Applying for a free Let's Encrypt SSL certificate

  1. Environment setup
  2. Obtaining the SSL certificate
  3. Using the certificate
  4. Certificate renewal

1. Environment setup

  1. A Debian-based operating system such as Ubuntu is recommended
  2. Python 2.7 or later
  3. git
  4. Change the pip source in ~/.pip/pip.conf (optional)

2. Obtaining the SSL certificate

git clone https://github.com/letsencrypt/letsencrypt  
cd letsencrypt  
sudo ./letsencrypt-auto certonly --manual --preferred-challenges dns --email 1282148721@qq.com -d fangxinpei.cn -d www.fangxinpei.cn

There are several ways to validate domain ownership when issuing a certificate; here we use manual DNS validation.

The relevant parameters:

  • certonly: selects the mode of operation; Certbot has two kinds of plugins, installers and authenticators (validators).
  • --manual: use the manual plugin. Certbot has many plugins, each of which can obtain a certificate; pick whichever suits your needs.
  • -d: the hosts to request the certificate for; for a wildcard, enter *.newyingyong.cn (replace with your own domain).
  • --preferred-challenges dns: validate domain ownership via DNS.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): ywdblog@gmail.com

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for newyingyong.cn

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y

The output above contains two interactive prompts:

  • whether you agree to the Let's Encrypt terms of service
  • whether you accept that the requesting machine's IP will be logged against the domain

You must accept both to continue.

Keep watching the command-line output; the next part is critical:

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.newyingyong.cn with the following value:

2_8KBE_jXH8nYZ2unEViIbW52LhIqxkg6i9mcwsRvhQ

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges 

Certbot asks you to create a DNS TXT record to validate domain ownership, i.e. to prove that the certificate requester controls the domain.

The output above asks for a TXT record on _acme-challenge.fangxinpei.cn. Do not press Enter until you have confirmed that the TXT record is live.

After adding the record in the Alibaba Cloud DNS console, run the following command to check whether it has taken effect:

$ dig  -t txt  _acme-challenge.fangxinpei.cn @8.8.8.8    

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.fangxinpei.cn.        IN      TXT

;; ANSWER SECTION:
_acme-challenge.fangxinpei.cn.cn. 599 IN  TXT    "2_8KBE_jXH8nYZ2unEViIbW52LhIqxkg6i9mcwsRvhQ"
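The manual check above is easy to get wrong (pressing Enter before the record is visible fails the dns-01 challenge, and a stale value from a previous run at the same name passes the eyeball test but not the validation). The following helper, an added example that is not part of the original post, polls a resolver with `dig +short` until the record carries exactly the value certbot printed. It assumes `dig` (dnsutils / bind-utils) is installed; the resolver 8.8.8.8 and the 15 s interval are assumed defaults.

```shell
#!/bin/sh
# Added example, not from the original post: wait until the _acme-challenge
# TXT record is visible from a resolver before pressing Enter in certbot.
# Assumes `dig` (dnsutils / bind-utils) is installed.

# Read `dig +short -t txt` output on stdin (one quoted string per line, long
# records split as "part1" "part2") and return 0 if any record equals $1.
txt_has_value() {
    expected="$1"
    while IFS= read -r line; do
        # join split strings and strip the surrounding quotes
        value=$(printf '%s' "$line" | sed 's/" "//g; s/^"//; s/"$//')
        if [ "$value" = "$expected" ]; then
            return 0
        fi
    done
    return 1
}

# Poll resolver $3 (default 8.8.8.8) up to $4 times (default 20, 15 s apart)
# until record $1 carries value $2. Usage:
#   wait_for_txt _acme-challenge.fangxinpei.cn 2_8KBE_jXH8nYZ2unEViIbW52LhIqxkg6i9mcwsRvhQ
wait_for_txt() {
    name="$1"; expected="$2"; resolver="${3:-8.8.8.8}"; tries="${4:-20}"
    n=0
    while [ "$n" -lt "$tries" ]; do
        if dig +short -t txt "$name" "@$resolver" | txt_has_value "$expected"; then
            echo "$name now carries the expected value; safe to press Enter in certbot"
            return 0
        fi
        n=$((n + 1))
        sleep 15
    done
    echo "$name did not show the expected value after $tries checks" >&2
    return 1
}
```

Let's Encrypt asks the zone's authoritative nameservers, not a public resolver, so passing one of them as the third argument (`dig +short NS fangxinpei.cn` lists them) avoids being misled by a cached answer at 8.8.8.8. The comparison is against the exact value rather than mere presence of a TXT record because an old challenge value left behind at the same name would otherwise look like success.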

Once the record is confirmed, press Enter; the output is:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/fangxinpei.cn/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/fangxinpei.cn/privkey.pem
   Your cert will expire on 2019-06-09. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Congratulations, the certificate has been issued. The certificate and key are stored in the following directory:

$ tree /etc/letsencrypt/archive/fangxinpei.cn 
.
├── cert1.pem
├── chain1.pem
├── fullchain1.pem
└── privkey1.pem

Then verify the certificate details with the following command:

sudo openssl x509 -in  /etc/letsencrypt/archive/fangxinpei.cn/cert1.pem -noout -text 

The key part of the output:

            X509v3 Subject Alternative Name: 
                DNS:fangxinpei.cn, DNS:www.fangxinpei.cn
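Reading the Subject Alternative Name line by eye works for two names; for a longer `-d` list it is easy to miss one. The script below is an added example, not from the original post: it parses the `openssl x509 -noout -text` dump and confirms that every requested hostname is present, then prints the expiry date. The parsing functions read the dump from stdin so they can be exercised offline; `check_cert` is the wrapper you would run against `/etc/letsencrypt/live/<domain>/cert.pem`. All function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the issued
# certificate covers every hostname you asked for.

# Print the DNS names listed in the Subject Alternative Name extension of an
# `openssl x509 -noout -text` dump read on stdin, one per line. The names sit
# on the line after the extension header.
san_dns_names() {
    awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Return 0 when every host in $1 (space separated) appears in the SAN list
# read on stdin; each missing host is reported on stderr.
san_covers_hosts() {
    names=$(san_dns_names)
    missing=0
    for host in $1; do
        if ! printf '%s\n' "$names" | grep -qxF "$host"; then
            echo "certificate does not cover $host" >&2
            missing=1
        fi
    done
    return $missing
}

# Check a certificate on disk, e.g.
#   check_cert /etc/letsencrypt/live/fangxinpei.cn/cert.pem "fangxinpei.cn www.fangxinpei.cn"
check_cert() {
    pem="$1"; hosts="$2"
    openssl x509 -in "$pem" -noout -text | san_covers_hosts "$hosts" || return 1
    echo "$pem covers: $hosts"
    openssl x509 -in "$pem" -noout -enddate   # prints notAfter=<date>
}
```

A non-zero exit from `check_cert` before deploying means the `-d` list at issuance was incomplete; re-run certbot with the full list rather than shipping a certificate that will produce browser name-mismatch errors on the missing host.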

Other ways to generate the certificate:

./certbot certonly --webroot -w /usr/share/nginx/html -d ubock.com -d www.ubock.com
./letsencrypt-auto certonly --standalone --email xxxxx@qq.com -d fangxinpei.cn -d www.fangxinpei.cn

Both of these methods have quite a few pitfalls and are not recommended.

3. Using the certificate

After Let's Encrypt has generated the certificate, the domain directory "/etc/letsencrypt/live/zhaoheqiang.me/" contains four files, which are the generated key and certificate files (symbolic links).

cert.pem - server certificate (Apache)
chain.pem - root and intermediate certificates (Apache)
fullchain.pem - the ssl_certificate file Nginx needs
privkey.pem - the private key file

If we are running Nginx, we need the two files fullchain.pem and privkey.pem when configuring it. In Nginx, just point ssl_certificate and ssl_certificate_key at these two generated files:

# Open the Nginx configuration file and find the server block for HTTPS port 443
 ssl_certificate /etc/letsencrypt/live/zhaoheqiang.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/zhaoheqiang.me/privkey.pem;
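Two deployment mistakes that the two directives above do not guard against are pointing `ssl_certificate` and `ssl_certificate_key` at files from different lineages, and leaving the private key readable by other local users. The script below is an added example, not from the original post or from certbot: it checks that the certificate's public key matches the private key, checks the key's permission bits, and only then tests and reloads Nginx. It assumes openssl, nginx and systemd, and certbot's `/etc/letsencrypt/live/<domain>/` layout; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: before pointing nginx at the
# live/ files, make sure fullchain.pem and privkey.pem are a matching pair and
# that the key is not readable by other users.

# Return 0 if the certificate's public key equals the public half of the
# private key. Comparing the PEM SubjectPublicKeyInfo works for RSA and ECDSA.
# Returns 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if "others" have no permission bits on the file. Follows symlinks,
# since live/privkey.pem links into archive/.
key_not_world_readable() {
    others=$(ls -lL "$1" | cut -c8-10)
    [ "$others" = "---" ]
}

# Validate the pair for a domain, then test the nginx config and reload.
# A reload keeps the old configuration running if the new one fails `nginx -t`,
# whereas a restart with a broken config leaves the site down.
deploy_to_nginx() {
    live="/etc/letsencrypt/live/$1"
    if ! cert_matches_key "$live/fullchain.pem" "$live/privkey.pem"; then
        echo "fullchain.pem and privkey.pem under $live do not match" >&2
        return 1
    fi
    if ! key_not_world_readable "$live/privkey.pem"; then
        echo "$live/privkey.pem is readable by other users; fix with chmod 600" >&2
        return 1
    fi
    nginx -t && systemctl reload nginx
}
```

Usage: `deploy_to_nginx zhaoheqiang.me` after editing the server block. The same two checks are worth running from a renewal hook, since every renewal writes a new certN.pem / privkeyN.pem pair into archive/ and repoints the links.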

4. Certificate renewal

Let's Encrypt certificates are valid for 90 days, so we have to renew them ourselves.

 ./letsencrypt-auto certonly --renew-by-default --email quiniton@163.com -d zhaoheqiang.me -d www.zhaoheqiang.me

Running this once more within the 90 days takes care of renewal and gives another 90 days of validity. If you are worried about forgetting, you can use a Linux crontab to run the renewal automatically:

30 4 * * 1 certbot renew --renew-hook "systemctl restart nginx" --quiet > /dev/null 2>&1 &
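The crontab line above discards all output, so a renewal that starts failing (DNS record removed, rate limit hit, hook error) is only noticed when the certificate expires. The script below is an added example, not from the original post: it reports which certificates are inside the renewal window, runs `certbot renew` with a deploy hook that reloads Nginx only after `nginx -t` passes, and is meant to be called from cron with its output kept in a log. It assumes certbot 0.17 or later (for `--deploy-hook`), openssl, nginx under systemd, and certbot's `/etc/letsencrypt/live` layout; the script path in the cron comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: a cron-friendly renewal script
# that reports expiry status and reloads nginx safely after a renewal.

# Return 0 if the certificate $1 expires within $2 days (default 30).
# `openssl x509 -checkend N` exits 0 while the cert is still valid N seconds
# from now, so its result is inverted here.
needs_renewal() {
    if openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )); then
        return 1
    fi
    return 0
}

# Report which lineages are inside the renewal window, then let certbot renew
# whatever is due. The deploy hook runs only for certificates that actually
# changed, and reloads nginx only after its config passes `nginx -t`.
renew_all() {
    live=/etc/letsencrypt/live
    for dir in "$live"/*/; do
        [ -f "$dir/cert.pem" ] || continue
        if needs_renewal "$dir/cert.pem" 30; then
            echo "$(basename "$dir") expires within 30 days, renewing"
        fi
    done
    certbot renew --quiet --deploy-hook "nginx -t && systemctl reload nginx"
}

# Cron entry (assumed path), weekly like the original crontab line, with the
# output kept in a log instead of being sent to /dev/null:
#   30 4 * * 1 /usr/local/sbin/renew-certs.sh --run >> /var/log/renew-certs.log 2>&1
if [ "${1:-}" = "--run" ]; then
    renew_all
fi
```

`certbot renew` itself only renews certificates within 30 days of expiry, so the loop is a readable status report rather than a gate; its value is that the log then shows what was due on each run, which makes a silently failing renewal visible. Running the script with `certbot renew --dry-run` once after installing it confirms the hook and the validation still work before the real deadline.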

Please credit the source when reprinting. Readers are welcome to verify the sources cited in this article and to point out any errors or unclear wording, either in the comments below or by e-mail to lxwno.1@163.com
