Obtaining a wildcard certificate with certbot + nginx
My blog had always used plain HTTP: the traffic was never large and, more to the point, I could not be bothered to deal with certificates. I finally had some spare time, so here is how I set it up.
1. Environment
- CentOS 7
- certbot
- nginx
- certbot-letencrypt-wildcardcertificates-alydns-au
2. Install nginx
Install it directly with yum (on CentOS 7 the nginx package comes from the EPEL repository):
```shell
[root@c7-docker-1 opt]# yum install nginx
```
Configure the reverse proxy
Create demo.conf with vim:
```shell
[root@c7-docker-1 opt]# vim /etc/nginx/conf.d/demo.conf
```
with the following content:
```nginx
server {
    listen 80;
    server_name example.com;  # your domain
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:1000/;  # your backend; any local service that answers will do
    }
}
```
Start nginx and check that requests for the domain are proxied to your local service:
```shell
[root@c7-docker-1 opt]# systemctl start nginx.service
```
Open example.com in a browser and confirm that it reaches the local service.

Install certbot and related tools
```shell
[root@c7-docker-1 opt]# yum install vim certbot python2-certbot-nginx -y
```
Download certbot-letencrypt-wildcardcertificates-alydns-au
git clone the tool into /opt:
```shell
[root@c7-docker-1 opt]# cd /opt/
[root@c7-docker-1 opt]# git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
```
Alternatively, download the whole project from GitHub and unpack it into this directory.

Configure certbot-letencrypt-wildcardcertificates-alydns-au
Rename the directory for convenience:
```shell
[root@c7-docker-1 opt]# mv certbot-letencrypt-wildcardcertificates-alydns-au certbot
[root@c7-docker-1 opt]# cd certbot
[root@c7-docker-1 certbot]# vim domain.ini
```
Check the default domain entries; if your own root domain is not listed, add it.
```shell
[root@c7-docker-1 certbot]# vim au.sh
```
Fill in the block for the DNS provider you use (the script supports Aliyun, Tencent Cloud, Huawei Cloud and GoDaddy):
```shell
# Aliyun AccessKey ID and AccessKey Secret
# How to obtain one: https://help.aliyun.com/knowledge_detail/38738.html
ALY_KEY=""
ALY_TOKEN=""
# Tencent Cloud SecretId and SecretKey
# How to obtain one: https://console.cloud.tencent.com/cam/capi
TXY_KEY=""
TXY_TOKEN=""
# Huawei Cloud Access Key Id and Secret Access Key
# How to obtain one: https://support.huaweicloud.com/devg-apisign/api-sign-provide.html
HWY_KEY=""
HWY_TOKEN=""
# GoDaddy SecretId and SecretKey
# How to obtain one: https://developer.godaddy.com/getstarted
GODADDY_KEY=""
GODADDY_TOKEN=""
```
Whoever can read this file can edit your DNS zone, and control of the zone is enough to obtain certificates for every name in it, so use a sub-account key that is limited to DNS record management rather than your main account key.
After saving, make the script executable. It holds your cloud API credentials and is run as root by certbot, so do not make it world-readable or world-writable with `0777`; `0700` is sufficient:
```shell
[root@c7-docker-1 certbot]# chmod 0700 au.sh
```
7. Test that the hook works
```shell
[root@c7-docker-1 certbot]# certbot certonly \
-d '*.test.com' \
--manual --preferred-challenges dns \
--dry-run --manual-auth-hook "/opt/certbot/au.sh php aly add" \
--manual-cleanup-hook "/opt/certbot/au.sh php aly clean"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating a certificate request for *.test.com
Performing the following challenges:
dns-01 challenge for test.com
Running manual-auth-hook command: /opt/certbot/au.sh php aly add
Waiting for verification...
Cleaning up challenges
Running manual-cleanup-hook command: /opt/certbot/au.sh php aly clean
IMPORTANT NOTES:
- The dry run was successful.
```
Enter your email address when prompted and accept the terms of service. `--dry-run` talks to the Let's Encrypt staging endpoint (acme-staging-v02, as the output shows), so it does not count against the production rate limits. `'*.test.com'` is quoted so that the shell does not try to expand the `*` as a glob.
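To make clear what `au.sh php aly add` / `clean` actually have to do, here is an added example of a minimal manual-auth-hook / manual-cleanup-hook pair; it is not the page's au.sh, whose provider calls live in PHP. certbot passes the challenge to the hook through environment variables (CERTBOT_DOMAIN, CERTBOT_VALIDATION, CERTBOT_REMAINING_CHALLENGES). For `-d '*.test.com'` CERTBOT_DOMAIN is `test.com`, as the `dns-01 challenge for test.com` line above shows, so the apex name and the wildcard both need a TXT record at the same name, `_acme-challenge.test.com`, and a hook that overwrites instead of appending will make one of the two challenges fail. The provider API is replaced by a file-backed fake zone so the script runs offline; the ZONES list (the counterpart of domain.ini), FAKE_ZONE_FILE and PROPAGATION_WAIT are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the page's au.sh: a minimal certbot manual-auth-hook /
# manual-cleanup-hook skeleton. The DNS provider API is replaced by a
# file-backed fake zone (FAKE_ZONE_FILE) so it runs offline.
set -eu

ZONES="test.com example.org"                  # assumed: the zones we manage (like domain.ini)
FAKE_ZONE_FILE="${FAKE_ZONE_FILE:-$(mktemp)}" # assumed: stands in for the provider API
PROPAGATION_WAIT="${PROPAGATION_WAIT:-0}"     # assumed: seconds to wait once all records exist

# Map a challenge domain to "<record name> <zone>" using the managed zone list.
# certbot hands over "test.com" for both "-d test.com" and "-d *.test.com"
# (the wildcard prefix is already stripped), so both land on _acme-challenge.test.com.
split_zone() {
  domain="$1"
  for zone in $ZONES; do
    if [ "$domain" = "$zone" ]; then
      printf '_acme-challenge %s\n' "$zone"
      return 0
    fi
    case "$domain" in
      *".$zone") printf '_acme-challenge.%s %s\n' "${domain%.$zone}" "$zone"; return 0 ;;
    esac
  done
  echo "no managed zone for $domain" >&2
  return 1
}

# Fake provider: one "zone name value" line per TXT record.
txt_add()  { printf '%s %s %s\n' "$1" "$2" "$3" >>"$FAKE_ZONE_FILE"; }
txt_del()  { tmp=$(mktemp); grep -vxF "$1 $2 $3" "$FAKE_ZONE_FILE" >"$tmp" || true; mv "$tmp" "$FAKE_ZONE_FILE"; }
txt_list() { awk -v z="$1" -v n="$2" '$1 == z && $2 == n { print $3 }' "$FAKE_ZONE_FILE"; }

# hook add|clean <domain> <validation> [remaining]
hook() {
  action="$1"; domain="$2"; validation="$3"; remaining="${4:-0}"
  rec=$(split_zone "$domain")        # aborts (set -e) if the domain is not in ZONES
  name=${rec% *}; zone=${rec#* }
  case "$action" in
    add)
      txt_add "$zone" "$name" "$validation"  # append: never replace an existing value
      if [ "$remaining" -eq 0 ]; then        # last challenge of this run: now wait for DNS
        sleep "$PROPAGATION_WAIT"
      fi
      ;;
    clean)
      txt_del "$zone" "$name" "$validation"  # remove only the value we created
      ;;
    *)
      echo "usage: hook add|clean <domain> <validation> [remaining]" >&2
      return 2
      ;;
  esac
}

# When certbot runs this script, the inputs arrive in the environment, e.g.
#   --manual-auth-hook "/path/hook.sh add" --manual-cleanup-hook "/path/hook.sh clean"
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  hook "${1:-add}" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" "${CERTBOT_REMAINING_CHALLENGES:-0}"
fi
```

Two details matter in a real provider backend: `add` must create an additional TXT record rather than update the existing one, and `clean` must delete only the record carrying its own validation value, otherwise the cleanup hook of the first challenge removes the record the second challenge is still waiting on. Waiting for propagation only when CERTBOT_REMAINING_CHALLENGES is 0 keeps a multi-name request from sleeping once per name.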
Issue the certificate for real
If you only need the wildcard, `-d '*.test.com'` alone is enough; further names can be added with more `-d` flags. Keep comments off the command lines: a `#` after the trailing `\` breaks the line continuation and the remaining options are never passed to certbot.
```shell
[root@c7-docker-1 certbot]# certbot certonly \
-d test.com \
-d '*.test.com' \
--manual --preferred-challenges dns \
--manual-auth-hook "/opt/certbot/au.sh php aly add" \
--manual-cleanup-hook "/opt/certbot/au.sh php aly clean"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): halliday2023@163.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N        # whether to share your address with the EFF for their mailings; you can decline
Account registered.
Requesting a certificate for *.test.com
Performing the following challenges:
dns-01 challenge for test.com
Running manual-auth-hook command: /opt/certbot/au.sh php aly add
Waiting for verification...
Cleaning up challenges
Running manual-cleanup-hook command: /opt/certbot/au.sh php aly clean
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/test.com/fullchain.pem        # the certificate, with its chain
Your key file has been saved at:
/etc/letsencrypt/live/test.com/privkey.pem          # the private key
Your certificate will expire on 2023-07-24. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
```
privkey.pem is readable by root only; nginx's master process runs as root and reads the key before handing connections to the unprivileged workers, so there is no need to loosen its permissions.

Delete the certificate
```shell
[root@c7-docker-1 certbot]# certbot delete
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which certificate(s) would you like to delete?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: liuhaolin.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
```
Note that `certbot delete` only removes the certificate, key and renewal configuration from /etc/letsencrypt on this machine; it does not revoke anything at Let's Encrypt. If the private key may have been exposed, revoke first with `certbot revoke --cert-name <name>` and delete afterwards.

Renewal
Renew all certificates on the machine:
```shell
[root@c7-docker-1 certbot]# certbot renew --manual \
--preferred-challenges dns \
--manual-auth-hook "/script-dir/au.sh php aly add" \
--manual-cleanup-hook "/script-dir/au.sh php aly clean"
```
Note: certbot only renews certificates with fewer than 30 days of validity left; the rest are skipped. The hooks given at issuance are stored in /etc/letsencrypt/renewal/<name>.conf, so a plain `certbot renew` reuses them; passing them again is harmless.

Add a crontab entry:
```shell
[root@c7-docker-1 certbot]# crontab -e
1 1 * * * certbot renew --manual --preferred-challenges dns --manual-auth-hook "/script-dir/au.sh php aly add" --manual-cleanup-hook "/script-dir/au.sh php aly clean"
```
Run `crontab -e` as root. A per-user crontab has no user column, so the `root` field that /etc/crontab and /etc/cron.d files use must not be written here; cron would otherwise try to run a command named `root` and the renewal would never happen. `*/1` in the day-of-month field is the same as `*`.
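The page never shows nginx actually serving the certificate, and a renewed certificate is not picked up until nginx is reloaded. As an added example (not from the page or the hook project), the script below renders an HTTPS server block from the paths certbot printed above, installs it only if `nginx -t` passes, and reloads nginx. The backend address and proxy headers are those of demo.conf; the function names `render_tls_vhost` / `install_vhost`, the TLS protocol and HSTS settings, and the target path under /etc/nginx/conf.d are this example's choices.

```shell
#!/bin/sh
# Added example, not from the page: render and install the nginx HTTPS vhost that
# serves the certificate certbot wrote to /etc/letsencrypt/live/<domain>/.
set -eu

# Print an nginx config for DOMAIN: port 80 only redirects to HTTPS, 443 serves the
# Let's Encrypt fullchain + key and proxies to UPSTREAM with the same headers as
# demo.conf. The TLS/HSTS settings are this example's choice, not the page's.
render_tls_vhost() {
  domain="$1"
  upstream="${2:-http://127.0.0.1:1000/}"   # assumed default: the backend from demo.conf
  live="/etc/letsencrypt/live/$domain"
  cat <<EOF
server {
    listen 80;
    server_name $domain *.$domain;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl http2;
    server_name $domain *.$domain;

    ssl_certificate     $live/fullchain.pem;
    ssl_certificate_key $live/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_pass $upstream;
    }
}
EOF
}

# Write the vhost, then reload nginx only if the whole configuration passes nginx -t,
# so a typo or a missing certificate file never takes the running server down.
# On failure the file is moved aside so nginx stays consistent on its next restart.
install_vhost() {
  domain="$1"
  target="${2:-/etc/nginx/conf.d/$domain.conf}"   # assumed location
  render_tls_vhost "$domain" "${3:-http://127.0.0.1:1000/}" >"$target"
  if nginx -t; then
    systemctl reload nginx.service
  else
    mv "$target" "$target.rejected"
    echo "nginx -t failed; kept $target.rejected for inspection, nginx not reloaded" >&2
    return 1
  fi
}

# Stand-alone use: print the vhost for the given domain (default example.com).
render_tls_vhost "${1:-example.com}"
```

nginx reads the certificate files only at start or reload, so the renewal command needs a reload step as well: `certbot renew --deploy-hook "systemctl reload nginx.service"` runs the hook only when a certificate was actually renewed, which is the right place for it, and `install_vhost` can be reused from such a hook if the vhost file itself has to be regenerated.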
Problems

```
/opt/certbot/au.sh: line 112: /usr/bin/php: No such file or directory
```

```shell
Error output from manual-auth-hook command au.sh:
/opt/certbot/au.sh: line 112: /usr/bin/php: No such file or directory
Waiting for verification...
Challenge failed for domain test.com
dns-01 challenge for test.com
Cleaning up challenges
Running manual-cleanup-hook command: /opt/certbot/au.sh php aly clean
Error output from manual-cleanup-hook command au.sh:
/opt/certbot/au.sh: line 112: /usr/bin/php: No such file or directory
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: test.com
Type: unauthorized
Detail: No TXT record found at _acme-challenge.test.com
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
```
Cause: the hook script shells out to /usr/bin/php, which is not installed, so no TXT record was ever created. certbot's closing hint about A/AAAA records is generic advice; the real cause is the hook's stderr above, and "No TXT record found" is just its consequence.

Fix: install PHP (any version above 4 will do).
```shell
[root@c7-docker-1 certbot]# yum install php
```

I suspect this would work without nginx as well, but I have not verified that guess.