
1. Wildcard certificates

A wildcard SSL certificate is designed to secure a primary domain together with an unlimited number of its subdomains, so a single wildcard certificate covers any number of subdomains. To protect the primary domain and its subdomains, deploy a wildcard-capable SSL certificate for the name *.domain.com; the * matches any single label, so it covers unlimited subdomains one level below the base domain, which is why this is called "first-level wildcard domain security".

2. Download

##
#  Download certbot-auto

[root@d0o0bz download]# wget https://dl.eff.org/certbot-auto
--2018-11-21 18:32:12--  https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)... 151.101.108.201, 2a04:4e42:1a::201
Connecting to dl.eff.org (dl.eff.org)|151.101.108.201|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 62299 (61K) [application/octet-stream]
Saving to: ‘certbot-auto’

100%[===================================================================>] 62,299       325KB/s   in 0.2s   

2018-11-21 18:32:13 (325 KB/s) - ‘certbot-auto’ saved [62299/62299]

##
#  Copy to /usr/bin
#  Add execute permission

[root@d0o0bz download]# cp certbot-auto /usr/bin/

[root@d0o0bz download]# chmod +x /usr/bin/certbot-auto

##
#  Check the version

[root@d0o0bz ~]# certbot-auto --version
certbot 0.28.0

3. Generating the certificate

When applying for a Let's Encrypt certificate, you must prove ownership of the domain. Three validation methods are currently supported:

  • dns-01: add a DNS TXT record to the domain.
  • http-01: place a resource file at the HTTP well-known URL on the web server that serves the domain.
  • tls-sni-01: place a resource file at the HTTPS well-known URL on the web server that serves the domain.

Note: a wildcard certificate can only be validated with dns-01.

##
#  Obtaining a new certificate
#  certonly: obtain or renew a certificate, but do not install it
#  --manual: complete the challenge interactively by hand
#  --preferred-challenges dns: prove domain ownership with the DNS challenge
#  --server: the Let's Encrypt ACME v2 endpoint differs from the v1 one and must be given explicitly
#
[root@d0o0bz ~]# certbot-auto certonly --email d0o0bz@qq.com -d *.d0o0bz.cn --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for d0o0bz.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.d0o0bz.cn with the following value:

MoRM0ZHbgWD7Oj4bDS64vwe3qJMGHz2mXwOUPUlAkM8

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Certbot asks you to publish a DNS TXT record so it can verify that the applicant controls the domain.
Once the TXT record for _acme-challenge.d0o0bz.cn has taken effect, press Enter to continue.

##
#  Check whether the TXT record is already visible, querying @1.1.1.1 or @8.8.8.8

[e.c.com@ec-hp ~]$ dig -t txt _acme-challenge.d0o0bz.cn @8.8.8.8

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> -t txt _acme-challenge.d0o0bz.cn @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9892
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;_acme-challenge.d0o0bz.cn.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.d0o0bz.cn. 600	IN	TXT	"MoRM0ZHbgWD7Oj4bDS64vwe3qJMGHz2mXwOUPUlAkM8"

.....
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/d0o0bz.cn/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/d0o0bz.cn/privkey.pem
   Your cert will expire on 2019-02-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

##
#  /etc/letsencrypt/live/d0o0bz.cn/
#  fullchain.pem: intermediate CA certificate + domain certificate
#  chain.pem: intermediate CA certificate
#  cert.pem: domain certificate
#  privkey.pem: the domain's private key

[root@d0o0bz live]# ll d0o0bz.cn/
total 4
-rw-r--r-- 1 root root 692 Nov 21 19:23 README
lrwxrwxrwx 1 root root  33 Nov 21 19:23 cert.pem -> ../../archive/d0o0bz.cn/cert1.pem
lrwxrwxrwx 1 root root  34 Nov 21 19:23 chain.pem -> ../../archive/d0o0bz.cn/chain1.pem
lrwxrwxrwx 1 root root  38 Nov 21 19:23 fullchain.pem -> ../../archive/d0o0bz.cn/fullchain1.pem
lrwxrwxrwx 1 root root  36 Nov 21 19:23 privkey.pem -> ../../archive/d0o0bz.cn/privkey1.pem

4. Verifying the certificate

##
#  Verify certificate 

[root@d0o0bz ~]# openssl x509 -in /etc/letsencrypt/live/d0o0bz.cn/cert.pem -noout -text 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:c0:f6:35:14:db:bc:c2:01:5c:88:9b:95:8c:0f:16:95:f2
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Nov 21 07:23:30 2018 GMT
            Not After : Feb 19 07:23:30 2019 GMT
        Subject: CN=*.d0o0bz.cn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:fd:4b:b3:4c:e6:a6:b9:d7:ed:18:8d:f9:f9:ac:
                    c5:f2:1b:1b:fc:1e:92:39:ab:c2:46:f5:af:0a:2f:
                    62:fd:8c:3a:93:dd:cc:95:27:34:1b:3a:b8:af:ac:
                    68:ce:c3:2d:8b:fa:e1:03:6d:c9:88:c0:ef:a3:0f:
                    0f:a7:1a:02:c7:ab:74:55:14:6f:2a:e1:66:f2:40:
                    b7:0c:9f:69:04:b0:8c:bf:80:ee:1f:5b:d6:6b:17:
                    a0:fd:4d:7f:f4:d2:31:9e:20:1b:65:cd:09:a6:f2:
                    eb:ca:c8:eb:d3:cc:49:06:c8:6a:42:24:ab:ad:de:
                    38:cb:b7:ec:7d:0d:4b:e7:29:2c:1f:95:2f:04:30:
                    75:2d:80:67:ab:2c:92:98:19:cd:c8:0f:ed:b4:f2:
                    88:4e:02:bc:7e:92:a3:8f:0d:e6:98:03:86:f4:9c:
                    34:a9:a9:06:2b:ff:d1:bc:a7:ce:47:f2:c3:b5:42:
                    fc:98:47:cd:0e:4e:28:2c:76:53:60:2c:08:20:d6:
                    88:1a:c5:85:b3:d4:a6:b4:f2:a8:4c:24:90:d0:cf:
                    8f:d3:1a:b1:e4:2d:9e:fe:4a:d6:46:94:de:45:20:
                    38:1c:52:6e:b8:69:65:46:0a:9b:b4:4d:fd:c6:54:
                    73:fe:7a:6c:b9:03:8c:35:cf:73:95:05:d4:61:4d:
                    08:1f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B6:71:6F:AD:3A:C7:35:3E:01:27:A6:7A:61:A9:56:14:29:D2:EE:56
            X509v3 Authority Key Identifier: 
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:*.d0o0bz.cn
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
                                3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
                    Timestamp : Nov 21 08:23:30.934 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:23:63:FA:31:1F:64:C0:43:AC:EC:FC:29:
                                AB:14:93:BB:6A:2E:0C:D1:B1:05:8B:6D:3B:99:B7:22:
                                1A:96:6E:32:02:21:00:EB:65:41:D8:24:AB:49:64:12:
                                55:81:1F:AF:7A:F5:3B:F1:E9:9A:FF:06:01:82:5D:3D:
                                E2:47:C8:F9:36:3D:9D
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
                                A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
                    Timestamp : Nov 21 08:23:30.834 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:F4:5F:56:58:3D:CB:7C:B3:51:0B:3B:
                                ED:47:F7:DF:64:61:03:C6:B5:22:3A:F5:E3:E3:1F:EF:
                                67:DD:D0:12:25:02:20:6C:05:73:7D:44:A2:5A:A2:D1:
                                B0:BB:08:3F:76:95:E4:F0:D2:17:0F:E4:CD:D8:30:38:
                                D6:A3:BD:7F:D1:D1:AF
    Signature Algorithm: sha256WithRSAEncryption
         04:26:17:f2:a3:4b:73:25:e1:13:1b:5f:a8:be:54:4a:68:bd:
         fe:57:8f:7b:a6:27:72:e4:00:c4:77:e4:93:e0:eb:af:50:a2:
         97:17:a8:b1:95:f7:e4:d0:0b:1f:a1:a5:dc:a1:c0:8f:c5:ff:
         43:34:e5:68:df:7e:eb:e2:e2:61:72:1f:64:bc:a3:38:b9:5f:
         e4:09:cf:29:e5:d8:ef:6c:37:60:01:1d:d4:a1:11:4b:de:7d:
         ff:5c:5f:8a:4d:a7:06:f1:25:e9:c3:4b:d1:af:04:fb:06:43:
         e9:8f:5a:a5:19:ee:17:d5:9f:2a:3f:fa:10:10:1f:55:20:63:
         b0:81:ce:46:7d:d4:ad:51:49:31:f6:f6:49:44:7f:60:a1:13:
         9a:81:eb:58:8a:b9:0b:da:0c:0a:28:3b:b9:56:50:4a:76:5d:
         5f:a2:2c:24:6b:01:1e:13:a9:e2:58:88:0b:39:c6:2c:93:04:
         31:1e:48:fa:d9:00:9a:6b:ac:75:2b:ab:97:d5:a7:2a:cb:d4:
         9d:f0:65:bd:9a:6b:75:87:3b:f3:bf:30:dc:8a:7e:17:ca:9a:
         01:5c:a1:f2:a5:af:a7:19:cb:00:92:87:11:9c:fa:4a:f1:56:
         f8:f9:2a:c6:ae:54:4d:6f:26:44:91:30:06:de:09:50:1c:7e:
         53:fd:6e:bc

5. Renewing the certificate

##
#  Intended schedule: renew at 03:00 on the first Monday of each month.
#  Note that cron ORs the day-of-month and day-of-week fields when both are
#  restricted, so this line actually fires on the 1st-7th of every month and
#  on every Monday; that is harmless, because renew only replaces
#  certificates that are within 30 days of expiry.
#  0 3 1-7 * 1 /usr/bin/certbot-auto renew --quiet

##
#  Without a hook, certbot-auto renew fails with:
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

certbot-auto renew must be paired with a script that publishes the new DNS record automatically; you have to write that script yourself against the API your DNS provider offers, and pass it with --manual-auth-hook. Alternatively, renewal can be done by hand in the same interactive way as the initial request.
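As an added example that is not part of the original post, here is the shape of the --manual-auth-hook script the error above asks for, combined with the dig-based propagation check from section 3. certbot really does export CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; publish_txt is a placeholder for your own DNS provider's API, and the resolver and polling interval are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a --manual-auth-hook for
# certbot's manual dns-01 plugin. certbot exports CERTBOT_DOMAIN and
# CERTBOT_VALIDATION to the hook; publish_txt is a placeholder you must
# replace with your DNS provider's API call.
set -euo pipefail

# TXT record name for a domain. A leading "*." is stripped because the
# wildcard challenge is issued for the base name (d0o0bz.cn above).
record_name() {
    local domain="${1#\*.}"
    printf '_acme-challenge.%s\n' "$domain"
}

# Strip the surrounding quotes from `dig +short -t txt` output on stdin.
txt_values() {
    sed -e 's/^"//' -e 's/"$//'
}

# Succeeds when the expected token is among the TXT values read from stdin.
has_token() {
    txt_values | grep -Fxq -- "$1"
}

# PLACEHOLDER: create the TXT record $1 with value $2 at your DNS provider.
# Fails on purpose until replaced, so a half-configured hook cannot pass.
publish_txt() {
    echo "publish_txt: implement your DNS provider's API call for $1 = $2" >&2
    return 1
}

# Poll a public resolver (the post checks with @1.1.1.1 / @8.8.8.8) until
# the record is visible, so the ACME server is not asked too early.
wait_for_txt() {   # $1 = record name, $2 = token, $3 = resolver IP
    local i
    for i in $(seq 1 30); do
        dig +short -t txt "$1" "@$3" | has_token "$2" && return 0
        sleep 10
    done
    echo "TXT record $1 not visible on $3 after 5 minutes" >&2
    return 1
}

# Entry point: only acts when certbot invoked us (CERTBOT_VALIDATION set).
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    name="$(record_name "$CERTBOT_DOMAIN")"
    publish_txt "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$name" "$CERTBOT_VALIDATION" 1.1.1.1
fi
```

Run it as `certbot-auto renew --manual-auth-hook /path/to/this-script.sh`; certbot also accepts a matching --manual-cleanup-hook for removing the record once validation is done.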

All Done,Enjoy!

6. Tip

certbot-auto --help all

References:
https://certbot.eff.org/docs/intro.html#installation