Generating a Let's Encrypt wildcard certificate with Certbot on Ubuntu
2024-04-07 21:35:28
1. Install Snapd
Ubuntu 16.04 and later usually ship with Snapd. If your system does not have it yet, install it with:
sudo apt update
sudo apt install snapd
2. Install Certbot
Install Certbot via Snap so that you get the latest version:
sudo snap install --classic certbot
3. Prepare the certbot command
Make the certbot command available by creating a symbolic link to it in the /usr/bin directory:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
4. Run Certbot and obtain the certificate
Here we only obtain the certificate (without letting Certbot configure the web server):
This is the standard form (the wildcard is quoted so the shell does not expand it as a glob):
sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --manual --preferred-challenges=dns -d "*.example.com"
This is my own instance:
sudo certbot certonly --manual --preferred-challenges dns -d "*.lookclouds.com"
Next, the system prints the following:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for lookclouds.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.lookclouds.com with the following value:
B5b2BJzIJ9QyGjizvTIS2w-qzcwAsDsELw9jvSjC97A
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Answer Y or N to the question shown on screen; here we choose Y.
Next comes the DNS validation: at your DNS provider, add a TXT record as shown above, with the unique token as its value. Wait about 10 minutes, then press Enter to continue, and the certificate for the domain will be issued.
When you see the following, the certificate was created successfully:
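Rather than waiting a fixed 10 minutes, the record can be checked before pressing Enter. The following is an added Python example, not part of the original post: it parses the record name and token out of the certbot prompt shown above (sample text constructed from that output) and compares them with the TXT answers a resolver returns. The live query assumes the dig binary is installed.

```python
import re
import subprocess
from typing import List, Optional, Tuple

# Constructed sample: the dns-01 part of the certbot --manual prompt quoted above.
CERTBOT_PROMPT = """\
Please deploy a DNS TXT record under the name
_acme-challenge.lookclouds.com with the following value:

B5b2BJzIJ9QyGjizvTIS2w-qzcwAsDsELw9jvSjC97A

Before continuing, verify the record is deployed.
"""

PROMPT_RE = re.compile(r"DNS TXT record under the name\s+(\S+)\s+with the following value:\s+(\S+)")

def parse_challenge(prompt: str) -> Tuple[str, str]:
    """Return (record name, expected token) from certbot's manual dns-01 prompt."""
    m = PROMPT_RE.search(prompt)
    if not m:
        raise ValueError("no dns-01 challenge found in certbot output")
    return m.group(1).rstrip("."), m.group(2)

def txt_value(answer: str) -> str:
    """Normalise one 'dig +short TXT' line: join its quoted chunks ("ab" "cd" -> abcd)."""
    chunks = re.findall(r'"([^"]*)"', answer)
    return "".join(chunks) if chunks else answer.strip()

def record_deployed(txt_answers: List[str], expected: str) -> bool:
    """True if some TXT record equals the token exactly.

    Several records may coexist under _acme-challenge (e.g. apex and *.example.com
    validated in one run), so any exact match counts; a truncated value does not.
    """
    return any(txt_value(a) == expected for a in txt_answers)

def query_txt(name: str, nameserver: Optional[str] = None) -> List[str]:
    """Fetch TXT records with dig (needs network and dig; not run by the offline test).

    Prefer the zone's authoritative server (see 'dig +short NS <zone>'): recursive
    resolvers may still be caching an older or negative answer for the name.
    """
    cmd = ["dig", "+short", "TXT", name] + ([f"@{nameserver}"] if nameserver else [])
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line.strip()]

if __name__ == "__main__":
    name, token = parse_challenge(CERTBOT_PROMPT)
    status = "deployed" if record_deployed(query_txt(name), token) else "not visible yet"
    print(f"{name}: {status}")
```

Paste the real prompt into CERTBOT_PROMPT (or read it from a file) and rerun until the record reports as deployed; only then continue in certbot.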
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/lookclouds.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/lookclouds.com/privkey.pem
Your cert will expire on 2024-07-05. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
I recommend not moving the certificate's files or directory; simply copy fullchain.pem and privkey.pem to wherever you need them. If you want to deploy directly to nginx or apache with automatic renewal, please search online for that; this is purely a demonstration of generating the certificate.
In the nginx configuration, set it up as follows:
server {
    listen 443 ssl;   # "ssl on;" is deprecated; enable TLS on the listen directive instead
    ssl_certificate     /xxx/fullchain.pem;
    ssl_certificate_key /xxxx/privkey.pem;
}
5. How to fix the wildcard certificate being flagged as insecure by browsers
Apart from Chrome, other browsers may flag our wildcard certificate as insecure.
Taking nginx as an example, add the following to the conf:
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /xxxx/fullchain.pem;
# DNS resolvers: the first is a domestic (China) one, the other two are overseas; you can use this configuration as-is
resolver 223.5.5.5 8.8.8.8 8.8.4.4 valid=60s;
resolver_timeout 2s;
Once you have confirmed the nginx configuration is correct, restart the service.
Open any browser and test whether the domain is marked as secure; if it is still marked insecure, refresh a few times and it should then show "Secure".