ssl - Requesting a wildcard SSL certificate with certbot
Reference: https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal
1. After opening that page, first choose your web server and operating system:
2. Choose "wildcard":
3. Check whether your domain's DNS provider is supported (as you can see, cloudflare, digitalocean, google and linode are all supported directly; you just install the corresponding plugin)
Next we use cloudflare as the example.
4. Install snapd
sudo apt install snapd
sudo snap install core; sudo snap refresh core
sudo apt-get remove certbot
5. Install certbot:
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo snap set certbot trust-plugin-with-root=ok
6. Install the plugin
sudo snap install certbot-dns-cloudflare
7. Set up the credentials; reference: https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins
My DNS provider is cloudflare, so I chose https://certbot-dns-cloudflare.readthedocs.io/en/stable/
7.1 Create a file ~/cloudflare.ini with the following content:
dns_cloudflare_api_token=O4c???????????????????????????????????
Then chmod 700 ~/cloudflare.ini
7.2 Create the certificate (assuming your domain is lueluelue.com)
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/cloudflare.ini -d lueluelue.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): shensiwei@sina.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for lueluelue.com
Unsafe permissions on credentials configuration file: /home/ubuntu/cloudflare.ini
Waiting 10 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/lueluelue.com/fullchain.pem (important)
Key is saved at:         /etc/letsencrypt/live/lueluelue.com/privkey.pem (important)
This certificate expires on 2022-06-24.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
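As an added example (not from the original post and not certbot's own code), two small shell checks around the steps above: creds_perms_ok mirrors the condition behind the "Unsafe permissions on credentials configuration file" warning seen in the output, and san_covers shows which hostnames a certificate name covers, which is why a certificate meant to be a wildcard needs both the apex name and the "*." name passed with -d, since "*.lueluelue.com" alone does not cover "lueluelue.com". The domain lueluelue.com is the post's placeholder; the credentials file and its token are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post or from certbot itself).
# creds_perms_ok mirrors the condition behind certbot's
# "Unsafe permissions on credentials configuration file" warning:
# any group/other permission bit set on the .ini file.
# san_covers applies the one-label wildcard rule to decide whether a
# certificate name covers a hostname.

# Exit 0 when the file's group and other permission bits are all clear.
creds_perms_ok() {
    # In ls -l output the mode string is 10 chars; chars 5-10 are group+other.
    perm=$(ls -ld "$1" | cut -c5-10)
    [ "$perm" = "------" ]
}

# san_covers NAME HOST: exit 0 if NAME ("lueluelue.com" or "*.lueluelue.com")
# matches HOST. A wildcard matches exactly one leading label and never the
# bare apex, so "*.lueluelue.com" does not cover "lueluelue.com".
san_covers() {
    case "$1" in
        \*.*)
            suffix=${1#\*.}      # part after "*."
            rest=${2#*.}         # host with its first label removed
            [ "$2" != "$rest" ] && [ "${2%%.*}" != "" ] && [ "$rest" = "$suffix" ]
            ;;
        *)
            [ "$1" = "$2" ]
            ;;
    esac
}

# Demo: a constructed ~/cloudflare.ini stand-in with a placeholder token.
demo() {
    dir=$(mktemp -d)
    f="$dir/cloudflare.ini"
    # umask 077 in a subshell so the file is created 0600 (owner-only)
    ( umask 077; printf 'dns_cloudflare_api_token=PLACEHOLDER_TOKEN\n' > "$f" )
    creds_perms_ok "$f" && echo "ok: $f is owner-only"
    chmod 644 "$f"
    creds_perms_ok "$f" || echo "warn: $f is readable by group/other"
    for h in lueluelue.com www.lueluelue.com a.b.lueluelue.com; do
        san_covers '*.lueluelue.com' "$h" && echo "*.lueluelue.com covers $h" \
            || echo "*.lueluelue.com does NOT cover $h"
    done
    rm -rf "$dir"
}

demo
```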
Among the files produced above:
Certificate is saved .... fullchain.pem is the .pem file on Aliyun
Key is saved at: ...... privkey.pem is the .key file on Aliyun
(The two statements above are my guess, because the official documentation stops here.)
In fact, when we buy an SSL certificate, what we end up receiving is also just these two files.