Certbot is a free, open-source tool whose main purpose is to automatically obtain and install SSL certificates issued by Let's Encrypt for a website.

Let's Encrypt is a certificate authority that aims to automate the complex process of creating and installing certificates, to make encrypted connections to web servers ubiquitous, and to provide free SSL/TLS certificates for secure websites.

The following uses Ubuntu 18.04 as an example to walk through installing and using Certbot.

1. Add the Certbot PPA to the apt repositories

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

2. Install Certbot

sudo apt-get install certbot python-certbot-nginx

3. Using Certbot

3.1 Requesting and installing a certificate

sudo certbot certonly

This is the simplest way to request a certificate: run the command, enter the requested information at the prompts, and the certificate is requested and installed.
This method has two prerequisites:

  1. It must be run on the server that the requested domain name resolves to.
  2. Validation binds port 80, so any service already bound to port 80 on the server (such as nginx or apache) must be stopped first, and the firewall must allow inbound traffic on port 80.
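As an added illustration of the second prerequisite (example code written for this page, not part of Certbot or the original post), the following POSIX shell script parses `ss -ltn` output to report which sockets are still bound to port 80 before you run `certbot certonly`. The `ss` output embedded in it is a constructed sample; `preflight_port80` runs the real command on the host.

```shell
#!/bin/sh
# Added pre-flight check for the "port 80 must be free" prerequisite.
# `ss -ltn` output is parsed so IPv4, IPv6 ([::]) and "*" bindings are all caught.

# Count LISTEN sockets bound to PORT ($1) in the given `ss -ltn` output ($2).
count_listeners_on_port() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                 # "Local Address:Port" column
            sub(/.*:/, "", addr)      # keep only the port after the last colon
            if (addr == port) n++
        }
        END { print n + 0 }'
}

# Print the LISTEN lines bound to PORT ($1) so the operator sees what to stop.
listeners_on_port() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "LISTEN" { addr = $4; sub(/.*:/, "", addr); if (addr == port) print }'
}

# Live check before `certbot certonly`: 0 when port 80 is free, 1 otherwise.
preflight_port80() {
    ss_out=$(ss -ltn)
    if [ "$(count_listeners_on_port 80 "$ss_out")" -eq 0 ]; then
        echo "port 80 is free; certbot can bind it for validation"
        return 0
    fi
    echo "port 80 is still in use; stop these listeners (e.g. nginx, apache) first:" >&2
    listeners_on_port 80 "$ss_out" >&2
    return 1
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::]:80              [::]:*
LISTEN  0       128     *:443                *:*'

echo "listeners on port 80 in the sample: $(count_listeners_on_port 80 "$SAMPLE_SS")"
```

Run `preflight_port80` on the server and only start Certbot when it exits 0; the firewall rule for inbound port 80 still has to be checked separately.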

3.2 Requesting a wildcard certificate

Suppose you want a wildcard certificate for the domain domain.com; you can run the following command:

$ sudo certbot -d domain.com -d "*.domain.com" --manual --preferred-challenges dns certonly

The system prints the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Performing the following challenges:
dns-01 challenge for domain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: 

Enter Yes to consent to this machine's IP address being logged; the system then prints the following:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.domain.com with the following value:

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

In your domain's DNS, add a TXT record named _acme-challenge with the value XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX shown above, then press Enter.
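Certbot asks you to verify the record is deployed before continuing, because Let's Encrypt fails the dns-01 challenge if its resolvers cannot yet see the TXT value. The following shell script (an added example, not from Certbot or the original post) polls with `dig +short TXT` until `_acme-challenge.domain.com` returns the expected token. It assumes `dig` is installed (the dnsutils package on Ubuntu); the `dig` output embedded at the end is a constructed sample.

```shell
#!/bin/sh
# Added helper: wait until the _acme-challenge TXT record is visible in DNS
# before pressing Enter at the Certbot prompt.

# Normalise raw `dig +short TXT` output: strip the surrounding quotes and join
# chunked strings ("abc" "def"), leaving one value per line.
normalize_txt_answers() {
    printf '%s\n' "$1" | sed 's/^"//; s/"$//; s/" "//g'
}

# Return 0 if EXPECTED ($1) appears among the TXT values in RAW ($2).
txt_value_present() {
    normalize_txt_answers "$2" | grep -Fxq -- "$1"
}

# Query TXT records for NAME ($1); optional $2 is a name server to ask directly.
lookup_txt() {
    if [ -n "${2:-}" ]; then
        dig +short TXT "$1" "@$2"
    else
        dig +short TXT "$1"
    fi
}

# Poll until NAME carries EXPECTED, or give up after ATTEMPTS tries.
# $1 name, $2 expected token, $3 name server (optional), $4 attempts, $5 seconds between tries
wait_for_txt() {
    name=$1; expected=$2; server=${3:-}; attempts=${4:-20}; interval=${5:-15}
    i=1
    while [ "$i" -le "$attempts" ]; do
        raw=$(lookup_txt "$name" "$server")
        if txt_value_present "$expected" "$raw"; then
            echo "OK: $name carries the expected TXT value"
            return 0
        fi
        echo "attempt $i/$attempts: record not visible yet, retrying in ${interval}s"
        sleep "$interval"
        i=$((i + 1))
    done
    echo "FAIL: $name does not carry the expected TXT value after $attempts attempts" >&2
    return 1
}

# Constructed sample of `dig +short TXT` output (not a real query result).
SAMPLE_DIG='"some-unrelated-value"
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"'
if txt_value_present "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" "$SAMPLE_DIG"; then
    echo "sample: expected token found"
fi
```

Ask your zone's authoritative name server directly (third argument; the host name depends on your DNS provider) so a cached negative answer from the local resolver does not hold you up; once `wait_for_txt` prints OK, return to the Certbot prompt and press Enter.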

Once your DNS record has been verified, the certificate is issued and written to the /etc/letsencrypt/live/domain.com/ directory, where domain.com is the domain you requested.

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.com/privkey.pem
   Your cert will expire on 2020-06-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
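After Certbot reports success it is worth checking the files it wrote rather than trusting the message alone: that the leaf certificate in fullchain.pem actually lists domain.com and *.domain.com, that privkey.pem is the matching key, and whether the expiry date is already inside Certbot's 30-day renewal window. The following shell script (an added example, not part of Certbot or the original post) does that with the openssl command-line tool; the paths mirror the /etc/letsencrypt/live/domain.com/ layout shown above.

```shell
#!/bin/sh
# Added post-issuance checks for the files Certbot writes under
# /etc/letsencrypt/live/<domain>/. Requires the openssl CLI.

# Return 0 if the first certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Print the DNS names in the certificate's subjectAltName, one per line.
cert_san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
}

# Return 0 if NAME ($2) is literally present among the SAN DNS entries of $1.
cert_covers_name() {
    cert_san_dns_names "$1" | grep -Fxq -- "$2"
}

# Return 0 if the public key in the certificate ($1) matches the private key ($2).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Run all checks against a Certbot live directory ($1) for DOMAIN ($2).
# The threshold ($3) defaults to Certbot's 30-day renewal window.
check_live_cert() {
    dir=$1; domain=$2; threshold=${3:-30}; status=0
    cert="$dir/fullchain.pem"; key="$dir/privkey.pem"

    if cert_valid_for_days "$cert" "$threshold"; then
        echo "OK: certificate valid for more than $threshold days"
    else
        echo "WARN: certificate expires within $threshold days; run 'certbot renew'" >&2
        status=1
    fi
    for name in "$domain" "*.$domain"; do
        if cert_covers_name "$cert" "$name"; then
            echo "OK: SAN covers $name"
        else
            echo "FAIL: SAN does not cover $name" >&2
            status=1
        fi
    done
    if cert_matches_key "$cert" "$key"; then
        echo "OK: privkey.pem matches fullchain.pem"
    else
        echo "FAIL: privkey.pem does not match fullchain.pem" >&2
        status=1
    fi
    return $status
}

# Stand-alone use: check the directory from the walkthrough if it exists here.
if [ -r /etc/letsencrypt/live/domain.com/fullchain.pem ]; then
    check_live_cert /etc/letsencrypt/live/domain.com domain.com
fi
```

Two renewal caveats follow from the methods above: the port-80 method in 3.1 needs the web server stopped during validation, so a scheduled `certbot renew` for such certificates is normally run with `--pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"`; and the interactive `--manual` DNS method in 3.2 cannot renew non-interactively unless you supply a `--manual-auth-hook` script that publishes the new TXT record for you.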

--- The End ---