Generating a Let's Encrypt wildcard SSL certificate with certbot

1. Certificate renewal error

  • Problem description
    Renewing the SSL certificate fails with a "too many failed authorizations" error.

  • Cause analysis
    The domain being renewed has failed validation too many times within one hour; wait a while before validating again.

Note: the official documentation on this is at https://letsencrypt.org/docs/rate-limits/

The real root cause, though, is that we have requested too many free certificates with certbot; requesting a wildcard certificate instead is recommended.

2. Requesting a Let's Encrypt wildcard SSL certificate

Here we still use Certbot to issue the certificate.

Official documentation: https://certbot.eff.org/docs/using.html

  • Installing Certbot by the method on the official homepage does not let you use the latest Let's Encrypt v2 API, so add the parameter:
    --server https://acme-v02.api.letsencrypt.org/directory
  • The command is now:
    certbot certonly --standalone -d *.example.com --server https://acme-v02.api.letsencrypt.org/directory
  • The result is this message:
    Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
  • The cause is that DNS validation is not being used; add the parameter:
    --preferred-challenges dns
  • Digging through the official documentation shows that wildcard certificates require dns-01 validation. The documentation says this validation method can be automated, but that requires installing a plugin and using one of the following DNS providers:
    cloudflare
    cloudxns
    digitalocean
    dnsimple
    dnsmadeeasy
    google
    luadns
    nsone
    rfc2136
    route53
  • I use a free DNS service with no API for automated validation, so I add the parameter:
    --manual
  • To summarize, the final command is:
    certbot certonly --preferred-challenges dns --manual -d *.example.com --server https://acme-v02.api.letsencrypt.org/directory

When issuing the certificate, certbot prompts you to add a TXT record:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for *.aattec.com
Performing the following challenges:
dns-01 challenge for aattec.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.aattec.com with the following value:

1q3iA_qE3i7ytfNU-xSs0x4mhfij4TXuoXXlxbrQDMQ

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Add the TXT record in your DNS provider's management console, wait roughly five minutes for it to take effect, then press Enter.
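Rather than guessing at "about five minutes", you can confirm the record is visible before pressing Enter. The script below is an added example, not part of the original post or of certbot: it polls DNS with dig (from bind-utils/dnsutils, assumed installed) for the _acme-challenge name certbot printed and returns once the expected value appears. The record name, value and resolver are placeholders you supply on the command line; the parsing helper is separate so it can be checked against constructed dig output.

```shell
#!/bin/sh
# Added example (not from the original post): check that the _acme-challenge
# TXT record certbot asked for is really visible in DNS before pressing Enter.
# Assumes `dig` is installed. Name, value and resolver are placeholders.

# txt_has_value OUTPUT VALUE
# OUTPUT is what `dig +short TXT <name>` prints: one double-quoted string per
# line, possibly several lines, since more than one TXT record may live under
# the same name (for example when example.com and *.example.com are validated
# in the same run). Returns 0 if any line equals VALUE once the quotes that
# dig prints around TXT data are removed, 1 otherwise.
txt_has_value() (
    set -f                      # no globbing while we split on newlines
    IFS='
'
    for line in $1; do
        line=${line#\"}
        line=${line%\"}
        [ "$line" = "$2" ] && exit 0
    done
    exit 1
)

# wait_for_txt NAME VALUE [RESOLVER]
# Polls every 10 seconds, up to 30 times (5 minutes). Passing the zone's
# authoritative nameserver as RESOLVER avoids being fooled by a stale
# answer cached at your local resolver.
wait_for_txt() {
    name=$1 value=$2 resolver=${3:-}
    i=0
    while [ "$i" -lt 30 ]; do
        out=$(dig +short TXT "$name" ${resolver:+@"$resolver"} 2>/dev/null || true)
        if txt_has_value "$out" "$value"; then
            echo "TXT record for $name is live; safe to press Enter in certbot"
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "timed out waiting for TXT record $name" >&2
    return 1
}

# Usage: sh check-txt.sh _acme-challenge.example.com <value-from-certbot> [resolver]
if [ $# -ge 2 ]; then
    wait_for_txt "$@"
fi
```

Pressing Enter only after this check passes keeps a single premature attempt from counting against the hourly failed-validation limit described in section 1. Note also that a certificate obtained with --manual and no --manual-auth-hook cannot be renewed unattended by `certbot renew`; the TXT record step has to be repeated by hand at each renewal.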

Then just wait for issuance to complete:

Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/aattec.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/aattec.com-0001/privkey.pem
   Your certificate will expire on 2023-06-12. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Reposted from blog.csdn.net/cljdsc/article/details/129531017