Requesting a wildcard certificate with certbot

Preface

What is Let's Encrypt?

Only a handful of certificate authorities in the world are trusted by browsers, and Let's Encrypt is one of them. You can obtain a certificate from it for free (paying is also an option, and certificates from many CAs easily cost thousands or tens of thousands a year). If all we want is a test environment that needs HTTPS, there is no reason to waste that money. The free lunch does have a catch, though: a Let's Encrypt certificate is only valid for 90 days, so you have to renew it before it expires. There are also various rate limits, such as how many times a week you may request certificates and how many operations a single IP may perform per day; for details see:

https://letsencrypt.org/docs/rate-limits/

Can you use a domain certificate generated with the JDK instead? Yes, it works, but the browser will tell you it does not recognise the certificate, i.e. it will show a "Not secure" warning in the top-left corner.

What is a wildcard certificate?

For example, *.xxx.com: a certificate that can be used across a domain's subdomains (its second-level names) is called a wildcard certificate.

Let's Encrypt officially recommends using the certbot script to request certificates. The steps below are based on CentOS 7 with Python 2.7.5; if you hit errors along the way, consider Python package version problems and the like first.

Installation steps

git clone https://github.com/letsencrypt/letsencrypt

If git is not installed, install it with: yum install -y git

cd letsencrypt
# Run the following command directly
./certbot-auto certonly --manual -d *.1233s2b.cn --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Parameter description

certonly: only request a certificate (do not install it).
--agree-tos: agree to the ACME terms of service.
--no-bootstrap: for system-level operations that would require user consent, choose N directly.
--manual-public-ip-logging-ok: automatically allow your IP to be logged; the default is to ask, and if you decline the request cannot be completed.
--manual: interactive (manual) request.
-d: which hosts to request the certificate for, e.g. *.xxx.cn (a wildcard here).
--preferred-challenges dns: use DNS validation to prove domain ownership; several challenge types can be configured.
--server: the ACME v2 server of Let's Encrypt differs from the v1 one and must be specified explicitly.

Running the command above prints the following:

Creating virtual environment...
Installing Python packages... # this step takes quite a while; if it hangs or errors, switch to another pip mirror
DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): # enter your e-mail address; press c to cancel, Enter to continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y # whether to allow them to e-mail you; either answer is fine
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for xxx.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.xxx.cn with the following value:

vTQ65N5PxxxxxxxxxxxxxxfD4VQ66uG8
### At this point, first configure the DNS TXT record: point _acme-challenge to the value vTQ65N5xxxxxxxxxxxxxxxfD4VQ66uG8
# Once the record has propagated, press Enter to continue
### Command to verify propagation: dig -t txt _acme-challenge.xxx.cn
### After verification succeeds
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xxx.cn/fullchain.pem #### path of the generated certificate
   Your key file has been saved at:
   /etc/letsencrypt/live/xxx.cn/privkey.pem  ### private key path
   Your cert will expire on 2020-08-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"  #### this is the renewal command
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Command to verify that the record has propagated: dig -t txt _acme-challenge.xxx.cn
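The most common failure at the "Press Enter to Continue" step is continuing before the TXT record is actually visible. As an added example (not from the original post or from certbot), the POSIX shell helper below polls the _acme-challenge record with dig and only reports success once the exact value certbot printed appears; it assumes dig is installed (bind-utils on CentOS 7), and the script name wait_txt.sh is hypothetical.

```shell
#!/bin/sh
# Added example: confirm the _acme-challenge TXT record is live before
# pressing Enter in certbot. Assumes `dig` is available.

# txt_has_value DIG_OUTPUT EXPECTED
# Succeeds when one of the quoted TXT strings in DIG_OUTPUT equals EXPECTED
# exactly. Several records may coexist under the same name (for example when
# both xxx.cn and *.xxx.cn are requested), so every line is checked.
txt_has_value() {
  printf '%s\n' "$1" | tr -d '"' | grep -qxF -- "$2"
}

# wait_for_txt NAME EXPECTED [ATTEMPTS] [RESOLVER]
# Polls every 10 s. The default is the system resolver; pass the zone's
# authoritative nameserver as RESOLVER to avoid stale caches, since
# Let's Encrypt validates against the authoritative servers, not your cache.
wait_for_txt() {
  _name=$1; _expected=$2; _attempts=${3:-30}; _resolver=${4:-}
  _i=0
  while [ "$_i" -lt "$_attempts" ]; do
    if [ -n "$_resolver" ]; then
      _out=$(dig +short -t txt "$_name" "@$_resolver" 2>/dev/null)
    else
      _out=$(dig +short -t txt "$_name" 2>/dev/null)
    fi
    if txt_has_value "$_out" "$_expected"; then
      echo "TXT record for $_name is live; safe to press Enter in certbot."
      return 0
    fi
    _i=$((_i + 1))
    sleep 10
  done
  echo "TXT record for $_name did not show the expected value after $_attempts attempts." >&2
  return 1
}

# Usage (hypothetical file name):
#   sh wait_txt.sh _acme-challenge.xxx.cn vTQ65N5P...fD4VQ66uG8 [attempts] [ns1.example]
if [ "$#" -ge 2 ]; then
  wait_for_txt "$@"
fi
```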

Once the certificate has been issued you are good to go: configure it in nginx or Tomcat, or upload it to your cloud platform if you use one. Generate once, use everywhere; no matter how many second-level names you add under the domain, this one certificate covers them.
