  • Configuring free Let’s Encrypt wildcard certificates on CentOS 7

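    Let’s Encrypt has supported wildcard certificates since 2018. They are valid for 3 months; at present they can only be requested via the acme method, and certbot is not yet supported.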

    1. Install acme.sh

    curl https://get.acme.sh | sh

    2. Request the certificate (using the wildcard domain *.s-b.me as the example)

    cd ~/.acme.sh
    ./acme.sh --issue -d '*.s-b.me' -d s-b.me --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

    Output:

    [Sat Mar 24 13:10:07 UTC 2018] Registering account
    [Sat Mar 24 13:10:08 UTC 2018] Registered
    [Sat Mar 24 13:10:08 UTC 2018] ACCOUNT_THUMBPRINT='hS_gwvXaqMtxJh2Bz0asmWK3r7iMYIknkOWDqO1a76U'
    [Sat Mar 24 13:10:08 UTC 2018] Creating domain key
    [Sat Mar 24 13:10:09 UTC 2018] The domain key is here: /root/.acme.sh/*.s-b.me/*.s-b.me.key
    [Sat Mar 24 13:10:09 UTC 2018] Multi domain='DNS:*.s-b.me,DNS:s-b.me'
    [Sat Mar 24 13:10:09 UTC 2018] Getting domain auth token for each domain
    [Sat Mar 24 13:10:10 UTC 2018] Getting webroot for domain='*.s-b.me'
    [Sat Mar 24 13:10:10 UTC 2018] Getting webroot for domain='s-b.me'
    [Sat Mar 24 13:10:10 UTC 2018] Add the following TXT record:
    [Sat Mar 24 13:10:10 UTC 2018] Domain: '_acme-challenge.s-b.me'
    [Sat Mar 24 13:10:10 UTC 2018] TXT value: '6sf1Iuh7r****************bHPs8QriJf8ibpszRk'
    [Sat Mar 24 13:10:10 UTC 2018] Please be aware that you prepend _acme-challenge. before your domain
    [Sat Mar 24 13:10:10 UTC 2018] so the resulting subdomain will be: _acme-challenge.s-b.me
    [Sat Mar 24 13:10:10 UTC 2018] Add the following TXT record:
    [Sat Mar 24 13:10:10 UTC 2018] Domain: '_acme-challenge.s-b.me'
    [Sat Mar 24 13:10:10 UTC 2018] TXT value: 'iA68V9A14****************mlrsZx24raM-S0gmpI'
    [Sat Mar 24 13:10:10 UTC 2018] Please be aware that you prepend _acme-challenge. before your domain
    [Sat Mar 24 13:10:10 UTC 2018] so the resulting subdomain will be: _acme-challenge.s-b.me
    [Sat Mar 24 13:10:10 UTC 2018] Please add the TXT records to the domains, and re-run with --renew.
    [Sat Mar 24 13:10:10 UTC 2018] Please add '--debug' or '--log' to check more details.
    [Sat Mar 24 13:10:10 UTC 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

    3. Following the output, add the TXT records to the domain to prove domain ownership

    _acme-challenge.s-b.me    txt    iA68V9A14****************mlrsZx24raM-S0gmpI
    _acme-challenge.s-b.me    txt    6sf1Iuh7r****************bHPs8QriJf8ibpszRk

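    4. Request the wildcard certificate

    ./acme.sh --renew -d '*.s-b.me' -d s-b.me --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

    If all goes well, a certificate directory named after the wildcard domain is created under the current directory: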

    /root/.acme.sh
    *.s-b.me/
    ├── ca.cer
    ├── fullchain.cer
    ├── *.s-b.me.cer
    ├── *.s-b.me.conf
    ├── *.s-b.me.csr
    ├── *.s-b.me.csr.conf
    └── *.s-b.me.key

    5. Configure nginx or another web server to support SSL access

    .cer            is the certificate file
    .key            is the private key file
    fullchain.cer   is the certificate chain file

    6. Certificate renewal

    Run the following via crontab or another scheduled-task system:

    /root/.acme.sh/acme.sh --renew -d '*.s-b.me' -d s-b.me --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
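
A pre-flight check for the hand-off from step 3 to step 4, as an added example that is not part of the original article or of acme.sh: it confirms that both TXT values are published at `_acme-challenge.s-b.me` before `--renew` is run. The token values and the `NS` variable are constructed placeholders, and `missing_txt_values` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: check that BOTH challenge values from step 3 are published.
# *.s-b.me and s-b.me are validated at the same name (_acme-challenge.s-b.me),
# so the two TXT values must coexist; saving the second over the first leaves
# only one in DNS and validation for the other name fails.

# missing_txt_values ANSWER EXPECTED...
#   ANSWER: text in `dig +short TXT <name>` format, one quoted string per line.
#   Prints each EXPECTED value that is absent; returns 0 only if none is missing.
missing_txt_values() {
    local answer value rc
    answer=$1
    rc=0
    shift
    for value in "$@"; do
        # -x whole-line match, -F literal match, and "--" because base64url
        # tokens may begin with '-'
        if ! printf '%s\n' "$answer" | tr -d '"' | grep -qxF -- "$value"; then
            printf '%s\n' "$value"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample tokens (the page masks the real values with asterisks).
SAMPLE_V1='-constructedTokenA00000000000000000000000001'
SAMPLE_V2='constructedTokenB000000000000000000000000002'
# Constructed resolver answers in `dig +short TXT` format.
SAMPLE_BOTH=$(printf '"%s"\n"%s"\n' "$SAMPLE_V2" "$SAMPLE_V1")
SAMPLE_OVERWRITTEN=$(printf '"%s"\n' "$SAMPLE_V2")  # second record replaced the first

if missing=$(missing_txt_values "$SAMPLE_OVERWRITTEN" "$SAMPLE_V1" "$SAMPLE_V2"); then
    echo "both values visible, safe to run step 4"
else
    echo "not published yet: $missing"
fi

# Live use (needs network and dig; NS is a hypothetical variable holding one of
# the zone's authoritative name servers, V1/V2 the values acme.sh printed):
#   answer=$(dig +short TXT _acme-challenge.s-b.me @"$NS")
#   missing_txt_values "$answer" "$V1" "$V2" || exit 1
```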

    [References]

    https://github.com/Neilpang/acme.sh

    https://keelii.github.io/2016/06/12/free-https-cert-lets-encrypt-apply-install/

  • Original article: https://www.cnblogs.com/imzye/p/8641524.html