首页 > 科技资讯 } > 在Ubuntu使用Certbot生成Let's Encrypt的泛域名证书

在Ubuntu使用Certbot生成Let's Encrypt的泛域名证书

来源: | 2024-04-07 21:35:28

1. 安装Snapd

Ubuntu 16.04及以上版本通常自带Snapd，如果你的系统还没有安装，可以通过以下命令安装：
sudo apt update sudo apt install snapd

2. 安装Certbot

使用Snap安装Certbot，确保你获得的是最新版本：

sudo snap install --classic certbot

`3.`准备Certbot命令

确保Certbot命令可以通过创建一个符号链接到/usr/bin目录中的命令来运行：

sudo ln -s /snap/bin/certbot /usr/bin/certbot

4. 运行Certbot并获取证书

我们这里是只获取证书（不自动配置Web服务器）:

这是标准： sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --manual --preferred-challenges=dns -d *.example.com

这是我自己的实例： sudo certbot certonly --manual --preferred-challenges dns -d "*.lookclouds.com"

接着，系统会有如下信息：

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for lookclouds.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.lookclouds.com with the following value:

B5b2BJzIJ9QyGjizvTIS2w-qzcwAsDsELw9jvSjC97A

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

根据界面的问题，答复Y或者N. 这里我们选择Y

接着做DNS验证，到域名商那边，加一条TXT记录，如上所示，把这个唯一码设置到TXT记录中，等大概10分钟，就可以按“Enter"键继续。接着，就会生成域名证书了。

看到如下所示，表示域名证书创建成功：

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/lookclouds.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/lookclouds.com/privkey.pem
Your cert will expire on 2024-07-05. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

建议这证书的位置和目录不要移动，大家把fullchain.pem和privkey.pem复制走就可以了。如果是希望直接部署到nginx或者apache并且自动更新的，请在网络上搜索一下，我这里是单纯生成证书的演示。

在nginx的配置中，配置如下：

listen 443;
ssl on;
ssl_certificate /xxx/fullchain.pem;
ssl_certificate_key /xxxx/privkey.pem;

5. 如何解决泛域名在浏览器被标识为不安全的问题

除了Chrome浏览器，其他的浏览器可能会把我们的泛域名证书标识为不安全。

以nginx为例，需要在conf中，加入：

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /xxxx/fullchain.pem;
resolver 223.5.5.5 8.8.8.8 8.8.4.4 valid=60s; /*这个dns配置，第一个是国内的，后面两个是国外的，可以按照我这里的配置使用*/
resolver_timeout 2s;

确保nginx配置没错后，重启服务即可。