## Background
I wanted a free wildcard certificate that renews indefinitely, so that subdomains can be created and used at will.
## Environment and dependency versions
- Server OS: Ubuntu 20.04
- Web server: nginx version: nginx/1.18.0 (Ubuntu)
- Main tool: certbot (official site, documentation)
- Certificate authority: Let's Encrypt (official site, documentation)
- DNS is managed at: Cloudflare (official site)
## Steps
Assume I own the domain example.com and now want a free wildcard certificate for *.example.com that renews indefinitely.
### 1. Install snapd
Install snapd as described in the official docs (instructions for other systems are in the same docs): installing-snap-on-ubuntu
```bash
sudo apt update
sudo apt install snapd
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  zenity | kdialog
The following packages will be upgraded:
  snapd
1 upgraded, 0 newly installed, 0 to remove and 354 not upgraded.
Need to get 37.9 MB of archives.
snap --version
snap    2.61.2
snapd   2.61.2
series  16
ubuntu  20.04
kernel  5.4.0-48-generic
```
### 2. Remove any existing certbot
```bash
# sudo apt-get remove certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'certbot' is not installed, so not removed
0 upgraded, 0 newly installed, 0 to remove and 354 not upgraded.
```
### 3. Install certbot
```bash
# sudo snap install --classic certbot
certbot 2.9.0 from Certbot Project (certbot-eff✓) installed
```
### 4. Create a symlink for certbot
Note: as the root user this step can be skipped.
```bash
sudo ln -s /snap/bin/certbot /usr/bin/certbot
# certbot --version
certbot 2.9.0
# certbot -h
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:
obtain, install, and renew certificates:
  (default) run   Obtain & install a certificate in your current webserver
  certonly        Obtain or renew a certificate, but do not install it
  renew           Renew all previously obtained certificates that are near
                  expiry
  enhance         Add security enhancements to your existing configuration
  -d DOMAINS      Comma-separated list of domains to obtain a certificate for
  --apache        Use the Apache plugin for authentication & installation
  --standalone    Run a standalone webserver for authentication
  --nginx         Use the Nginx plugin for authentication & installation
  --webroot       Place files in a server's webroot folder for authentication
  --manual        Obtain certificates interactively, or using shell script
                  hooks
  -n              Run non-interactively
  --test-cert     Obtain a test certificate from a staging server
  --dry-run       Test "renew" or "certonly" without saving any certificates
                  to disk
manage certificates:
  certificates    Display information about certificates you have from Certbot
  revoke          Revoke a certificate (supply --cert-name or --cert-path)
  delete          Delete a certificate (supply --cert-name)
  reconfigure     Update a certificate's configuration (supply --cert-name)
manage your account:
  register        Create an ACME account
  unregister      Deactivate an ACME account
  update_account  Update an ACME account
  show_account    Display account details
  --agree-tos     Agree to the ACME server's Subscriber Agreement
  -m EMAIL        Email address for important account notifications
More detailed help:
  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:
   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
  -h all                print a detailed help page including all topics
  --version             print the version number
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
### 5. Set the plugin confinement level
Run this command on the machine so that the DNS plugin installed in the next step gets the same classic confinement as the Certbot snap itself.
```bash
sudo snap set certbot trust-plugin-with-root=ok
```
### 6. Install the DNS plugin
All supported DNS plugins: dns-plugins
certbot-dns-cloudflare plugin documentation: certbot-dns-cloudflare
```bash
sudo snap install certbot-dns-cloudflare
```
### 7. Configure the plugin's API token
Create a credentials file for the plugin. Replace the sample value below with your own Cloudflare API token, and make the file readable only by the user that runs certbot; otherwise certbot prints the "Unsafe permissions" warning seen in step 8.
```bash
mkdir ~/.certbot
vim ~/.certbot/cloudflare.ini
```
```ini
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
```
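As an added example (not part of the original post), this script creates the credentials file with owner-only permissions and checks it before certbot ever reads it; the ini path and the token value passed in are assumptions.

```bash
#!/bin/sh
# Added example, not from the original post: create the Cloudflare credentials
# file so it is never readable by other users, then verify it before certbot
# uses it. The ini path and the token passed in are assumptions.

# Write the ini with owner-only permissions from the moment it is created.
write_cf_credentials() {            # $1 = ini path, $2 = Cloudflare API token
    ini="$1"
    mkdir -p "$(dirname "$ini")"
    ( umask 077
      printf '# Cloudflare API token used by Certbot\ndns_cloudflare_api_token = %s\n' "$2" > "$ini" )
    chmod 600 "$ini"
}

# Return 0 only if the file is mode 600, owned by the caller, and holds a token.
# Anything else is the condition behind certbot's "Unsafe permissions" warning.
check_cf_credentials() {            # $1 = ini path
    ini="$1"
    [ -f "$ini" ] || { echo "missing: $ini" >&2; return 1; }
    # ls -ld output has the same layout on GNU and BSD, unlike stat's flags.
    mode=$(ls -ld "$ini" | cut -c1-10)
    owner=$(ls -ld "$ini" | awk '{print $3}')
    [ "$mode" = "-rw-------" ] || { echo "unsafe permissions $mode: $ini" >&2; return 1; }
    [ "$owner" = "$(id -un)" ] || { echo "owned by $owner, not $(id -un): $ini" >&2; return 1; }
    token=$(sed -n 's/^dns_cloudflare_api_token *= *//p' "$ini")
    [ -n "$token" ] || { echo "no dns_cloudflare_api_token in $ini" >&2; return 1; }
    # The value shown in the plugin docs is a placeholder, not a working token.
    [ "$token" != "0123456789abcdef0123456789abcdef01234567" ] \
        || { echo "placeholder token in $ini, replace it with your own" >&2; return 1; }
    return 0
}
```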
### 8. Obtain the certificate
```bash
# certbot certonly \
    --dns-cloudflare \
    --dns-cloudflare-credentials ~/.certbot/cloudflare.ini \
    -d "example.com" \
    -d "*.example.com" \
    --agree-tos \
    --email admin@example.com \
    --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.com and *.example.com
Unsafe permissions on credentials configuration file: ~/.certbot/cloudflare.ini
Waiting 10 seconds for DNS changes to propagate
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2024-06-18.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
Both the apex and the wildcard are requested because *.example.com does not cover example.com itself. The "Unsafe permissions" line means the credentials file is readable by other users; fix it with the permissions described in step 7.
### 9. Force a renewal
Use this sparingly: every forced renewal issues a new certificate and counts toward Let's Encrypt's rate limits, whereas the `--dry-run` variant talks to the staging environment and does not.
```bash
# sudo certbot renew --force-renew
# sudo certbot renew --force-renew --dry-run
```
### 10. Test automatic renewal
```bash
sudo certbot renew --dry-run
```
The renewal command is installed in one of the following locations:
```bash
/etc/crontab/
/etc/cron.*/*
systemctl list-timers
```
### 11. Install the certificate into nginx
Edit the nginx configuration to point it at the certificate files.
```bash
cat README
This directory contains your keys and certificates.

`privkey.pem`  : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem`     : will break many server configurations, and should not be used
                 without reading further documentation (see link below).

WARNING: DO NOT MOVE OR RENAME THESE FILES!
         Certbot expects these files to remain in this location in order
         to function properly!

We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates
```
Only fullchain.pem and privkey.pem are needed by nginx. After editing the configuration, test it and reload:
```bash
nginx -t
nginx -s reload
```
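The post never shows the nginx server block itself, so here is one as an added example (not the author's configuration): it renders a block that serves both the apex and the wildcard from the certbot paths above and activates it only if `nginx -t` passes. The site file name, web root and the Debian-style sites-available layout are assumptions.

```bash
#!/bin/sh
# Added example, not from the original post: render an nginx server block for
# the wildcard certificate and enable it only when the full config validates.
# Domain, site file name and web root are assumptions.

# Print a server block that serves the apex and every single-label subdomain.
render_wildcard_server_block() {    # $1 = domain, e.g. example.com
    d="$1"
    cat <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # *.example.com covers one label only, so the apex is listed explicitly.
    server_name $d *.$d;

    # The two files certbot's README says to use; reference them in place.
    ssl_certificate     /etc/letsencrypt/live/$d/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$d/privkey.pem;
    # chain.pem is what nginx needs for OCSP stapling.
    ssl_trusted_certificate /etc/letsencrypt/live/$d/chain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/$d;
}
EOF
}

# Write the block, validate the whole nginx config, and reload only on success.
install_wildcard_server_block() {   # $1 = domain
    site="/etc/nginx/sites-available/$1"
    render_wildcard_server_block "$1" > "$site"
    ln -sf "$site" "/etc/nginx/sites-enabled/$1"
    nginx -t && nginx -s reload
}
```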
### 12. Verify
- Visit your domain and check that the certificate is served.
- Visit a subdomain and check that the certificate is served.
- Check with the OpenSSL command-line tool:
```sh
cd /etc/letsencrypt/live/example.com
openssl x509 -in cert.pem -noout -dates
notBefore=May 19 08:45:49 2024 GMT
notAfter=Aug 17 08:45:48 2024 GMT
```
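Checking the dates does not tell you which names the certificate actually covers. As an added example (not from the original post), the script below reads the subjectAltName list and applies the one-label wildcard rule: `*.example.com` matches `api.example.com` but not `a.b.example.com`, and never the apex, which is why step 8 requested both names. The certificate path is an assumption, and `openssl x509 -ext` needs OpenSSL 1.1.1 or newer.

```bash
#!/bin/sh
# Added example, not from the original post: verify that the hostnames you
# intend to serve are covered by the certificate's subjectAltName entries.

# Dump the SAN DNS names of a certificate, one per line (OpenSSL >= 1.1.1).
cert_san_names() {                  # $1 = path to cert.pem or fullchain.pem
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Return 0 if hostname $1 is covered by $2, a space-separated list of SAN names.
# A wildcard matches exactly one label and never the bare apex.
san_covers() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for san in $2; do
        san=$(printf '%s' "$san" | tr 'A-Z' 'a-z')
        case "$san" in
            '*.'*)
                suffix="${san#\*.}"
                label="${host%.$suffix}"
                [ "$label" != "$host" ] || continue    # host is not under suffix
                [ -n "$label" ] || continue            # nothing in front of the dot
                case "$label" in *.*) continue ;; esac # more than one label
                return 0 ;;
            *)
                [ "$host" = "$san" ] && return 0 ;;
        esac
    done
    return 1
}

# Report every requested hostname the certificate does not cover.
check_cert_covers() {               # $1 = cert path, $2.. = hostnames to check
    cert="$1"; shift
    names=$(cert_san_names "$cert" | tr '\n' ' ')
    rc=0
    for h in "$@"; do
        san_covers "$h" "$names" || { echo "NOT covered: $h" >&2; rc=1; }
    done
    return $rc
}
```

Run it as `check_cert_covers /etc/letsencrypt/live/example.com/cert.pem example.com api.example.com` after issuance and after every renewal.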
### 13. Reload nginx after automatic renewal
> See the documentation: [pre-and-post-validation-hooks](https://eff-certbot.readthedocs.io/en/latest/using.html#pre-and-post-validation-hooks)
```bash
sudo sh -c 'printf "#!/bin/sh\nnginx -s reload\n" > /etc/letsencrypt/renewal-hooks/post/nginx.sh'
sudo chmod 755 /etc/letsencrypt/renewal-hooks/post/nginx.sh
```
### Troubleshooting
If a run fails, retry a few times. If it keeps failing, add the `dns-cloudflare-propagation-seconds = 60` parameter (on the command line: `--dns-cloudflare-propagation-seconds 60`) to give the DNS challenge record more time to propagate.