Certbot为域名申请免费SSL证书

Certbot(Let's Encrypt)是一个非盈利性认证机构通过运行互联网安全研究小组（ISRG）提供X.509 证书的传输层安全性不收取任何费用（TLS）加密。证书有效期为90天，在此期间可以随时续订。提供一个自动化流程，旨在克服安全网站的手动创建，验证，签名，安装和续订证书。

Certbot Wiki

前言

因不想在部署环境安装Certbot -> 强迫症 哈哈哈，所以将在其他机子上申请SSL证书（使用手动模式DNS验证） 官方文档

材料

1. 属于自己的域名（可以修改解析的）。
2. 可联网的Linux系统（这里是CentOS7）。

安装环境

Certbot包在EPEL中，需要先安装epel-release，再安装certbot。

[root@localhost ~]: yum install epel-release -y

…………

[root@localhost ~]: yum install certbot -y

…………

另一种获取Certbot环境的方式（官方文档）：

[root@localhost ~]: wget https://dl.eff.org/certbot-auto

[root@localhost ~]: chmod a+x ./certbot-auto

申请SSL证书

certbot certonly --manual --preferred-challenges dns -d 域名

（多个域名就继续加参数-d 域名A -d 域名B）

添加域名解析TXT记录。

然后到/etc/letsencrypt/目录下找到对应域名的证书即可。

以下为详细操作步骤：

[root@localhost ~]: certbot certonly --manual --preferred-challenges dns -d www.example.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator manual, Installer None

Enter email address (used for urgent renewal and security notices) (Enter 'c' to

cancel):

这里输入一个邮箱（用于紧急更新或安全通知）。

Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server at

https://acme-v02.api.letsencrypt.org/directory

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(A)gree/(C)ancel: a

这里输入a同意。

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let's Encrypt project and the non-profit

organization that develops Certbot? We'd like to send you email about our work

encrypting the web, EFF news, campaigns, and ways to support digital freedom.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: n

如果想接收一些新闻推广之类的邮件就输入y，否则n。

Obtaining a new certificate

Performing the following challenges:

dns-01 challenge for www.example.com

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

NOTE: The IP of this machine will be publicly logged as having requested this

certificate. If you're running certbot in manual mode on a machine that is not

your server, please ensure you're okay with that.

 

Are you OK with your IP being logged?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: n

这里输入y（必须同意记录IP才会继续处理）。

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please deploy a DNS TXT record under the name

_acme-challenge.www.example.com with the following value:

 

EblBJHP……EUNACE

 

Before continuing, verify the record is deployed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Press Enter to Continue

打开域名解析，添加主机记录_acme-challenge.www，选择记录类型为TXT， 记录值为EblBJHP……EUNACE（给你提供的一段字符串）。

回到CentOS，最好等待几分钟，然后按Enter继续。等待验证。

Waiting for verification...

Cleaning up challenges

Resetting dropped connection: acme-v02.api.letsencrypt.org

 

IMPORTANT NOTES:

- Congratulations! Your certificate and chain have been saved at:

/etc/letsencrypt/live/www.example.com/fullchain.pem

Your key file has been saved at:

/etc/letsencrypt/live/www.example.com/privkey.pem

Your cert will expire on 2019-06-22. To obtain a new or tweaked

version of this certificate in the future, simply run certbot

again. To non-interactively renew *all* of your certificates, run

"certbot renew"

…………

这里提示证书、私钥保存的位置以及证书的有效期。

附

删除证书及配置信息

[root@localhost ~]: certbot delete

[root@localhost ~]: rm -rf /etc/letsencrypt/accounts/*

附2

本机站点根目录的验证方式

[root@localhost ~]: certbot certonly --webroot -w /opt/web -d www.example.com

更多Certbot命令选项

附3

7天之内每个域名地址最多只能成功申请5个哟。查看更多限制

附4

证书续期（这个不在限制范围内的哦）

[root@localhost ~]: certbot renew