LetsEncrypt Free SSL 通配符证书申请方法
通过官方推荐工具certbot申请
[TOC]
第一步
certbot-2 certonly -d *.lixuedong.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
certonly,表示安装模式,Certbot有安装模式和验证模式两种类型的插件。
--manual表示手动安装插件,Certbot有很多插件,不同的插件都可以申请证书,用户可以根据需要自行选择
-d为那些主机申请证书,如果是通配符,输入* .lixuedong.com(替换为你自己的域名)
-
--preferred-challenge dns,使用DNS方式校验域名所有权
- 客户在申请Let's Encrypt证书的时候,需要校验域名的所有权,证明操作者有权利为该域名申请证书,目前支持三种验证方式:
- dns-01:给域名添加一个DNS TXT记录。
- http-01:在域名对应的Web服务器下放置一个HTTP着名的URL资源文件。
- tls-sni-01:在域名对应的Web服务器下放置一个HTTPS着名的URL资源文件
- 申请通配符证书,只能使用dns-01的方式
- 客户在申请Let's Encrypt证书的时候,需要校验域名的所有权,证明操作者有权利为该域名申请证书,目前支持三种验证方式:
--server,让我们加密ACME v2版本使用的服务器不同于v1版本,需要显示指定
交互式命令行输出
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
请阅读服务条款
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf。 你必须
同意以便在ACME服务器上注册
https://acme-v02.api.letsencrypt.org/directory
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for lixuedong.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
选择的插件:Authenticator manual,Installer None
启动新的HTTPS连接(1):acme-v02.api.letsencrypt.org
获得新证书
执行以下挑战:
dix-01挑战lixuedong.com
注意:本机的IP将公开记录为已请求此项
证书。 如果您在非手动模式下以手动模式运行certbot
你的服务器,请确保你没事。
您的IP被记录了吗?
(Y)es /(N)o:y
(就是问你的域名有没有解析到公网IP)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.lixuedong.com with the following value:
z55lrkHoxYaFoGsvUASE0WgaIifiP-iiVwac-JUd-94
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
配置解析记录
配置DNS TXT记录,校验域名所有权,在没有确认TXT记录生效之前不要回车执行。
截图
证书申请成功
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/lixuedong.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/lixuedong.com/privkey.pem
Your cert will expire on 2019-04-23. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
证书申请成功
保存在 /etc/letsencrypt/archive/lixuedong.com
手动安装证书
我用的是Apache服务器
进入Apache服务器安装目录
创建一个保存证书的目录
cd /usr/local/apache && mkdir cert
将证书从默认路径下复制过来
mv /etc/letsencrypt/archive/lixuedong.com/* /usr/local/apache/cert
修改配置文件
vim /usr/local/apache/conf/extra/http-ssl.conf
<VirtualHost 0.0.0.0:443>
DocumentRoot "/home/www/htdocs"
ServerName www.lixuedong.com
SSLEngine on
SSLCertificateFile cert/fullchain1.pem
SSLCertificateKeyFile cert/privkey1.pem
SSLCertificateChainFile cert/chain1.pem
</VirtualHost>
重启Apache服务器
/usr/local/apache/bin/apachectl stop && /usr/local/apache/bin/apachectl start
大功告成!
20190123144758.png
20190123144742.png
错误问题
certbot 执行报错
我遇到的是
Traceback (most recent call last):
File "/usr/bin/certbot-2", line 9, in <module>
load_entry_point('certbot==0.29.1', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 564, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2662, in load_entry_point
return ep.load()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2316, in load
return self.resolve()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2322, in resolve
module = __import__(self.module_name, fromlist=['__name__'], level=0)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 23, in <module>
from certbot import client
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 16, in <module>
from acme import client as acme_client
File "/usr/lib/python2.7/site-packages/acme/client.py", line 40, in <module>
urllib3.contrib.pyopenssl.inject_into_urllib3()
AttributeError: 'module' object has no attribute 'pyopenssl'
解决办法
yum install certbot
pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3
