帅哥皇帝 posted on 2023-7-26 18:26:00

Generating a Let's Encrypt wildcard certificate with Certbot on Windows

<p>https://www.cnblogs.com/liucai/p/17460451.html</p>
<p>https://zhuanlan.zhihu.com/p/627526278</p>
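<h1 class="postTitle"><span>On Windows, you can use Certbot to generate a Let's Encrypt wildcard certificate. The steps are as follows</span></h1>
<p>Software preparation:</p>
<ol>
<li>
<p>Install OpenSSL: first, you need to install OpenSSL on your Windows system. You can download the version that suits your system from the official OpenSSL website.</p>
</li>
<li>
<p>Install Certbot: next, you need to install Certbot. You can download the version that suits your system from the official Certbot website.</p>
</li>
</ol>
<p>On Windows, you can use Certbot to generate a Let's Encrypt wildcard certificate. The steps are as follows:</p>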
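<ol>
<li>
<p>Install Certbot's DNS plugin: first, you need to install a Certbot DNS plugin. The exact plugin name depends on your DNS provider. For example, if you use Cloudflare, you need to install the <code>certbot-dns-cloudflare</code> plugin. You can find the plugin installation guide on the official Certbot website.</p>
</li>
<li>
<p>Obtain API credentials: you need to get API credentials from your DNS provider so that Certbot can update DNS records automatically. Save these credentials in a file; Certbot will use this file to validate your domain.</p>
</li>
<li>
<p>Generate the certificate: open a command prompt and run the following command to generate the certificate: <code>certbot certonly --manual --preferred-challenges dns -d "*.yourdomain.com"</code></p>
</li>
</ol>
<p>In this command, replace <code>yourdomain.com</code> with your actual domain.</p>
<ol start="4">
<li>
<p>Validate the domain: Certbot prints instructions telling you how to add a DNS TXT record to your domain. Log in to your DNS provider and add the TXT record as Certbot instructs.</p>
</li>
<li>
<p>Complete the validation: after you have added the TXT record, go back to the command prompt and press Enter. Certbot validates your domain and, if validation succeeds, generates the certificate.</p>
</li>
<li>
<p>Install the certificate: finally, you need to install the certificate on your server. The installation procedure depends on your server type.</p>
</li>
</ol>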
<p>Certificates generated by Certbot are usually in PEM format, while Windows usually needs certificates in PFX (also known as PKCS#12) format. You can use OpenSSL to convert a PEM certificate to PFX.</p>
<p>The steps are as follows:</p>
<ol>
<li>
<p>Locate your certificate and private key: the certificate and private key generated by Certbot are usually in the <code>/etc/letsencrypt/live/yourdomain.com/</code> directory, where <code>yourdomain.com</code> is your domain. The certificate file is usually <code>fullchain.pem</code> and the private key file is usually <code>privkey.pem</code>.</p>
</li>
<li>
<p>Convert the certificate: open a command prompt and run the following command to convert the certificate: <code>openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in fullchain.pem</code></p>
</li>
</ol>
<p>In this command, replace <code>privkey.pem</code> and <code>fullchain.pem</code> with your actual file paths. <code>certificate.pfx</code> is the PFX certificate file that is written.</p>
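<ol start="3">
<li>
<p>Enter a password: OpenSSL prompts you for a password. This password protects the PFX file, and you will need to enter it when you install the certificate on Windows.</p>
</li>
<li>
<p>Install the certificate: finally, you can install the PFX certificate on Windows. Double-click the PFX file and follow the prompts.</p>
</li>
</ol>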
<p>&nbsp;</p>
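<h1 class="Post-Title">Requesting a wildcard certificate with Certbot on Windows</h1>
<h2 data-first-child="">1. Download and install the software</h2>
<p data-pid="RvfJLBzZ">Download the latest version of the software from this site and install it: https://github.com/certbot/certbot/</p>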
<p class="ztext-empty-paragraph">&nbsp;</p>
<p><img src="https://pic1.zhimg.com/v2-0f1de0a1cfd872d02d533c1b5f0a97a8_b.jpg" width="1437" class="origin_image zh-lightbox-thumb" title="" data-size="normal" data-rawwidth="1437" data-rawheight="469" data-original="https://pic1.zhimg.com/v2-0f1de0a1cfd872d02d533c1b5f0a97a8_r.jpg"></p>
<p class="ztext-empty-paragraph">&nbsp;</p>
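<p data-pid="9zsqnn_Q">Once the download has finished, just double-click the installer.</p>
<p data-pid="AsNPbwB2">After installation, run cmd as administrator and enter certbot --version; if a version is displayed, the installation succeeded.</p>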
<div class="highlight">
<pre><code class="language-python">C:\Windows\System32&gt;certbot --version
certbot 2.5.0</code></pre>
</div>
<p data-pid="OjUqZXSM">Command-line tool usage</p>
<p class="ztext-empty-paragraph">&nbsp;</p>
<div class="highlight">
<pre><code class="language-python">Usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot is used to obtain and install HTTPS/TLS/SSL certificates. By default, Certbot tries to
obtain and install a certificate for the local web server (if none exists, one is installed
locally by default). The most commonly used subcommands and options are:

Obtain, install, and renew certificates:
    (default) run   Obtain and install a certificate in the current web server
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near expiry
   -d DOMAINS       The list of domains the certificate is for, separated by commas

  --apache          Use the Apache plugin for authentication and installation
  --standalone      Run a standalone web server for authentication
  --nginx           Use the Nginx plugin for authentication and installation
  --webroot         Place the authentication files in the server's webroot directory
  --manual          Obtain certificates interactively or through script hooks

   -n               Run non-interactively
  --test-cert       Obtain a test certificate from the staging server
  --dry-run         Test obtaining or renewing a certificate without saving it to disk

Certificate management:
    certificates    Display information about all certificates generated with Certbot
    revoke          Revoke a certificate (supply --cert-path)
    delete          Delete a certificate</code></pre>
</div>
<h2>2. The command for requesting a wildcard certificate</h2>
<div class="highlight">
<pre><code class="language-python">certbot certonly -d "*.example.top" -d example.top --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory</code></pre>
</div>
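<p data-pid="0ful51Kx">What the command means:</p>
<ul>
<li data-pid="Hpwst74o">certonly: the mode to run in (obtain or renew the certificate without installing it)</li>
<li data-pid="oKoxj5Jg">-d: the domain to request the certificate for; for a wildcard domain enter *.example.com</li>
<li data-pid="jl_NXLCx">--manual: obtain the certificate interactively or through script hooks</li>
<li data-pid="VgO_RC-Y">--preferred-challenges dns: validate domain ownership through DNS</li>
<li data-pid="gI-4MEAa">--server: Let's Encrypt ACME v2 uses a different server from v1, so it has to be specified explicitly</li>
</ul>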
<p class="ztext-empty-paragraph">&nbsp;</p>
<p><img src="https://pic4.zhimg.com/v2-5022f475ac526d7dae10740d25773fbb_b.jpg" width="1253" class="origin_image zh-lightbox-thumb" data-size="normal" data-rawwidth="1253" data-rawheight="999" data-original="https://pic4.zhimg.com/v2-5022f475ac526d7dae10740d25773fbb_r.jpg"></p>
<p class="ztext-empty-paragraph">&nbsp;</p>
<p data-pid="sY6WBW3Y">Replace *.example.top with the domain you want to request. Next, you are prompted to validate DNS manually:</p>
<div class="highlight">
<pre><code class="language-python">Saving debug log to C:\Certbot\log\letsencrypt.log
Requesting a certificate for *.example.top and example.top

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.example.top.

with the following value:

MeZetcO-5n_7WeJIitM_eAR8lWUZ2EQriWOg1OxBcaE

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue</code></pre>
</div>
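<p data-pid="FOcKv0tV">My domain was registered with Alibaba Cloud, so I just go to the DNS settings there and add a TXT record by hand. I am requesting a wildcard domain as well as the first-level domain here, so two records have to be added for validation.</p>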
<div class="highlight">
<pre><code class="language-python">Please deploy a DNS TXT record under the name:

_acme-challenge.example.top.

with the following value:

8eBntKwxymhu1erZuE7J9KPZnuxmE6kiYnBrDD3DkXU

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.example.top.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue</code></pre>
</div>
<p data-pid="qotaUvLO">After following the prompts, there are two TXT records in the DNS settings, as shown below:</p>
<p class="ztext-empty-paragraph">&nbsp;</p>
<p><img src="https://pic3.zhimg.com/v2-e86d0c4690fa78184b61c37049481ed2_b.png" width="1553" class="origin_image zh-lightbox-thumb" data-size="normal" data-rawwidth="1553" data-rawheight="222" data-original="https://pic3.zhimg.com/v2-e86d0c4690fa78184b61c37049481ed2_r.jpg"></p>
<p class="ztext-empty-paragraph">&nbsp;</p>
<p data-pid="TGFDp-bZ">Then the message that the request succeeded is displayed:</p>
<div class="highlight">
<pre><code class="language-python">Successfully received certificate.
Certificate is saved at: C:\Certbot\live\example.top\fullchain.pem
Key is saved at:         C:\Certbot\live\example.top\privkey.pem
This certificate expires on 2023-08-05.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
* Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
</code></pre>
</div>
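<p data-pid="AwfgwM6l">The output already says where the certificate is stored, so just go and find it on the C: drive. I found that these files are shortcuts, and there is also a readme file which says not to move or rename them. Looking at the properties of the shortcuts shows that the certificate files are actually stored in another folder: C:\Certbot\archive</p>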
<div class="highlight">
<pre><code class="language-python">This directory contains your keys and certificates.

`privkey.pem`  : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem`    : used for OCSP stapling in Nginx &gt;=1.3.7.
`cert.pem`     : will break many server configurations, and should not be used
                 without reading further documentation (see link below).

WARNING: DO NOT MOVE OR RENAME THESE FILES!
         Certbot expects these files to remain in this location in order
         to function properly!

We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.</code></pre>
</div>
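<p data-pid="NNJw_ECM">Since I am not allowed to move or rename them, I will just copy them out and use the copies.</p>
<h2>3. About renewing the certificate</h2>
<p data-pid="UpW9Iiw9">The output of the successful request above included this note about renewal:</p>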
<div class="highlight">
<pre><code class="language-python"><span class="n">NEXT <span class="n">STEPS<span class="p">:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.</code></pre>
</div>
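<p data-pid="sXrFCUXs">In other words:</p>
<p data-pid="7a6HoTnW">Next steps:</p>
<p data-pid="ObAAXNhI">This certificate will not be renewed automatically. Automatic renewal of --manual certificates requires an authentication hook script (--manual-auth-hook), but none was provided. To renew this certificate, repeat the same certbot command before the certificate expires.</p>
<p data-pid="UtAUGs71">My understanding is that when it is time to renew, I will probably just have to request the certificate again. It is no trouble anyway and takes only a few minutes, so I will simply request it again next time.</p>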
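<p>An added example, not part of the original article: the logic a <code>--manual-auth-hook</code> script needs for this wildcard plus base-domain request, where both challenge values must sit under the same TXT name at once. <code>InMemoryDns</code>, <code>OverwritingDns</code>, <code>run_hook</code> and <code>simulate_order</code> are hypothetical names, the in-memory store stands in for a DNS provider API that the article does not cover, and pairing each value from the output above with a particular domain is an assumption.</p>

```python
"""Hook logic for `certbot --manual`: publish DNS-01 values without overwriting."""
import os
import re
import sys
from typing import Dict, List, Mapping, Set, Tuple

# A DNS-01 TXT value is the unpadded base64url form of a SHA-256 digest: 43 characters.
DNS01_VALUE = re.compile(r"[A-Za-z0-9_-]{43}")


def challenge_record_name(domain: str) -> str:
    """TXT record name for a domain; "*.example.top" and "example.top" share one name."""
    domain = domain.strip().rstrip(".").lower()
    if domain.startswith("*."):  # strip a wildcard label if one is passed in
        domain = domain[2:]
    return "_acme-challenge." + domain


class InMemoryDns:
    """Constructed stand-in for a DNS provider API; replace the two methods with real calls."""

    def __init__(self) -> None:
        self.records: Dict[str, Set[str]] = {}

    def add_txt(self, name: str, value: str) -> None:
        # Add to the record set; values already published under this name stay.
        self.records.setdefault(name, set()).add(value)

    def remove_txt(self, name: str, value: str) -> None:
        # Remove only this value, so a sibling challenge is not torn down early.
        remaining = self.records.get(name, set()) - {value}
        if remaining:
            self.records[name] = remaining
        else:
            self.records.pop(name, None)


class OverwritingDns(InMemoryDns):
    """The failure mode: a backend call that replaces the record instead of adding to it."""

    def add_txt(self, name: str, value: str) -> None:
        self.records[name] = {value}


def run_hook(action: str, env: Mapping[str, str], dns: InMemoryDns) -> str:
    """Handle one hook call. Certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION."""
    value = env["CERTBOT_VALIDATION"]
    if not DNS01_VALUE.fullmatch(value):
        raise ValueError("CERTBOT_VALIDATION does not look like a DNS-01 value")
    name = challenge_record_name(env["CERTBOT_DOMAIN"])
    if action == "auth":
        dns.add_txt(name, value)
    elif action == "cleanup":
        dns.remove_txt(name, value)
    else:
        raise ValueError("action must be 'auth' or 'cleanup'")
    return name


def unsatisfied(challenges: List[Tuple[str, str]], dns: InMemoryDns) -> List[str]:
    """Values the CA would not find when it queries after all auth hooks have run."""
    return [value for domain, value in challenges
            if value not in dns.records.get(challenge_record_name(domain), set())]


# The two challenge values from the Certbot output above (domain pairing assumed).
PAGE_CHALLENGES = [
    ("*.example.top", "MeZetcO-5n_7WeJIitM_eAR8lWUZ2EQriWOg1OxBcaE"),
    ("example.top", "8eBntKwxymhu1erZuE7J9KPZnuxmE6kiYnBrDD3DkXU"),
]


def simulate_order(dns: InMemoryDns) -> List[str]:
    """Run the auth hook for each challenge, then report what validation would miss."""
    for domain, value in PAGE_CHALLENGES:
        run_hook("auth", {"CERTBOT_DOMAIN": domain, "CERTBOT_VALIDATION": value}, dns)
    return unsatisfied(PAGE_CHALLENGES, dns)


if __name__ == "__main__":
    # As a hook: "python hook.py auth" via --manual-auth-hook and
    # "python hook.py cleanup" via --manual-cleanup-hook, with a real DNS backend.
    if len(sys.argv) == 2:
        print(run_hook(sys.argv[1], os.environ, InMemoryDns()))
    else:
        print("add:      ", simulate_order(InMemoryDns()))
        print("overwrite:", simulate_order(OverwritingDns()))
```

<p>With a backend that overwrites the record, the first value is gone by the time validation runs, which is the situation the "do not remove, replace, or undo the previous challenge tasks yet" note in Certbot's prompt warns about.</p>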
<p data-pid="UtAUGs71">&nbsp;</p>
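<h1 class="topictitle1">Huawei Cloud reports "certificate chain is incomplete" when an HTTPS certificate configuration is submitted. How do I complete the certificate chain?</h1>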
<p data-pid="UtAUGs71">https://support.huaweicloud.com/usermanual-cdn/cdn_01_0086.html</p>
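<p id="cdn_01_0086__p4441683518185">The HTTPS configuration only accepts certificate and private key content in PEM format, and the requirements for the uploaded certificate content differ depending on the certificate authority.</p>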
<div id="cdn_01_0086__section47392574183850" class="section">
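<h4 id="section0" class="sectiontitle">Certificates issued by a Root CA</h4>
<p id="cdn_01_0086__p34448046183858">A certificate issued by a Root CA is a complete certificate. When configuring HTTPS, uploading this certificate alone is enough.</p>
<p id="cdn_01_0086__p5903233120615">Open the *.PEM certificate file in Notepad to see the full certificate information, similar to Figure 1.</p>
<p id="cdn_01_0086__p20741690184513">PEM-format certificate:</p>
<ul id="cdn_01_0086__ul14511621185146">
<li id="cdn_01_0086__li59237257185146">It starts with the line "-----BEGIN CERTIFICATE-----" and ends with the line "-----END CERTIFICATE-----".</li>
<li id="cdn_01_0086__li5078421191042">The content between these two lines must have 64 characters per line; the last line may have fewer than 64 characters.</li>
<li id="cdn_01_0086__li46916516191730">The certificate content contains no spaces.</li>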
</ul>
</div>
<div id="cdn_01_0086__fig62782747144849" class="fignone"><span class="figcap">Figure 1&nbsp;PEM-format certificate<br><img src="https://support.huaweicloud.com/usermanual-cdn/zh-cn_image_0111376247.png" width="523.6875" height="352.1175" id="cdn_01_0086__image4574834135615" class="imgResize" title="Click to enlarge"></span></div>
<div id="cdn_01_0086__section23934614192754" class="section">
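<h4 id="section1" class="sectiontitle">Certificates issued by an intermediate CA</h4>
<p id="cdn_01_0086__p16266749193232">A certificate file issued by an intermediate CA contains several certificates. When configuring HTTPS, all of them must be concatenated into one complete certificate before uploading. The concatenated certificate looks like Figure 2.</p>
<div id="cdn_01_0086__p2849012620233" class="p">Open all the *.PEM certificate files in Notepad, put the server certificate first, and then the intermediate certificates. The CA normally provides instructions when it issues the certificate, so check the applicable rules. The general rules are:
<ul id="cdn_01_0086__ul42151648195820">
<li id="cdn_01_0086__li19069893195820">There are no blank lines between certificates.</li>
<li id="cdn_01_0086__li26752037195947">The certificate chain has the following format: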
<p id="cdn_01_0086__p435060252009">-----BEGIN CERTIFICATE-----</p>
<p id="cdn_01_0086__p5935134120032">-----END CERTIFICATE-----</p>
<p id="cdn_01_0086__p6440002620032">-----BEGIN CERTIFICATE-----</p>
<p id="cdn_01_0086__p5114236920040">-----END CERTIFICATE-----</p>


</li>


</ul>


</div>


</div>
<div id="cdn_01_0086__fig26971979202252" class="fignone"><span class="figcap">Figure 2&nbsp;Concatenated PEM certificate<br><img src="https://support.huaweicloud.com/usermanual-cdn/zh-cn_image_0111376409.png" id="cdn_01_0086__image74611749125614"></span></div>
<div id="cdn_01_0086__section28051642201353" class="section">
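<h4 id="section2" class="sectiontitle">RSA private key format requirements</h4>
<p id="cdn_01_0086__p35450414203252">A PEM file can hold a certificate or a private key. If a *.PEM file contains only a private key, the *.KEY extension is generally used instead.</p>
<p id="cdn_01_0086__p7304756203449">Open the *.PEM or *.KEY private key file in Notepad to see the full private key information, similar to Figure 3.</p>
<p id="cdn_01_0086__p54814370203449">RSA-format private key:</p>
<ul id="cdn_01_0086__ul23567290203449">
<li id="cdn_01_0086__li10779025203449">It starts with the line "-----BEGIN RSA PRIVATE KEY-----" and ends with the line "-----END RSA PRIVATE KEY-----".</li>
<li id="cdn_01_0086__li29902369203449">The content between these two lines must have 64 characters per line; the last line may have fewer than 64 characters.</li>
<li id="cdn_01_0086__li685865203449">The content contains no spaces.</li>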


</ul>


</div>
<div id="cdn_01_0086__fig4908845816121" class="fignone"><span class="figcap">Figure 3&nbsp;RSA-format private key<br><img src="https://support.huaweicloud.com/usermanual-cdn/zh-cn_image_0111376574.png" width="523.6875" height="422.94" id="cdn_01_0086__image86234720575" class="imgResize" title="Click to enlarge"></span></div>
<p id="cdn_01_0086__p3646989220441">When the private key is delimited by "-----BEGIN PRIVATE KEY-----, -----END PRIVATE KEY-----" or by "-----BEGIN ENCRYPTED PRIVATE KEY-----, -----END ENCRYPTED PRIVATE KEY-----", use the OpenSSL tool to run the following command to convert it:</p>
<div class="pre-box">
<pre class="screen ctnc">openssl rsa -in old_key.key -out new_key.key</pre>
</div>
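<p>An added example, not Huawei Cloud's or the article's own code: a structural check of the PEM rules listed above for a certificate chain file and a private key file before upload. It checks layout only and does not parse X.509, the function names are hypothetical, and the sample blocks are built from constructed placeholder bytes rather than real certificates or keys.</p>

```python
"""Structural lint for PEM files before uploading them as an HTTPS certificate and key."""
import base64
import re
from typing import List, NamedTuple, Optional, Tuple

BEGIN_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
END_RE = re.compile(r"-----END ([A-Z0-9 ]+)-----")


class PemBlock(NamedTuple):
    label: str  # e.g. "CERTIFICATE" or "RSA PRIVATE KEY"
    der: bytes  # decoded body, empty if the base64 was invalid


def _decode_body(body: List[str], label: str, problems: List[str]) -> bytes:
    for i, line in enumerate(body):
        is_last = i == len(body) - 1
        if len(line) > 64 or (len(line) < 64 and not is_last):
            problems.append(f"{label}: body line {i + 1} has {len(line)} characters, expected 64")
    try:
        return base64.b64decode("".join(body), validate=True)
    except ValueError:
        problems.append(f"{label}: body is not valid base64")
        return b""


def lint_pem(text: str) -> Tuple[List[PemBlock], List[str]]:
    """Split PEM text into blocks and list every violation of the layout rules."""
    blocks: List[PemBlock] = []
    problems: List[str] = []
    label: Optional[str] = None
    body: List[str] = []
    lines = text.replace("\r\n", "\n").split("\n")
    if lines[-1] == "":
        lines.pop()  # one trailing newline is normal
    for no, line in enumerate(lines, 1):
        begin, end = BEGIN_RE.fullmatch(line), END_RE.fullmatch(line)
        if line.strip() == "":
            problems.append(f"line {no}: blank line")
        elif begin:
            if label is not None:
                problems.append(f"line {no}: BEGIN inside an open {label} block")
            label, body = begin.group(1), []
        elif end:
            if end.group(1) != label:
                problems.append(f"line {no}: END {end.group(1)} has no matching BEGIN")
            else:
                blocks.append(PemBlock(label, _decode_body(body, label, problems)))
            label = None
        elif label is None:
            problems.append(f"line {no}: text outside a BEGIN/END block")
        else:
            if any(ch.isspace() for ch in line):
                problems.append(f"line {no}: whitespace inside the base64 body")
            body.append(line)
    if label is not None:
        problems.append(f"{label} block has no END line")
    return blocks, problems


def check_certificate_upload(text: str, issued_by_intermediate: bool = True) -> List[str]:
    """Problems with a certificate file; an intermediate-issued one needs two or more blocks."""
    blocks, problems = lint_pem(text)
    certs = [b for b in blocks if b.label == "CERTIFICATE"]
    if len(certs) != len(blocks):
        problems.append("file contains blocks other than CERTIFICATE")
    if issued_by_intermediate and len(certs) < 2:
        problems.append(f"only {len(certs)} certificate found; intermediate certificate(s) missing")
    return problems


def check_private_key_upload(text: str) -> List[str]:
    """Problems with a key file; non-RSA-labelled keys need the conversion given above."""
    blocks, problems = lint_pem(text)
    if len(blocks) != 1:
        problems.append(f"expected exactly one key block, found {len(blocks)}")
    for block in blocks:
        if block.label in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY"):
            problems.append(f"{block.label}: convert with "
                            "'openssl rsa -in old_key.key -out new_key.key'")
        elif block.label != "RSA PRIVATE KEY":
            problems.append(f"unexpected block type {block.label}")
    return problems


def make_pem(label: str, der: bytes) -> str:
    """Build a PEM block wrapped at 64 characters (used here for constructed samples)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed placeholder bytes, not real certificates or keys.
LEAF = make_pem("CERTIFICATE", bytes(range(200)))
INTERMEDIATE = make_pem("CERTIFICATE", bytes(range(100, 250)))
FULLCHAIN = LEAF + INTERMEDIATE  # server certificate first, then the intermediate
PKCS8_KEY = make_pem("PRIVATE KEY", bytes(range(90)))
RSA_KEY = make_pem("RSA PRIVATE KEY", bytes(range(90)))
```

<p>Pass it the text of <code>fullchain.pem</code>, which holds the server certificate followed by the intermediates; <code>cert.pem</code> on its own contains a single certificate. A <code>BEGIN PRIVATE KEY</code> label does not say which algorithm the key uses, and Certbot 2.x creates ECDSA keys unless <code>--key-type rsa</code> is given, so the <code>openssl rsa</code> conversion only applies to RSA keys.</p>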

</div>
<div id="MySignature" role="contentinfo">
Source: https://www.cnblogs.com/hanby/p/17583275.html