Quickly configuring a Let's Encrypt wildcard certificate

This article was first published on my personal blog: https://blog.smile13.com

1. Introduction

Let's Encrypt now supports issuing free wildcard certificates: you request an HTTPS certificate for a domain once, and every subdomain under it can use it. One thing needs pointing out: a Let's Encrypt wildcard certificate covers only the second-level (sub)domains, not the main domain itself. For example, blog.smile13.com and smile13.com are treated as two separate domains, and both must be requested when applying for the certificate.

2. Environment

Operating system: CentOS 7.4
Domains to configure: smile13.com, *.smile13.com

3. Requesting the certificate

3.1. Download Certbot and make it executable

1. wget https://dl.eff.org/certbot-auto
2. chmod +x certbot-auto

3.2. Generate the certificate

./certbot-auto certonly -d "*.smile13.com" -d "smile13.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Description of the relevant parameters:
certonly: the certificate-issuance mode; Certbot has two kinds of plugins, installation plugins and validation plugins.
--manual: use the manual plugin; Certbot has many plugins, any of which can obtain a certificate, so pick whichever suits your needs.
-d: the hosts to request the certificate for; for a wildcard, enter *.smile13.com (replace with your own domain).
--preferred-challenges: validate domain ownership via DNS (the dns-01 challenge).
--server: the Let's Encrypt ACME v2 endpoint differs from the v1 one and must be specified explicitly.

The interaction during the command run is shown below:

[root@eric201 software-package]# cd /etc/letsencrypt/live/
-bash: cd: /etc/letsencrypt/live/: No such file or directory
[root@eric201 software-package]# ./certbot-auto certonly -d "*.smile13.com" -d "smile13.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for smile13.com
dns-01 challenge for smile13.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.smile13.com with the following value:

nQjdBo-5myb3mfnMJ1e0lDyfp6cAZap9FBR8AcM4FFE

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Note: at this point you must go to your domain's DNS management console and add the DNS TXT record so that domain ownership can be verified. If you simply press Enter and move on, certificate issuance will fail. How to configure the DNS TXT record is explained further below.


Please deploy a DNS TXT record under the name
_acme-challenge.smile13.com with the following value:

jc8GXEczmoV6hs1K5GXH3NKa-IB2okf7ZWzAVfx8tYY

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Likewise, at this point you also need to add the DNS TXT record in the domain management console to verify domain ownership.

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/smile13.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/smile13.com/privkey.pem
   Your cert will expire on 2019-02-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The DNS TXT records are configured as follows (if you request multiple domains, you need to add multiple records):


Under /etc/letsencrypt/live/smile13.com/ you can see the generated files:

3.3. Renewing the certificate

Let's Encrypt free certificates are valid for 90 days by default. To renew when one is about to expire, run the command below; it can also be set up as a scheduled task so that renewal runs automatically.

certbot-auto renew

4. Configuring the certificate

I use nginx, so only the nginx configuration is described here; Apache is similar and will be added later. Below is the SSL-related configuration; the other parts, such as location, stay unchanged.

server {
    listen 443 ssl;
    server_name blog.smile13.com;   # your domain
    #ssl on;
    # Files issued by certbot above; chain.pem is also written to the same directory
    ssl_certificate /etc/letsencrypt/live/smile13.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/smile13.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/smile13.com/chain.pem;

    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated; keep only TLSv1.2 unless old clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        ......
    }
}

After configuring, restart nginx (systemctl restart nginx) and you are done.

Copyright notice: this is an original article by the blog author; please credit the source when reposting!
