通过Let's Encrypt 生成免费SSL证书 有效期是3个月
1.下载工具certbot-auto
wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto2.生成证书,默认会安装openssl-devel等依赖包
# 需要root 权限
# 按照提示输入 邮箱地址,是否遵从相关权益等操作
# 注:在提示域名解析后在敲回车操作部分
[root@BOSS_SUPPORT_ADP ~]# ./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.xxapp.com" --manual --preferred-challenges dns-01 certonly3.如果一路回车错过域名解析部分会提示报错
# 可以重新执行以上部操作
[root@BOSS_SUPPORT_ADP ~]# ./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.xxapp.com" --manual --preferred-challenges dns-01 certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for xxapp.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y ########### 输入 Y 之后,请勿敲回车
########### 在域名解析商 做 TXT 解析
# _acme-chxxxxxxnge.xxapp.com TXT解析到 tvz7vfOMn9QT4XPxxxxxnvYygohV-scq72E0B_366s
# 解析测试 dig _acme-chxxxxxxnge.xxapp.com txt # 成功后 敲回车
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.xxapp.com with the following value:
tvz7vfOMn9QT4XPxxxxxnvYygohV-scq72E0B_366s
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/xxapp.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/xxapp.com/privkey.pem
Your cert will expire on 2019-04-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le4.证书生成位置
# 下相应的域名
/etc/letsencrypt/live/5.证书名称类型
-rw-r--r-- 1 root root 1907 Jan 22 03:07 cert1.pem # 证书正文
-rw-r--r-- 1 root root 1647 Jan 22 03:07 chain1.pem #
-rw-r--r-- 1 root root 3554 Jan 22 03:07 fullchain1.pem # cert1.pem和chain1.pem 合并的证书 用于证书链
-rw------- 1 root root 1704 Jan 22 03:07 privkey1.pem # 证书秘钥 key6.自动更新已申请的ssl证书
certbot 提供了更新证书的命令cerbot renew,会自动更新所有已申请的ssl证书。