使用 Let’s Encrypt Wildcard SSL 证书

0 Share

使用 Let’s Encrypt Wildcard SSL 证书

Let's Encrypt 终于宣布正式支持 Wildcard 证书了。使用官方一直推荐的 Certbot 申请 Wildcard 证书,可以了解一下。 申请证书 在 VPS 上执行以下命令: ~/certbot-auto certonly \ -d dallaslu.com \ -d *.ngrok.dallaslu.com \ -d *. ...

Let's Encrypt 终于宣布正式支持 Wildcard 证书了。使用官方一直推荐的 Certbot 申请 Wildcard 证书,可以了解一下。

申请证书

在 VPS 上执行以下命令:

~/certbot-auto certonly \
-d dallaslu.com \
-d *.ngrok.dallaslu.com \
-d *.dallaslu.com \
-d other.com \
-d *.other.com \
--manual \
--preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory

第一个 -d 参数后面的域名,会被当作证书名称。

IP 记录提示

执行之后会提示IP会被记录。不过请放心,尽管申请 IP 会被记录在案,但暂时还没有公开的计划。这一点对于有多个 IP 的 VPS 来说,有可能会造成出口 IP 泄露,如果你很在意的话,建议通过修改 /etc/sysconfig/network-scripts 中的配置文件并重启网络服务,来临时切换一个出口 IP。此处可输入 Y 按回车继续。

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

DNS 验证

接下来是 DNS 验证的时间了,需要为域名增加一条 txt 记录。

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.dallaslu.com with the following value:

QQxHqbXK2aWM8qRWpAyenXo2QotSejV_ERnnc6MUEqU

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

友情提示一下,如果你打算把 root.com 和 *.root.com 签在同一张证书里,不仅要在命令使用 -d dallaslu.com -d *.dallaslu.com 来声明,而且还需要创建多个 txt 记录来验证。同名 txt 记录是允许存在多条的哦,每当提示 `Please deploy a DNS TXT` 时,就按照提示去创建一条 txt 记录。创建完成后,在使用 nslookup 命令来验证一下:

nslookup
> set type=txt
> _acme-challenge.dallaslu.com
Server:		8.8.8.8
Address:	8.8.8.8#53
 
Non-authoritative answer:
_acme-challenge.dallaslu.com text = "I6Tys5RebMhWaBxN1e4fBaBj2OF7jUPl92tdDtfKjao"
_acme-challenge.dallaslu.com text = "QQxHqbXK2aWM8qRWpAyenXo2QotSejV_ERnnc6MUEqU"

证书签发

当你验证完全部域名后,顺利的话:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/dallaslu.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/dallaslu.com/privkey.pem
Your cert will expire on 2018-06-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

SSL 证书的配置就不缀述了。如果提示某域名未通过验证,重新执行命令之后,再按提示检查 DNS 设置即可。已经验证成功的域名,其 txt 记录的 value 是不用再修改的哦。

Leave a reply

Your email address will not be published.