letsencrypt证书-使用certbot申请wildcard证书

目录

• 1. certbot安装
• 2. 认证方式
• 3. 运行命令
• 4. 更新
  • 1：下载
  • 2：配置
  • 3：申请证书
  • 4：续期证书

1. certbot安装

cd /usr/local/src
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

2. 认证方式

客户在申请 Let’s Encrypt 证书的时候，需要校验域名的所有权，证明操作者有权利为该域名申请证书，目前支持三种验证方式：

dns-01：给域名添加一个 DNS TXT 记录。
http-01：在域名对应的 Web 服务器下放置一个 HTTP well-known URL 资源文件。
tls-sni-01：在域名对应的 Web 服务器下放置一个 HTTPS well-known URL 资源文件。

3. 运行命令

 ./certbot-auto certonly  -d *.archerwong.cn -d archerwong.cn --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

注意这里 -d archerwong.cn 最好写上，否则archerwong.cn将无法被信任，只有xxx.archerwong.cn这样的二级 域名才被信任

介绍下相关参数：

certonly，表示安装模式，Certbot 有安装模式和验证模式两种类型的插件。
--manual  表示手动安装插件，Certbot 有很多插件，不同的插件都可以申请证书，用户可以根据需要自行选择
-d 为那些主机申请证书，如果是通配符，输入 *.newyingyong.cn（可以替换为你自己的域名）
--preferred-challenges dns，使用 DNS 方式校验域名所有权
--server，Let's Encrypt ACME v2 版本使用的服务器不同于 v1 版本，需要显示指定。

交互界面如下

[root@host src]# sudo  ./certbot-auto certonly  -d *.archerwong.cn -d archerwong.cn --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxx@163.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for archerwong.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: (Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.archerwong.cn with the following value:

apQPzp-NYZ0md_D_2_fKr465Il3dDbdR_BlOSOJTYAo

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

注意这里我把交互页面截断，很重要，先不要回车，将上面的txt值，填到你的域名解析里面，等确认生效后再回车，我填写如下

然后测试是否生效

$ dig  -t txt  _acme-challenge.archerwong.cn @8.8.8.8 

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> -t txt _acme-challenge.archerwong.cn @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25704
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.archerwong.cn.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.archerwong.cn. 599 IN	TXT	"apQPzp-NYZ0md_D_2_fKZ465Il3dDbdR_BlOSOJTYbo"

;; Query time: 306 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Dec 17 21:34:43 CST 2018
;; MSG SIZE  rcvd: 114

确认生效后，按回车键，交互界面继续

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/archerwong.cn/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/archerwong.cn/privkey.pem
   Your cert will expire on 2019-03-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

至此已经成功生成了wildcard证书，查看下证书

tree  /etc/letsencrypt/live/archerwong.cn
/etc/letsencrypt/live/archerwong.cn
├── cert.pem -> ../../archive/archerwong.cn/cert1.pem
├── chain.pem -> ../../archive/archerwong.cn/chain1.pem
├── fullchain.pem -> ../../archive/archerwong.cn/fullchain1.pem
├── privkey.pem -> ../../archive/archerwong.cn/privkey1.pem
└── README

生成证书后,配置 Nginx

打开 nginx server 配置文件加入如下设置：

server {
    listen 443
    ssl on;
    ssl_certificate /etc/letsencrypt/live/网站域名/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/网站域名/privkey.pem;

     ## 其他配置
}

强制跳转 https

https 默认是监听 443 端口的，没开启 https 访问的话一般默认是 80 端口。如果你确定网站 80 端口上的站点都支持 https 的话加入下面的配件可以自动重定向到 https

server {
    listen 80;
    server_name your.domain.com;
    return 301 https://$server_name$request_uri;
}

4. 更新

使用的库：letsencrypt通配符证书，其实这个库就是写了一个钩子，通过钩子来自动填写txt dns记录。当然这个库也可以方便的申请通配符证书，感谢作者的付出。

1：下载

$ git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
$ cd certbot-letencrypt-wildcardcertificates-alydns-au
$ chmod 0777 au.sh autxy.sh python-version/au.sh

// 我是移动到了/etc/letsencrypt目录下，然后重命名manual-auth-hook

2：配置

目前该工具支持三种运行环境：

• au.sh：操作阿里云 DNS hook shell（PHP 环境）。
• autxy.sh：操作腾讯云 DNS hook shell（PHP 环境）。
• python-version/au.py：操作阿里云 DNS hook shell（Python 2.7/3.6）,感谢 @Duke-Wu 的 PR。

