Let's Encrypt has released the ACME v2 API, and one of its features is support for wildcard certificates, which ACME v1 lacked. This article walks through generating a wildcard Let's Encrypt SSL certificate for a web application using manual DNS validation. End users can start issuing trusted, production-ready certificates with their ACME v2-compatible client by pointing it at the following directory URL:

    https://acme-v02.api.letsencrypt.org/directory

Note that you must use an ACME v2-compatible client to access this endpoint.
Install the certbot-auto ACME v2 client

Run the following commands to install the certbot-auto ACME v2 client that we will use to obtain the wildcard SSL certificate:

    # wget https://dl.eff.org/certbot-auto -P /usr/local/bin
    # chmod a+x /usr/local/bin/certbot-auto
Generate the wildcard SSL certificate

I will generate a wildcard certificate for *.computingforgeeks.com. One requirement is access to the DNS manager for the domain, because domain ownership is proven by adding the TXT record that certbot generates. Run the following command to start the certificate request:

    certbot-auto certonly --manual -d *.example.com --agree-tos \
      --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 \
      -m your-email-address \
      --server https://acme-v02.api.letsencrypt.org/directory

You should see output similar to the following:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for computingforgeeks.com
    -----------------------------------------------
    Please deploy a DNS TXT record under the name
    _acme-challenge.computingforgeeks.com with the following value:
    
    UGa2-db4b-gj9aWAmS8UCnctThIMgRTWAWSeCK_zLVPAfaz6lvQ
    
    Before continuing, verify the record is deployed.
    -----------------------------------------------
    Press Enter to Continue

It gives you a TXT record to add to your DNS. For me, the record was:

    Name: _acme-challenge.example.com
    TXT record: UGa2-db4b-gj9aWAmS8UCnctThIMgRTWAWSeCK_zLVPAfaz6lvQ

Once you have added the record and it has propagated, press Enter to continue. After the certificate is generated successfully you should see output like this:

    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/example.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/example.com/privkey.pem
       Your cert will expire on 2018-07-14. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot-auto
       again. To non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

The output gives you the full paths to the private key and certificate files; the certificate is now ready to be used by your application.
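The TXT value certbot prints is not arbitrary: under the ACME dns-01 challenge (RFC 8555 section 8.4) it is the base64url SHA-256 of the challenge token joined to the RFC 7638 thumbprint of your account key. The following added example (my code, not certbot's or the original post's) reproduces that derivation and adds the "verify the record is deployed" check against resolver answers before you press Enter; the account JWK, token and observed TXT strings are constructed placeholders.

```python
# Added example: derive the dns-01 TXT value and check resolver answers
# against it. ACCOUNT_JWK, TOKEN and OBSERVED_TXT are constructed
# placeholders, not a real Let's Encrypt account or challenge.
import base64
import hashlib
import json
from typing import Dict, Iterable


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over only the required public members,
    keys sorted lexicographically, no whitespace. Extra members
    such as 'alg' or 'kid' must be ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: Dict[str, str]) -> str:
    """RFC 8555 8.4: TXT = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = token + "." + jwk_thumbprint(account_jwk)
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def record_deployed(expected: str, observed_txt: Iterable[str]) -> bool:
    """True when any TXT string at _acme-challenge.<domain> equals the
    expected value. Stale values from earlier runs may still be present;
    the CA only needs one string to match, so they do not cause failure."""
    return any(v.strip().strip('"') == expected for v in observed_txt)


# Constructed placeholder account key (RSA public members only).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
TOKEN = "placeholder-token-from-the-challenge-object"
EXPECTED = dns01_txt_value(TOKEN, ACCOUNT_JWK)
# Constructed resolver answers: one stale value plus the current one.
OBSERVED_TXT = ['"stale-value-from-a-previous-run"', '"' + EXPECTED + '"']

if __name__ == "__main__":
    print("expected TXT value:", EXPECTED)
    print("safe to press Enter:", record_deployed(EXPECTED, OBSERVED_TXT))
```

In practice, feed `record_deployed` the strings returned by `dig +short TXT _acme-challenge.example.com` from a public resolver, since certbot only prints the value and leaves propagation checking to you.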