使用 Certbot 申请 Let's Encrypt SSL 证书，并定时续期

网站有个 SSL 证书，可以提高安全性、及提高搜索引擎的排名。

Let’s Encrypt SSL 证书是免费的，可以用命令行申请，也可以用命令行续期。

Let’s Encrypt 网站推荐用 cerbot 工具。这个工具软件在不同的年份，有不同的用法(可能是不同软件版本的命令行，参数与之前版本改动较大)，网上查到的往往行不通。这篇文章介绍当前版本可用的命令行参数使用方法。

参考网站:

https://letsencrypt.org/zh-cn/

https://certbot.eff.org/instructions

a. 申请有通配符的域名 SSL 证书:

certbot certonly -d *.somedomain.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

根据提示，输入对应的信息。生成证书后，可更改 nginx/apache 对应的配置文件。

b. 定时运行命令，续期 SSL 证书:

certbot certonly -d *.somedomain.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

命令与前一步一样。得到的提示不同，如下:

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

选择 2，进行 SSL 证书续期。续期后的证书，是覆盖原有的。

有时候，这一步骤，会需要在 DNS 服务端配置一个 text record，如下:

C:\apps\Certbot\bin>certbot certonly -d *.xxx.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to C:\Certbot\log\letsencrypt.log
Renewing an existing certificate for *.xxx.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.xxx.com.

with the following value:

Yl4WJ-5yPdC5srxxxxxxxx

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.xxx.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
		

遇到这种情况，先登录 DNS 服务端, 比如 https://dcc.godaddy.com/manage/xxx.com/dns , 添加/更改对应的 DNS TXT record。等待半小时、或1小时，切换到上述 DOS 窗口，按回车。继续下面的操作。

欢迎转载，转载请注明出处: https://www.zheguisoft.com/staff_blogs/jacklondon_chen/2022, 及 https://my.oschina.net/jacklondon/blog/5417036 , http://www.cnblogs.com/jacklondon