在Ubuntu上使用Certbot申请Let’s Encrypt SSL证书

1 引言

要使用HTTPS就必须得有SSL证书。理论上，证书是可以通过像OpenSSL这样得工具生成的。不过这种证书只能自己测试用，浏览器上面是不认的，会提示用户不安全。也就是说，浏览器只接受一些特定的证书颁发机构（CA）发布的证书。正规的商业应用上，这些证书是需要像这些机构购买的。不过好在还是有像Let’s Encrypt这样开放的证书颁发机构，可以免费向其申请SSL证书，不过缺点是证书有效期只能有90天。

2 详叙

2.1 安装

Certbot是一个免费、自动化、开源的工具，可以用于向Let’s Encrypt申请SSL证书。在Ubuntu下使用如下指令安装Certbot：

sudo apt install certbot

如果提示不识别Certbot，那么可能需要添加Certbot的官方PPA源：

sudo apt install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt update

另外，使用Snap也可以安装Certbot：

sudo snap install --classic certbot

2.2 域名

一般来说，我们申请到的域名都是主域名，例如笔者申请的charlee44.com。除此之外，泛域名：*.charlee44.com也很常用。比如使用charlee44.com建了一个网站，随着功能的扩充，你就有了建立子网站sub.charlee44.com的需求了。因此最好是让主域名和泛域名合用同一个证书，以避免重复申请。

2.3 步骤

在终端中执行如下指令：

certbot certonly -d charlee44.com -d *.charlee44.com --manual --preferred-challenges dns

这个指令的意思是给charlee44.com和*.charlee44.com一起申请一个证书。此时会有如下提示：

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for charlee44.com and *.charlee44.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.charlee44.com.

with the following value:

xxxxxxxxxxxxxxxxxxxxxxxxxxxx

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

这段命令提示的意思是将xxxxxxxxxxxxxxxxxxxxxxxxxxxx这段字符串设置成域名_acme-challenge.charlee44.com的TXT类型解析结果。这个步骤需要在域名服务商的后台中进行配置。

点击回车：

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.charlee44.com.

with the following value:

xxxxxxxxxxxxxxxxxxxxxxxxxxxx

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.charlee44.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

因为我们是给两个域名生成证书，因此需要将之前的步骤再来一遍。注意，主域名和泛域名是将不同的xxxxxxxxxxxxxxxxxxxxxxxxxxxx字符串，设置成相同域名_acme-challenge.charlee44.com的TXT类型解析结果。在阿里云域名后台中，就是给_acme-challenge.charlee44.com域名解析提供两个结果，如下所示：

点击回车：

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/charlee44.com-0001/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/charlee44.com-0001/privkey.pem
This certificate expires on 2025-09-29.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

可以看到生成了两个SSL证书文件：

• /etc/letsencrypt/live/charlee44.com-0001/fullchain.pem：服务器需要发送给客户端的完整证书链。
• /etc/letsencrypt/live/charlee44.com-0001/privkey.pem：证书私钥，与证书一起使用，以证明拥有该证书对应的公钥。

一般的HTTPS使用这两个证书文件即可。

3 参考

1. 使用Certbot申请免费 HTTPS 证书及自动续期
2. 解决certbot通配符及基础域名共用一个证书some challenges have failed问题