Preparation
CentOS 7.4
Let's Encrypt certbot-auto
Deploy certbot-auto
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
mv certbot-auto /usr/local/bin/
Create the certificate manually
Here domainname can be a wildcard such as *.domain.com or a single host such as aa.domain.com
certbot-auto certonly -d 'domainname' --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
On the first run you are asked for the email address that expiry notices are sent to
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): email@qq.com
Start creating the certificate:
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
-------------------------------------------------------------------------------
(Y)es/(N)o: N
-------------------------------------------------------------------------------
Are you OK with your IP being logged?
(Y)es/(N)o: Y
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.domainname.com with the following value:
FTctTRfyr6zmfwtI7Gcv7Omgj5Jf202UgCJ-NIX3GtE
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Add the DNS record
Record type: TXT
Host record: _acme-challenge.domainname.com
Record value: FTctTRfyr6zmfwtI7Gcv7Omgj5Jf202UgCJ-NIX3GtE
Get the certificate
Certificate path:
ls /etc/letsencrypt/live/{domainname}
cert.pem chain.pem fullchain.pem privkey.pem README
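Of these:
rename fullchain.pem to {domainname}.pem
rename privkey.pem to {domainname}.key
These two files can then be given to nginx as its certificate and key.
Troubleshooting
- DNS resolution required: check whether the TXT record is misconfigured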
challenge failed for domain
- Too many failures: try again after an hour, or retry from a different IP
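One way to check the TXT record before pressing Enter at the certbot prompt, so that a misconfigured record does not use up a validation attempt. This is an added example, not part of the original post; the function names and the optional resolver argument are assumptions of this sketch, and it expects dig to be installed.

```shell
#!/usr/bin/env bash
# Added example: pre-check the dns-01 TXT record that certbot asks for.
# Function names are hypothetical; usage: script <domainname> <value> [resolver-ip]

# Map a certificate name to the record name used for validation.
# A wildcard (*.domain.com) is validated at _acme-challenge.domain.com.
challenge_name() {
    local d="${1#\*.}"          # drop a leading "*." if present
    d="${d%.}"                  # drop a trailing dot
    printf '_acme-challenge.%s\n' "$d"
}

# Return 0 if any TXT answer equals the expected value exactly.
# $2 is `dig +short` output: one double-quoted string per line. Several
# answers are normal when a wildcard and its base name are issued together.
txt_matches() {
    local expected="$1" answers="$2" line
    while IFS= read -r line; do
        line="${line%\"}"; line="${line#\"}"   # strip the surrounding quotes
        [ "$line" = "$expected" ] && return 0
    done <<EOF
$answers
EOF
    return 1
}

# Live lookup; an empty answer often means the DNS console appended the zone
# to the host record (_acme-challenge.domain.com.domain.com).
check_live() {
    local name answers
    name="$(challenge_name "$1")"
    answers="$(dig +short TXT "$name" ${3:+"@$3"})"
    if txt_matches "$2" "$answers"; then
        echo "OK: $name carries the expected value"
    else
        echo "MISSING: $name returned: ${answers:-<no TXT answer>}" >&2
        return 1
    fi
}

# Run the live check only when a domain and a value are supplied.
if [ "$#" -ge 2 ]; then
    check_live "$@"
fi
```

Run it with the domain passed to -d and the value certbot printed, and continue in certbot only once it reports OK.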
Automatic nginx setup
- Simply run
certbot-auto --nginx
- Select the domain