Generating a free SSL certificate with Let's Encrypt (certificates are valid for 3 months)
1. Download the certbot-auto tool
wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto
2. Generate the certificate (dependencies such as openssl-devel are installed automatically)
# root privileges are required
# Follow the prompts: enter an email address, agree to the terms of service, and so on
# Note: at the DNS-record prompt, press Enter only after the record has been created (see below)
[root@BOSS_SUPPORT_ADP ~]# ./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.xxapp.com" --manual --preferred-challenges dns-01 certonly
3. If you press Enter all the way through and skip the DNS-record step, certbot reports an error
# In that case simply rerun the command above
[root@BOSS_SUPPORT_ADP ~]# ./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.xxapp.com" --manual --preferred-challenges dns-01 certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for xxapp.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y ########### after typing Y, do NOT press Enter yet
########### create the TXT record at your DNS provider
# _acme-chxxxxxxnge.xxapp.com  TXT record with value tvz7vfOMn9QT4XPxxxxxnvYygohV-scq72E0B_366s
# check the record: dig _acme-chxxxxxxnge.xxapp.com txt   # press Enter once it resolves
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.xxapp.com with the following value:
tvz7vfOMn9QT4XPxxxxxnvYygohV-scq72E0B_366s
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/xxapp.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/xxapp.com/privkey.pem
Your cert will expire on 2019-04-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
4. Where the certificate is stored
# in the subdirectory named after the domain
/etc/letsencrypt/live/
5. Certificate file names and their meaning
-rw-r--r-- 1 root root 1907 Jan 22 03:07 cert1.pem      # the server certificate itself
-rw-r--r-- 1 root root 1647 Jan 22 03:07 chain1.pem     # the intermediate (CA chain) certificate
-rw-r--r-- 1 root root 3554 Jan 22 03:07 fullchain1.pem # cert1.pem and chain1.pem concatenated, used as the certificate chain
-rw------- 1 root root 1704 Jan 22 03:07 privkey1.pem   # the certificate's private key
6. Renewing the SSL certificates you have obtained
certbot provides a renewal command, certbot renew, which automatically renews all previously obtained SSL certificates.
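Two checks that go with steps 3 and 6 above, as an added helper script that is not part of the original notes or of certbot: it polls the _acme-challenge TXT record so you know when it is safe to press Enter in the manual dns-01 prompt, and it tells you whether the issued certificate is still good for a given number of days. It assumes dig and openssl are installed; the domain, token and paths in the usage comment are the placeholder values from the notes.

```shell
#!/bin/sh
# Added helper script (not from the original notes). Assumes dig and openssl.

# Return 0 if the expected ACME token is among the TXT records in the given
# "dig +short" output. dig prints each TXT record as a quoted string, one per
# line, so strip the quotes and look for an exact whole-line match.
txt_record_has_token() {
  dig_output="$1"; expected="$2"
  printf '%s\n' "$dig_output" | tr -d '"' | grep -qxF -- "$expected"
}

# Poll the resolver until the token is visible or the timeout (seconds) passes.
# Press Enter in certbot only after this returns 0; a record that is not yet
# visible is exactly the failure described in step 3.
wait_for_txt() {
  name="$1"; expected="$2"; timeout="${3:-300}"
  waited=0
  while [ "$waited" -lt "$timeout" ]; do
    if txt_record_has_token "$(dig +short TXT "$name")" "$expected"; then
      echo "TXT record for $name is live; press Enter in certbot now."
      return 0
    fi
    sleep 10; waited=$((waited + 10))
  done
  echo "TXT record for $name not visible after ${timeout}s" >&2
  return 1
}

# Return 0 if the certificate in PEM is still valid for at least DAYS more days.
# Let's Encrypt certificates last 90 days. A certificate issued with --manual
# dns-01 as above is not renewed unattended by "certbot-auto renew" unless an
# auth hook is configured, so check expiry regularly and repeat the steps in time.
cert_valid_for_days() {
  pem="$1"; days="${2:-30}"
  openssl x509 -noout -in "$pem" -checkend $((days * 86400))
}

# Typical use (placeholder domain and token from the notes above):
# wait_for_txt _acme-challenge.xxapp.com tvz7vfOMn9QT4XPxxxxxnvYygohV-scq72E0B_366s
# cert_valid_for_days /etc/letsencrypt/live/xxapp.com/fullchain.pem 30 || echo "renew soon"
```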