certbot
song

Requesting a certificate from Let's Encrypt with Certbot's manual mode

Installing certbot

yum install epel-release -y
yum install certbot -y

Requesting a wildcard certificate

The command used for the request

sudo certbot certonly --manual --preferred-challenges=dns-01

Correction: when renewing, only this form worked for me

sudo certbot --manual --preferred-challenges dns certonly

certonly is a subcommand that only obtains or renews a certificate and does not install it. This lets you request the certificate from any internet-connected PC; it does not have to be your server.

The --manual option means the required information is supplied either interactively or by a shell script (hook). I have no script, so the default interactive mode is used.

The --preferred-challenges option selects how domain ownership is validated: http-01 is file-based validation, dns-01 is validation through a TXT record in DNS. DNS validation is used here; I have not tried file validation, since my goal is to request certificates independently of the server.

People usually also add the option --server https://acme-staging-v02.api.letsencrypt.org/directory to specify the Let's Encrypt server directory, but if you read Certbot's help carefully you will find this server is already the default, so it can be omitted here. (Caveat: the URL quoted is the staging directory, which issues test certificates that browsers do not trust; the log below shows that without --server Certbot connects to acme-v02.api.letsencrypt.org, the production directory.)

Submitting the information

After running the command above, Certbot enters interactive mode to collect the required information: first an email address, then the terms of service, which you must agree to.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): xxxxxxx@xxx.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Next comes a prompt about newsletter-style emails, which you can decline.

Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o: n

Enter the domain names. A wildcard does not cover the bare domain itself, so both must be entered, separated by a comma.

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): mikubar.xyz,*.mikubar.xyz

Proving domain ownership via DNS

Certbot then shows the DNS TXT records needed for validation. Note that "Press Enter to Continue" appears twice, each time with its own TXT validation string; the second time, be sure to wait until the DNS records have propagated before pressing Enter.

Requesting a certificate for mikubar.xyz and *.mikubar.xyz
Performing the following challenges:
dns-01 challenge for mikubar.xyz
dns-01 challenge for mikubar.xyz

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.mikubar.xyz with the following value:

1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXE

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.mikubar.xyz with the following value:

sXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXo

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

Press Enter to Continue

DNS record setup

Add two TXT records named _acme-challenge.mikubar.xyz to the domain's DNS zone.

You can use the following commands to check whether the DNS records have propagated; when querying, the record name must include the domain:

  • Linux: dig -t txt _acme-challenge.mikubar.xyz
  • Windows: nslookup -q=txt _acme-challenge.mikubar.xyz
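As an added check for this step (example code, not from the original post or from Certbot), the following Python script parses the output of dig +noall +answer -t txt and reports which expected validation values are still missing, so Enter is only pressed once both TXT records for the wildcard and the bare domain are live. The dig flags are real; the sample dig answer is constructed, and its name and values mirror the post's redacted output.

```python
"""Verify all ACME dns-01 TXT values are live before pressing Enter in certbot.

Added example (not from the post or Certbot): parses `dig +noall +answer -t txt`
output and reports which expected validation strings are still missing, so a
wildcard + bare-domain request (two TXT records, one name) is checked as a whole."""

import re
import subprocess
import sys
import time

# A dig answer line looks like:  name.  TTL  IN  TXT  "chunk1" "chunk2"
TXT_LINE = re.compile(r'^\S+\s+\d+\s+IN\s+TXT\s+(.*)$')
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Constructed sample: two records under one name, shaped like the post's output.
VAL_A = "1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXE"
VAL_B = "sXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXo"
SAMPLE_DIG = (f'_acme-challenge.mikubar.xyz. 300 IN TXT "{VAL_A}"\n'
              f'_acme-challenge.mikubar.xyz.\t300\tIN\tTXT\t"{VAL_B}"\n')

def txt_values_from_dig(dig_output: str) -> set:
    """Extract TXT rdata from dig output; adjacent quoted chunks are joined."""
    values = set()
    for line in dig_output.splitlines():
        m = TXT_LINE.match(line.strip())
        if m:
            chunks = QUOTED.findall(m.group(1))
            if chunks:
                values.add("".join(c.replace('\\"', '"') for c in chunks))
    return values

def missing_validations(expected, dig_output: str) -> list:
    """Return the expected validation values not yet visible in the answer."""
    live = txt_values_from_dig(dig_output)
    return [v for v in expected if v not in live]

def wait_until_deployed(name: str, expected, attempts: int = 20, delay: int = 15) -> bool:
    """Poll dig (assumed installed) until every value is live, or give up."""
    for _ in range(attempts):
        out = subprocess.run(["dig", "+noall", "+answer", "-t", "txt", name], capture_output=True, text=True).stdout
        missing = missing_validations(expected, out)
        if not missing:
            return True
        time.sleep(delay)
    return False

if __name__ == "__main__":
    # usage: python check_txt.py _acme-challenge.example.com VALUE1 VALUE2
    sys.exit(0 if wait_until_deployed(sys.argv[1], sys.argv[2:]) else 1)
```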

Obtaining the certificate

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mikubar.xyz/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mikubar.xyz/privkey.pem
Your certificate will expire on 2023-11-30. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

The certificate and key files are saved under /etc/letsencrypt/live/mikubar.xyz.

Manual renewal

Before the certificate expires, simply run the issuance command again by hand and repeat the DNS record setup; that is all.

Automatic renewal

~~

The four Let's Encrypt certificate files

| File | Description |
| --- | --- |
| cert.pem | The server certificate |
| chain.pem | The certificates the browser needs apart from the server certificate, such as the root and intermediate certificates |
| fullchain.pem | cert.pem and chain.pem combined |
| privkey.pem | The certificate's private key |