Let's Encrypt has long offered free single-domain certificates valid for three months, and they are common on the web. Early on the project announced that it would issue wildcard certificates, and only today can we formally apply for them. Wildcard certificates are currently also valid for three months; you can set up a cron job that runs automatically and requests a new certificate shortly before the three months are up. Because issuance uses the ACME v2 DNS method, only DNS providers such as CloudXNS, DNSpod and Cloudflare are supported. Fully automated deployment is recommended: https://certbot.eff.org/
How to apply on CentOS:
1. Download acme.sh
curl https://get.acme.sh | sh
2. Request the certificate (using the wildcard *.s-b.me as the example; the wildcard is quoted so the shell does not expand it as a glob)
cd ~/.acme.sh
./acme.sh --issue -d '*.s-b.me' -d s-b.me --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
Output:
[Sat Mar 24 13:10:07 UTC 2018] Registering account
[Sat Mar 24 13:10:08 UTC 2018] Registered
[Sat Mar 24 13:10:08 UTC 2018] ACCOUNT_THUMBPRINT='hS_gwvXaqMtxJh2Bz0asmWK3r7iMYIknkOWDqO1a76U'
[Sat Mar 24 13:10:08 UTC 2018] Creating domain key
[Sat Mar 24 13:10:09 UTC 2018] The domain key is here: /root/.acme.sh/*.s-b.me/*.s-b.me.key
[Sat Mar 24 13:10:09 UTC 2018] Multi domain='DNS:*.s-b.me,DNS:s-b.me'
[Sat Mar 24 13:10:09 UTC 2018] Getting domain auth token for each domain
[Sat Mar 24 13:10:10 UTC 2018] Getting webroot for domain='*.s-b.me'
[Sat Mar 24 13:10:10 UTC 2018] Getting webroot for domain='s-b.me'
[Sat Mar 24 13:10:10 UTC 2018] Add the following TXT record:
[Sat Mar 24 13:10:10 UTC 2018] Domain: '_acme-challenge.s-b.me'
[Sat Mar 24 13:10:10 UTC 2018] TXT value: '6sf1Iuh7r****************bHPs8QriJf8ibpszRk'
[Sat Mar 24 13:10:10 UTC 2018] Please be aware that you prepend _acme-challenge. before your domain
[Sat Mar 24 13:10:10 UTC 2018] so the resulting subdomain will be: _acme-challenge.s-b.me
[Sat Mar 24 13:10:10 UTC 2018] Add the following TXT record:
[Sat Mar 24 13:10:10 UTC 2018] Domain: '_acme-challenge.s-b.me'
[Sat Mar 24 13:10:10 UTC 2018] TXT value: 'iA68V9A14****************mlrsZx24raM-S0gmpI'
[Sat Mar 24 13:10:10 UTC 2018] Please be aware that you prepend _acme-challenge. before your domain
[Sat Mar 24 13:10:10 UTC 2018] so the resulting subdomain will be: _acme-challenge.s-b.me
[Sat Mar 24 13:10:10 UTC 2018] Please add the TXT records to the domains, and re-run with --renew.
[Sat Mar 24 13:10:10 UTC 2018] Please add '--debug' or '--log' to check more details.
[Sat Mar 24 13:10:10 UTC 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
3. Using the output, add the TXT records for the domain to prove ownership of it
_acme-challenge.s-b.me  TXT  iA68V9A14****************mlrsZx24raM-S0gmpI
_acme-challenge.s-b.me  TXT  6sf1Iuh7r****************bHPs8QriJf8ibpszRk
4. Obtain the wildcard certificate
./acme.sh --renew -d '*.s-b.me' -d s-b.me --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
If all goes well, a certificate directory named after the wildcard domain is created under the current directory:
/root/.acme.sh/*.s-b.me/
├── ca.cer
├── fullchain.cer
├── *.s-b.me.cer
├── *.s-b.me.conf
├── *.s-b.me.csr
├── *.s-b.me.csr.conf
└── *.s-b.me.key
5. Configure nginx or another web server for SSL access
.cer is the certificate file, .key is the private key file, and fullchain.cer is the certificate together with its chain
6. Certificate renewal
Run the following through crontab or another scheduler:
./acme.sh --renew -d '*.s-b.me' -d s-b.me --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
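The following helper script is an added example; it is not part of the original post and not acme.sh's own code. It covers steps 2 to 4 above: it parses the "Domain:" / "TXT value:" pairs out of acme.sh's manual-mode output (note that both records share the name _acme-challenge.s-b.me, one for the wildcard and one for the apex, so two TXT records with the same name must coexist), polls a public resolver until each value is visible, and only then runs the --renew command; a last helper inspects the issued certificate's SAN list and expiry with openssl. The embedded log is constructed to mirror the output shown above with placeholder tokens; the resolver address, the 30-attempt limit and the file paths are assumptions. One caveat for step 6: manual DNS mode hands out fresh challenge tokens on every issuance, so a cron job running the --renew command cannot complete on its own and the TXT records have to be updated by hand each time; unattended renewal needs an API-backed provider such as the dns_cx flow in the Debian section below.

```shell
#!/bin/sh
# Added example (not from the original post): helpers around acme.sh's manual
# DNS mode. SAMPLE_LOG is constructed to mirror acme.sh's "--issue" output;
# the TXT values are placeholders, not real challenge tokens.
set -eu

SAMPLE_LOG="[Sat Mar 24 13:10:10 UTC 2018] Add the following TXT record:
[Sat Mar 24 13:10:10 UTC 2018] Domain: '_acme-challenge.s-b.me'
[Sat Mar 24 13:10:10 UTC 2018] TXT value: 'constructed-token-one'
[Sat Mar 24 13:10:10 UTC 2018] Add the following TXT record:
[Sat Mar 24 13:10:10 UTC 2018] Domain: '_acme-challenge.s-b.me'
[Sat Mar 24 13:10:10 UTC 2018] TXT value: 'constructed-token-two'
[Sat Mar 24 13:10:10 UTC 2018] Please add the TXT records to the domains, and re-run with --renew."

# Read acme.sh output on stdin and print one "record-name token" pair per line.
# Both the "Domain:" and "TXT value:" lines wrap their payload in single quotes,
# so the second quote-delimited field is exactly the value we need.
extract_txt_records() {
  awk -F"'" '
    /Domain: /    { name = $2 }
    /TXT value: / { print name, $2 }
  '
}

# Poll a public resolver (assumed: 1.1.1.1) until the expected TXT value is
# visible, or give up after 30 attempts. Saving the record at the registrar is
# not enough; the CA has to be able to resolve it.
wait_for_txt() {
  name=$1; value=$2; tries=0
  while [ "$tries" -lt 30 ]; do
    if dig +short TXT "$name" @1.1.1.1 | tr -d '"' | grep -qxF "$value"; then
      return 0
    fi
    tries=$((tries + 1))
    sleep 10
  done
  echo "TXT record $name with value $value never became visible" >&2
  return 1
}

# Second half of the manual flow: once every record is visible, re-run with --renew.
complete_issuance() {
  issue_log=$1
  printf '%s\n' "$issue_log" | extract_txt_records | while read -r name value; do
    wait_for_txt "$name" "$value" || exit 1
  done || return 1
  ~/.acme.sh/acme.sh --renew -d '*.s-b.me' -d s-b.me --dns \
    --yes-I-know-dns-manual-mode-enough-go-ahead-please
}

# Sanity check on the result: confirm the SAN list covers both names and read
# the expiry date, which is what a renewal reminder should key on.
check_cert() {
  cert=$1
  openssl x509 -in "$cert" -noout -subject -enddate -ext subjectAltName
}

# Offline demonstration on the constructed log: prints the two records to add.
printf '%s\n' "$SAMPLE_LOG" | extract_txt_records
# Online usage, after adding the printed records at your DNS provider:
#   complete_issuance "$(~/.acme.sh/acme.sh --issue -d '*.s-b.me' -d s-b.me --dns \
#       --yes-I-know-dns-manual-mode-enough-go-ahead-please 2>&1)"
#   check_cert ~/.acme.sh/\*.s-b.me/fullchain.cer
```

Run it as-is to see the parsed records; the commented lines at the end show the online sequence, which needs dig, openssl and a working acme.sh install.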
Applying on Debian
- Install the dependencies
apt-get update && apt-get install curl -y && apt-get install cron -y && apt-get install socat -y
- Download acme.sh
curl https://get.acme.sh | sh
- Obtain the CloudXNS API KEY and SECRET KEY
API KEY: XXXXXXXXXXX
SECRET KEY: YYYYYYYYYYYY
Note: be sure to add the IP of the VPS where acme.sh is installed to the API whitelist.
- Run the issuance; my own domain gov.com.sb is used as the example
~/.acme.sh/acme.sh --issue -d '*.gov.com.sb' --dns dns_cx
- Retrieve the certificate, again using my domain gov.com.sb as the example
The CSR, KEY and CERT are all under this path:
/root/.acme.sh/gov.com.sb
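As an added example (not from the original post and not acme.sh's own code), the script below ties the Debian flow together and also covers step 5 of the CentOS section: it issues the wildcard plus apex certificate through the CloudXNS API (acme.sh's dns_cx hook reads the credentials from the CX_Key and CX_Secret environment variables and saves them for later runs), uses acme.sh --install-cert to copy the key and full chain to nginx's directory with a reload command that acme.sh re-runs after every automatic renewal from the daily cron entry it installed at setup, and renders the matching nginx server block, which is where fullchain.cer and the .key file from step 5 belong. The domain is the post's gov.com.sb; /etc/nginx/ssl, the file names, the reload command, the TLS protocol line and the conf.d location are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): deploy script for the CloudXNS
# API flow. The nginx paths, file names and reload command are assumptions.
set -eu

DOMAIN="gov.com.sb"              # the post's example domain
NGINX_SSL_DIR="/etc/nginx/ssl"   # assumed location; adjust to your layout

# Step 1: issue through the CloudXNS API. The dns_cx hook reads CX_Key and
# CX_Secret from the environment on the first run and stores them in
# ~/.acme.sh/account.conf, so later cron renewals need no interaction.
issue_with_cloudxns() {
  : "${CX_Key:?export CX_Key (the CloudXNS API KEY) first}"
  : "${CX_Secret:?export CX_Secret (the CloudXNS SECRET KEY) first}"
  ~/.acme.sh/acme.sh --issue -d "*.$DOMAIN" -d "$DOMAIN" --dns dns_cx
}

# Step 2: copy the files to where nginx reads them. --install-cert records the
# target paths and the reload command in the domain's .conf, and acme.sh's
# cron job repeats the copy and reload after each automatic renewal.
install_to_nginx() {
  mkdir -p "$NGINX_SSL_DIR"
  ~/.acme.sh/acme.sh --install-cert -d "*.$DOMAIN" \
    --key-file       "$NGINX_SSL_DIR/$DOMAIN.key" \
    --fullchain-file "$NGINX_SSL_DIR/$DOMAIN.fullchain.cer" \
    --reloadcmd      "systemctl reload nginx"
}

# Step 3: the matching nginx vhost. The full chain goes into ssl_certificate so
# clients receive the intermediate as well; the .key file is the private key.
# The ssl_protocols line assumes an nginx/OpenSSL build with TLS 1.3 support.
render_nginx_vhost() {
  domain=$1; ssl_dir=$2
  cat <<EOF
server {
    listen 443 ssl;
    server_name $domain *.$domain;

    ssl_certificate     $ssl_dir/$domain.fullchain.cer;
    ssl_certificate_key $ssl_dir/$domain.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
}
EOF
}

# Offline demonstration: print the vhost that would be saved as
# /etc/nginx/conf.d/$DOMAIN.conf (assumed location).
render_nginx_vhost "$DOMAIN" "$NGINX_SSL_DIR"
# Online usage:
#   export CX_Key=... CX_Secret=...
#   issue_with_cloudxns && install_to_nginx
```

After the first successful run, acme.sh --cron (installed by get.acme.sh) renews the certificate on its own, and the reload command registered by --install-cert puts the new files into service.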
Original article by 然星; if you reproduce it, please cite the source: https://gov.com.sb/lets-encrypt-2.html