Requesting a wildcard domain certificate with Let's Encrypt
wget https://dl.eff.org/certbot-auto
chmod u+x certbot-auto
./certbot-auto certonly -d "*.redis.com.cn" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
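- certonly: indicates the install mode. Certbot has two types of plugins, install mode and verification mode.
- --manual: use the manual plugin. Certbot has many plugins, and any of them can be used to request a certificate, so choose whichever fits your needs.
- -d: the hosts to request the certificate for.
- --preferred-challenges dns: verify ownership of the domain through DNS.
- --server: the server used by Let's Encrypt ACME v2 is different from the v1 server, so it has to be specified explicitly.
Once this step has run, some required dependencies are downloaded. After a short wait you are prompted for an email address, and then the DNS validation begins.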
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.redis.com.cn with the following value:
u-Q2i5-KGE47HXlCcINaddICUB7nkAtUy7oAzL4O1vk
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
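Do not continue at this point. Set up the DNS record for the domain as the prompt describes.
After adding the record, do not rush to press Enter. Confirm that the record has taken effect, and only then go back and press Enter.
The above shows that the record has taken effect. Press Enter to confirm and continue.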
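One way to do the "confirm the record has taken effect" check before pressing Enter, as an added example that is not part of the original page. The script name and the function names are hypothetical, and it assumes `dig` is installed. It queries each authoritative nameserver directly, since a local resolver cache can hide a record that is still missing on some servers.

```shell
#!/bin/sh
# Added example: check the dns-01 TXT record on every authoritative server.
# Usage (hypothetical script name): ./check-acme-txt.sh <zone> <expected-value>

# Read `dig +short TXT` output on stdin (one quoted string per line) and
# succeed only if some record equals the expected value ($1) exactly.
txt_matches() {
  while IFS= read -r tm_line; do
    tm_line=${tm_line#\"}; tm_line=${tm_line%\"}   # strip the quotes dig prints
    if [ "$tm_line" = "$1" ]; then return 0; fi
  done
  return 1
}

# A dns-01 value is an unpadded base64url SHA-256 digest: 43 chars of
# [A-Za-z0-9_-]. This catches a truncated or mistyped paste early.
token_well_formed() {
  [ "${#1}" -eq 43 ] || return 1
  case $1 in *[!A-Za-z0-9_-]*) return 1 ;; esac
  return 0
}

# $1 = zone, $2 = expected value.
# Returns 0 if every server has it, 1 if any is missing, 2 on bad input.
check_challenge() {
  token_well_formed "$2" || { echo "value is not 43 base64url chars" >&2; return 2; }
  cc_failed=0; cc_seen=0
  for cc_ns in $(dig +short NS "$1"); do
    cc_seen=1
    if dig +short TXT "_acme-challenge.$1" "@$cc_ns" | txt_matches "$2"; then
      echo "ok      $cc_ns"
    else
      echo "missing $cc_ns"; cc_failed=1
    fi
  done
  [ "$cc_seen" -eq 1 ] || { echo "no NS records found for $1" >&2; return 2; }
  return "$cc_failed"
}

# Run only when called with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
  check_challenge "$1" "$2"
fi
```

Press Enter in Certbot only after every nameserver reports `ok`.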
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/redis.com.cn/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/redis.com.cn/privkey.pem
Your cert will expire on 2019-03-16. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
When the output above appears, the configuration has succeeded, and the certificate files are stored in /etc/letsencrypt/live/redis.com.cn/.
To renew, just run certbot-auto renew.