# Obtaining a Free Wildcard Certificate with Unlimited Renewal

Summary: On Ubuntu 20.04, use certbot installed through snapd to obtain a Let's Encrypt certificate for a wildcard domain (such as `*.example.com`) that can be renewed indefinitely at no cost. First install snapd, then remove any existing certbot, install it as a snap, and create a symlink for the certbot binary. Set `trust-plugin-with-root`, install the certbot-dns-cloudflare plugin, and configure a Cloudflare API token. Obtain the certificate (covering the subdomains) with `certbot certonly` and set up automatic renewal. Install the certificate into nginx and verify it. Finally, create a post-renewal hook that reloads nginx after each renewal.

## Background

I needed a free wildcard certificate that can be renewed indefinitely, so that I can create and use subdomains freely.

## Environment and dependency versions

- Server OS: Ubuntu 20.04
- Web server: nginx version: nginx/1.18.0 (Ubuntu)
- Main tool: certbot (official site, documentation)
- Certificate authority: Let's Encrypt (official site, documentation)
- DNS provider for my domain: Cloudflare (official site)

## Steps

Suppose I own the domain example.com and want a free wildcard certificate for *.example.com that I can renew indefinitely.

### 1. Install snapd

Install snapd following the official documentation (installing-snap-on-ubuntu); the official documentation also covers other systems.

```bash
$ sudo apt update
$ sudo apt install snapd
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  zenity | kdialog
The following packages will be upgraded:
  snapd
1 upgraded, 0 newly installed, 0 to remove and 354 not upgraded.
Need to get 37.9 MB of archives.
```

Check the installed version:

```bash
$ snap --version
snap    2.61.2
snapd   2.61.2
series  16
ubuntu  20.04
kernel  5.4.0-48-generic
```

### 2. Remove any existing certbot

```bash
$ sudo apt-get remove certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'certbot' is not installed, so not removed
0 upgraded, 0 newly installed, 0 to remove and 354 not upgraded.
```

### 3. Install certbot

```bash
$ sudo snap install --classic certbot
certbot 2.9.0 from Certbot Project (certbot-eff✓) installed
```

### 4. Create a symlink for certbot

Note: if you are the root user, this step can be skipped.

```bash
sudo ln -s /snap/bin/certbot /usr/bin/certbot
```

```bash
$ certbot --version
certbot 2.9.0
```

```bash
$ certbot -h

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script
hooks

   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates
to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-name or --cert-path)
    delete          Delete a certificate (supply --cert-name)
    reconfigure     Update a certificate's configuration (supply --cert-name)

manage your account:
    register        Create an ACME account
    unregister      Deactivate an ACME account
    update_account  Update an ACME account
    show_account    Display account details
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
  -h all                print a detailed help page including all topics
  --version             print the version number
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

### 5. Set the plugin trust level

Run this command on the machine to confirm that the plugins you install will have the same classic confinement as the Certbot snap itself:

```bash
sudo snap set certbot trust-plugin-with-root=ok
```

### 6. Install the DNS plugin

All supported DNS plugins: dns-plugins

Plugin documentation: certbot-dns-cloudflare

```bash
sudo snap install certbot-dns-cloudflare
```

### 7. Configure the plugin's API token

```bash
mkdir ~/.certbot
vim ~/.certbot/cloudflare.ini
```

Contents of `~/.certbot/cloudflare.ini`:

```ini
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
```

### 8. Obtain the certificate

```bash
certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.certbot/cloudflare.ini \
  -d "example.com" \
  -d "*.example.com" \
  --agree-tos \
  --email admin@example.com \
  --server https://acme-v02.api.letsencrypt.org/directory
```

Output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.com and *.example.com
Unsafe permissions on credentials configuration file: ~/.certbot/cloudflare.ini
Waiting 10 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2024-06-18.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
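The output above includes the line `Unsafe permissions on credentials configuration file`: the file created in step 7 holds a token that can edit your zone's DNS records, so it should be readable by its owner only. The script below is an added example, not part of the original article, showing how to write that file with mode 0600 and how to check it before running `certbot certonly`. It assumes the token is passed in from the environment (`CF_API_TOKEN`) and that a valid Cloudflare API token is 40 characters from `[0-9A-Za-z_-]`; the function names and the default path are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): create the Cloudflare
# credentials file for certbot-dns-cloudflare with owner-only permissions
# and verify it, so certbot does not report "Unsafe permissions".
# Assumption: a Cloudflare API token is 40 chars of [0-9A-Za-z_-].

# Write the ini file with mode 0600 inside a mode 0700 directory.
# $1 = destination path, $2 = API token
write_cloudflare_ini() {
  dest="$1"
  token="$2"
  [ -n "$dest" ] && [ -n "$token" ] || {
    echo "usage: write_cloudflare_ini PATH TOKEN" >&2
    return 2
  }
  dir=$(dirname "$dest")
  mkdir -p "$dir"
  chmod 700 "$dir"
  # umask 077 in a subshell: the file is never group/world readable,
  # not even between creation and the chmod below
  (
    umask 077
    printf '# Cloudflare API token used by Certbot\ndns_cloudflare_api_token = %s\n' \
      "$token" > "$dest"
  )
  chmod 600 "$dest"
}

# Return 0 only if the file exists, is mode rw------- and contains a
# plausibly shaped token (40 chars of [0-9A-Za-z_-]); non-zero otherwise.
# $1 = path of the ini file
credentials_ok() {
  f="$1"
  [ -f "$f" ] || return 1
  # first 10 characters of `ls -l` are the type and permission bits (POSIX)
  mode=$(ls -l "$f" | cut -c1-10)
  [ "$mode" = "-rw-------" ] || return 1
  grep -q '^dns_cloudflare_api_token *= *[0-9a-zA-Z_-]\{40\}$' "$f"
}

# Usage: CF_API_TOKEN=... ./cf-creds.sh --install ~/.certbot/cloudflare.ini
if [ "${1:-}" = "--install" ]; then
  write_cloudflare_ini "${2:?path required}" "${CF_API_TOKEN:?CF_API_TOKEN not set}"
  credentials_ok "$2" && echo "credentials file OK: $2"
fi
```

Passing the token through an environment variable rather than typing it into `vim` keeps it out of shell history; the token itself should be scoped to DNS edit permission on the single zone certbot manages, so that a leak of this file cannot affect anything else in the account.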

### 9. Force a renewal

```bash
sudo certbot renew --force-renew
sudo certbot renew --force-renew --dry-run
```

### 10. Test automatic renewal

```bash
sudo certbot renew --dry-run
```

The scheduled renewal job is installed either as a cron entry or as a systemd timer; look in one of the following places:

```bash
/etc/crontab/
/etc/cron.*/*
systemctl list-timers
```

### 11. Install the certificate into nginx

Edit your nginx configuration so that it references the certificate files. The README in the certificate directory explains which file is which:

```bash
$ cat README
This directory contains your keys and certificates.

`privkey.pem`  : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem`     : will break many server configurations, and should not be used
                 without reading further documentation (see link below).

WARNING: DO NOT MOVE OR RENAME THESE FILES!
         Certbot expects these files to remain in this location in order
         to function properly!

We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates
```

```bash
# fullchain.pem and privkey.pem are the two files nginx needs
nginx -t
nginx -s reload
```
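The step above says to edit the nginx configuration but does not show the resulting server block. The following is an added example (not the article's own configuration) that renders one for a given apex domain: it names both `example.com` and `*.example.com` to mirror the two `-d` flags given to certbot, uses `fullchain.pem` and `privkey.pem` as the README directs, and points OCSP stapling at `chain.pem`. The `render_nginx_site` and `install_site` functions, the `sites-available` path and the web root are this example's own choices; `install_site` stops at `nginx -t` so that a broken configuration is never reloaded.

```shell
#!/bin/sh
# Added example (not from the original article): generate the nginx server
# block for the certbot-managed wildcard certificate and test it.

# Print an HTTPS server block for DOMAIN and *.DOMAIN to stdout.
# $1 = apex domain, e.g. example.com
render_nginx_site() {
  d="$1"
  [ -n "$d" ] || return 2
  cat <<EOF
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # apex plus every single-label subdomain: the same names requested with -d
    server_name $d *.$d;

    # fullchain.pem / privkey.pem are the files the certbot README says to use;
    # they are symlinks that certbot repoints on every renewal, so never copy them
    ssl_certificate     /etc/letsencrypt/live/$d/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$d/privkey.pem;

    # chain.pem is the file the README names for OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/$d/chain.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    root /var/www/$d;
}

server {
    # plain HTTP only redirects to HTTPS
    listen 80;
    listen [::]:80;
    server_name $d *.$d;
    return 301 https://\$host\$request_uri;
}
EOF
}

# Write the site file, enable it and run the configuration test.
# Returns nginx -t's status; reload separately (nginx -s reload) only if it is 0.
# $1 = apex domain
install_site() {
  d="$1"
  site="/etc/nginx/sites-available/$d"
  render_nginx_site "$d" > "$site" || return 2
  ln -sf "$site" "/etc/nginx/sites-enabled/$d"
  nginx -t
}

# Usage: ./nginx-site.sh --install example.com && nginx -s reload
if [ "${1:-}" = "--install" ]; then
  install_site "${2:?domain required}"
fi
```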

### 12. Verify

- Visit your domain and check that the certificate is accepted
- Visit one of your subdomains and check that the certificate is accepted
- Verify with the OpenSSL command-line tool:

```sh
$ cd /etc/letsencrypt/live/example.com
$ openssl x509 -in cert.pem -noout -dates
notBefore=May 19 08:45:49 2024 GMT
notAfter=Aug 17 08:45:48 2024 GMT
```
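Visiting a subdomain in a browser checks one name at a time. The added example below (not from the original article) makes the coverage rule explicit: a `*.example.com` entry matches exactly one label, so it covers `api.example.com` but not `example.com` (which is why step 8 requests both names) and not `a.b.example.com`. `cert_sans` reads the names out of a live certificate with `openssl x509 -ext subjectAltName`, and `days_until` turns the `notAfter` value printed above into days remaining; it assumes GNU `date -d`. All function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): check which hostnames the
# wildcard certificate covers and how long it remains valid.

# Return 0 if HOST is covered by the certificate name SAN, applying the
# one-label wildcard rule from RFC 6125 section 6.4.3: "*.example.com"
# matches "api.example.com" but neither "example.com" nor "a.b.example.com".
# $1 = name from the certificate, $2 = hostname to test (case-insensitive)
san_matches() {
  san=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$san" in
    \*.*)
      suffix=${san#\*.}          # example.com
      rest=${host%.$suffix}      # what precedes ".example.com" in host
      # host must end in ".suffix" and the remainder must be exactly one label
      [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]
      ;;
    *)
      [ "$san" = "$host" ]
      ;;
  esac
}

# Return 0 if HOST matches at least one of the names given as further args.
# $1 = hostname, $2.. = certificate names
covered_by() {
  host="$1"
  shift
  for san in "$@"; do
    san_matches "$san" "$host" && return 0
  done
  return 1
}

# Print the DNS names in a PEM certificate, one per line (OpenSSL 1.1.1+).
# $1 = path to cert.pem or fullchain.pem
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Whole days from NOW (default: current time) until NOT_AFTER, both in the
# format openssl prints, e.g. "Aug 17 08:45:48 2024 GMT". Needs GNU date.
# $1 = notAfter value, $2 = reference time (optional)
days_until() {
  end=$(date -u -d "$1" +%s)
  now=$(date -u -d "${2:-now}" +%s)
  echo $(( (end - now) / 86400 ))
}

# Usage: ./check-cert.sh /etc/letsencrypt/live/example.com/cert.pem api.example.com
if [ $# -eq 2 ] && [ -f "$1" ]; then
  # shellcheck disable=SC2046  -- names are split on purpose
  if covered_by "$2" $(cert_sans "$1"); then
    echo "$2 is covered"
  else
    echo "$2 is NOT covered by $1" >&2
    exit 1
  fi
  echo "days until expiry: $(days_until "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)")"
fi
```

Checking `days_until` in a cron job or monitoring probe catches the case where the renewal timer in step 10 silently stops working; Let's Encrypt certificates are valid for 90 days, so a value well under 30 means renewal has not happened when it should have.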




### 13. Reload nginx after automatic renewal

> See the documentation: [pre-and-post-validation-hooks](https://eff-certbot.readthedocs.io/en/latest/using.html#pre-and-post-validation-hooks)

```bash
sudo sh -c 'printf "#!/bin/sh\nnginx -s reload\n" > /etc/letsencrypt/renewal-hooks/post/nginx.sh'
sudo chmod 755 /etc/letsencrypt/renewal-hooks/post/nginx.sh
```
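The hook above reloads nginx unconditionally. The added example below (not the article's own script) installs a hook in certbot's `renewal-hooks/deploy` directory instead of `post`: deploy hooks run only when a certificate was actually renewed and receive the `RENEWED_LINEAGE` and `RENEWED_DOMAINS` environment variables, while post hooks run after every `certbot renew` attempt even when nothing changed. The hook also runs `nginx -t` first so that a broken configuration is logged rather than reloaded. The hook file name, log tag and the `safe_reload` / `install_hook` function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): a certbot deploy hook that
# reloads nginx only after the configuration test passes.

HOOK_PATH=/etc/letsencrypt/renewal-hooks/deploy/nginx-reload.sh

# Run the configuration test with the given nginx command, then reload.
# Returns non-zero (and does not reload) if the test fails.
# $1 = nginx command (default: nginx); a parameter so it can be exercised
#      with a stand-in during testing
safe_reload() {
  nginx_cmd="${1:-nginx}"
  if "$nginx_cmd" -t >/dev/null 2>&1; then
    "$nginx_cmd" -s reload
  else
    echo "nginx configuration test failed; not reloading" >&2
    return 1
  fi
}

# Write the hook script (executable, as certbot requires for files in the
# renewal-hooks directories). The hook logs which lineage and domains were
# renewed, then applies the same test-then-reload sequence as safe_reload.
# $1 = destination path (default: $HOOK_PATH)
install_hook() {
  dest="${1:-$HOOK_PATH}"
  mkdir -p "$(dirname "$dest")"
  cat > "$dest" <<'EOF'
#!/bin/sh
# certbot deploy hook: runs once per certificate that was actually renewed
logger -t certbot-deploy "renewed ${RENEWED_LINEAGE:-?} for ${RENEWED_DOMAINS:-?}"
if nginx -t >/dev/null 2>&1; then
  nginx -s reload
else
  logger -t certbot-deploy "nginx -t failed after renewal; reload skipped"
  exit 1
fi
EOF
  chmod 755 "$dest"
}

# Usage: sudo ./install-hook.sh --install   (then: sudo certbot renew --dry-run)
if [ "${1:-}" = "--install" ]; then
  install_hook "${2:-$HOOK_PATH}"
  echo "hook installed at ${2:-$HOOK_PATH}"
fi
```

`certbot renew --dry-run` (step 10) runs deploy hooks as well, so the hook can be exercised end to end without waiting for a real renewal; its `logger` lines show up in the system journal under the `certbot-deploy` tag.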

## Troubleshooting

If a step fails during the process, retry it a few times.
If it still fails, consider adding the `dns-cloudflare-propagation-seconds = 60` setting (passed on the command line as `--dns-cloudflare-propagation-seconds 60`) to give the DNS changes more time to propagate.
