Requesting a Wildcard Certificate with Certbot on CentOS 7
2019-05-07
勤奋的猫猫啊
- certbot depends on the Python 2 requests and urllib3 libraries, and the versions bundled with the system cause errors, so remove those first.
# yum remove python-requests
# yum remove python-urllib3
# yum remove python2-requests
# yum remove python2-urllib3
# pip uninstall requests
# pip uninstall urllib3
- Update the repositories and install certbot.
# yum update
# yum install certbot python2-certbot-nginx
- Request a wildcard SSL certificate. This type of certificate also covers the subdomains, so they can be served over HTTPS as well. (The wildcard name is quoted so that the shell does not try to expand `*` against files in the current directory.)
# certbot -d maomao.run -d '*.maomao.run' --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly
- After running the command above, the following prompt appears, asking whether the IP address that requested this certificate may be publicly logged. You must answer yes here.
----------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this certificate.
If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.
Are you OK with your IP being logged?
----------------------------------------------------------------------
(Y)es/(N)o: y
- After agreeing, the following prompt appears: a DNS TXT record has to be added at my domain provider. Just press Enter at this first prompt.
---------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.maomao.run with the following value:
iLS0NjcdP3RR1KphB6xbbVnKS_NS2uMW-xdDRzz85OM
Before continuing, verify the record is deployed.
---------------------------------------------------------------------
Press Enter to Continue # just press Enter here
- A second prompt then asks for another DNS TXT record. Do not press Enter this time: write down the random value from each of the two prompts (both go under the same name, _acme-challenge.maomao.run) and get ready to add them in your DNS provider's record management.
---------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.maomao.run with the following value:
f3V7aw5GPm5yzNsJFanQQaUFMyVQcqriUe3UjIDUHn0
Before continuing, verify the record is deployed.
---------------------------------------------------------------------
Press Enter to Continue # do not press Enter yet; add both TXT records first
- In the DNS record management page for your domain, add the two TXT records (name.com is used as the example here).
- Once the records have been entered at the provider, wait a while for the TXT records to take effect, then return to the terminal and press Enter to get the result.
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/maomao.run/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/maomao.run/privkey.pem
Your cert will expire on 2018-06-14. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
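The prompt says "Before continuing, verify the record is deployed." The script below is an added example, not part of the original post, that does exactly that check before you go back to certbot and press Enter: it queries a public resolver for the TXT records of _acme-challenge.maomao.run and only reports success once every value certbot asked for is published as a whole record. It assumes `dig` is installed (the bind-utils package on CentOS 7); the two values are the ones from the prompts above and the embedded `SAMPLE_ANSWER` is a constructed copy of what `dig +short` prints once both records are live. The same check is worth repeating on every later manual renewal, because each dns-01 challenge produces new values.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that every
# _acme-challenge TXT value certbot asked for is visible in public DNS
# before going back to the certbot prompt and pressing Enter.
# Requires dig (package bind-utils on CentOS 7) for the live check.

# txt_has_values DIG_OUTPUT VALUE...
# DIG_OUTPUT is what `dig +short TXT <name>` prints: one double-quoted
# string per line. Returns 0 only when every VALUE is present as a whole
# record; a prefix match or a stale record with a similar value does not
# count, which is why the grep is fixed-string (-F) and whole-line (-x).
txt_has_values() {
  out=$1
  shift
  [ "$#" -gt 0 ] || return 1
  for want in "$@"; do
    if ! printf '%s\n' "$out" | grep -Fqx "\"$want\""; then
      return 1
    fi
  done
  return 0
}

# wait_for_txt NAME RESOLVER VALUE...
# Polls RESOLVER (a public one, so a stale negative answer cached by the
# local resolver does not hide a record that is already live) every 10 s
# for up to 5 minutes.
wait_for_txt() {
  name=$1
  resolver=$2
  shift 2
  tries=0
  while [ "$tries" -lt 30 ]; do
    answer=$(dig +short @"$resolver" TXT "$name" 2>/dev/null || true)
    if txt_has_values "$answer" "$@"; then
      echo "all TXT values for $name visible at $resolver; press Enter in certbot"
      return 0
    fi
    tries=$((tries + 1))
    sleep 10
  done
  echo "timed out: not all TXT values for $name are visible at $resolver" >&2
  return 1
}

# Constructed sample of `dig +short TXT _acme-challenge.maomao.run`
# after both records from the prompts above have propagated.
SAMPLE_ANSWER='"iLS0NjcdP3RR1KphB6xbbVnKS_NS2uMW-xdDRzz85OM"
"f3V7aw5GPm5yzNsJFanQQaUFMyVQcqriUe3UjIDUHn0"'

# Live use, e.g.:
#   sh check_txt.sh _acme-challenge.maomao.run 1.1.1.1 <value1> <value2>
if [ "$#" -ge 3 ]; then
  wait_for_txt "$@"
fi
```

Querying a public resolver rather than the machine's own resolver matters here: a local cache that answered "no such record" a minute ago will keep returning that negative answer for its TTL, so the record can be live at the authoritative servers (which is what Let's Encrypt checks) while the local check still fails.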
- Open the nginx configuration file.
# vim /etc/nginx/nginx.conf
- Configure the domain to be served over HTTPS. Make sure the ssl_certificate and ssl_certificate_key paths match the paths where certbot saved the certificate above.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name maomao.run;
    # the original also had "ssl on;" here; it is redundant with
    # "listen ... ssl" and deprecated since nginx 1.15.0, so it is left out
    # these two paths must be the ones certbot printed when issuing the cert
    ssl_certificate /etc/letsencrypt/live/maomao.run/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/maomao.run/privkey.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 alone is
    # sufficient for current clients
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://127.0.0.1:8001;
    }
}
- Redirect port 80 to port 443, so that however the user types the domain, it is served over HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name maomao.run;
    # permanent (301) redirect of every request to the https:// origin
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}
- Subdomains are configured the same way as the main domain.
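As an added example (not from the original post), here is a small POSIX sh check to run over a server block like the ones above before `nginx -t` and a reload. It reads the ssl_certificate and ssl_certificate_key paths out of the config file and verifies that they exist and are readable, that the private key is not world-readable, and it flags two things a current nginx or TLS review would reject: the deprecated `ssl on;` directive (replaced by `listen ... ssl` since nginx 1.15.0) and TLSv1 or TLSv1.1 in ssl_protocols (deprecated by RFC 8996). Run against the 443 block exactly as written above it reports the protocol line. The function names and the config file path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: lint an nginx TLS server
# block like the one above before running `nginx -t` and reloading.

# conf_value FILE DIRECTIVE
# Print the value of the first DIRECTIVE in FILE, with comments stripped
# and the trailing ';' and whitespace removed. Empty if absent.
conf_value() {
  sed -n "s/#.*//; s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" \
    | head -n 1 | sed 's/[[:space:]]*$//'
}

# key_world_readable FILE: true when "others" can read FILE (column 8 of
# `ls -l` is the other-read bit; -L follows certbot's live/ symlinks).
key_world_readable() {
  [ "$(ls -lL "$1" 2>/dev/null | cut -c8)" = "r" ]
}

# check_tls_config FILE
# Returns 0 only if every check passes; prints one FAIL line per finding
# so a single run lists everything that needs fixing.
check_tls_config() {
  conf=$1
  rc=0
  cert=$(conf_value "$conf" ssl_certificate)
  key=$(conf_value "$conf" ssl_certificate_key)
  protos=$(conf_value "$conf" ssl_protocols)

  # the paths must point at what certbot actually wrote
  if [ -z "$cert" ] || [ ! -r "$cert" ]; then
    echo "FAIL ssl_certificate not readable: '$cert'"
    rc=1
  fi
  if [ -z "$key" ] || [ ! -r "$key" ]; then
    echo "FAIL ssl_certificate_key not readable: '$key'"
    rc=1
  elif key_world_readable "$key"; then
    echo "FAIL private key is world-readable: $key"
    rc=1
  fi

  # "ssl on;" is deprecated since nginx 1.15.0; "listen 443 ssl" replaces it
  if [ -n "$(conf_value "$conf" ssl)" ]; then
    echo "FAIL 'ssl on;' is deprecated, use 'listen 443 ssl' only"
    rc=1
  fi

  # TLS 1.0 and 1.1 are deprecated by RFC 8996; compare whole tokens so
  # TLSv1.2 / TLSv1.3 are not mistaken for TLSv1
  for p in $protos; do
    case $p in
      TLSv1|TLSv1.1)
        echo "FAIL ssl_protocols enables $p"
        rc=1
        ;;
    esac
  done

  [ "$rc" -eq 0 ] && echo "OK $conf"
  return "$rc"
}

# Usage: sh check_tls.sh /etc/nginx/nginx.conf && nginx -t
if [ "$#" -ge 1 ]; then
  check_tls_config "$1"
fi
```

The check reads the directive values with sed rather than `nginx -T` so it also works on a file that has not been installed yet; `nginx -t` afterwards is still the authoritative syntax check, and it will catch a wrong certificate path too, but only this script tells you about the key permissions and the deprecated protocol versions.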