Let's Encrypt has supported wildcard certificates since March of this year. Many of my test environments use subdomains of frognew.com, so getting wildcard certificates working brings a lot of convenience. Before wildcard support, Let's Encrypt offered two kinds of certificate:

  • Single-name certificate: the certificate covers exactly one host.

  • SAN certificate: one certificate covers several hosts. This is what I used before; every time a new subdomain was needed, the certificate had to be expanded with the command below, which is tedious, and the number of hosts per certificate is reportedly limited:

    certbot certonly --expand --cert-name frognew.com \
    --webroot \
    -d frognew.com \
    -d www.frognew.com \
    -d blog.frognew.com \
    -d k8s.frognew.com


To request a wildcard certificate, certbot has to be upgraded to version 0.22 or later:

wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
yum install certbot

certbot --version
certbot 0.26.1

When certbot requests a Let's Encrypt certificate it verifies ownership of the domain. For a wildcard certificate only the dns-01 challenge is accepted, i.e. control is proven by adding a DNS TXT record under the domain.

certbot certonly  \
 -d *.frognew.com \
 -d frognew.com \
 --manual \
 --preferred-challenges dns \
 --server https://acme-v02.api.letsencrypt.org/directory

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.frognew.com with the following value:

UUN3Xf4jat9SWh_YssVK36P8EHaB2D40g0nInjyAN3w

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Next, as the prompt says, add a DNS TXT record for _acme-challenge.frognew.com with the value UUN3Xf4jat9SWh_YssVK36P8EHaB2D40g0nInjyAN3w. Once the TXT record is in place, press Enter to continue:

Press Enter to Continue
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/frognew.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/frognew.com-0001/privkey.pem
......
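The prompt above asks you to verify that the record is deployed before continuing. Let's Encrypt looks the record up in public DNS, not in your local resolver cache, so the check should go through a public resolver as well. The helper below is an added example and not part of the original post; it assumes dig (package bind-utils on CentOS) is installed, the name and value come from the certbot prompt above, and the resolver address and polling interval are assumptions. It accepts any number of TXT values at the name, which matters when the apex and the wildcard are requested together: certbot then prompts twice for _acme-challenge.frognew.com, once per requested domain, and both TXT records have to be present at the same time.

```shell
#!/bin/sh
# Confirm that the _acme-challenge TXT record certbot asked for is visible
# in public DNS before pressing Enter. Added example; assumes `dig`.

# Normalise `dig +short TXT` output: drop the surrounding quotes and join
# a value that dig printed as several quoted chunks.
txt_values() {
  sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# has_txt_value EXPECTED: read dig output on stdin and succeed if EXPECTED
# is one of the TXT values. The name may hold several values at once (one
# per challenge when apex and wildcard are requested together).
has_txt_value() {
  txt_values | grep -qxF -- "$1"
}

# wait_for_txt NAME EXPECTED [RESOLVER] [ATTEMPTS]: poll a public resolver
# (assumed 1.1.1.1 by default) every 10 s until the record shows up; fail
# after ATTEMPTS tries so a typo in the record does not hang forever.
wait_for_txt() {
  name=$1; expected=$2; resolver=${3:-1.1.1.1}; attempts=${4:-30}
  i=0
  while [ "$i" -lt "$attempts" ]; do
    if dig +short TXT "$name" @"$resolver" | has_txt_value "$expected"; then
      echo "$name: TXT $expected is visible via $resolver"
      return 0
    fi
    i=$((i + 1))
    sleep 10
  done
  echo "$name: TXT $expected not visible after $attempts attempts" >&2
  return 1
}

# Usage, with the name and value from the certbot prompt:
#   wait_for_txt _acme-challenge.frognew.com UUN3Xf4jat9SWh_YssVK36P8EHaB2D40g0nInjyAN3w
```

Only after wait_for_txt returns successfully is it safe to press Enter; if it times out, the record was typically added under the wrong name (the TXT record goes on the _acme-challenge label, not on the domain itself) or the zone has not been published yet.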

The certificate and private key are saved in the directory /etc/letsencrypt/live/frognew.com-0001.
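Note the -0001 suffix: certbot appends it when a lineage named frognew.com already exists (here the earlier SAN certificate), so the new wildcard certificate is a separate lineage and the web server configuration has to be pointed at the new path. Before doing that, it is worth confirming that the issued certificate really contains both *.frognew.com and frognew.com and checking how far it is from expiry. The helpers below are an added example, not part of the original post; they assume openssl 1.1.1 or newer, and the self-signed sample certificate they generate for trying the checks is a constructed stand-in, not a Let's Encrypt certificate.

```shell
#!/bin/sh
# Inspect the certificate certbot wrote to /etc/letsencrypt/live/<lineage>/:
# does it cover the requested names, and is it close to expiry?
# Added example; assumes openssl 1.1.1 or newer.

# cert_sans CERT: print the DNS names from the subjectAltName extension,
# one per line (e.g. "*.frognew.com" and "frognew.com"). For fullchain.pem
# openssl reads the first certificate in the file, i.e. the leaf.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_covers CERT HOST: succeed if HOST matches a SAN exactly or matches a
# wildcard SAN. A wildcard covers exactly one label (blog.frognew.com), not
# the apex (frognew.com) and not deeper names (a.b.frognew.com), which is
# why the apex has to be requested explicitly alongside *.frognew.com.
cert_covers() {
  host=$2
  parent=${host#*.}
  while read -r san; do
    [ "$san" = "$host" ] && return 0
    if [ "${san%%.*}" = '*' ] && [ "$host" != "$parent" ] \
       && [ "${san#\*.}" = "$parent" ]; then
      return 0
    fi
  done <<EOF
$(cert_sans "$1")
EOF
  return 1
}

# cert_expires_within CERT DAYS: succeed if the certificate expires within
# DAYS days, i.e. it is time to renew (Let's Encrypt certificates are valid
# for 90 days; certbot renews once fewer than 30 remain).
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(($2 * 86400)) >/dev/null
}

# make_sample_cert OUT: a throwaway self-signed certificate with the same
# names as the one issued above, so the checks can be tried without
# touching /etc/letsencrypt. Constructed sample, not a Let's Encrypt cert.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days 90 -subj '/CN=*.frognew.com' \
    -addext 'subjectAltName=DNS:*.frognew.com,DNS:frognew.com' >/dev/null 2>&1
}

# Usage against the real lineage:
#   cert=/etc/letsencrypt/live/frognew.com-0001/fullchain.pem
#   cert_sans "$cert"
#   cert_covers "$cert" k8s.frognew.com && echo "k8s.frognew.com is covered"
#   cert_expires_within "$cert" 30 && echo "renew now"
```

Because this certificate was obtained with --manual and no authentication hook, certbot renew cannot complete the dns-01 challenge on its own, so cert_expires_within is a useful cron check for when the manual run has to be repeated.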

References