在<使用 let’s encrypt 为网站开启 https>一问中,讲述了,如何用 let’s encrypt 为网站开启 https 协议,这篇内容讲一下如何申请 let’s encrypt 通配符证书
什么是通配符证书
通配符 SSL 可以保护网站的 URL 及其所有子域(数量不限)。例如,一个单独的通配符证书就可以保护 www.artacode.com、blog.artacode.com 和 store.artacode.com。
通配符证书可以保护通用域名和您在提交申请时指定的级别下的所有子域。只需在通用域名左侧的子域区域添加星号 (*) 即可。
举例
如果为 *.artacode.com 申请证书,则可以保护:
artacode.com
www.artacode.com
photos.artacode.com
blog.artacode.com
如果为 *.www.artacode.com 申请证书,则可以保护:
www.artacode.com
mail.www.artacode.com
photos.www.artacode.com
blog.www.artacode.com
通配符证书可以像常规 SSL 证书一样为网站提供保护,并且申请是使用同一种验证方法进行处理的。不过,一些 Web 服务器可能要求使用通配符证书的每个子域都有唯一的 IP 地址。
如何申请 let’s encrypt 通配符证书
安装 Certbot
1
2
3
4
|
$ wget https://dl.eff.org/certbot-auto
$ sudo mv certbot-auto /usr/local/bin/certbot-auto
$ sudo chown root /usr/local/bin/certbot-auto
$ sudo chmod 0755 /usr/local/bin/certbot-auto
|
申请证书
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.artacode.com" -d "artacode.com" --manual --preferred-challenges dns-01 certonly
//这里多加了一个 `-d "artacode.com"` 是因为 `-d "*.artacode.com"` 不包含 artacode.com
1. 填写接受通知的邮箱
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): test@test.com
2. 同意协议
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: (A)gree/(C)ancel: a
3. 同意证书服务器记录本机IP
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4. 设置域名解析
Please deploy a DNS TXT record under the name
_acme-challenge.artacode.cn with the following value:
xxxxxxxxxxxxxx
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue 回车继续
5. 生成证书成功
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/artacode.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/artacode.com/privkey.pem
Your cert will expire on 2019-11-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
|
配置 Nginx
1
2
3
4
5
6
7
|
server {
server_name xx.artacode.com;
listen 443 http2 ssl;
ssl_certificate /path/.acme.sh/domain/fullchain.cer;
ssl_certificate_key /path/.acme.sh/domain/domain.key;
ssl_trusted_certificate /path/.acme.sh/domain/ca.cer;
}
|
总结
除了上述方法之外也有一些自动生成的脚本比如acme,就是在 github start 挺多的一个项目,除了手动申请之外也可以借助脚本快速申请 ssl 通配符证书.
参考连接
certbot instructions
