1. Preparation
1.1 Switch CentOS 7.6 to the Alibaba Cloud yum mirror
# Back up the original yum repo file
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
# Download the Alibaba Cloud repo file
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
# Clean the cache
yum clean all
# Build the new cache
yum makecache
1.2 Point pip on CentOS 7.6 at the Alibaba Cloud mirror
To avoid Python package installation failing, or Certbot getting stuck at "Installing Python packages...", set pip to use the domestic Alibaba Cloud pip mirror.
For a permanent setting, add the trusted mirror to the configuration file ~/.pip/pip.conf under the user's home directory (~, not the system root /). If the directory or file does not exist, simply create it.
[root@localhost ~]# cd
[root@localhost ~]# mkdir .pip
[root@localhost ~]# cd .pip
[root@localhost .pip]# vi pip.conf
# Write the following content
[global]
index-url = http://mirrors.aliyun.com/pypi/simple/
[install]
trusted-host=mirrors.aliyun.com
1.3 Install dig
The dig command is used during the installation steps to check whether the domain's DNS record has taken effect.
yum install -y bind-utils
2. Getting started
2.1 Download Certbot
Let's Encrypt is only the name of the service being introduced; the tool actually used is Certbot, which must be downloaded from its official site before use.
wget https://dl.eff.org/certbot-auto
2.2 Make it executable
chmod u+x certbot-auto
2.3 Install the dependencies and check that the Certbot version supports the latest protocol
To support wildcard certificates, Let's Encrypt upgraded its implementation of the ACME protocol; only ACME v2 can issue wildcard certificates.
When the command runs it resolves dependencies; the required packages are installed or upgraded, after which it continues...
./certbot-auto --version
certbot 0.37.2 # the version number is shown after a successful install
After the dependencies are installed the current Certbot version is displayed; any version higher than 0.22.0 is sufficient.
3. Requesting the certificate
3.1 Run the command
./certbot-auto certonly -d '*.yunkui.top' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
Replace the domain yunkui.top here with your own domain (the wildcard is quoted so the shell does not expand the * as a filename glob).
3.2 Verify your e-mail address
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): yourName@qq.com
Enter your own e-mail address where yourName@qq.com is shown; it is used for urgent renewal and security notices. After you press Enter a verification e-mail is sent to that address; click the verification link in the e-mail to complete e-mail verification.
3.3 Agree to the terms and authorisations
There are three steps in total; enter a, y, y as prompted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for yunkui.top

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
The three interactive prompts above are:
Whether you agree to the Let's Encrypt terms of service
Whether the domain is to be bound to this machine (its IP)
You must confirm agreement to continue.
After the third prompt is complete, pay special attention: the next step is critical.
When the following output appears, do not press Enter; read the command-line output carefully, as it is critical:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.yunkui.top with the following value:

g7O6yEd9xp-t7dJSD9Qujb70OVaRpUq1ux-rnLPXNxk

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
3.4 Prove ownership of the domain
At this point you need to switch to your domain's DNS management console and add a DNS record to prove that you own the domain; this is how the CA decides whether the certificate requester controls it.
The output above asks you to configure a TXT record for _acme-challenge.yunkui.top; do not press Enter until you have confirmed that the TXT record has taken effect.
Log in to the DNS management console and, following the prompt, add a TXT record for your domain yunkui.top:
Host record: _acme-challenge
Record value: g7O6yEd9xp-t7dJSD9Qujb70OVaRpUq1ux-rnLPXNxk
After adding it, the record can take up to 10 minutes to take effect; confirm that resolution works before pressing Enter in the terminal where Let's Encrypt is being configured.
3.4 Check whether the TXT record has taken effect
dig _acme-challenge.yunkui.top txt
This command needs to be run on a different CentOS host; if it prints the record value correctly, the TXT record has taken effect.
;; QUESTION SECTION:
;_acme-challenge.yunkui.top.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.yunkui.top. 600	IN	TXT	"g7O6yEd9xp-t7dJSD9Qujb70OVaRpUq1ux-rnLPXNxk"
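Instead of re-running dig by hand, the wait can be scripted. The following is an added example, not code from the original post or from Certbot: it polls the zone's own authoritative nameserver (a recursive resolver may keep serving a cached "no such record" answer for its TTL) until the _acme-challenge TXT record carries the value Certbot printed, and only then tells you to press Enter. The zone argument, the 10-minute budget (matching the propagation time quoted above) and the 15-second interval are assumptions.

```shell
#!/bin/sh
# Added example: wait until the _acme-challenge TXT record is live on the
# authoritative nameserver before continuing in the certbot terminal.
# Requires dig from bind-utils (installed in step 1.3).

# Succeed if the dig output read on stdin contains a TXT value equal to $1.
# Handles both "dig +short" lines ("value") and full ANSWER SECTION lines.
txt_output_has_value() {
    awk -v want="\"$1\"" '
        { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# wait_for_txt ZONE NAME VALUE
# e.g. wait_for_txt yunkui.top _acme-challenge.yunkui.top g7O6yEd9xp-t7dJSD9Qujb70OVaRpUq1ux-rnLPXNxk
wait_for_txt() {
    zone="$1"; name="$2"; value="$3"
    # Ask an authoritative server for the zone directly (assumption: the first
    # NS returned is reachable) to avoid negative caching at a recursive resolver.
    ns=$(dig +short NS "$zone" | head -n 1)
    if [ -z "$ns" ]; then
        echo "could not find a nameserver for $zone" >&2
        return 1
    fi
    deadline=$(( $(date +%s) + 600 ))       # 10-minute budget (assumption)
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if dig "@$ns" +short TXT "$name" | txt_output_has_value "$value"; then
            echo "TXT record on $name is live at $ns; press Enter in the certbot terminal"
            return 0
        fi
        sleep 15                             # poll interval (assumption)
    done
    echo "gave up: $name still does not carry the expected value" >&2
    return 1
}

# Run as: sh wait_txt.sh ZONE NAME VALUE (only defines the functions when given no arguments)
if [ "$#" -eq 3 ]; then
    wait_for_txt "$1" "$2" "$3"
fi
```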
3.5 Generate the certificate
Once the DNS record has taken effect, press Enter in the original terminal; the output is as follows:
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yunkui.top/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yunkui.top/privkey.pem
   Your cert will expire on 2019-11-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Congratulations, the certificate request succeeded. The certificate and key are stored in the following directory:
tree /etc/letsencrypt/archive/yunkui.top
.
├── cert1.pem
├── chain1.pem
├── fullchain1.pem
└── privkey1.pem
Then verify the certificate details with the following command:
openssl x509 -in /etc/letsencrypt/archive/yunkui.top/cert1.pem -noout -text
The key output is:
X509v3 Subject Alternative Name:
DNS:*.yunkui.top
Perfect: the certificate contains the SAN extension, and its value is *.yunkui.top.
3.6 Certificate validity
The certificate is valid for 90 days and must be renewed with certbot-auto renew.
4. Nginx configuration
server {
    server_name www.my_custom_domain.xyz; # enter your own domain
    listen 443 ssl;                       # "ssl" here enables TLS; the deprecated "ssl on;" directive is not needed
    ssl_certificate /etc/letsencrypt/live/yunkui.top/fullchain.pem;     # enter your own path
    ssl_certificate_key /etc/letsencrypt/live/yunkui.top/privkey.pem;   # enter your own path
    location / {
    }
}
Restart nginx to complete the configuration.
If you want to automate requesting or renewing wildcard certificates, you can refer to this tool:
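The SAN check in 3.5 and the server_name in the Nginx block above are worth tying together, because a wildcard entry covers exactly one label: *.yunkui.top matches www.yunkui.top but neither the apex yunkui.top nor a.b.yunkui.top, and a server_name such as www.my_custom_domain.xyz is not covered by this certificate at all. The following added example (not code from the original post or from Certbot) implements that matching rule over the "DNS:..." line openssl prints, and wraps it so it can be run against the cert1.pem from the tree above or against what the live server presents; openssl is assumed to be installed, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example: does the certificate's Subject Alternative Name list cover
# the host Nginx will serve it for? Wildcards match exactly one label.

# san_entry_covers ENTRY HOST: does one SAN entry ("*.yunkui.top" or "yunkui.top") cover HOST?
san_entry_covers() {
    san="$1"; host="$2"
    case "$san" in
        \*.*)
            suffix="${san#\*.}"      # yunkui.top
            label="${host%%.*}"      # leftmost label of HOST
            rest="${host#*.}"        # everything after that label
            # HOST must consist of one non-empty label followed by the suffix;
            # the apex (rest == host) and deeper names never match.
            [ "$rest" != "$host" ] && [ -n "$label" ] && [ "$rest" = "$suffix" ]
            ;;
        *)
            [ "$san" = "$host" ]
            ;;
    esac
}

# san_covers SANLINE HOST: SANLINE is the openssl line, e.g. "DNS:*.yunkui.top, DNS:yunkui.top".
# Runs in a subshell so disabling globbing (for the "*") and changing IFS stay local.
san_covers() (
    set -f; IFS=','
    for entry in $1; do
        entry="${entry# }"
        case "$entry" in
            DNS:*) san_entry_covers "${entry#DNS:}" "$2" && return 0 ;;
        esac
    done
    return 1
)

# Extract the SAN line from "openssl x509 -text" output on stdin (works on OpenSSL 1.0.2 too).
san_line_from_text() {
    sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# cert_file_covers CERT_PEM HOST: check a file such as /etc/letsencrypt/archive/yunkui.top/cert1.pem
cert_file_covers() {
    san_covers "$(openssl x509 -in "$1" -noout -text | san_line_from_text)" "$2"
}

# served_cert_covers HOST: fetch what the server presents for HOST over SNI and check it.
served_cert_covers() {
    sanline=$(printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -text | san_line_from_text)
    san_covers "$sanline" "$1"
}
```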
https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au