Switching the blog's HTTPS certificate to a Let's Encrypt wildcard certificate

2018-07-14 | HTTPS

Let's Encrypt has supported wildcard certificates since March of this year. Many of my test environments use subdomains of frognew.com, so getting a wildcard certificate working will make things much more convenient. Before wildcard support, Let's Encrypt offered the following two kinds of certificates:

  • Single-domain certificate: the certificate covers only one hostname
  • SAN certificate: one certificate covers multiple hostnames. This is what I used before. Every time a new subdomain had to be added, the certificate had to be expanded with the command below, which is tedious, and the number of hostnames is reportedly limited:
    certbot certonly --expand --cert-name frognew.com \
    --webroot \
    -d frognew.com \
    -d www.frognew.com \
    -d blog.frognew.com \
    -d k8s.frognew.com

To request a wildcard certificate, certbot must be upgraded to version 0.22 or later:

wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
yum install certbot

certbot --version
certbot 0.26.1

When certbot requests a Let's Encrypt certificate it validates ownership of the domain. For a wildcard certificate only the dns-01 challenge is supported, i.e. proving control by adding a DNS TXT record under the domain.

certbot certonly  \
 -d *.frognew.com \
 -d frognew.com \
 --manual \
 --preferred-challenges dns \
 --server https://acme-v02.api.letsencrypt.org/directory

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.frognew.com with the following value:

UUN3Xf4jat9SWh_YssVK36P8EHaB2D40g0nInjyAN3w

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Next, following the prompt, add a DNS TXT record for _acme-challenge.frognew.com with the value UUN3Xf4jat9SWh_YssVK36P8EHaB2D40g0nInjyAN3w. Once the TXT record is in place, press Enter to continue:

Press Enter to Continue
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/frognew.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/frognew.com-0001/privkey.pem
......

The certificate and private key are saved in the /etc/letsencrypt/live/frognew.com-0001 directory.
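Let's Encrypt validates the TXT record from the outside, so before pressing Enter in the manual step above it is worth confirming the record is already visible from a public resolver; the pre-flight check below is an added example, not code from the original post or from certbot. It assumes `dig` is installed, and because the command requests both *.frognew.com and frognew.com, certbot prompts for two values under the same _acme-challenge name, so the check takes a set of expected values per name.

```python
"""Pre-flight check for the certbot --manual dns-01 step (added example):
are all expected _acme-challenge TXT values visible in public DNS yet?"""
import subprocess
from typing import Callable, Dict, Set

CHALLENGE_LABEL = "_acme-challenge"


def challenge_name(identifier: str) -> str:
    """TXT record name certbot prompts for. '*.frognew.com' and 'frognew.com'
    both validate at _acme-challenge.frognew.com, so requesting both (as the
    command above does) means two TXT records must coexist under one name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"{CHALLENGE_LABEL}.{base}"


def parse_dig_short(output: str) -> Set[str]:
    """Parse `dig +short TXT` output: one record per line; a long value may
    be split into several quoted chunks ("abc" "def"), which are joined."""
    values = set()
    for line in output.splitlines():
        chunks = [c.strip() for c in line.split('"') if c.strip()]
        if chunks:
            values.add("".join(chunks))
    return values


def dig_txt(name: str, nameserver: str = "8.8.8.8") -> Set[str]:
    """Ask a public resolver (assumes `dig` is installed), not the local
    cache, so the answer reflects what Let's Encrypt will see."""
    out = subprocess.run(["dig", "+short", "TXT", name, f"@{nameserver}"],
                         capture_output=True, text=True, check=True).stdout
    return parse_dig_short(out)


def missing_records(expected: Dict[str, Set[str]],
                    resolve: Callable[[str], Set[str]] = dig_txt) -> Dict[str, Set[str]]:
    """Per challenge name, the expected values not yet visible in DNS.
    An empty result means it is safe to press Enter in certbot."""
    missing = {}
    for name, wanted in expected.items():
        gap = wanted - resolve(name)
        if gap:
            missing[name] = gap
    return missing


if __name__ == "__main__":
    # First value as shown by certbot above; the second is a placeholder for
    # the value certbot prompts for next (the frognew.com challenge).
    expected = {challenge_name("*.frognew.com"): {
        "UUN3Xf4jat9SWh_YssVK36P8EHaB2D40g0nInjyAN3w", "<second value from certbot>"}}
    gaps = missing_records(expected)
    print("all records visible" if not gaps else f"still missing: {gaps}")
```

Run it repeatedly until it reports no missing values; a stale answer from a single resolver usually means the record has not propagated yet, not that it is wrong.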

Title: Switching the blog's HTTPS certificate to a Let's Encrypt wildcard certificate
Link to this post: https://blog.frognew.com/2018/07/lets-encrypt-wildcard-certificates.html
Please credit the source when reposting.