
Generating a Let's Encrypt wildcard certificate with Certbot on Ubuntu

Source: | 2024-04-07 21:35:28

1. Install Snapd

Ubuntu 16.04 and later normally ship with Snapd. If it is not installed on your system, install it with the following commands:
sudo apt update
sudo apt install snapd

2. Install Certbot

Install Certbot with Snap so that you get the latest version:

sudo snap install --classic certbot

3. Prepare the Certbot command

Make sure the certbot command can be run by creating a symbolic link to it in /usr/bin:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

4. Run Certbot and obtain the certificate

Here we only obtain the certificate (without automatically configuring the web server):

This is the standard form:
sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --manual --preferred-challenges=dns -d "*.example.com"

This is my own instance:
sudo certbot certonly --manual --preferred-challenges dns -d "*.lookclouds.com"

Certbot then prints the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for lookclouds.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.lookclouds.com with the following value:

B5b2BJzIJ9QyGjizvTIS2w-qzcwAsDsELw9jvSjC97A

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Answer Y or N as the prompt asks; here we choose Y.

Next, complete the DNS validation: at your DNS provider, add a TXT record as shown above, with the unique token as its value. Wait about 10 minutes, then press Enter to continue; Certbot will then issue the domain certificate.
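Before pressing Enter it is worth confirming that the TXT record has actually propagated, because Let's Encrypt queries it at that moment and failed validations are rate-limited. The following script is an added example, not part of the original post: it polls a public resolver with dig for _acme-challenge.<domain> and reports success only once the token is present. It assumes dig (the dnsutils package on Ubuntu) is installed; the domain and token are the values from the sample session above. Note that certbot renew cannot repeat a --manual dns-01 challenge unattended, so at renewal time the same interactive step, and the same check, is needed again unless a --manual-auth-hook is configured.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the _acme-challenge TXT
# record is visible on a public resolver before pressing Enter in certbot.
# Assumes `dig` (dnsutils) is installed. The domain/token in the usage line are
# the values from the post's own sample session.

# txt_record_has EXPECTED: read `dig +short TXT` output on stdin and return 0 if
# one of the values equals EXPECTED. dig wraps each value in double quotes, so
# strip them before comparing (exact, fixed-string match).
txt_record_has() {
    expected="$1"
    sed 's/^"//; s/"$//' | grep -qxF -- "$expected"
}

# acme_txt_deployed DOMAIN TOKEN [RESOLVER]: query the challenge record of DOMAIN
# at a public resolver (default 8.8.8.8) and check that TOKEN is present.
acme_txt_deployed() {
    domain="$1"; token="$2"; resolver="${3:-8.8.8.8}"
    dig +short TXT "_acme-challenge.$domain" "@$resolver" | txt_record_has "$token"
}

# wait_for_acme_txt DOMAIN TOKEN [LIMIT]: poll every 15 s for up to LIMIT seconds
# (default 600, matching the "about 10 minutes" in the post) before giving up.
wait_for_acme_txt() {
    domain="$1"; token="$2"; limit="${3:-600}"; waited=0
    while [ "$waited" -lt "$limit" ]; do
        if acme_txt_deployed "$domain" "$token"; then
            echo "TXT record for _acme-challenge.$domain is live; press Enter in certbot."
            return 0
        fi
        sleep 15
        waited=$((waited + 15))
    done
    echo "TXT record not visible after ${limit}s; check the record at the DNS provider." >&2
    return 1
}

# Usage (run in a second terminal while certbot waits):
#   sh check-txt.sh lookclouds.com B5b2BJzIJ9QyGjizvTIS2w-qzcwAsDsELw9jvSjC97A
if [ $# -ge 2 ]; then
    wait_for_acme_txt "$@"
fi
```

Querying a public resolver rather than the provider's authoritative server is deliberate: it is closer to what the Let's Encrypt validation servers will see, including any caching of a previous (empty) answer.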

When you see the following output, the certificate was created successfully:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/lookclouds.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/lookclouds.com/privkey.pem
   Your cert will expire on 2024-07-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

It is recommended not to move the certificate files out of this directory; just copy fullchain.pem and privkey.pem to where they are needed. If you want to deploy directly to nginx or apache with automatic renewal, please search online for that; what I show here is purely a demonstration of generating the certificate.
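Before copying the files it is worth checking which names the certificate actually covers. A wildcard name matches exactly one extra label: *.lookclouds.com covers www.lookclouds.com but not lookclouds.com itself or a.b.lookclouds.com, so the request above, which passed only -d "*.lookclouds.com", yields a certificate that will not validate for the bare domain (adding a second -d lookclouds.com to the same command covers both). The script below is an added example and not part of the original post; it assumes openssl 1.1.1 or later (for -ext subjectAltName) and uses the file path printed by certbot above.

```shell
#!/bin/sh
# Added example (not from the original post): list the DNS names in the issued
# certificate and check which hostnames they cover. Wildcard matching follows
# the RFC 6125 rule: "*.example.com" matches exactly one leftmost label, so it
# matches www.example.com but not example.com or a.b.example.com.
# Assumes openssl >= 1.1.1 (for `x509 -ext`).

# wildcard_matches PATTERN HOST: 0 if HOST is covered by PATTERN. A leading "*."
# is the only wildcard form honoured; anything else must match exactly.
# Comparison is case-insensitive, as DNS names are.
wildcard_matches() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        \*.*)
            suffix="${pattern#\*.}"   # e.g. lookclouds.com
            first="${host%%.*}"       # leftmost label of HOST
            rest="${host#*.}"         # everything after the first dot
            # HOST must have at least one dot, a non-empty first label, and the
            # remainder must equal the suffix exactly (one label only).
            [ "$host" != "$rest" ] && [ -n "$first" ] && [ "$rest" = "$suffix" ]
            ;;
        *)
            [ "$pattern" = "$host" ]
            ;;
    esac
}

# cert_sans FILE: print the DNS entries of the certificate's subjectAltName, one
# per line. openssl prints them as "DNS:a, DNS:b" on an indented line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# cert_covers FILE HOST: 0 if any SAN in FILE covers HOST.
cert_covers() {
    cert_sans "$1" | while read -r san; do
        wildcard_matches "$san" "$2" && echo match
    done | grep -q match
}

# report_coverage FILE HOST...: one line per host, e.g.
#   sh check-san.sh /etc/letsencrypt/live/lookclouds.com/fullchain.pem lookclouds.com www.lookclouds.com
report_coverage() {
    file="$1"; shift
    for h in "$@"; do
        if cert_covers "$file" "$h"; then
            echo "covered:     $h"
        else
            echo "NOT covered: $h"
        fi
    done
}

if [ $# -ge 2 ]; then
    report_coverage "$@"
fi
```

Running it against the fullchain.pem from the post's command prints "NOT covered: lookclouds.com" and "covered: www.lookclouds.com", which is the quickest way to see why a browser complains on the apex domain even though the certificate directory is named after it.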

In the nginx configuration, add the following to the server block:

server {
    listen 443 ssl;    # "ssl on;" is deprecated in current nginx; the ssl parameter on listen replaces it
    ssl_certificate /xxx/fullchain.pem;
    ssl_certificate_key /xxxx/privkey.pem;
}

5. How to fix the wildcard certificate being flagged as insecure in browsers

Browsers other than Chrome may flag our wildcard certificate as insecure.

Taking nginx as an example, add the following to the conf:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /xxxx/fullchain.pem;
resolver 223.5.5.5 8.8.8.8 8.8.4.4 valid=60s;  # DNS resolvers: the first is a domestic (China) one, the other two are overseas; you can use this configuration as-is
resolver_timeout 2s;

After confirming the nginx configuration is correct, restart the service.

Open any browser and check whether the domain is shown as secure. If it still shows as insecure, refresh a few times and it should then display "Secure".
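Rather than refreshing the browser, you can confirm from the command line whether nginx is actually stapling an OCSP response, which is what the ssl_stapling directives above enable. The script below is an added example, not part of the original post: it opens one TLS connection with openssl s_client -status and inspects the response block. It assumes openssl is installed; the host name is a placeholder, and the two sample outputs embedded in the script are constructed illustrations of what openssl prints with and without a stapled response.

```shell
#!/bin/sh
# Added example (not from the original post): verify OCSP stapling from the
# client side instead of judging by the browser padlock. Assumes openssl is
# installed; HOST is whatever name the nginx server block serves.

# stapling_ok: read `openssl s_client -status` output on stdin. Return 0 only if
# the server stapled an OCSP response and the responder reports the certificate
# as good. Without stapling, openssl prints "OCSP response: no response sent".
stapling_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful' &&
        printf '%s\n' "$out" | grep -q 'Cert Status: good'
}

# check_stapling HOST [PORT]: one TLS handshake with SNI, requesting the status
# extension. nginx fetches the OCSP response lazily after a restart, so the very
# first connection may show no response; run the check twice if it fails once.
check_stapling() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | stapling_ok
}

# Constructed samples (trimmed openssl output) showing what stapling_ok looks
# for in each outcome; not captured from a real server.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

# Usage: sh check-stapling.sh www.lookclouds.com
if [ $# -ge 1 ]; then
    if check_stapling "$@"; then
        echo "OCSP stapling works for $1"
    else
        echo "no valid stapled OCSP response from $1" >&2
        exit 1
    fi
fi
```

If the check keeps failing after a second connection, the usual causes are the resolver directive not being reachable from the server (the OCSP responder name cannot be resolved) or ssl_stapling_verify rejecting the response because ssl_trusted_certificate does not contain the issuer chain.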