LetsEncrypt Free SSL 通配符证书申请方法

LetsEncrypt Free SSL 通配符证书申请方法

通过官方推荐工具certbot申请

[TOC]

第一步

certbot-2 certonly -d *.lixuedong.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
  • certonly,表示安装模式,Certbot有安装模式和验证模式两种类型的插件。

  • --manual表示手动安装插件,Certbot有很多插件,不同的插件都可以申请证书,用户可以根据需要自行选择

  • -d为那些主机申请证书,如果是通配符,输入* .lixuedong.com(替换为你自己的域名)

  • --preferred-challenge dns,使用DNS方式校验域名所有权

    • 客户在申请Let's Encrypt证书的时候,需要校验域名的所有权,证明操作者有权利为该域名申请证书,目前支持三种验证方式:
      • dns-01:给域名添加一个DNS TXT记录。
      • http-01:在域名对应的Web服务器下放置一个HTTP着名的URL资源文件。
      • tls-sni-01:在域名对应的Web服务器下放置一个HTTPS着名的URL资源文件
    • 申请通配符证书,只能使用dns-01的方式
  • --server,让我们加密ACME v2版本使用的服务器不同于v1版本,需要显示指定

交互式命令行输出

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
请阅读服务条款
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf。 你必须
同意以便在ACME服务器上注册
https://acme-v02.api.letsencrypt.org/directory
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for lixuedong.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

选择的插件:Authenticator manual,Installer None
启动新的HTTPS连接(1):acme-v02.api.letsencrypt.org
获得新证书
执行以下挑战:
dix-01挑战lixuedong.com
注意:本机的IP将公开记录为已请求此项
证书。 如果您在非手动模式下以手动模式运行certbot
你的服务器,请确保你没事。

您的IP被记录了吗?
(Y)es /(N)o:y
(就是问你的域名有没有解析到公网IP)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.lixuedong.com with the following value:

z55lrkHoxYaFoGsvUASE0WgaIifiP-iiVwac-JUd-94

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

配置解析记录

配置DNS TXT记录,校验域名所有权,在没有确认TXT记录生效之前不要回车执行。
截图

证书申请成功

Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/lixuedong.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/lixuedong.com/privkey.pem
   Your cert will expire on 2019-04-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


证书申请成功

保存在 /etc/letsencrypt/archive/lixuedong.com

手动安装证书

我用的是Apache服务器

进入Apache服务器安装目录

创建一个保存证书的目录

cd /usr/local/apache && mkdir cert

将证书从默认路径下复制过来

mv /etc/letsencrypt/archive/lixuedong.com/* /usr/local/apache/cert

修改配置文件

vim /usr/local/apache/conf/extra/http-ssl.conf
<VirtualHost 0.0.0.0:443>
        DocumentRoot "/home/www/htdocs"
        ServerName www.lixuedong.com
        SSLEngine on
        SSLCertificateFile cert/fullchain1.pem
        SSLCertificateKeyFile cert/privkey1.pem
        SSLCertificateChainFile cert/chain1.pem
</VirtualHost>

重启Apache服务器

/usr/local/apache/bin/apachectl stop && /usr/local/apache/bin/apachectl start

大功告成!

20190123144758.png

20190123144742.png

错误问题

certbot 执行报错

我遇到的是

Traceback (most recent call last):
  File "/usr/bin/certbot-2", line 9, in <module>
    load_entry_point('certbot==0.29.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 564, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2662, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2316, in load
    return self.resolve()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2322, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 23, in <module>
    from certbot import client
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 16, in <module>
    from acme import client as acme_client
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 40, in <module>
    urllib3.contrib.pyopenssl.inject_into_urllib3()
AttributeError: 'module' object has no attribute 'pyopenssl'

解决办法

yum install certbot
pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3

推荐阅读更多精彩内容

  • ES6 http://es6.ruanyifeng.com 目录 1 let 和 const 命令 2 变量的解构...
    雪夜不下雪阅读 6,596评论 0 41
  • Swift1> Swift和OC的区别1.1> Swift没有地址/指针的概念1.2> 泛型1.3> 类型严谨 对...
    cosWriter阅读 5,101评论 1 19
  • 2017年10月5日完成 国画水墨山水画系列
    春城怡景阅读 85评论 1 8
  • 搞不懂为什么活着这么疲倦,更搞不懂我为什么这么贪生。
    若言喵喵阅读 89评论 1 2
  • 小王子曾游历在寂寞、悲凉、空虚的世界中,遇见了许多人:毫无目的寻找的人、永不满足的人、追求权威财富的人、与世隔绝的...
    洗心33阅读 18评论 0 0