Applying for a wildcard certificate with certbot
Preface
What is Let's Encrypt?
Only a handful of certificate authorities in the world are trusted by browsers, and Let's Encrypt is one of them. It issues certificates for free; you can of course pay if you want to, and many CAs charge several thousand or even tens of thousands a year. If all we want is a test environment that needs HTTPS, we are certainly not going to waste money on that. There is no free lunch, though: a Let's Encrypt certificate is valid for only 90 days, so you have to renew it before it expires. There are also various rate limits, such as how many times you may apply per week and how many operations a single IP may perform per day; see the rate-limit details.
Can a certificate generated with the JDK be used instead? It certainly can, except that the browser will tell you it does not recognise the certificate, i.e. it shows a "Not secure" warning in the top-left corner.
What is a wildcard certificate?
For example *.xxx: a certificate that can be used for every subdomain (second-level name) under a given domain is called a wildcard certificate.
Let's Encrypt officially recommends applying with the certbot script. The steps below were carried out on CentOS 7 with Python 2.7.5; if you hit an error along the way, first suspect the versions of your Python packages.
Installation steps
git clone https://github.com/letsencrypt/letsencrypt
If git is not installed, install it with: yum install -y git
cd letsencrypt
# then run the following command directly (the wildcard is quoted so the shell does not expand it)
./certbot-auto certonly --manual -d '*.1233s2b' --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Parameter description
certonly: only obtain the certificate, do not install it.
--agree-tos: agree to the ACME subscriber agreement.
--no-bootstrap: answer N to any system-level operation that would require user consent.
--manual-public-ip-logging-ok: automatically allow your IP address to be logged; by default certbot asks, and if you refuse, the request cannot go through.
--manual: interactive (manual) application.
-d: the hosts to obtain the certificate for, e.g. *.xxx (a wildcard domain here).
--preferred-challenges dns: validate domain ownership via DNS; several challenge types can be listed.
--server: the server used by Let's Encrypt's ACME v2 differs from the v1 server and must be specified explicitly.
Running the command above prints output like the following:
Creating
Installing # this step can hang for quite a while; if it hangs too long or errors out, switch to a different pip mirror
DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): # enter your email address; press c to cancel and exit, or Enter to continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y # whether to allow them to email you; either answer is fine
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for xxx
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_ with the following value:
vTQ65N5PxxxxxxxxxxxxxxfD4VQ66uG8
# at this point you must first add the TXT record in your DNS, i.e. point _acme-challenge at the value shown above
# once the record has propagated, press Enter to continue
# command to verify that the record has propagated: dig -t txt _acme-challenge.xxx
# after the verification succeeds:
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/xxx/fullchain.pem # path of the issued certificate
Your key file has been saved at:
/etc/letsencrypt/live/xxx/privkey.pem # path of the private key
Your cert will expire on 2020-08-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew" # this is the renewal command
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
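The propagation check from the transcript above (wait until the _acme-challenge TXT record is visible, verify it with dig, only then press Enter) as a small script. This is an added example and not part of the original post: txt_contains compares dig's +short output with the token certbot printed, wait_for_acme_txt polls until it matches, and base_domain maps a wildcard name such as *.xxx to the domain the record lives under. It assumes dig (package bind-utils on CentOS 7) is installed; the resolver 8.8.8.8 and the poll intervals are constructed defaults.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the _acme-challenge TXT
# record certbot asked for is visible in DNS before pressing Enter in certbot.
# Assumes `dig` (package bind-utils on CentOS 7) is installed when run for real.

# Strip a leading "*." so a wildcard name maps to the base domain the record lives under.
base_domain() {
    printf '%s\n' "${1#\*.}"
}

# Pure check: does `dig +short -t TXT` output (one quoted string per line) contain
# exactly the expected token? Quotes are removed, then a whole-line exact match is required.
txt_contains() {
    dig_output="$1"
    expected="$2"
    printf '%s\n' "$dig_output" | tr -d '"' | grep -Fxq -- "$expected"
}

# Query a public resolver (constructed default 8.8.8.8) for the challenge record.
acme_txt_ready() {
    name="_acme-challenge.$(base_domain "$1")"
    out=$(dig @"${3:-8.8.8.8}" +short -t TXT "$name" 2>/dev/null) || return 1
    txt_contains "$out" "$2"
}

# Poll until the record is visible or the attempts are exhausted; exit status 0 or 1.
wait_for_acme_txt() {
    domain="$1"; expected="$2"; attempts="${3:-30}"; interval="${4:-10}"
    i=1
    while [ "$i" -le "$attempts" ]; do
        if acme_txt_ready "$domain" "$expected"; then
            echo "_acme-challenge.$(base_domain "$domain") is live with the expected value (attempt $i)"
            return 0
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    echo "record not visible after $attempts attempts; do not press Enter yet" >&2
    return 1
}

# Usage: ./check_acme_txt.sh '*.xxx' vTQ65N5PxxxxxxxxxxxxxxfD4VQ66uG8
if [ "$#" -eq 2 ]; then
    wait_for_acme_txt "$1" "$2"
fi
```

Note that "certbot-auto renew" cannot complete a manual dns-01 renewal unattended unless an auth hook publishes the new token; this script only verifies visibility.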
Once the certificate has been issued you can put it to use: configure it in nginx or Tomcat, or, if you run on a cloud platform, upload it there. Generate once, use everywhere: no matter how many subdomains you create under the domain, they can all use this one certificate.