这三种运行环境什么意思呢？就是可根据自己服务器环境和域名服务商选择任意一个 hook shell（操作的时候任选其一即可）。

DNS API 密钥：

• alydns.php，修改 accessKeyId、accessSecrec 变量，阿里云 API key 和 Secrec 官方申请文档。
• txydns.php，修改 txyaccessKeyId、txyaccessSecrec 变量，腾讯云 API 密钥官方申请文档。
• python-version/alydns27.py，修改 ACCESS_KEY_ID、ACCESS_KEY_SECRET，阿里云 API key 和 Secrec 官方申请文档。

这个 API 密钥什么意思呢？由于需要通过 API 操作阿里云 DNS 或腾讯云 DNS 的记录，所以需要去域名服务商哪儿获取 API 密钥。

3：申请证书

特别说明： --manual-auth-hook 指定的 hook 文件三个任选其一（au.sh、autxy.sh、python-version/au.sh），其他操作完全相同。

测试是否有错误

$ ./certbot-auto certonly  -d *.example.com --manual --preferred-challenges dns  --manual-auth-hook /脚本目录/au.sh（autxy.sh 或 python-version/27.py，下面统一以 au.sh 介绍）  --dry-run  

# 实际申请
$ ./certbot-auto certonly  -d *.example.com --manual --preferred-challenges dns  --manual-auth-hook /脚本目录/au.sh

这里我实际运行了测试

[root@host src]# ./certbot-auto certonly  -d *.archerwong.cn --manual --preferred-challenges dns  --manual-auth-hook /etc/letsencrypt/manual-auth-hook/autxy.sh --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for archerwong.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Output from autxy.sh:
/etc/letsencrypt/manual-auth-hook/alydns.php
archerwong.cn_acme-challengevnc1ol1jxXcQnX8ggc40-HFXPdca7xTzhDZRDKzHla8
END

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful.

4：续期证书

1、对机器上所有证书 renew

$ ./certbot-auto renew  --manual --preferred-challenges dns  --manual-auth-hook /脚本目录/au.sh

实际更新下，结果如下

[root@host src]# ./certbot-auto renew --manual --preferred-challenges dns  --manual-auth-hook /etc/letsencrypt/manual-auth-hook/autxy.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/archerwong.cn.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/archerwong.cn/fullchain.pem expires on 2019-03-18 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@host src]# ./certbot-auto renew --manual --preferred-challenges dns  --manual-auth-hook /etc/letsencrypt/manual-auth-hook/autxy.sh --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/archerwong.cn.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for archerwong.cn
dns-01 challenge for archerwong.cn
Output from autxy.sh:
/etc/letsencrypt/manual-auth-hook/alydns.php
archerwong.cn_acme-challengeapQPzp-NYaZfafamd_D_2_fKr46fafafaR_BlOSOJTYAo
END

Output from autxy.sh:
/etc/letsencrypt/manual-auth-hook/alydns.php
archerwong.cn_acme-challengeNnS-4PfafavlFuvgm1vjzfafafaD5Ux_JfQoohs
END

Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/archerwong.cn/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/archerwong.cn/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2、对某一张证书进行续期

先看看机器上有多少证书：

$ ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: archerwong.cn-0001
    Domains: *.archerwong.cn archerwong.cn
    Expiry Date: 2019-03-17 13:24:57+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/archerwong.cn-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/archerwong.cn-0001/privkey.pem
  Certificate Name: test.archerwong.cn-0001
    Domains: test.archerwong.cn
    Expiry Date: 2019-03-18 05:36:23+00:00 (INVALID: TEST_CERT)
    Certificate Path: /etc/letsencrypt/live/test.archerwong.cn-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/test.archerwong.cn-0001/privkey.pem
  Certificate Name: archerwong.cn
    Domains: *.archerwong.cn
    Expiry Date: 2019-03-17 12:34:52+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/archerwong.cn/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/archerwong.cn/privkey.pem

记住证书名，比如 archerwong.cn，然后运行下列命令 renew：

$ ./certbot-auto renew --cert-name archerwong.cn --manual-auth-hook /脚本目录/au.sh

3、加入 crontab

编辑文件 /etc/crontab :

1 1 */1 * * root certbot-auto renew --manual --preferred-challenges dns  --manual-auth-hook /脚本目录/au.sh

上面的意思是，每隔一天的一点一分运行一次脚本

crontab的文件格式

分 时 日 月 星期 要运行的命令

• 第1列分钟0～59
• 第2列小时0～23（0表示子夜）
• 第3列日1～31
• 第4列月1～12
• 第5列星期0～7（0和7表示星期天）
• 第6列要运行的命令

参考：

https://www.jianshu.com/p/c5c9d071e395

https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au