Installation
# Download
wget https://dl.eff.org/certbot-auto
# Make it executable
chmod a+x certbot-auto
Request the certificate
# Note: replace xxx.com with your own domain
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.xxx.com" --manual --preferred-challenges dns-01 certonly
The certificate does not cover the apex domain
If you want the apex domain covered by the certificate as well, add -d "xxx.com" to the command from the certificate-request step, as below.
Note that in this case you have to add a DNS record twice, once for each name.
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.xxx.com" -d "xxx.com" --manual --preferred-challenges dns-01 certonly
After running this step, certbot-auto downloads the dependencies it needs; after a short wait, it prompts for an email address.
The email address matters: it is used for security notices and renewal reminders.
Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
- cancel):
+ cancel): enter your email address here
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
- (A)gree/(C)ancel:
+ (A)gree/(C)ancel: A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
- (Y)es/(N)o:
+ (Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for showgold.com
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
- (Y)es/(N)o:
+ (Y)es/(N)o: Y
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
+ _acme-challenge.xxx.com # add this name as a TXT record
with the following value:
+ VBsfRHG______4t_drxcEFQlyOS0puAlJFypAYQTA # record value
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
+ Do not press Enter right away: first run dig _acme-challenge.xxx.com txt to confirm the record has taken effect, then come back and press Enter.
Waiting for verification...
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
+ /etc/letsencrypt/live/xxx.com/fullchain.pem
Your key file has been saved at:
+ /etc/letsencrypt/live/xxx.com/privkey.pem
Your cert will expire on 2018-06-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
+ "certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Note:
Requesting a wildcard certificate requires DNS validation: follow the prompt and add the corresponding DNS TXT record in your domain's DNS control panel.
After adding it, do not press Enter right away; first run dig xxxx.xxx.com txt to confirm the record has taken effect, then come back and press Enter.
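The "check with dig before pressing Enter" step above is easy to get wrong when the resolver you query still has a cached (empty or stale) answer. The script below is an added example, not part of the original post: it looks up the domain's authoritative nameservers and polls each of them directly for the _acme-challenge TXT record until every one of them serves the exact value certbot printed. It assumes dig is installed; the domain xxx.com and the value VBsfRHG... are the post's placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that the
# _acme-challenge TXT record certbot asked for is served by every
# authoritative nameserver before pressing Enter in the certbot prompt.
# Assumes `dig` is installed (package dnsutils or bind-utils).

# txt_has_value DIG_OUTPUT EXPECTED
# `dig +short` prints one quoted string per TXT record. Strip the quotes
# and require an exact whole-line match, so a stale token from an earlier
# run (or the other token when wildcard and apex are requested together)
# is not mistaken for the one certbot is waiting on.
txt_has_value() {
    printf '%s\n' "$1" | tr -d '"' | grep -Fxq -- "$2"
}

# authoritative_ns DOMAIN: print the domain's nameservers, one per line,
# without the trailing dot. Querying them directly bypasses resolver
# caches, which is where a freshly added record usually stays invisible.
authoritative_ns() {
    dig +short NS "$1" | sed 's/\.$//'
}

# wait_for_txt DOMAIN EXPECTED [TIMEOUT_SECONDS]
# Returns 0 once every authoritative server answers with EXPECTED for
# _acme-challenge.DOMAIN, 1 if the timeout (default 600 s) passes first
# or no nameservers can be found at all.
wait_for_txt() {
    domain=$1
    expected=$2
    timeout=${3:-600}
    name="_acme-challenge.$domain"

    servers=$(authoritative_ns "$domain")
    if [ -z "$servers" ]; then
        echo "error: no NS records found for $domain" >&2
        return 1
    fi

    deadline=$(( $(date +%s) + timeout ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        missing=0
        for ns in $servers; do
            answer=$(dig +short @"$ns" TXT "$name" 2>/dev/null)
            if ! txt_has_value "$answer" "$expected"; then
                echo "waiting: $ns does not yet serve the expected value for $name" >&2
                missing=1
            fi
        done
        if [ "$missing" -eq 0 ]; then
            echo "ok: $name carries the expected value on all authoritative servers"
            return 0
        fi
        sleep 15
    done

    echo "timeout: record not visible on all servers after ${timeout}s" >&2
    return 1
}

# Usage, with the name and value copied from certbot's prompt
# (xxx.com is the post's placeholder domain):
#   sh check-acme-txt.sh xxx.com VBsfRHG______4t_drxcEFQlyOS0puAlJFypAYQTA
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    wait_for_txt "$1" "$2"
fi
```

Two points worth keeping in mind when using it. When the wildcard and the apex domain are requested in one command, certbot presents two different values for the same name, _acme-challenge.xxx.com, so the second value must be added as an additional TXT record rather than replacing the first; the exact-match check above then needs to be run once per value. And because the certificate was issued with the manual authenticator, a later non-interactive `certbot-auto renew` cannot complete the DNS-01 challenge on its own: certbot refuses to run the manual plugin non-interactively unless a --manual-auth-hook script that creates the record is supplied, so plan either for an interactive re-run or for a hook that talks to your DNS provider's API.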
Check the certificate's expiry date
certbot-auto certificates   # or, with a packaged certbot: certbot certificates
Example nginx configuration using this certificate
server {
    server_name xxx.com;
    listen 443 http2 ssl;
    ssl on;  # redundant with "listen ... ssl" and deprecated since nginx 1.15.0
    # fullchain.pem contains the leaf certificate plus the intermediate chain
    ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
    # privkey.pem is the private key; keep it readable by root only
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
}
If you are on Alibaba Cloud, you can request a free certificate there instead.
Related documentation
https://help.aliyun.com/document_detail/28548.html?spm=a2c4g.11186623.6.556.1fba7ab3IiIWLh