfgfghfghsdfghzLWT8n-s |
txt记录添加到位后,按Enter继续,您将在下面显示所需的输出。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Obtaining a new certificate Performing the following challenges: dns-01 challenge for domain.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.domain.com with the following value: SiPbTUGdqp37WnMNnG17N4qoZEVIiuO_MivrrhYmW-Y Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/domain.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/domain.com/privkey.pem Your cert will expire on 2020-09-06. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" |
证书生成完毕后,你会得到4个文件
|
1 2 3 4 |
cd /etc/letsencrypt/live/domain.com/ ls cert.pem chain.pem fullchain.pem privkey.pem |
|
1 2 3 |
privkey.pem #证书的私钥。 fullchain.pem #所有证书,包括服务器证书(又名叶子证书或最终实体证书)。服务器证书是此文件中的第一个证书,其后是任何中间证书。 cert.pem,chain.pem #本身包含服务器证书,并chain.pem包含Web浏览器为了验证服务器证书将需要的其他中间证书。如果你提供一个这样的文件到您的Web服务器,你必须提供他们两个,或有些浏览器会显示"此连接不受信任"的错误为您的网站 |
验证由Certbot生成的SSL证书的有效性
为此,您可以运行以下命令
|
1 |
certbot certificates |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
Found the following certs: Certificate Name: domain.com Serial Number: 4c006834c40af115ed6336331bc93034c97 Domains: *.domain.com Expiry Date: 2020-09-06 07:51:47+00:00 (VALID: 89 days) Certificate Path: /etc/letsencrypt/live/domain.com/fullchain.pem Private Key Path: /etc/letsencrypt/live/domain.com/privkey.pem Certificate Name: domain.io Serial Number: 318d565040c512614e31c77e938f024d256 Domains: *.domain.io Expiry Date: 2020-09-06 06:28:59+00:00 (VALID: 89 days) Certificate Path: /etc/letsencrypt/live/domain.io/fullchain.pem Private Key Path: /etc/letsencrypt/live/domain.io/privkey.pem Certificate Name: domain.net Serial Number: 31a5f3ecf68387f2a023758f2a7cac58b93 Domains: *.domain.net Expiry Date: 2020-09-06 07:47:34+00:00 (VALID: 89 days) Certificate Path: /etc/letsencrypt/live/domain.net/fullchain.pem Private Key Path: /etc/letsencrypt/live/domain.net/privkey.pem |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
找到以下证书: 证书名称:domain.com 序列号:4c006834c40af115ed6336331bc93034c97 域:* .domain.com 到期日期:2020-09-06 07:51:47 + 00:00(有效期:89天) 证书路径:/ etc /letsencrypt/live/domain.com/fullchain.pem 私钥路径:/etc/letsencrypt/live/domain.com/privkey.pem 证书名称:domain.io 序列号:318d565040c512614e31c77e938f024d256 域:* .domain.io 到期日期: 2020-09-06 06:28:59 + 00:00( 有效期:89天)证书路径:/etc/letsencrypt/live/domain.io/fullchain.pem 私钥路径:/ etc / letsencrypt / live / domain。 io / privkey.pem 证书名称:domain.net 序列号:31a5f3ecf68387f2a023758f2a7cac58b93 域:* .domain.net 到期日期:2020-09-06 07:47:34 + 00:00(有效期:89天) 证书路径:/etc/letsencrypt/live/domain.net/fullchain。 pem 私钥路径:/etc/letsencrypt/live/domain.net/privkey.pem |
请注意,在上面的输出中,我为三个不同的域提供了三个通配符SSL证书。
将证书部署至nginx请看:https://zhuanlan.zhihu.com/p/57155589
重要说明,每个证书的有效期为90天,因此建议根据文档每60天更新一次。
续订:
从0.10.0版开始,Certbot支持一项操作,以检查所有已安装的证书是否即将到期,并尝试执行以下操作:renew更新 他们。最简单的形式就是在命令行直接运行:
|
1 |
certbot renew |
更新相关请看 :https://certbot.eff.org/docs/using.html?highlight=renew#renewing-certificates
- 本文固定链接: https://www.yoyoask.com/?p=4675
- 转载请注明: shooter 于 SHOOTER 发表
这个作者貌似有点懒,什么都没有留下。