Using Certbot to request a Let's Encrypt SSL certificate and renew it on a schedule

2022-01-26 19:35

Having an SSL certificate for a website improves security and also improves search-engine ranking.

Let's Encrypt SSL certificates are free; they can be requested from the command line and renewed from the command line as well.

The Let's Encrypt website recommends the certbot tool. The tool's usage has changed from year to year (most likely because newer versions changed the command-line parameters substantially compared with earlier ones), so the instructions you find online often do not work. This article describes the command-line parameters that work with the current version.

Reference sites:

https://letsencrypt.org/zh-cn/

https://certbot.eff.org/instructions

a. Request a wildcard SSL certificate for a domain:

certbot certonly -d *.somedomain.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

Enter the requested information at the prompts. Once the certificate has been generated, update the corresponding nginx/apache configuration file.

 

b. Run the command periodically to renew the SSL certificate:

certbot certonly -d *.somedomain.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

The command is the same as in the previous step, but the prompt is different, as follows:

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Choose 2 to renew the SSL certificate. The renewed certificate overwrites the existing one.

Sometimes this step requires a TXT record to be configured at the DNS provider, as follows:


C:\apps\Certbot\bin>certbot certonly -d *.xxx.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to C:\Certbot\log\letsencrypt.log
Renewing an existing certificate for *.xxx.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.xxx.com.

with the following value:

Yl4WJ-5yPdC5srxxxxxxxx

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.xxx.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

In this case, first log in to the DNS provider, for example https://dcc.godaddy.com/manage/xxx.com/dns , and add/update the corresponding DNS TXT record. Wait half an hour or an hour, switch back to the DOS window shown above, and press Enter. Then continue with the remaining steps.
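Rather than guessing how long propagation takes, you can check that the _acme-challenge TXT record is already visible on every authoritative nameserver before pressing Enter, which is what certbot's prompt asks for. The script below is an added example and is not part of the original post or of certbot itself. It assumes the dig tool is installed (on Linux/macOS, or the BIND tools on Windows); the function names, the arguments and the sample dig output in the comments are my own constructions, and the record name follows the _acme-challenge.<domain> pattern shown in the certbot output above.

```shell
#!/bin/sh
# Added example: confirm the ACME TXT record is published before telling
# certbot to continue. Assumes `dig` is available on the PATH.

# txt_record_present <expected-value> <dig +short TXT output>
# Returns 0 if any record in the output equals the expected value.
# dig prints each TXT value quoted, and a long value may be split into
# several quoted chunks on one line, e.g.  "abc" "123"  -> abc123
txt_record_present() {
  expected="$1"
  output="$2"
  found=1
  while IFS= read -r line; do
    value=$(printf '%s' "$line" | sed 's/" "//g; s/^"//; s/"$//')
    [ "$value" = "$expected" ] && found=0
  done <<EOF
$output
EOF
  return "$found"
}

# wait_for_txt <domain> <expected-value> [max-checks] [seconds-between-checks]
# Queries each authoritative nameserver of the zone directly, so a stale
# recursive-resolver cache cannot hide a record that is already published,
# and only reports success once every nameserver returns the value (the CA
# may pick any of them for validation).
wait_for_txt() {
  domain="$1"
  expected="$2"
  max_checks="${3:-30}"
  delay="${4:-20}"
  name="_acme-challenge.$domain"
  check=0
  while [ "$check" -lt "$max_checks" ]; do
    missing=0
    for ns in $(dig +short NS "$domain"); do
      out=$(dig +short TXT "$name" "@$ns" 2>/dev/null)
      if ! txt_record_present "$expected" "$out"; then
        echo "not yet visible on $ns"
        missing=1
      fi
    done
    if [ "$missing" -eq 0 ]; then
      echo "TXT record $name is visible on all authoritative nameservers; press Enter in certbot."
      return 0
    fi
    check=$((check + 1))
    sleep "$delay"
  done
  echo "TXT record $name still not visible after $max_checks checks" >&2
  return 1
}

# Usage (hypothetical values): sh check_txt.sh xxx.com Yl4WJ-5yPdC5srxxxxxxxx
if [ $# -ge 2 ]; then
  wait_for_txt "$@"
fi
```

Run it in a second terminal while certbot is waiting at "Press Enter to Continue", passing the base domain (xxx.com for a *.xxx.com certificate) and the value certbot printed; only press Enter once it reports the record on all nameservers.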

 

 

Reposting is welcome; please cite the source: https://www.zheguisoft.com/staff_blogs/jacklondon_chen/2022, as well as https://my.oschina.net/jacklondon/blog/5417036 , http://www.cnblogs.com/jacklondon