Certbot(Let's Encrypt)是一个非盈利性认证机构通过运行互联网安全研究小组(ISRG)提供X.509 证书的传输层安全性不收取任何费用(TLS)加密。证书有效期为90天,在此期间可以随时续订。提供一个自动化流程,旨在克服安全网站的手动创建,验证,签名,安装和续订证书。
前言
因不想在部署环境安装Certbot -> 强迫症 哈哈哈,所以将在其他机子上申请SSL证书(使用手动模式DNS验证) 官方文档
材料
- 属于自己的域名(可以修改解析的)。
- 可联网的Linux系统(这里是CentOS7)。
安装环境
Certbot包在EPEL中,需要先安装epel-release,再安装certbot。
[root@localhost ~]: yum install epel-release -y
…………
[root@localhost ~]: yum install certbot -y
…………
另一种获取Certbot环境的方式(官方文档):
[root@localhost ~]: wget https://dl.eff.org/certbot-auto
[root@localhost ~]: chmod a+x ./certbot-auto
申请SSL证书
certbot certonly --manual --preferred-challenges dns -d 域名
(多个域名就继续加参数-d 域名A -d 域名B)
添加域名解析TXT记录。
然后到/etc/letsencrypt/目录下找到对应域名的证书即可。
以下为详细操作步骤:
[root@localhost ~]: certbot certonly --manual --preferred-challenges dns -d www.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
这里输入一个邮箱(用于紧急更新或安全通知)。
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a
这里输入a同意。
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
如果想接收一些新闻推广之类的邮件就输入y,否则n。
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for www.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
这里输入y(必须同意记录IP才会继续处理)。
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.www.example.com with the following value:
EblBJHP……EUNACE
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
打开域名解析,添加主机记录_acme-challenge.www,选择记录类型为TXT, 记录值为EblBJHP……EUNACE(给你提供的一段字符串)。
回到CentOS,最好等待几分钟,然后按Enter继续。等待验证。
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.example.com/privkey.pem
Your cert will expire on 2019-06-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
…………
这里提示证书、私钥保存的位置以及证书的有效期。
附
删除证书及配置信息
[root@localhost ~]: certbot delete
[root@localhost ~]: rm -rf /etc/letsencrypt/accounts/*
附2
本机站点根目录的验证方式
[root@localhost ~]: certbot certonly --webroot -w /opt/web -d www.example.com
附3
7天之内每个域名地址最多只能成功申请5个哟。查看更多限制
附4
证书续期(这个不在限制范围内的哦)
[root@localhost ~]: certbot renew