Let’s Encrypt has supported wildcard certificates since March of this year. Many of my personal test environments use subdomains of frognew.com, so moving to a wildcard certificate will make things much more convenient. Before wildcard support, Let’s Encrypt offered the following two kinds of certificate:

  • Single-domain certificate: the certificate covers only one host.
  • SAN certificate: one certificate can cover multiple hosts. This is what I used before; each time a new subdomain was needed, the certificate had to be expanded with the command below, which is rather tedious, and reportedly there is a limit on the number of hosts a certificate can carry:

    ```
    certbot certonly --expand --cert-name frognew.com \
      --webroot \
      -d frognew.com \
      -d www.frognew.com \
      -d blog.frognew.com \
      -d k8s.frognew.com
    ```

To request a wildcard certificate, certbot must be upgraded to version 0.22 or later:

```
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
yum install certbot

certbot --version
certbot 0.26.1
```

When certbot requests a Let’s Encrypt certificate it verifies ownership of the domain; for a wildcard certificate only the dns-01 challenge is supported, which means adding a DNS TXT record for the domain.

```
certbot certonly  \
 -d *.frognew.com \
 -d frognew.com \
 --manual \
 --preferred-challenges dns \
 --server https://acme-v02.api.letsencrypt.org/directory

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.frognew.com with the following value:

UUN3Xf4jat9SWh_YssVK36P8EHaB2D40g0nInjyAN3w

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
```

Next, following the prompt, add a DNS TXT record for the name _acme-challenge.frognew.com with the value UUN3Xf4jat9SWh_YssVK36P8EHaB2D40g0nInjyAN3w. Once the TXT record is in place, press Enter to continue:

```
Press Enter to Continue
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/frognew.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/frognew.com-0001/privkey.pem
......
```

The certificate and private key are saved in the /etc/letsencrypt/live/frognew.com-0001 directory.
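The certbot prompt above says to verify the record is deployed before pressing Enter, and a record that has not propagated yet is the usual reason a manual dns-01 attempt fails. The script below is an added example, not part of the original post or of certbot: it queries the `_acme-challenge` name with `dig` (assumed to be installed) and passes only when every expected value is present as a TXT record. It accepts several values because `*.frognew.com` and `frognew.com` are both validated at the same name `_acme-challenge.frognew.com`, so certbot asks for a second TXT record for the second name and both must be visible at once.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): confirm the _acme-challenge TXT
# record(s) certbot asked for are visible in DNS before pressing Enter.
# Assumes `dig` (bind-utils / dnsutils) is installed. The record name and
# the value below are the ones shown in the certbot prompt above.

# txt_values_present DIG_OUTPUT EXPECTED...
# Pure check: DIG_OUTPUT is the text `dig +short TXT` printed (one quoted
# value per line). Returns 0 only if every EXPECTED value is present as a
# whole record, so a truncated or mistyped value is rejected.
txt_values_present() {
  local output="$1"; shift
  local expected
  for expected in "$@"; do
    # dig wraps each TXT value in double quotes; require an exact full-line match
    printf '%s\n' "$output" | grep -Fxq "\"$expected\"" || return 1
  done
  return 0
}

# check_acme_txt NAME RESOLVER EXPECTED...
# Live lookup against a specific resolver (a public one, or your zone's
# authoritative server) so a stale local cache cannot give a false pass.
# Returns 0 when all values are present, 1 when some are missing, 2 on lookup error.
check_acme_txt() {
  local name="$1" resolver="$2"; shift 2
  local out
  out=$(dig +short TXT "$name" "@$resolver") || return 2
  txt_values_present "$out" "$@"
}

# Usage (run in another terminal while certbot waits at "Press Enter to Continue"):
#   until check_acme_txt _acme-challenge.frognew.com 8.8.8.8 \
#         UUN3Xf4jat9SWh_YssVK36P8EHaB2D40g0nInjyAN3w; do sleep 15; done
```

Poll with the loop in the usage comment until it succeeds, then press Enter in certbot; when certbot prompts for the second value, add that record alongside the first (do not replace it) and run the check again with both values.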

References