Requesting a Let's Encrypt certificate with certbot


Background

Because certbot-auto is no longer supported on any operating system!

According to the maintainers, the certbot team considered it a heavy burden to keep certbot-auto working on almost every popular UNIX system and in all kinds of environments; on top of that, certbot-auto was written in Python 2, which was reaching end of life, and porting it to Python 3 would have taken a great deal of work. The team therefore decided to stop maintaining certbot-auto.

So can we still use certbot? Yes: the certbot team has moved to a new snap-based distribution method.


Installation steps

  • snapd is installed here only to obtain certbot. The original post treats it as disposable afterwards (stopped, not enabled at boot); note however that the renewal timer certbot reports at the end of issuance is the snap's own systemd timer and runs certbot through snap run, so if you stop snapd, confirm that /snap/bin/certbot still runs or plan to renew by hand. On CentOS 7 the snapd package comes from EPEL (install epel-release first).
    yum install snapd -y
    
    service snapd start
    
    ln -s /var/lib/snapd/snap /snap
    
    sudo snap install core; sudo snap refresh core
    
    sudo snap install --classic certbot
    

Requesting the certificate

  • The following requests a wildcard certificate for *.nestealin.com (covering all third-level names) together with the bare domain nestealin.com as an example. Wildcard names can only be validated with the dns-01 challenge, which is why --preferred-challenges dns-01 and --manual are used.
sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d "*.nestealin.com" -d "nestealin.com" --manual --preferred-challenges dns-01 certonly

Notes

  • The first step asks for an email address

    • or add --register-unsafely-without-email to the command to skip it (you then receive no expiry or security notices for the account)
  • Then answer y to the prompts. Two TXT record validations follow, one per requested name, and both land under the same name _acme-challenge.nestealin.com; add them in your DNS provider's console and keep both in place until issuance finishes

  • At each prompt, confirm with dig that the record is visible from a public resolver before pressing Enter; if validation fails, the command has to be run again

  • Because the certificate was obtained with --manual, certbot renew cannot complete the dns-01 challenge unattended: renewal needs either rerunning the command interactively before expiry, or --manual-auth-hook (and --manual-cleanup-hook) scripts that publish and remove the TXT records

    • For example:
      dig txt _acme-challenge.nestealin.com @8.8.8.8
      
      >>> (!! look mainly at the ANSWER SECTION !!)
      ; <<>> DiG 9.10.6 <<>> txt _acme-challenge.nestealin.com @8.8.8.8
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8496
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 512
      ;; QUESTION SECTION:
      ;_acme-challenge.nestealin.com.	IN	TXT
      
      ;; ANSWER SECTION:
      _acme-challenge.nestealin.com. 599 IN	TXT	"wXdwlR5e-5QkzVhNUCaDPuBBg81Ncp179Ed1Xe3o9Zk"
      _acme-challenge.nestealin.com. 599 IN	TXT	"Hhx2L3fyt2Rhk3rB13UqdKKB2RpvVZhgnLQ8v9WG3q4"
      
      ;; Query time: 83 msec
      ;; SERVER: 8.8.8.8#53(8.8.8.8)
      ;; WHEN: Sat Jun 19 20:18:07 CST 2021
      ;; MSG SIZE  rcvd: 170
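The dig check above can be scripted so that the record is polled until every expected token is visible, which is also the waiting step a --manual-auth-hook needs if renewal is to be automated. The script below is an added example written for this article (it is not certbot's code and not from the original post). It assumes dig is installed; the RESOLVER, TIMEOUT and INTERVAL names are chosen here, and the two token values in the usage comment are simply reused from the session transcript above.

```sh
#!/bin/sh
# wait_for_txt.sh -- added example for this article, not part of certbot.
# Polls a public resolver until every expected _acme-challenge TXT value is
# visible, so you only press Enter in certbot once validation can succeed.
# Assumptions: dig is installed (bind-utils); RESOLVER, TIMEOUT and INTERVAL
# are names chosen for this example and can be overridden from the environment.

RESOLVER="${RESOLVER:-8.8.8.8}"   # resolver to query; 8.8.8.8 as in the article
TIMEOUT="${TIMEOUT:-300}"         # give up after this many seconds
INTERVAL="${INTERVAL:-10}"        # seconds between queries

# lookup_txt NAME: print the TXT strings for NAME, one per line, quoted
# exactly as `dig +short` prints them (e.g. "wXdw...").
lookup_txt() {
    dig +short TXT "$1" "@$RESOLVER"
}

# has_value DIG_OUTPUT VALUE: succeed if VALUE is one of the TXT strings.
# -x forces a whole-line match, so a value that is only a prefix of another
# (or a stale record left from an earlier run) cannot satisfy the check.
has_value() {
    printf '%s\n' "$1" | grep -qxF "\"$2\""
}

# missing_values DIG_OUTPUT VALUE...: print the values not yet visible.
missing_values() {
    dig_out=$1
    shift
    for v in "$@"; do
        has_value "$dig_out" "$v" || printf '%s\n' "$v"
    done
}

# wait_for_txt NAME VALUE...: return 0 once all VALUEs are published under
# NAME, 1 if TIMEOUT passes first. Both tokens from the article's session
# can be checked in one call, since certbot expects both TXT records to
# exist at the same time.
wait_for_txt() {
    name=$1
    shift
    waited=0
    while :; do
        left=$(missing_values "$(lookup_txt "$name")" "$@")
        if [ -z "$left" ]; then
            return 0
        fi
        if [ "$waited" -ge "$TIMEOUT" ]; then
            echo "timeout after ${waited}s; still missing under $name:" >&2
            printf '%s\n' "$left" | sed 's/^/  /' >&2
            return 1
        fi
        sleep "$INTERVAL"
        waited=$((waited + INTERVAL))
    done
}

# Usage: wait_for_txt.sh NAME VALUE [VALUE...]
# Example (values taken from the session above):
#   ./wait_for_txt.sh _acme-challenge.nestealin.com \
#       Hhx2L3fyt2Rhk3rB13UqdKKB2RpvVZhgnLQ8v9WG3q4 \
#       wXdwlR5e-5QkzVhNUCaDPuBBg81Ncp179Ed1Xe3o9Zk
# As a --manual-auth-hook, certbot instead exports CERTBOT_DOMAIN and
# CERTBOT_VALIDATION; after your provider-specific step that creates the
# record, the same wait applies to "_acme-challenge.$CERTBOT_DOMAIN".
if [ "$#" -ge 2 ]; then
    wait_for_txt "$@"
elif [ -n "$CERTBOT_DOMAIN" ] && [ -n "$CERTBOT_VALIDATION" ]; then
    wait_for_txt "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
fi
```

The check compares whole quoted strings rather than grepping for a substring, because a leftover token from a previous attempt, or a value that happens to prefix the new one, would otherwise pass and you would press Enter into a failed validation. When used as an auth hook, the provider-specific API call that creates the record has to run before the wait; the script only handles the propagation check.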

The request session looks like this

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): nestealin@gmail.com


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for *.nestealin.com and nestealin.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.nestealin.com.

with the following value:

Hhx2L3fyt2Rhk3rB13UqdKKB2RpvVZhgnLQ8v9WG3q4

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.nestealin.com.

with the following value:

wXdwlR5e-5QkzVhNUCaDPuBBg81Ncp179Ed1Xe3o9Zk

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.nestealin.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/nestealin.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/nestealin.com/privkey.pem
This certificate expires on 2021-09-17.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Getting the certificate files

  • By default certbot keeps every issued version of the files under /etc/letsencrypt/archive/<name>/ (numbered cert1.pem, chain1.pem, ... and incremented on each renewal), while /etc/letsencrypt/live/<name>/ holds symlinks to the newest version; those live/ paths are the ones certbot printed above.
    cd /etc/letsencrypt/archive/nestealin.com
    ls -l
    
    total 20
    -rw-r--r-- 1 root root 1862 Jun 19 20:18 cert1.pem
    -rw-r--r-- 1 root root 3749 Jun 19 20:18 chain1.pem
    -rw-r--r-- 1 root root 5611 Jun 19 20:18 fullchain1.pem
    -rw------- 1 root root 1704 Jun 19 20:18 privkey1.pem
    Normally you only need fullchain.pem (the server certificate followed by the intermediate chain) as the certificate and privkey.pem as the private key, which nginx takes through ssl_certificate and ssl_certificate_key. Point nginx at /etc/letsencrypt/live/nestealin.com/fullchain.pem and privkey.pem rather than at the numbered archive/ files, otherwise a renewal writes cert2.pem and so on that nginx never sees; nginx also only reads the files at start or reload, so reload it after each renewal (a certbot --deploy-hook is the usual place for that). Keep privkey.pem at its root-only 0600 mode and do not copy it anywhere world-readable.
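Before reloading nginx it is worth confirming that the pair under live/ is consistent (the key really belongs to the certificate), covers the names you expect, and is not close to expiry, which is the first symptom of a renewal that has silently stopped working. The script below is an added example for this article (not certbot's code and not from the original post). It assumes openssl is installed; LETSENCRYPT_DIR and RENEW_WARN_DAYS are names chosen here.

```sh
#!/bin/sh
# check_live_cert.sh -- added example for this article, not part of certbot.
# Sanity-checks the fullchain.pem / privkey.pem pair certbot left under
# $LETSENCRYPT_DIR/live/<name>/ before (or after) pointing nginx at it:
#   * the private key actually belongs to the leaf certificate
#   * the certificate covers the expected DNS names
#   * it is not about to expire (renewal has not silently stopped)
# Assumptions: openssl is installed; LETSENCRYPT_DIR and RENEW_WARN_DAYS are
# names chosen for this example, overridable from the environment.

LETSENCRYPT_DIR="${LETSENCRYPT_DIR:-/etc/letsencrypt}"
RENEW_WARN_DAYS="${RENEW_WARN_DAYS:-30}"   # certbot itself renews at 30 days left

# keys_match CERT KEY: succeed if the public key in CERT equals the public
# key derived from KEY. A mismatch is the classic "nginx will not start
# after I copied the wrong archive/privkeyN.pem" mistake.
keys_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 2
    key_pub=$(openssl pkey -pubout -in "$2") || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# cert_names CERT: print the DNS names from the subjectAltName extension,
# one per line (the article's certificate would print *.nestealin.com and
# nestealin.com).
cert_names() {
    openssl x509 -noout -text -in "$1" \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
}

# expires_within CERT DAYS: succeed if CERT expires in the next DAYS days.
# openssl -checkend exits 0 when the cert is still valid past the window,
# so the sense is inverted here.
expires_within() {
    ! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# check_live NAME: run all checks on $LETSENCRYPT_DIR/live/NAME and return
# non-zero if any fails. It reads the live/ symlinks, which certbot repoints
# to the newest archive/ files on every renewal, so the check stays valid
# across renewals.
check_live() {
    dir="$LETSENCRYPT_DIR/live/$1"
    cert="$dir/fullchain.pem"
    key="$dir/privkey.pem"
    rc=0
    if keys_match "$cert" "$key"; then
        echo "ok: privkey.pem matches fullchain.pem"
    else
        echo "FAIL: privkey.pem does not match fullchain.pem" >&2
        rc=1
    fi
    echo "names: $(cert_names "$cert" | tr '\n' ' ')"
    if expires_within "$cert" "$RENEW_WARN_DAYS"; then
        echo "WARN: certificate expires within $RENEW_WARN_DAYS days; check certbot renew" >&2
        rc=1
    else
        echo "ok: more than $RENEW_WARN_DAYS days of validity left"
    fi
    return "$rc"
}

# Usage: check_live_cert.sh nestealin.com
if [ "$#" -eq 1 ]; then
    check_live "$1"
fi
```

Run it as root (privkey.pem is 0600) right after issuance and again from cron a few days before the expiry date certbot printed; a non-zero exit from the expiry check is the signal that the --manual certificate was not renewed and the interactive command, or an auth-hook setup, is due.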

Author: NesteaLin
License: Unless otherwise stated, all articles on this blog are released under the CC BY 4.0 license. Please credit NesteaLin when reposting!