1. Get certbot-auto
wget https://dl.eff.org/certbot-auto
2. Issue the certificate
There is a pitfall here: be sure to also pass "-d 你的域名.cn" (the placeholder 你的域名.cn stands for your own domain throughout), because the wildcard certificate "*.你的域名.cn" does not cover the apex domain "你的域名.cn" itself. Visiting the site by the bare domain would then trigger an insecure-connection warning. Many other articles never mention this.
./certbot-auto certonly -d '*.你的域名.cn' -d 你的域名.cn --agree-tos --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
Running the command produces the following output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): (enter your e-mail address here)
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y
The next step is the critical one: certbot has to validate that you control the domain:
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.你的域名.cn with the following value:
jXH8nYZ2unEViIbW52LhIqxkg6i9mcwsRvhQ
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
The output above asks you to create a TXT record for _acme-challenge.你的域名.cn with the given value. Do not press Enter until you have confirmed that the TXT record has propagated.
Once the TXT record is configured and has taken effect, press Enter and the wildcard certificate is issued!
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/你的域名.cn/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/你的域名.cn/privkey.pem
  Your cert will expire on 2020-01-12. To obtain a new or tweaked version of
  this certificate in the future, simply run certbot-auto again. To
  non-interactively renew *all* of your certificates, run "certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le
The certificate files actually live under /etc/letsencrypt/archive/你的域名.cn/; the entries in the live directory are symlinks to them.
Apache httpd-ssl.conf configuration:
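Before wiring the certificate into Apache or Tomcat it is worth confirming that the issued certificate really covers both the wildcard and the apex name, which is the pitfall from step 2. The script below is an added example and not part of the original post; it assumes OpenSSL 1.1.1 or newer (for the -ext flag) and uses example.cn as a placeholder domain.

```python
# Check that a certificate's SAN list covers every hostname you plan to serve.
# Wildcard matching follows the rule browsers apply: "*.example.cn" covers exactly
# one label, so it matches "www.example.cn" but neither the apex "example.cn"
# nor "a.b.example.cn". Added example; example.cn is a placeholder domain.
import subprocess


def parse_san(openssl_text: str) -> list[str]:
    """Pull the DNS names out of `openssl x509 -noout -ext subjectAltName` output."""
    names = []
    for line in openssl_text.splitlines():
        for entry in line.split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                names.append(entry[4:].lower())
    return names


def san_from_pem(cert_path: str) -> list[str]:
    """Read the SAN list of a PEM certificate via openssl (needs 1.1.1+ for -ext)."""
    cmd = ["openssl", "x509", "-in", cert_path, "-noout", "-ext", "subjectAltName"]
    return parse_san(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


def name_matches(pattern: str, host: str) -> bool:
    """True if one SAN entry (plain name or leftmost-label wildcard) covers host."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # "*.example.cn" -> ".example.cn"
    if not host.endswith(suffix):
        return False
    label = host[:-len(suffix)]               # the part that replaced '*'
    return label != "" and "." not in label   # exactly one label, never the apex


def uncovered(san_names: list[str], hosts: list[str]) -> list[str]:
    """Return the hostnames that no SAN entry covers (empty list means all good)."""
    return [h for h in hosts if not any(name_matches(n, h) for n in san_names)]


# Constructed samples of what openssl prints for a wildcard-only certificate and
# for one requested with both "-d *.example.cn -d example.cn".
WILDCARD_ONLY = "X509v3 Subject Alternative Name: \n    DNS:*.example.cn\n"
WILDCARD_PLUS_APEX = "X509v3 Subject Alternative Name: \n    DNS:*.example.cn, DNS:example.cn\n"

if __name__ == "__main__":
    wanted = ["example.cn", "www.example.cn", "api.example.cn"]
    for label, text in (("wildcard only", WILDCARD_ONLY), ("wildcard + apex", WILDCARD_PLUS_APEX)):
        print(f"{label}: uncovered = {uncovered(parse_san(text), wanted)}")
```

Run it against the real file with `uncovered(san_from_pem("/etc/letsencrypt/live/你的域名.cn/cert.pem"), [...])`; any name it returns would show the insecure-connection warning described above.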
SSLCertificateFile "/etc/letsencrypt/archive/你的域名.cn/cert1.pem"
SSLCertificateKeyFile "/etc/letsencrypt/archive/你的域名.cn/privkey1.pem"
Tomcat configuration:
First build the keystore:
openssl pkcs12 -export -inkey privkey1.pem -in fullchain1.pem -name tomcat -out tomcat.p12
keytool -importkeystore -srckeystore ./tomcat.p12 -srcstoretype pkcs12 -destkeystore ./tomcat.jks
Configure server.xml
Restart Tomcat after configuring and the change takes effect.
For renewing wildcard certificates, see: https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au