# How to Get a Free Wildcard Certificate Yourself (Based on Let's Encrypt)

ゝ一纸荒年。 2022-11-21 01:13

Our project recently went live and needed HTTPS. I found certificates that can be had for free online, so I am writing down the process here.

Let's Encrypt is a non-profit certificate authority that is already trusted by most browsers. We can use Certbot (a free, open-source tool) to obtain Let's Encrypt certificates and enable HTTPS on a manually managed website.

## Prerequisites ##

A server (running nginx) and a domain name whose ICP filing (备案) is complete. In the commands and output below, `域名` stands for that domain name.

## Installing Certbot ##

Every certificate-related operation can be done with the Certbot software; just download it and use it.

```bash
# Download the Certbot client
wget https://dl.eff.org/certbot-auto
# Make it executable
chmod a+x certbot-auto
# Show the help
./certbot-auto --help all
```

## Requesting the certificate ##

```bash
./certbot-auto certonly -d "*.域名" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
```

This enters interactive mode:

```
[root@localhost ~]# ./certbot-auto certonly -d "*.域名" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for 域名

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: yes
```

The notice means: the IP of this machine will be publicly logged as having requested this certificate; if you are running certbot in manual mode on a machine that is not your server, make sure you are fine with that. Type `yes` to accept.

Note: at the next prompt you must first add a TXT record in your domain's DNS console, and only then press Enter.

```
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.域名 with the following value:

ur_8Rd55kGtmgMG8Qm-7BFRGePFBvsXaTYac_imEeaQ

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/域名-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/域名-0001/privkey.pem
   Your cert will expire on 2021-01-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
```

Here `_acme-challenge` is the host record and the long string (`ur_8Rd55kGtmgMG8Qm-7BFRGePFBvsXaTYac_imEeaQ`) is the record value. Once the record is configured, go back to the terminal and press Enter.

When the command finishes, the generated certificate is in place and the next step is configuring nginx. You can check the certificate's status with `certificates`:

```
[root@localhost ~]# ./certbot-auto certificates
Found the following certs:
  Certificate Name: yxonline.art-0001
    Serial Number: 4af57dfc042762fbde35acdcb4490c50d30
    Domains: *.域名
    Expiry Date: 2021-01-22 04:49:59+00:00 (VALID: 84 days)
    Certificate Path: /etc/letsencrypt/live/域名-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/域名-0001/privkey.pem
```

## Configuring nginx ##

In the nginx configuration file, configure `443 ssl` and point the certificate directives at the files that were just generated:

```nginx
ssl_certificate /etc/letsencrypt/live/域名-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/域名-0001/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/域名-0001/chain.pem;
```

Then check the nginx configuration file and reload nginx. Open the domain in a browser and you can see the certificate information.

![Insert image description here][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzkzMTM1OA_size_16_color_FFFFFF_t_70_pic_center]

For security, a free certificate is only valid for three months, but it can be renewed with the `./certbot-auto renew` command. Put that command in a cron job that runs at 3 a.m. every day. It checks whether any certificate on the server will expire within the next 30 days and renews it if so; the `--quiet` flag tells certbot not to produce output.

```
0 3 * * * /root/certbot-auto renew --quiet
```

One caveat for this setup: a certificate obtained with `--manual` cannot be renewed non-interactively by `renew` unless you also supply a `--manual-auth-hook` script that publishes the new TXT record, because every renewal issues a fresh dns-01 challenge value. Without such a hook the cron job will fail silently, so check the renewal log (`/var/log/letsencrypt/letsencrypt.log`) or run `renew --dry-run` before relying on it.

That's it: the free wildcard certificate has been generated successfully.

[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzkzMTM1OA_size_16_color_FFFFFF_t_70_pic_center]: /images/20221120/aafe7050c2874ba1a3c5dc833f660e59.png
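Before pressing Enter at the "Before continuing, verify the record is deployed" prompt, it is worth confirming that the `_acme-challenge` TXT record is actually visible from the zone's authoritative nameservers; a failed challenge counts against Let's Encrypt's rate limits. The script below is an added example, not part of the original post and not Certbot's own tooling; it assumes `dig` is installed and takes the base domain and the token certbot printed as its two arguments.

```shell
#!/bin/sh
# Pre-flight check for the manual dns-01 step: is the TXT record published yet?
# Added example; assumes dig (package bind-utils / dnsutils) is available.

# Compare the expected token with raw TXT answers from dig (one per line,
# usually wrapped in double quotes). Succeeds if any answer equals the token.
txt_matches() {
    expected="$1"
    answers="$2"
    printf '%s\n' "$answers" | sed 's/^"//; s/"$//' | grep -qxF -- "$expected"
}

# Ask every authoritative nameserver of the zone for _acme-challenge.<domain>.
# Succeeds only when all of them already serve the expected value, which is
# what Let's Encrypt's validators need to see. Falls back to the system
# resolver when the name is not a zone apex and has no NS records of its own.
check_acme_txt() {
    domain="$1"
    expected="$2"
    name="_acme-challenge.$domain"
    ns_list=$(dig +short NS "$domain")
    rc=0
    if [ -z "$ns_list" ]; then
        answers=$(dig +short TXT "$name")
        txt_matches "$expected" "$answers" && echo "ok   resolver serves $name" && return 0
        echo "MISS $name not yet visible (got: ${answers:-nothing})" >&2
        return 1
    fi
    for ns in $ns_list; do
        answers=$(dig +short @"$ns" TXT "$name")
        if txt_matches "$expected" "$answers"; then
            echo "ok   $ns serves $name"
        else
            echo "MISS $ns does not yet serve the expected value (got: ${answers:-nothing})" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_txt.sh example.com ur_8Rd55kGtmgMG8Qm-7BFRGePFBvsXaTYac_imEeaQ
# (the token here is the one shown in the post; substitute the one certbot gives you)
if [ "$#" -eq 2 ]; then
    check_acme_txt "$1" "$2"
fi
```

Loop on it (for example `until sh check_txt.sh 域名 TOKEN; do sleep 30; done`) and only press Enter in certbot once it reports `ok` for every nameserver.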