Switching the blog's HTTPS certificate to a Let's Encrypt wildcard certificate
2018-07-14
Let's Encrypt has supported wildcard certificates since March this year. Many of my test environments use subdomains of frognew.com, so setting up a wildcard certificate will make things a lot more convenient. Before wildcard support, Let's Encrypt offered the following two kinds of certificate:
Single-domain certificate: the certificate contains only one hostname.
SAN certificate: one certificate can contain multiple hostnames. This is what I used before; every time a new subdomain was needed it had to be added with the expand command below, which is fairly tedious, and reportedly the number of hostnames per certificate is also limited:
certbot certonly --expand --cert-name frognew.com \
  --webroot \
  -d frognew.com \
  -d www.frognew.com \
  -d blog.frognew.com \
  -d k8s.frognew.com
To request a wildcard certificate, certbot has to be upgraded to version 0.22 or later:
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
yum install certbot

certbot --version
certbot 0.26.1
When certbot requests a Let's Encrypt certificate it validates ownership of the domain; for a wildcard certificate only the dns-01 challenge is supported, i.e. adding a DNS TXT record for the domain.
certbot certonly \
  -d *.frognew.com \
  -d frognew.com \
  --manual \
  --preferred-challenges dns \
  --server https://acme-v02.api.letsencrypt.org/directory

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.frognew.com with the following value:

UUN3Xf4jat9SWh_YssVK36P8EHaB2D40g0nInjyAN3w

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Next, following the prompt, add a DNS TXT record for _acme-challenge.frognew.com with the value UUN3Xf4jat9SWh_YssVK36P8EHaB2D40g0nInjyAN3w.
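An added example (not from the original post) for the "verify the record is deployed" step above: a small POSIX shell check that queries the zone's authoritative nameserver for the _acme-challenge TXT record and succeeds only when the exact token certbot printed is present. The hostname, token and apex in the comments are the ones from the prompt above; it assumes `dig` (bind-utils) is installed.

```shell
#!/bin/sh
# Added example, not part of the original post. Confirms the dns-01 TXT
# record certbot asked for is visible before you press Enter.
# Assumes `dig` from bind-utils is installed.

# Pure check: reads `dig +short TXT` output on stdin and exits 0 if any
# TXT value equals the expected token. dig prints each record as one or
# more double-quoted strings, so strip the quotes and join the chunks.
txt_has_value() {
    expected="$1"
    while IFS= read -r line; do
        value=$(printf '%s' "$line" | sed 's/" "//g; s/^"//; s/"$//')
        [ "$value" = "$expected" ] && return 0
    done
    return 1
}

# Ask the apex zone's first authoritative nameserver directly, so a stale
# answer cached by the local resolver cannot hide (or fake) the record.
# Usage: check_acme_challenge _acme-challenge.frognew.com <token> frognew.com
check_acme_challenge() {
    name="$1"; expected="$2"; apex="$3"
    ns=$(dig +short NS "$apex" | head -n 1)
    [ -n "$ns" ] || { echo "no NS record found for $apex" >&2; return 2; }
    dig +short TXT "$name" "@$ns" | txt_has_value "$expected"
}

# When run as a script with three arguments, report the result.
if [ $# -eq 3 ]; then
    if check_acme_challenge "$1" "$2" "$3"; then
        echo "TXT record is live; safe to press Enter in certbot"
    else
        echo "TXT record not visible on the authoritative server yet"
        exit 1
    fi
fi
```

Checking the authoritative server rather than the local resolver matters because Let's Encrypt looks the record up from its own vantage point, and a cached answer can claim the record exists (or is missing) long after the zone changed. Because the certificate is issued with --manual, renewal will repeat this TXT step, so keeping the check scripted pays off.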
Once the TXT record has been added, press Enter to continue:
Press Enter to Continue
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/frognew.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/frognew.com-0001/privkey.pem
......
The certificate and private key are saved in the /etc/letsencrypt/live/frognew.com-0001 directory.