Leif160519's blog

How to issue a free wildcard domain certificate yourself and automate it ---- Let's Encrypt (pinned)

Prerequisites

  • A second-level domain, e.g. example.com
  • A public server IP, e.g. 12.34.56.78
  • Your email address, e.g. zhangsan@126.com
  • Your cloud account's security ID and security key
  • Make sure the second-level domain resolves correctly to the public server IP

Tool preparation

Install certbot

apt-get install -y certbot
or
yum install -y certbot

Obtain the certificate

certbot certonly \
    -d "*.example.com" \
    -d example.com \
    --manual \
    -m zhangsan@126.com \
    --preferred-challenges dns \
    --config-dir /data/certbot \
    --work-dir /data/certbot \
    --cert-name example.com \
    --agree-tos

Parameter descriptions:

  • certonly: only issue the certificate
  • -d: the domain names the issued certificate should cover
  • --manual: manual issuance; it needs some extra steps, such as adding a TXT DNS record, to prove that you control the domain
  • -m: the email address associated with the certificate and its requester, so the requester can be contacted if there is a problem with the certificate
  • --preferred-challenges dns: sets the validation method used for the certificate request; here DNS validation is used to prove control of the domain
  • --config-dir: certbot's configuration directory, i.e. where its configuration files are stored; defaults to /etc/letsencrypt/
  • --work-dir: certbot's working directory, i.e. where certificates are stored; defaults to /var/lib/letsencrypt/. It is recommended to keep it the same as --config-dir so the data stays complete and consistent
  • --cert-name: the certificate name
  • --agree-tos: automatically agree to the terms of service

After the command runs:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

sCj6ygbgs1Rxaz0qlNJNtE9c4dmLeWmG2TsnwZvwKhc

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

At this point, do not press Enter yet. In your DNS records, add a record of type TXT with the value sCj6ygbgs1Rxaz0qlNJNtE9c4dmLeWmG2TsnwZvwKhc and the name _acme-challenge.example.com (how to add the record automatically without logging in to Alibaba Cloud is covered later).
Once it has been added, use the following command to verify that the record has taken effect:

dig -t txt _acme-challenge.example.com @8.8.8.8

; <<>> DiG 9.16.1-Ubuntu <<>> -t txt _acme-challenge.example.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47952
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.example.com.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.example.com. 600	IN	TXT	"sCj6ygbgs1Rxaz0qlNJNtE9c4dmLeWmG2TsnwZvwKhc"

;; Query time: 87 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jun 10 10:17:39 CST 2023
;; MSG SIZE  rcvd: 111

Once you have confirmed the record is live, press Enter to continue and the certificate is issued; its path is:

tree /data/workspace/certbot/live/example.com/
/data/workspace/certbot/live/example.com/
├── cert.pem -> ../../archive/example.com/cert1.pem
├── chain.pem -> ../../archive/example.com/chain1.pem
├── fullchain.pem -> ../../archive/example.com/fullchain1.pem
├── privkey.pem -> ../../archive/example.com/privkey1.pem
└── READM

If you use nginx as a load balancer, you only need the two files fullchain.pem and privkey.pem.

Notes

The certificate is valid for three months and must be renewed before it expires. Renewal is simply re-running the steps above; the new certificate is valid for three months from the date you request it.

How to automate

Automatically adding Alibaba Cloud DNS records:

Original project: python-alidns
Automatically add a TXT record: ./alidns.py add TXT sCj6ygbgs1Rxaz0qlNJNtE9c4dmLeWmG2TsnwZvwKhc

Automated certificate renewal

certbot certonly \
    -d "*.example.com" \
    -d example.com \
    --manual \
    -m zhangsan@126.com \
    --preferred-challenges dns \
    --config-dir /data/certbot \
    --work-dir /data/certbot \
    --cert-name example.com \
    --agree-tos \
    --non-interactive \
    --manual-auth-hook /data/certbot/auth-script.sh \
    --force-renew

Parameter descriptions:

  • --non-interactive: no interactive prompts
  • --manual-auth-hook: the script executed in manual mode, mainly to add the DNS record automatically. For a renewal at expiry the record is still the one generated at first issuance, so this script can be anything that exits with status 0; the parameter is required
  • --force-renew: force issuance, i.e. issue even before three months have passed. If you force-renew too many times within one day, Let's Encrypt blocks you for 24 hours, so do not force-renew before the certificate is due

The content of /data/certbot/auth-script.sh can be as follows:

#!/bin/bash
echo "Creating TXT record"
res=$(dig +nocmd _acme-challenge.example.com TXT +noall +answer @8.8.8.8 | grep 'sCj6ygbgs1Rxaz0qlNJNtE9c4dmLeWmG2TsnwZvwKhc')
if [ -n "$res" ]
then
    echo "Record created and propagated"
fi
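The hook above looks for one fixed token. As an added example (not the post's script), the following hook uses the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables that certbot exports to --manual-auth-hook, creates the record through the post's alidns.py helper, and polls the same dig query used in the manual step until the value is served, so it works for both first issuance and renewal. The helper's path and argument form (taken from the post's invocation), the resolver and the polling limits are assumptions.

```bash
#!/bin/bash
# Added example auth hook (not the original post's script). certbot exports
# CERTBOT_DOMAIN and CERTBOT_VALIDATION to --manual-auth-hook, so the record is
# created for the token of the current run rather than a value fixed in the script.
# ALIDNS points at the post's python-alidns helper; its path and the exact argument
# form (copied from the post's example invocation) are assumptions.
set -u
ALIDNS=${ALIDNS:-./alidns.py}
RESOLVER=${RESOLVER:-8.8.8.8}

# 0 if the dig answer text ($1) contains the expected value ($2) as a quoted TXT string.
txt_present() {
    printf '%s\n' "$1" | grep -Fq "\"$2\""
}

# Query a public resolver for the TXT record; output is one quoted string per line.
lookup_txt() {
    dig +short -t TXT "$1" "@$RESOLVER"
}

# Poll LOOKUP (default lookup_txt) up to $3 times, $4 seconds apart, until $2 is served.
wait_for_txt() {
    local name=$1 expected=$2 attempts=${3:-30} delay=${4:-10} i
    for ((i = 1; i <= attempts; i++)); do
        if txt_present "$(${LOOKUP:-lookup_txt} "$name")" "$expected"; then
            return 0
        fi
        sleep "$delay"
    done
    return 1
}

main() {
    local name="_acme-challenge.${CERTBOT_DOMAIN}"
    echo "Creating TXT record $name"
    # For *.example.com plus example.com certbot runs this hook twice with the same
    # name and different tokens, so the record must be added, never replaced.
    "$ALIDNS" add TXT "$CERTBOT_VALIDATION" || { echo "DNS API call failed" >&2; exit 1; }
    if wait_for_txt "$name" "$CERTBOT_VALIDATION"; then
        echo "Record created and propagated"
    else
        # A non-zero exit makes certbot report the hook failure and stop.
        echo "Record not visible at $RESOLVER after 5 minutes" >&2
        exit 1
    fi
}

# Run only when invoked by certbot (CERTBOT_DOMAIN set); sourcing just defines functions.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    main
fi
```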

Save the automated issuance command as ssl.sh. Assuming the Solo blog's certificate directory is /data/solo/ssl/, the certificate files are named STAR.example.com.pem and STAR.example.com.key, and nginx runs in Docker, the full content of ssl.sh is:

#!/bin/bash
certbot certonly \
    -d "*.example.com" \
    -d example.com \
    --manual \
    -m zhangsan@126.com \
    --preferred-challenges dns \
    --config-dir /data/certbot \
    --work-dir /data/certbot \
    --cert-name example.com \
    --agree-tos \
    --non-interactive \
    --manual-auth-hook /data/certbot/auth-script.sh \
    --force-renew

cat /data/certbot/live/example.com/fullchain.pem > /data/solo/ssl/STAR.example.com.pem
cat /data/certbot/live/example.com/privkey.pem > /data/solo/ssl/STAR.example.com.key
echo "======STAR.example.com======"
cat /data/solo/ssl/STAR.example.com.pem
echo "======STAR.example.com======"
cat /data/solo/ssl/STAR.example.com.key
docker exec nginx nginx -s reload
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates

Once the script is ready, set up a scheduled task that runs it every three months:

0 0 1 */3 * /data/certbot/ssl.sh
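Renewing on a fixed three-month schedule with --force-renew leaves no margin and risks the rate limit mentioned above. As an added example that is not part of the post, the script below reads the notAfter line the way the last command of ssl.sh prints it, computes the days remaining in plain shell (no GNU date needed), and runs ssl.sh only when fewer than an assumed 30 days are left, so it can be scheduled daily; the file paths are the post's.

```bash
#!/bin/bash
# Added example (not from the original post): renew only when the deployed
# certificate is close to expiry, so ssl.sh can run from a daily cron job
# instead of relying on --force-renew every three months.
# Paths are the post's; RENEW_DAYS is an assumed threshold.
RENEW_DAYS=30
LIVE_CERT=/data/certbot/live/example.com/fullchain.pem

# Days since 1970-01-01 for a civil date (days_from_civil algorithm), pure shell arithmetic.
days_from_civil() {
    local y=$1 m=$2 d=$3 era yoe doy doe
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(( (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1 ))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# Epoch seconds for a line like "notAfter=Sep  8 10:17:39 2023 GMT",
# as printed by `openssl x509 -noout -dates` at the end of ssl.sh.
not_after_epoch() {
    set -- ${1#notAfter=}                 # mon day hh:mm:ss year tz
    local mon=$1 d=$2 t=$3 y=$4 m
    case $mon in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) echo "unrecognised month: $mon" >&2; return 1;;
    esac
    local h=${t%%:*} s=${t##*:} mi=${t#*:}
    mi=${mi%:*}
    echo $(( $(days_from_civil "$y" "$m" "$((10#$d))") * 86400 + 10#$h * 3600 + 10#$mi * 60 + 10#$s ))
}

# Whole days left on the certificate; $2 overrides "now" (epoch seconds) for testing.
days_left() {
    echo $(( ($(not_after_epoch "$1") - ${2:-$(date +%s)}) / 86400 ))
}

# Exit status 0 when the certificate should be renewed.
needs_renewal() {
    [ "$(days_left "$1" "${2:-}")" -lt "$RENEW_DAYS" ]
}

if [ -r "$LIVE_CERT" ]; then
    end=$(openssl x509 -noout -enddate -in "$LIVE_CERT")
    if needs_renewal "$end"; then
        echo "$(days_left "$end") days left, renewing"; /data/certbot/ssl.sh
    else
        echo "$(days_left "$end") days left, nothing to do"
    fi
fi
```

Schedule it daily in place of the quarterly line, e.g. 0 3 * * * /data/certbot/check-renew.sh (the script name is assumed).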


Title: How to issue a free wildcard domain certificate yourself and automate it ---- Let's Encrypt
Author: Leif160519
Source: https://github.icu/articles/2023/06/10/1686364528354.html
About the author: based in Nanjing, the ancient capital of six dynasties; server operations engineer and desktop support engineer. If you have questions to discuss, leave a comment below.