免费泛域名申请以及无限续期

2024-06-06 226

版权

本文内容由阿里云实名注册用户自发贡献，版权归原作者所有，阿里云开发者社区不拥有其著作权，亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容，填写侵权投诉表单进行举报，一经查实，本社区将立刻删除涉嫌侵权内容。

本文涉及的产品

智能开放搜索 OpenSearch行业算法版，1GB 20LCU 1个月

实时计算 Flink 版，5000CU*H 3个月

检索分析服务 Elasticsearch 版，2核4GB开发者规格 1个月

简介： 在Ubuntu 20.04上，使用certbot和snapd安装Let's Encrypt证书以实现免费泛域名（如`*.example.com`）的无限续期。首先安装snapd，然后卸载并安装certbot，创建certbot软连接。设置trust-plugin-with-root，安装certbot-dns-cloudflare插件，配置Cloudflare API token。通过certbot certonly命令获取证书，包括子域名，并设置自动续期。将证书导入nginx并验证。最后，创建post-renewal hook以在续期后自动重启nginx。

背景介绍

我的需求是创建一个免费的泛域名，然后无限续期，可以满足子域名的随机使用。

环境介绍以及依赖版本介绍

服务器系统：Ubuntu 20.04
web服务器：nginx version: nginx/1.18.0 (Ubuntu)
使用的主要工具：certbot , 官方网站帮助文档
颁发证书机构：Let's Encrypt 官方网站帮助文档
我的域名管理者是：cloudflare 官方网站

实践步骤

假设我有域名：example.com，现在需要创建一个免费的泛域名：*.example.com，然后无限续期。

1.安装snapd

参考官方文档，安装snapd，其他系统安装方法可以参考官方文档。installing-snap-on-ubuntu
```bash

sudo apt update

sudo apt install snapd

Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
zenity | kdialog
The following packages will be upgraded:
snapd
1 upgraded, 0 newly installed, 0 to remove and 354 not upgraded.
Need to get 37.9 MB of archives.

snap --version

snap 2.61.2
snapd 2.61.2
series 16
ubuntu 20.04
kernel 5.4.0-48-generic


### 2.卸载原有的certbot

```bash
# sudo apt-get remove certbot

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package 'certbot' is not installed, so not removed
0 upgraded, 0 newly installed, 0 to remove and 354 not upgraded.

3.安装certbot

# sudo snap install --classic certbot

certbot 2.9.0 from Certbot Project (certbot-eff✓) installed

4.创建certbot软连接

注意：如果是root用户，可以省略这一步

sudo ln -s /snap/bin/certbot /usr/bin/certbot

# certbot --version

certbot 2.9.0

# certbot -h

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script
hooks

   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates
to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-name or --cert-path)
    delete          Delete a certificate (supply --cert-name)
    reconfigure     Update a certificate's configuration (supply --cert-name)

manage your account:
    register        Create an ACME account
    unregister      Deactivate an ACME account
    update_account  Update an ACME account
    show_account    Display account details
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
  -h all                print a detailed help page including all topics
  --version             print the version number
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

5.安装插件控制级别

在机器的命令行上运行此命令，以确认安装的插件将具有与 Certbot snap 相同的经典容器。

sudo snap set certbot trust-plugin-with-root=ok

6.安装DNS插件

所有支持的DNS插件：dns-plugins

certbot-dns-cloudflare 插件说明 certbot-dns-cloudflare

sudo snap install certbot-dns-cloudflare

7.配置插件访问token

mkdir ~/.certbot

vim ~/.certbot/cloudflare.ini

# Cloudflare API token used by Certbot
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567

8.获取证书

# certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.certbot/cloudflare.ini \
  -d "example.com" \
  -d "*.example.com" \
  --agree-tos \
  --email admin@example.com \
  --server https://acme-v02.api.letsencrypt.org/directory 


Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for `example.com` and `*.example.com`
Unsafe permissions on credentials configuration file: ~/.certbot/cloudflare.ini
Waiting 10 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/`example.com`/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/`example.com`/privkey.pem
This certificate expires on 2024-06-18.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

9.强制重新更新证书

# sudo certbot renew --force-renew

# sudo certbot renew --force-renew --dry-run

10.测试自动续期

sudo certbot renew --dry-run

The command to renew certbot is installed in one of the following locations:

/etc/crontab/
/etc/cron.*/*
systemctl list-timers

11.安装证书到nginx

您可以修改配置文件，将证书安装到nginx中

cat README 
This directory contains your keys and certificates.

`privkey.pem`  : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem`     : will break many server configurations, and should not be used
                 without reading further documentation (see link below).

WARNING: DO NOT MOVE OR RENAME THESE FILES!
         Certbot expects these files to remain in this location in order
         to function properly!

We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates


###########
# 需要用到  fullchain.pem  和  privkey.pem

nginx -t

nginx -s reload

12.验证

访问您的域名查看证书是否可用
访问您的子域名查看证书是否可用
OpenSSL 命令行工具验证
```sh
cd /etc/letsencrypt/live/[example.com]

openssl x509 -in cert.pem -noout -dates

notBefore=May 19 08:45:49 2024 GMT
notAfter=Aug 17 08:45:48 2024 GMT




## 13.自动续期后重启nginx

> 参见文档  [pre-and-post-validation-hooks](https://eff-certbot.readthedocs.io/en/latest/using.html#pre-and-post-validation-hooks)

```bash

sudo sh -c 'printf "#!/bin/sh\nnginx -s reload\n" > /etc/letsencrypt/renewal-hooks/post/nginx.sh'

sudo chmod 755 /etc/letsencrypt/renewal-hooks/post/nginx.sh

- 疑难问题

实践过程中遇到失败情况，可以多试几次
仍旧失败考虑增加 dns-cloudflare-propagation-seconds = 60 参数