LetsEncrypt Free SSL 通配符證書申請(qǐng)方法

通過(guò)官方推薦工具certbot申請(qǐng)

?

[TOC]

第一步

certbot-2 certonly -d *.lixuedong.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

• certonly，表示安裝模式，Certbot有安裝模式和驗(yàn)證模式兩種類型的插件。

• --manual表示手動(dòng)安裝插件，Certbot有很多插件，不同的插件都可以申請(qǐng)證書，用戶可以根據(jù)需要自行選擇

• -d為那些主機(jī)申請(qǐng)證書，如果是通配符，輸入* .lixuedong.com（替換為你自己的域名）

• --preferred-challenge dns，使用DNS方式校驗(yàn)域名所有權(quán)

  • 客戶在申請(qǐng)Let's Encrypt證書的時(shí)候，需要校驗(yàn)域名的所有權(quán)，證明操作者有權(quán)利為該域名申請(qǐng)證書，目前支持三種驗(yàn)證方式：
    • dns-01：給域名添加一個(gè)DNS TXT記錄。
    • http-01：在域名對(duì)應(yīng)的Web服務(wù)器下放置一個(gè)HTTP著名的URL資源文件。
    • tls-sni-01：在域名對(duì)應(yīng)的Web服務(wù)器下放置一個(gè)HTTPS著名的URL資源文件
  • 申請(qǐng)通配符證書，只能使用dns-01的方式

• --server，讓我們加密ACME v2版本使用的服務(wù)器不同于v1版本，需要顯示指定

交互式命令行輸出

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

請(qǐng)閱讀服務(wù)條款
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf。 你必須
同意以便在ACME服務(wù)器上注冊(cè)
https://acme-v02.api.letsencrypt.org/directory

Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for lixuedong.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

選擇的插件：Authenticator manual，Installer None
啟動(dòng)新的HTTPS連接（1）：acme-v02.api.letsencrypt.org
獲得新證書
執(zhí)行以下挑戰(zhàn)：
dix-01挑戰(zhàn)lixuedong.com
注意：本機(jī)的IP將公開記錄為已請(qǐng)求此項(xiàng)
證書。 如果您在非手動(dòng)模式下以手動(dòng)模式運(yùn)行certbot
你的服務(wù)器，請(qǐng)確保你沒(méi)事。

您的IP被記錄了嗎？
（Y）es /（N）o：y
(就是問(wèn)你的域名有沒(méi)有解析到公網(wǎng)IP)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.lixuedong.com with the following value:

z55lrkHoxYaFoGsvUASE0WgaIifiP-iiVwac-JUd-94

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

配置解析記錄

配置DNS TXT記錄，校驗(yàn)域名所有權(quán),在沒(méi)有確認(rèn)TXT記錄生效之前不要回車執(zhí)行。

截圖

證書申請(qǐng)成功

Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/lixuedong.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/lixuedong.com/privkey.pem
   Your cert will expire on 2019-04-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

證書申請(qǐng)成功

保存在 /etc/letsencrypt/archive/lixuedong.com

手動(dòng)安裝證書

我用的是Apache服務(wù)器

進(jìn)入Apache服務(wù)器安裝目錄

創(chuàng)建一個(gè)保存證書的目錄

cd /usr/local/apache && mkdir cert

將證書從默認(rèn)路徑下復(fù)制過(guò)來(lái)

mv /etc/letsencrypt/archive/lixuedong.com/* /usr/local/apache/cert

修改配置文件

vim /usr/local/apache/conf/extra/http-ssl.conf

<VirtualHost 0.0.0.0:443>
        DocumentRoot "/home/www/htdocs"
        ServerName www.lixuedong.com
        SSLEngine on
        SSLCertificateFile cert/fullchain1.pem
        SSLCertificateKeyFile cert/privkey1.pem
        SSLCertificateChainFile cert/chain1.pem
</VirtualHost>

重啟Apache服務(wù)器

/usr/local/apache/bin/apachectl stop && /usr/local/apache/bin/apachectl start

大功告成!

20190123144758.png

20190123144742.png

錯(cuò)誤問(wèn)題

certbot 執(zhí)行報(bào)錯(cuò)

我遇到的是

Traceback (most recent call last):
  File "/usr/bin/certbot-2", line 9, in <module>
    load_entry_point('certbot==0.29.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 564, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2662, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2316, in load
    return self.resolve()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2322, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 23, in <module>
    from certbot import client
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 16, in <module>
    from acme import client as acme_client
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 40, in <module>
    urllib3.contrib.pyopenssl.inject_into_urllib3()
AttributeError: 'module' object has no attribute 'pyopenssl'

解決辦法

yum install certbot
pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3