Requesting a Let's Encrypt wildcard certificate with certbot
<h2>What is Let's Encrypt?</h2><p>Only a handful of certificate authorities in the world are trusted by browsers, and <code>Let's Encrypt</code> is one of them. It issues certificates for free (paid certificates are available too, and many CAs charge thousands a year). If all we want is a test environment that needs <code>https</code>, there is no reason to spend that money. The free lunch does have a price, though: a <code>Let's Encrypt</code> certificate is valid for only 90 days, so you have to renew it before it expires. There are also various rate limits, such as how many certificates you may request per week and how many operations a single <code>ip</code> may perform per day; see</p>
<p>https://letsencrypt.org/docs/rate-limits/</p>
<p>Can you use a self-signed certificate generated with the <code>jdk</code> instead? Yes, but the browser will tell you it does not trust that certificate, i.e. it will show a <span style="color: rgba(255, 0, 0, 1)">Not secure</span> warning in the top-left corner.</p>
<h2>What is a wildcard certificate?</h2>
<p>For example, <code>*.xxx.cn</code>: a certificate that can be used by all of a domain's <span style="color: rgba(255, 0, 0, 1)"><strong>second-level subdomains</strong></span> (one label below it) is called a wildcard certificate.</p>
<p><code>Let's Encrypt</code> officially recommends the <code>certbot</code> client for requesting certificates (acme.sh and similar tools work as well). The steps below were carried out on <code>Debian 10</code> with <code>python 3.7.3</code>; if you run into errors along the way, first suspect version mismatches in the <code>python</code> packages.</p>
<p>Let's Encrypt has supported wildcard certificates since 2018; compared with single-domain certificates, a wildcard certificate is easier to maintain day to day.</p>
<h2>Preparation</h2>
<p>Install certbot; most distributions already ship it in their package repositories. On Debian:</p>
<div class="cnblogs_code">
<pre><span style="color: rgba(0, 0, 255, 1)">sudo</span> apt <span style="color: rgba(0, 0, 255, 1)">install</span> certbot</pre>
</div>
<p>You need administrative control of the domain: a wildcard certificate requires DNS validation, so you must be able to create DNS records as certbot instructs in order to prove control of the domain.</p>
<h2>Requesting the wildcard certificate</h2>
<div class="cnblogs_code">
<pre>certbot certonly --preferred-challenges dns --manual -d *.xx.cn --server https:<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">acme-v02.api.letsencrypt.org/directory</span></pre>
<p>Saving debug log to /var/log/letsencrypt/letsencrypt.log<br>Plugins selected: Authenticator manual, Installer None<br>Obtaining a new certificate<br>Performing the following challenges:<br>dns-01 challenge for xx.cn</p>
<p>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br>NOTE: The IP of this machine will be publicly logged as having requested this<br>certificate. If you're running certbot in manual mode on a machine that is not<br>your server, please ensure you're okay with that.</p>
<p>Are you OK with your IP being logged?<br>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br>(Y)es/(N)o: y</p>
<p>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br>Please deploy a DNS TXT record under the name<br>_acme-challenge.xx.cn with the following value:</p>
<p>nI0DhzH-vn0W7STVuLi2O-oIKuFNlqQx5EnjB-zewvs</p>
<p>Before continuing, verify the record is deployed.<br>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br>Press Enter to Continue <span style="color: rgba(51, 102, 255, 1)"># Create a TXT record for the subdomain _acme-challenge.xx.cn with the value nI0DhzH-vn0W7STVuLi2O-oIKuFNlqQx5EnjB-zewvs</span></p>
<pre><span style="color: rgba(51, 102, 255, 1)"># Use dig -t txt _acme-challenge.xx.cn to check that the record has taken effect, then press Enter to complete validation. On Debian, <span style="color: rgba(255, 0, 0, 1)"><strong>apt install dnsutils</strong></span> installs the dig command.<br># nslookup can be used for the check as well.</span></pre>
<p>Waiting for verification...<br>Cleaning up challenges</p>
<p>IMPORTANT NOTES:<br> - Congratulations! Your certificate and chain have been saved at:<br> /etc/letsencrypt/live/xx.cn/fullchain.pem<br> Your key file has been saved at:<br> /etc/letsencrypt/live/xx.cn/privkey.pem<br> Your cert will expire on 2021-04-26. To obtain a new or tweaked<br> version of this certificate in the future, simply run certbot<br> again. To non-interactively renew *all* of your certificates, run<br> "certbot renew"<br> - If you like Certbot, please consider supporting our work by:</p>
<p> Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate<br> Donating to EFF: https://eff.org/donate-le</p>
<p><span style="color: rgba(51, 102, 255, 1)"># The certificate has now been issued</span></p>
</div>
<p>Parameters:</p>
<p>certonly: only obtain the certificate, do not install it.</p>
<p>--no-bootstrap: answer N automatically to system-level operations that would need the user's consent.</p>
<p>--manual: request the certificate interactively.</p>
<p>-d: the hosts to request the certificate for, e.g. *.xxx.cn (a wildcard here).</p>
<p>--preferred-challenges dns: prove ownership of the domain via DNS; several challenge types may be listed.</p>
<p>--server: Let's Encrypt's ACME v2 endpoint differs from the v1 one (only v2 supports wildcard certificates), so it must be given explicitly.</p>
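<p>Before pressing Enter in the manual flow, the record should really be visible in DNS, or the challenge fails and counts against the rate limits. The shell script below is an added example, not code from the original post or from certbot: <code>txt_has_token</code> parses the output of <code>dig +short TXT</code> (one quoted record per line, long records split into several quoted chunks) and reports whether one record equals the challenge token, and <code>check_challenge</code> asks one of the zone's authoritative nameservers, because Let's Encrypt validates against those rather than against a caching resolver that may still hold an old answer. The function names, the NS lookup and the sample dig output are this example's own assumptions.</p>

```shell
#!/bin/sh
# Added example (not from the original post): verify that the DNS-01 TXT record
# for _acme-challenge.<domain> is live before pressing Enter in certbot.
# Assumes the `dig` command from dnsutils; the sample dig output is constructed.

# Constructed sample of `dig +short TXT _acme-challenge.xx.cn` output: the
# current token plus a stale record left behind by an earlier request.
SAMPLE_DIG_OUTPUT='"nI0DhzH-vn0W7STVuLi2O-oIKuFNlqQx5EnjB-zewvs"
"stale-token-from-a-previous-run"'

# txt_has_token ANSWER TOKEN
# ANSWER is dig +short output, one TXT record per line. dig prints each record
# as "..." and splits long ones into several quoted chunks: "abc" "def".
# Returns 0 if any record, with the quoting removed, equals TOKEN exactly.
txt_has_token() {
    token=$2
    found=1
    # Read from a here-document rather than a pipe so that $found survives
    # the loop in every POSIX shell (a piped while runs in a subshell).
    while IFS= read -r line; do
        record=$(printf '%s' "$line" | sed 's/" *"//g; s/^"//; s/"$//')
        if [ "$record" = "$token" ]; then
            found=0
            break
        fi
    done <<EOF
$1
EOF
    return $found
}

# check_challenge DOMAIN TOKEN
# Let's Encrypt looks the record up on the zone's authoritative nameservers,
# so query one of those directly; a caching resolver may return a stale answer.
check_challenge() {
    domain=$1
    token=$2
    ns=$(dig +short NS "$domain" | head -n 1)
    answer=$(dig +short TXT "_acme-challenge.$domain" ${ns:+"@$ns"})
    if txt_has_token "$answer" "$token"; then
        echo "OK: _acme-challenge.$domain carries the expected TXT record"
    else
        echo "NOT YET: record missing or stale on ${ns:-the default resolver}; wait and retry" >&2
        return 1
    fi
}

# Usage, with the token certbot printed in the manual flow:
#   check_challenge xx.cn nI0DhzH-vn0W7STVuLi2O-oIKuFNlqQx5EnjB-zewvs
```

<p>Run <code>check_challenge</code> until it prints OK, then press Enter in certbot. A stale record from an earlier request is harmless as long as the current token is present too, which is why the check looks for an exact match on any record rather than requiring the answer to contain a single record.</p>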
<p>Once the certificate has been issued, point your Nginx or Apache configuration at the newly generated certificate files.</p>
<h2>Revoking a certificate</h2>
<p>If you no longer need a certificate, you can revoke and delete it.</p>
<div class="cnblogs_code">
<pre><span style="color: rgba(0, 0, 255, 1)">sudo</span> certbot revoke --cert-path /etc/letsencrypt/archive/xx.cn/cert1.pem</pre>
<p>Saving debug log to /var/log/letsencrypt/letsencrypt.log</p>
<p>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br>Would you like to delete the cert(s) you just revoked, along with all earlier<br>and later versions of the cert?<br>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br>(Y)es (recommended)/(N)o: y # delete the certificate files as well?</p>
</div>
<h2>Requesting the certificate with automatic validation</h2>
<p>The method above requires going to the DNS provider and changing the records by hand to pass validation. With Certbot's official DNS plugins, the DNS records can be created automatically. https://certbot.eff.org/docs/using.html#manual</p>
<p><img src="https://img2020.cnblogs.com/blog/1591919/202104/1591919-20210419181301845-655397526.png" alt="" loading="lazy"></p>
<p>The providers shown above are supported.</p>
<h3>Preparation</h3>
<p>Install the DNS plugin for your provider</p>
<div class="cnblogs_code">
<pre><span style="color: rgba(0, 0, 255, 1)">sudo</span> apt <span style="color: rgba(0, 0, 255, 1)">install</span> python3-certbot-dns-cloudflare<br>#<span style="color: rgba(0, 0, 255, 1)">sudo</span> apt <span style="color: rgba(0, 0, 255, 1)">install</span> python2-certbot-dns-cloudflare<br># the provider I use is Cloudflare</pre>
</div>
<h3>Configuring the DNS plugin</h3>
<p>Obtain a KEY/TOKEN from Cloudflare</p>
<p><img src="https://img2020.cnblogs.com/blog/1591919/202104/1591919-20210419181733019-979737159.png" alt="" loading="lazy"></p>
<p><img src="https://img2020.cnblogs.com/blog/1591919/202104/1591919-20210419181809158-1035264150.png" alt="" loading="lazy"></p>
<p>Either works, but the token method needs version 2.3.1 or later of the python*-certbot-dns-cloudflare plugin. For security reasons the former is recommended.</p>
<div class="cnblogs_code">
<pre># Cloudflare API credentials used by Certbot
dns_cloudflare_email = cloudflare@example.com
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567</pre>
</div>
<p>Write the configuration above to ~/cloudflare.ini.</p>
<h3>Request</h3>
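<p>Anyone who can read ~/cloudflare.ini can change every DNS record in the account, and certbot-dns-cloudflare itself warns when the credentials file is readable by group or others. As an added example, not from the original post or from certbot, the script below writes the file with owner-only permissions and checks both the mode and the presence of the two required settings before the file is handed to certbot. The helper names and the 600/400 check are this example's own assumptions; the e-mail and key are the placeholder values from the configuration above.</p>

```shell
#!/bin/sh
# Added example (not part of the original post): create the certbot Cloudflare
# credentials file so that only its owner can read it, and check it before use.
# Helper names are this example's own; e-mail and key are placeholder values.

# write_credentials FILE EMAIL API_KEY
write_credentials() {
    file=$1
    email=$2
    key=$3
    old_umask=$(umask)
    umask 077                 # a new file is created 0600 whatever the default umask
    printf '# Cloudflare API credentials used by Certbot\n' > "$file"
    printf 'dns_cloudflare_email = %s\n' "$email" >> "$file"
    printf 'dns_cloudflare_api_key = %s\n' "$key" >> "$file"
    umask "$old_umask"
    chmod 600 "$file"         # also tighten a file that already existed with looser bits
}

# file_mode FILE: permission bits in octal (GNU stat, falling back to BSD stat)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# credentials_ok FILE: 0 if the mode is 600 or 400 and both settings are present
credentials_ok() {
    mode=$(file_mode "$1")
    case "$mode" in
        600|400) ;;
        *) echo "refusing $1: mode $mode, expected 600" >&2; return 1 ;;
    esac
    grep -q '^dns_cloudflare_email *=' "$1" && grep -q '^dns_cloudflare_api_key *=' "$1"
}

# Usage:
#   write_credentials ~/cloudflare.ini cloudflare@example.com 0123456789abcdef0123456789abcdef01234567
#   credentials_ok ~/cloudflare.ini && sudo certbot certonly --dns-cloudflare \
#       --dns-cloudflare-credentials ~/cloudflare.ini -d '*.example.win'
```

<p>The umask is set before the file is written so there is no moment at which a freshly created file is world-readable; the explicit chmod afterwards covers the case where the file already existed with wider permissions.</p>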
<div class="cnblogs_code">
<pre><span style="color: rgba(0, 0, 255, 1)">sudo</span> certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/cloudflare.ini --dns-cloudflare-propagation-seconds <span style="color: rgba(128, 0, 128, 1)">60</span> --preferred-challenges dns -d *.example.win --server https:<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">acme-v02.api.letsencrypt.org/directory<br></span></pre>
<pre>#--dns-cloudflare-propagation-seconds 60 # wait 60 seconds for the DNS record to take effect</pre>
</div>
<p><img src="https://img2020.cnblogs.com/blog/1591919/202104/1591919-20210419182841714-116089198.png" alt="" loading="lazy"></p>
<p>Because this wildcard certificate had already been requested and was present on the server, Certbot performed a renewal automatically.</p>
<p>The wildcard certificate request is now complete.</p>
<h2>Renewal</h2>
<p><span style="color: rgba(255, 0, 0, 1)">If the certificate was requested by changing the DNS records manually, running certbot renew will fail.</span></p>
<p><img src="https://img2020.cnblogs.com/blog/1591919/202104/1591919-20210419183315394-1944350128.png" alt="" loading="lazy"></p>
<p>In that case the only option is to repeat the request steps from the beginning.</p>
<div class="cnblogs_code">
<pre>certbot certonly --preferred-challenges dns --manual -d *.xx.cn --server https:<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">acme-v02.api.letsencrypt.org/directory</span></pre>
</div>
<p><span style="background-color: rgba(255, 255, 255, 1); color: rgba(255, 0, 0, 1)">If the certificate was requested with automatic API validation, it can be renewed directly with certbot renew!</span></p>
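<p><code>certbot renew</code> only replaces the files under /etc/letsencrypt; the web server still has to pick up the new certificate, which is what a deploy hook is for. The script below is an added example, not from the original post or from certbot's own code: certbot runs a deploy hook after each successful renewal with <code>RENEWED_LINEAGE</code> set to the renewed lineage directory, and this one copies fullchain.pem and privkey.pem to the web server's certificate directory with the key readable only by its owner, then reloads the server. <code>DEPLOY_DIR</code>, <code>RELOAD_CMD</code> and the function names are assumptions of this example, not certbot options, and the nginx paths are placeholders.</p>

```shell
#!/bin/sh
# Added example (not from the original post or from certbot): a deploy hook
# that installs a freshly renewed certificate for the web server and reloads it.
# certbot runs it after each successful renewal, e.g.
#   certbot renew --deploy-hook /usr/local/bin/deploy-cert.sh
# or from /etc/letsencrypt/renewal-hooks/deploy/, with RENEWED_LINEAGE set to the
# renewed lineage directory (such as /etc/letsencrypt/live/xx.cn).
# DEPLOY_DIR and RELOAD_CMD are this example's own assumptions; adjust the paths.

DEPLOY_DIR=${DEPLOY_DIR:-/etc/nginx/ssl}
RELOAD_CMD=${RELOAD_CMD:-"systemctl reload nginx"}

# deploy_cert LINEAGE_DIR DEST_DIR
# Copy fullchain.pem and privkey.pem; the private key must stay owner-only.
deploy_cert() {
    src=$1
    dest=$2
    if [ ! -r "$src/fullchain.pem" ] || [ ! -r "$src/privkey.pem" ]; then
        echo "deploy: $src lacks fullchain.pem or privkey.pem" >&2
        return 1
    fi
    mkdir -p "$dest"
    cp "$src/fullchain.pem" "$dest/fullchain.pem"
    chmod 644 "$dest/fullchain.pem"
    old_umask=$(umask)
    umask 077                       # the key copy is never world-readable, not even briefly
    cp "$src/privkey.pem" "$dest/privkey.pem"
    umask "$old_umask"
    chmod 600 "$dest/privkey.pem"   # also covers a pre-existing copy with wider bits
}

# deploy_hook: entry point; refuses to run unless certbot really renewed something
deploy_hook() {
    lineage=${RENEWED_LINEAGE:-}
    if [ -z "$lineage" ]; then
        echo "deploy: RENEWED_LINEAGE not set, nothing to do" >&2
        return 1
    fi
    deploy_cert "$lineage" "$DEPLOY_DIR" && $RELOAD_CMD
}

# Run the hook only when this file is executed as the installed script.
case "$0" in
    */deploy-cert.sh) deploy_hook ;;
esac
```

<p>Test the whole chain once with <code>certbot renew --dry-run --deploy-hook /usr/local/bin/deploy-cert.sh</code> (the dry run does not call deploy hooks, but it confirms the DNS plugin and credentials still work); afterwards the hook runs unattended from the certbot timer or cron job whenever a certificate is actually renewed.</p>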
</div>
<div id="MySignature" role="contentinfo">
<b>Author</b>: 書劍飄零
<div><b>Source</b>: https://www.cnblogs.com/oboth-zl</div>
<div>Copyright of this article belongs to the author and cnblogs. Reposting is welcome, but unless the author agrees otherwise this notice must be kept and a link to the original must be displayed prominently on the article page; otherwise the right to pursue legal action is reserved.</div><br><br>
Source: https://www.cnblogs.com/oboth-zl/p/14330854.html