听同事说,Let's Encrypt支持免费的通配符证书了,这是个好东西.之前弄免费证书,一直用阿里云的,一年一次,只能一个域名.这个泛域名证书虽然90天,申请一次,但是好在可以自动申请,话不多说,开工
下载 certbot
mkdir /opt/certbot
cd /opt/certbot
wget https://dl.eff.org/certbot-auto
chmod 755 certbot-auto
申请泛域名证书
./certbot-auto certonly \
-d "*.cnrainbird.com" \
--manual \
--preferred-challenges dns-01 \
--server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for cnrainbird.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.cnrainbird.com with the following value:
J5FTanSZjRl3P63LVdQqZG5fZ2n6n8vMRPVq8xv0r7Q
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
注意,此处要去dns域名提供商添加txt记录
各家大同小异吧,我用的dnspod
添加完成后,记得验证一下
nslookup -type=txt _acme-challenge.cnrainbird.com
Server: 139.162.16.5
Address: 139.162.16.5#53
Non-authoritative answer:
_acme-challenge.cnrainbird.com text = "J5FTanSZjRl3P63LVdQqZG5fZ2n6n8vMRPVq8xv0r7Q"
Authoritative answers can be found from:
cnrainbird.com nameserver = f1g1ns1.dnspod.net.
cnrainbird.com nameserver = f1g1ns2.dnspod.net.
一般新加记录,无需太长等待,一两分钟即可.如上面能得到text的返回说明添加成功. 可以去前面的窗口,Press Enter to Continue
回车继续了
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/cnrainbird.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/cnrainbird.com/privkey.pem
Your cert will expire on 2020-06-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
如上,成功申请通配符证书,过期时间是90天后
证书文件存放
/etc/letsencrypt/live/cnrainbird.com/fullchain.pem
/etc/letsencrypt/live/cnrainbird.com/privkey.pem
有一个地方是需要注意的,*.cnrainbird.com这个证书并不包含主域cnrainbird.com.所以,我们还需要单独申请一次cnrainbird.com的证书
申请主域名证书
申请泛域名证书,我们使用的是手动+dns的方式
申请主域证书, 我们使用自动认证的方式,此处要注意:/opt/certbot是,网站默认网站路径,即,直接输入ip,访问到的目录
./certbot-auto certonly \
--preferred-challenges http \
-d cnrainbird.com \
--webroot -w /opt/certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cnrainbird.com
Using the webroot path /opt/certbot for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/cnrainbird.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/cnrainbird.com-0001/privkey.pem
Your cert will expire on 2020-06-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
全程自动进行,无需参与,得到主域证书
/etc/letsencrypt/live/cnrainbird.com-0001/fullchain.pem
/etc/letsencrypt/live/cnrainbird.com-0001/privkey.pem
生成 dhparams
使用 openssl 工具生成 dhparams
openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
Nginx配置
blog.cnrainbird.com.conf配置:
server {
server_name blog.cnrainbird.com;
listen 443;
ssl on;
ssl_certificate /etc/letsencrypt/live/cnrainbird.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cnrainbird.com/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparams.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+CHACHA20 EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
}
然后重启 nginx 服务就可以了
/etc/init.d/nginx reload
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
强制跳转 https
既然证书都有了,对于默认http的访问,我们进行一次301跳转
server {
server_name blog.cnrainbird.com;
listen 80;
return 301 https://$server_name$request_uri;
}
证书更新
这个比较简单
./certbot-auto renew
就可以更新全部域名
当然也可以更新指定域名
./certbot-auto renew -d cnrainbird.com
crontab添加计划任务
#每两个月更新一次
45 2 */2 * * cd /opt/certbot&& ./certbot-auto renew && /etc/init.d/nginx reload
Safair效果
that's all
来源:51CTO
作者:rainbird2
链接:https://blog.51cto.com/rainbird/2479846