Certbot: issuing and renewing wildcard SSL certificates (validating domain ownership through DNS TXT records)

When you use Let's Encrypt to obtain a free HTTPS certificate, Let's Encrypt has to validate the domain name to make sure it really belongs to you.
Previously the default file (HTTP) validation method kept failing with strange problems and I had no good way around it, so I switched to validating through a DNS TXT record. It also seems that if you apply for a wildcard certificate, this is the only validation method you can use.

Originally I only planned to write up the DNS-record validation method in this article, but since I have never written about using certbot to issue free Let's Encrypt SSL certificates, I will walk through the whole process.

1. Install Certbot

1.1 Install according to the instructions on the official website

First go to the Certbot official website and choose the server software and operating system you use; the page takes you to the matching installation documentation. Install according to the instructions there.

1.2 Install using automatic installation script

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto # give the script execute permission

After that you can use this script directly to issue certificates and perform other operations; the dependencies are installed automatically the first time the script runs.
Note that the Certbot project has since deprecated certbot-auto, so the package-manager or snap installation from 1.1 is the route to prefer on a current system.

The official site has you install certbot through the system package manager, after which you can run the certbot command directly.
In the description below, the commands assume certbot is used directly.
If you use the certbot-auto script instead, replace certbot in the commands below with ./certbot-auto.

2. Obtain an SSL certificate

2.1 Obtain the issuing certificate (standalone)

Run certbot's certonly command directly to start issuance:

certbot certonly

Following the prompts, first choose the mode, usually standalone (to use standalone you must first stop nginx or any other web server), then list the domain names to be signed as prompted. Validation then starts, and once it passes the generated certificate files are saved.

2.2 Obtain a pan-domain name issuance certificate

Obtaining a wildcard certificate (manual mode, validating domain ownership through DNS TXT records) is what this article is really about. In my experience, issuing a certificate this way is more reliable.

certbot certonly  --preferred-challenges dns -d "*.example.com" -d example.com --manual

This command performs issuance with manual DNS validation.
Here I use example.com as the domain to be signed. -d is followed by one domain name; if several domain names need to be signed, remember to put -d before each one.
I specified two -d parameters because the wildcard *.example.com covers only the subdomains, not the bare example.com itself; if you also want to use example.com directly, you must include it separately.

After pressing Enter you will be prompted to add a TXT record for your domain name.

The prompt asks you to add a TXT record named _acme-challenge under the domain, whose value is a generated string.
You just need to add it at your DNS provider. If you passed several different subdomains with -d, a record must be added for each of them: after adding the record value for one domain and pressing Enter in the console, you are prompted with the record value for the next one.

After saving the record, it's a good idea to check that it actually resolves.
Run the following in another terminal (remember to replace example.com):

nslookup -type=txt _acme-challenge.example.com 8.8.8.8
# or
dig -t txt _acme-challenge.example.com

If the output contains the record value you added, the record is in place.

Now press Enter in the console to continue. Barring accidents, the issued certificate files are saved and the console prints their location. Generally they are stored under /etc/letsencrypt/live/example.com/.

There are generally four files in this directory:

cert.pem: Server certificate
chain.pem: the intermediate certificate(s) a browser needs in order to build the chain to the server certificate
fullchain.pem: cert.pem + chain.pem
privkey.pem: The private key of the certificate

We generally use fullchain.pem and privkey.pem.

3. Configure and use certificates in Nginx

I won't go into detail here. It is basically enough to set ssl_certificate and ssl_certificate_key in the server block listening on port 443.
Here is an example of my own.

server {
    listen  443 ssl;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_session_timeout 10m;
    # TLSv1 and TLSv1.1 are deprecated; keep them only if you must support very old clients
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
        # your own configuration;
    }
}

4. Certificate renewal and cancellation

4.1 Renewal

A free Let's Encrypt certificate is valid for 3 months and must be renewed before it expires.
If you entered an email address when signing with certbot for the first time, a reminder email is sent before the certificate is about to expire.

To renew manually, use the following command. With --dry-run, certbot only tests the renewal process against the staging environment and does not replace any certificate; drop the flag to renew for real.

certbot renew --dry-run

To set up automatic renewal, you only need a command that cron runs regularly. Run crontab -e to open the crontab and add the following line.

0 3 */7 * * /bin/certbot renew --renew-hook "/where/your/nginx -s reload" 

This entry means: every 7 days at 3 o'clock at night, run the renewal check command automatically, and after a renewal completes, reload nginx so it picks up the new certificate.

After adding it, restart the cron service.

service crond restart

Automatic renewal of wildcard certificates validated through DNS TXT records is a bit more troublesome: we need the API provided by the DNS service provider so that, when the certificate is renewed, the TXT record is added and updated automatically. Naturally this requires the API key the DNS provider issues to its users, which must be kept secure.
I will first list some DNS plug-ins; see each plug-in's page for installation and usage details. Other third-party DNS plug-ins can also be found on GitHub.

List of DNS plug-ins provided by certbot
Alibaba Cloud DNS plug-in
dnspod plug-in (Tencent Cloud)

I am using DNSPod here, so I will only describe the case of using the dnspod plug-in.

  • Download the certbot-auth-dnspod script

wget https://raw.githubusercontent.com/al-one/certbot-auth-dnspod/master/certbot-auth-dnspod.sh
chmod +x certbot-auth-dnspod.sh

  • Get your DNSPod token

After logging in to DNSPod, find "API Token" under User Center -> Security Settings in the console. Create a token and copy its id and token.

  • Configure the token information

echo "id,token" > /etc/dnspod_token

Replace id and token with the real values you just copied, and restrict the file's permissions so that only root can read it, since the token grants control over your DNS zone. Then you can use the plug-in to renew.

certbot renew --manual --preferred-challenges dns --manual-auth-hook /path/to/certbot-auth-dnspod.sh --force-renewal

If you want to renew automatically, add the following line to crontab and restart the cron service; the procedure was described above and is not repeated here.

29 3 1 * * root /bin/certbot renew --manual --preferred-challenges dns  --manual-auth-hook /path/to/certbot-auth-dnspod.sh --force-renewal --post-hook "/where/your/nginx -s reload"  

This performs a forced certificate renewal at 3:29 on the 1st of every month and then reloads nginx. Note the user field root: that is the format of /etc/crontab or a file under /etc/cron.d; in a crontab opened with crontab -e that field does not exist and must be omitted.

Of course, the plug-in can also be used for automatic DNS validation when applying for the certificate in the first place.

certbot certonly --manual --preferred-challenges dns-01 --email [email protected] -d laravel.run -d *.example.com --server https://acme-v02.api.letsencrypt.org/directory --manual-auth-hook /path/to/certbot-auth-dnspod.sh 
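As an added example (not from the original post and not part of certbot-auth-dnspod), the helper below ties the manual DNS step in section 2.2 to the hook mechanism used here: certbot hands a --manual-auth-hook the domain and validation string in the CERTBOT_DOMAIN and CERTBOT_VALIDATION environment variables, the hook derives the _acme-challenge record name (the wildcard and the bare domain share one name, so both TXT values must exist at the same time), and it polls dig against a public resolver, as the post recommends, until the value is visible. Publishing the record through the provider's API is assumed to have already been done by a script such as the dnspod one above.

```python
"""Propagation check for a certbot --manual-auth-hook (added example).
Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; the record
name is _acme-challenge.<domain> with any leading "*." dropped."""
import os
import subprocess
import sys
import time

def challenge_record_name(domain: str) -> str:
    """*.example.com and example.com both validate at _acme-challenge.example.com,
    so that single name must hold both TXT values at the same time."""
    if domain.startswith("*."):
        domain = domain[2:]
    return "_acme-challenge." + domain.rstrip(".")

def record_names_for(domains: list[str]) -> dict[str, list[str]]:
    """Group the -d domains by record name; two domains in one group means two
    TXT records with the same name (do not overwrite the first with the second)."""
    names: dict[str, list[str]] = {}
    for d in domains:
        names.setdefault(challenge_record_name(d), []).append(d)
    return names

def parse_txt_answers(dig_short_output: str) -> list[str]:
    """Parse `dig +short` TXT output: one answer per line, possibly split into
    several quoted chunks ("abc" "def") that have to be joined back together."""
    answers = []
    for line in dig_short_output.splitlines():
        line = line.strip()
        if line:
            answers.append("".join(line.strip('"').split('" "')))
    return answers

def wait_for_txt(name: str, expected: str, resolver: str = "8.8.8.8",
                 attempts: int = 12, delay: int = 10) -> bool:
    """Poll a public resolver until the expected TXT value is visible."""
    for _ in range(attempts):
        out = subprocess.run(["dig", "+short", "-t", "txt", name, "@" + resolver],
                             capture_output=True, text=True).stdout
        if expected in parse_txt_answers(out):
            return True
        time.sleep(delay)
    return False

if __name__ == "__main__":  # run by certbot once the provider API has published the record
    name = challenge_record_name(os.environ["CERTBOT_DOMAIN"])
    sys.exit(0 if wait_for_txt(name, os.environ["CERTBOT_VALIDATION"]) else 1)
```

A non-zero exit from the hook makes certbot abort the challenge instead of asking Let's Encrypt to look up a record that has not propagated yet.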

4.2 Revocation

Use the following command to view the issued certificates, including each certificate's name, the domain names it covers, its expiry time, and the certificate file path:

certbot certificates

Find the certificate you want to revoke, copy the path to its certificate file, and revoke it with the following command:

certbot revoke --cert-path /etc/letsencrypt/live/example.com/fullchain.pem

Reference link: https://blog8.flyky.org/20191108/certbot-DNS-TXT-check/

Origin blog.csdn.net/cljdsc/article/details/133461361