本文介绍https通配符证书的一种获取方式。需要:能对域名添加TXT记录、一台linux主机安装letsencrypt
通过域名提供商一般可以免费获取一些单域名证书,但是对喜欢自定义多个域名使用就不太友好。目前已知唯一方法就是使用DNS-01方式获取通配符证书。通过Nginx Proxy Manager 容器对域名证书可以一键获取,但是对于当时图几块钱优惠选择HW的我,不支持api一键获取,只能自己动手解决了。
自行安装:sudo apt install letsencrypt 然后开始设置:
由于我的主机中安装了Nginx Proxy Manager容器,已经安装过了letsencrypt,直接运行命令:
(把邮箱和自己的域名进行更换、其余复制粘贴即可)
root@larun:~# docker exec -it npm /bin/bash
[root@docker-02fd753acfdc:/app]# certbot certonly \
--manual \
--preferred-challenges=dns \
--server https://acme-v02.api.letsencrypt.org/directory \
--agree-tos \
-m hi_itboy@126.com \
-d *.srun.top
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.srun.top
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_acme-challenge.srun.top.
with the following value:
YcMSxr6NDss_eviWI-9un14x_ci9-vWcWtcA0pa5lSM
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.srun.top.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
去域名控制台,手动添加 *.自己域名 的TXT记录值为上边蓝色位置的那一行,等生效后回车进行确认。
查看生成证书的目录:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/srun.top/fullchain.pem
Key is saved at: /etc/letsencrypt/live/srun.top/privkey.pem
This certificate expires on 2024-05-28.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
把证书通过ssh 或者别的方式提取出来,就可以直接使用了。
由于我的是容器,先查看目录:
[root@docker-02fd753acfdc:/app]# ls -al /etc/letsencrypt/live/srun.top/
total 12
drwxr-xr-x 2 root root 4096 Feb 28 23:17 .
drwx------ 5 root root 4096 Feb 28 23:17 ..
-rw-r--r-- 1 root root 692 Feb 28 23:17 README
lrwxrwxrwx 1 root root 33 Feb 28 23:17 cert.pem -> ../../archive/srun.top/cert1.pem
lrwxrwxrwx 1 root root 34 Feb 28 23:17 chain.pem -> ../../archive/srun.top/chain1.pem
lrwxrwxrwx 1 root root 38 Feb 28 23:17 fullchain.pem -> ../../archive/srun.top/fullchain1.pem
lrwxrwxrwx 1 root root 36 Feb 28 23:17 privkey.pem -> ../../archive/srun.top/privkey1.pem
发现目录下是链接的形式,找到源文件位置,docker cp 复制到宿主机目录,自行导出开始使用。
[root@docker-02fd753acfdc:/app]# ls /etc/letsencrypt/archive/srun.top/
cert1.pem
chain1.pem
fullchain1.pem
privkey1.pem
[root@docker-02fd753acfdc:/app]# exit
exit
root@larun:~# docker cp mng:/etc/letsencrypt/archive/srun.top /tmp/
Successfully copied 11.3kB to /tmp/
root@larun:~# ls /tmp/srun.top/
cert1.pem chain1.pem fullchain1.pem privkey1.pem总之,这种方式获取通配符证书还挺方便的,只需要一行命令,以及手动设置一次域名的TXT解析。