Obtaining a free SSL certificate with Let's Encrypt
When a client requests a Let's Encrypt certificate it must prove control of the domain, i.e. that the operator is entitled to a certificate for that name. Let's Encrypt currently offers three ACME challenge types:
dns-01: publish a DNS TXT record under _acme-challenge.<domain> whose value is derived from the challenge token and the ACME account key.
http-01: serve a file at http://<domain>/.well-known/acme-challenge/<token> on port 80 of the domain's web server.
tls-alpn-01: serve a special self-signed certificate over TLS on port 443, selected through the ALPN protocol acme-tls/1 (RFC 8737). It replaced tls-sni-01, which Let's Encrypt disabled in 2019; neither variant places an "HTTPS well-known file", the proof lives in the TLS handshake itself.
A wildcard certificate can only be obtained with dns-01. Note that *.btiwork.com covers exactly one label below the apex and does not cover btiwork.com itself; add the apex as a second -d if the site is also served there.
Single host via http-01 (certbot's built-in web server answers on port 80 itself, so stop nginx first, or use --webroot -w <docroot> instead of --standalone and let nginx serve the challenge file):
certbot certonly --standalone --preferred-challenges http --agree-tos --email clay_chen@qq.com -d www.btiwork.com
Wildcard via dns-01 (quote the name so the shell does not glob-expand the *):
certbot certonly --manual --preferred-challenges dns --agree-tos --email clay_chen@qq.com -d '*.btiwork.com' --server https://acme-v02.api.letsencrypt.org/directory
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# add the TXT record first and confirm it resolves; only then press Enter, because certbot immediately asks the CA to validate
Please deploy a DNS TXT record under the name
_acme-challenge.btiwork.com with the following value:
31VLFwdoxeBvqRMrCYLRNaj0-sAaxn1rMdNR4edf1zMyU
How to check (the owner name is _acme-challenge.<domain>, exactly as in the QUESTION SECTION below):
dig -t txt _acme-challenge.btiwork.com @8.8.8.8
; <<>> DiG 9.10.6 <<>> -t txt _acme-challenge.btiwork.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29885
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.btiwork.com. IN TXT
;; ANSWER SECTION:
_acme-challenge.btiwork.com. 3600 IN TXT "31VLFwdoxeBvqRMrCYLRNaj0-sAaxn1rMdNR4edf1zMyU"
;; Query time: 95 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 12 13:51:18 CST 2022
;; MSG SIZE rcvd: 112
A public resolver may still return a cached negative answer if it was asked before the record existed, and Let's Encrypt resolves from several vantage points of its own rather than through 8.8.8.8, so also query one of the zone's authoritative nameservers (dig +short NS btiwork.com) before pressing Enter.
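Where the TXT value printed above actually comes from, as an added example that is not part of the original page: under RFC 8555 the client does not choose it. The value is base64url(SHA-256(token "." thumbprint(accountKey))), where the thumbprint is the RFC 7638 hash of the account key's public JWK; the unhashed token "." thumbprint string is what http-01 serves instead. certbot keeps the account key as a JWK in /etc/letsencrypt/accounts/<server>/directory/<id>/private_key.json and logs the authorization object (including the token) in /var/log/letsencrypt/letsencrypt.log. SAMPLE_JWK and SAMPLE_TOKEN below are constructed stand-ins, not real key material, and the function names are this example's own. Standard library only.

```python
"""Reproduce ACME challenge values (RFC 8555 section 8) from an account key.

Added example, not code from the original page. Standard library only.
"""
import base64
import hashlib
import json

# Constructed sample in the shape of certbot's private_key.json. The values
# are fabricated and are NOT a usable RSA key; only the public members
# (kty, n, e) influence the thumbprint. A private member is kept on purpose
# to show that it is ignored.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy4WfUMMM3a",
    "d": "VFCWOqXr8nvZNyaaJLXdnNPXZKRaWCjkU5Q2egQQpTBMwhprMzWzpR8Sxq1OPThh",
}
# Sample token in the base64url form ACME servers issue (constructed).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# Members that enter the thumbprint, per RFC 7638 section 3.2.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data):
    """Base64url without '=' padding, the encoding ACME/JOSE use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sha256_b64url(data):
    """base64url(SHA-256(data)): always 43 characters."""
    return b64url(hashlib.sha256(data).digest())


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the canonical JSON of the required public
    members only (lexicographic key order, no whitespace, nothing else)."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True,
                           separators=(",", ":"))
    return sha256_b64url(canonical.encode("utf-8"))


def key_authorization(token, jwk):
    """token '.' thumbprint: the body served at the http-01 URL."""
    return token + "." + jwk_thumbprint(jwk)


def http01_url(domain, token):
    """URL the CA fetches for http-01 (plain HTTP, port 80)."""
    return "http://%s/.well-known/acme-challenge/%s" % (domain, token)


def dns01_txt_value(token, jwk):
    """dns-01 publishes SHA-256(key authorization), base64url-encoded.
    This is the string certbot prints and the string dig must return."""
    return sha256_b64url(key_authorization(token, jwk).encode("ascii"))


if __name__ == "__main__":
    print("key authorization:", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("http-01 URL      :", http01_url("www.btiwork.com", SAMPLE_TOKEN))
    print("dns-01 TXT value :", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

Feed it the real account JWK and the token from the log and compare dns01_txt_value() with what dig returns: a mismatch after a reissue usually means the TXT record still carries the value of a previous order, which is the most common cause of a dns-01 failure with a record that "looks right".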
Parameter explanation:
certonly: a certbot subcommand, not a plugin. It obtains (or renews) the certificate but does not install it into a web server; the authenticator is chosen separately with a plugin flag such as --standalone, --webroot, --manual or --nginx.
-d: the hostname(s) to include in the certificate, repeatable. For a wildcard pass *.xxx.com (quoted, and replaced with your own domain).
--preferred-challenges dns: prove ownership with dns-01 (certbot accepts both dns and dns-01; likewise http and http-01).
--server: the ACME directory URL. Only ACME v2 issues wildcard certificates, so older certbot releases must be pointed at the v2 endpoint explicitly; current releases already default to it, where the flag is redundant but harmless.
- Reference the certificate files in the nginx main configuration (inside the http block of nginx.conf, so that every server block inherits them). Use fullchain.pem rather than cert.pem: it carries the intermediate certificate, without which many clients cannot build the chain:
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 10m;
ssl_certificate_key /etc/letsencrypt/live/btiwork.com/privkey.pem;
ssl_certificate /etc/letsencrypt/live/btiwork.com/fullchain.pem;
- A single server block then simply inherits the certificate from the main configuration:
server {
    listen 80;
    server_name btiwork.com www.btiwork.com;
    # $request_uri keeps path and query string; $1 is undefined here (there is
    # no regex capture), so the original redirect dropped the path.
    return 301 https://www.btiwork.com$request_uri;
}
server {
    listen 443 ssl;
    server_name www.btiwork.com;
    #charset koi8-r;
    access_log logs/blog.access.log main;
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); allow only 1.2 and 1.3
    # (TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1; drop it on older builds)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_stapling on;
    ssl_stapling_verify on;
    # nginx needs a resolver to reach the OCSP responder; without one stapling
    # is silently skipped. If the error log shows "OCSP response verify failed",
    # point ssl_trusted_certificate at the issuer chain plus root.
    resolver 8.8.8.8 1.1.1.1 valid=300s;
    ssl_prefer_server_ciphers on;
    location / {
        #rewrite /ui/(.*)$ /$1 break;
        root /opt/minio/data/blog/public;
        index index.html index.htm;
    }
}
Deleting a certificate
certbot delete --cert-name www.btiwork.com
This only removes the lineage under /etc/letsencrypt (live, archive and the renewal config); it does not revoke the certificate at the CA. If the private key may have been exposed, revoke first, then delete:
certbot revoke --cert-path /etc/letsencrypt/live/www.btiwork.com/fullchain.pem --reason keycompromise
Renewing a certificate
// Ordinary certificates
certbot renew --deploy-hook "nginx -s reload" # run from a cron job or systemd timer once or twice a day: renew only touches certificates within 30 days of expiry, and the deploy hook reloads nginx, which otherwise keeps serving the old certificate file
// Wildcard certificates obtained with --manual and a DNS TXT record
- certbot renew cannot complete the challenge on its own, because every new order gets a different TXT value; either repeat the issuance steps above
- and set the new TXT record value when prompted, or hand the DNS update to a --manual-auth-hook script (or a certbot DNS plugin for your provider) so that renew can run unattended.
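As an added example that is not part of the original page, the hook below makes the wildcard renewal above unattended and automates the "check with dig before pressing Enter" step from the dns-01 walkthrough. certbot runs a --manual-auth-hook once per name before asking the CA to validate, with the name in CERTBOT_DOMAIN and the TXT value in CERTBOT_VALIDATION (both are real certbot variables). publish_txt() is a hypothetical placeholder for the DNS provider's API, which this page does not cover; the resolvers, the file path in the usage note, and SAMPLE_DIG_OUTPUT (constructed to exercise the parser offline) are this example's own assumptions.

```python
#!/usr/bin/env python3
"""certbot --manual-auth-hook for dns-01 that waits for the TXT record to
propagate before certbot asks the CA to validate.

Added example, not code from the original page. certbot exports
CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; publish_txt() is a
hypothetical placeholder for the DNS provider's API.
"""
import os
import re
import subprocess
import sys
import time

# Constructed sample of `dig +short TXT` output: one record per line, and a
# string longer than 255 bytes is printed as several quoted chunks.
SAMPLE_DIG_OUTPUT = (
    '"31VLFwdoxeBvqRMrCYLRNaj0-sAaxn1rMdNR4edf1zMyU"\n'
    '"v=spf1 include:_spf.example" ".net -all"\n'
)

_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def challenge_record_name(domain):
    """Owner name of the dns-01 record. certbot already passes the base name
    for a wildcard, but strip a leading '*.' so manual calls behave the same."""
    if domain.startswith("*."):
        domain = domain[2:]
    return "_acme-challenge." + domain


def parse_txt_answers(dig_short_output):
    """Join the quoted chunks of each output line back into one TXT value."""
    values = []
    for line in dig_short_output.splitlines():
        chunks = _QUOTED.findall(line)
        if chunks:
            joined = "".join(chunks).replace('\\"', '"').replace("\\\\", "\\")
            values.append(joined)
    return values


def record_propagated(answers, expected):
    """True when the expected value is among the answers. Other TXT records
    at the same name (e.g. an older challenge) are tolerated: RFC 8555 lets
    the CA accept any one matching record."""
    return expected in answers


def query_txt(name, resolver):
    """Ask one resolver; an empty list on timeout, NXDOMAIN or missing dig."""
    cmd = ["dig", "+short", "+time=3", "+tries=1", "TXT", name, "@" + resolver]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except OSError:
        return []
    return parse_txt_answers(out.stdout)


def wait_for_txt(name, expected, resolvers=("8.8.8.8", "1.1.1.1"),
                 timeout=600, interval=15, query=query_txt):
    """Poll until every resolver returns the expected value, or give up.
    `query` is injectable so the loop can be exercised without the network."""
    deadline = time.monotonic() + timeout
    while True:
        missing = [r for r in resolvers
                   if not record_propagated(query(name, r), expected)]
        if not missing:
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


def publish_txt(name, value):
    """Hypothetical placeholder: call your DNS provider's API here."""
    raise NotImplementedError("publish %s TXT %s via your DNS provider" % (name, value))


def main():
    name = challenge_record_name(os.environ["CERTBOT_DOMAIN"])
    value = os.environ["CERTBOT_VALIDATION"]
    publish_txt(name, value)
    if not wait_for_txt(name, value):
        print("%s did not propagate in time" % name, file=sys.stderr)
        return 1  # non-zero exit makes certbot abort instead of failing at the CA
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Save it as, say, /usr/local/bin/acme-dns-hook.py, make it executable, and issue with certbot certonly --manual --preferred-challenges dns --manual-auth-hook /usr/local/bin/acme-dns-hook.py -d '*.btiwork.com'; certbot stores the hook in the renewal config, so certbot renew then works for the wildcard as well. Pair it with --manual-cleanup-hook to delete the record afterwards. If the zone's TTL is long, query the authoritative nameservers too rather than only public resolvers, which may have cached a negative answer from an earlier attempt.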