ssl - 使用certbot 申请ssl wildcard证书

访问量: 33

refer to: https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal

1 打开这个页面后,先选择你的web server 和 操作系统:

2. 选择 wild card: 

3. 查看你的域名DNS提供商是否支持(可以看到, cloudflare, digitalocean, google, linode 都是可以被直接支持的,安装对应的plugin就好了)

接下来我们以cloudflare为例子

4. 安装snapd  

sudo apt install snapd

sudo snap install core; sudo snap refresh core

sudo apt-get remove certbot

5. 开始安装 certbot: 

sudo snap install --classic certbot

sudo ln -s /snap/bin/certbot /usr/bin/certbot

sudo snap set certbot trust-plugin-with-root=ok

6. 安装plugin 

sudo snap install certbot-dns-cloudflare

7. 设置credentials :  参考:  https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins

我的DNS提供商是cloudflare, 所以就选择了 https://certbot-dns-cloudflare.readthedocs.io/en/stable/

7.1 创建一个文件   ~/cloudflare.ini , 内容如下:

dns_cloudflare_api_token=O4c???????????????????????????????????

然后 chmod 700 ~/cloudflare.ini

7.2 创建证书  (假设你的域名是 lueluelue.com ) 

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/cloudflare.ini -d lueluelue.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): shensiwei@sina.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for lueluelue.com
Unsafe permissions on credentials configuration file: /home/ubuntu/cloudflare.ini
Waiting 10 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/lueluelue.com/fullchain.pem   (重要)
Key is saved at:         /etc/letsencrypt/live/lueluelue.com/privkey.pem     (重要)
This certificate expires on 2022-06-24.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

在上面产生的文件中, 

Certificate is saved ....  fullchain.pem , 这个就是阿里云上的.pem文件

Key is saved at : . ...... privkey.pem  这个就是 阿里云上的.key 文件 

(上面2句是我乱猜的, 因为官方文档到这里就没有了)

实际上我们去购买SSL证书的时候,最后获得的也就是这两个文件 

订阅/RSS Feed

Subscribe