Good news: as of today Let's Encrypt issues wildcard certificates (the "*.example.com" kind), so I upgraded right away.
First, get acme.sh:

```sh
root@local:~# curl https://get.acme.sh | sh
```

or upgrade an existing install to the latest version (wildcard support needs the ACME v2 code path, so older copies will not work):

```sh
root@local:~# acme.sh --upgrade
```
Then request the new certificate. The apex name and the wildcard go into the same order; the wildcard is quoted so the shell does not try to expand it as a glob:

```sh
root@local:~# acme.sh --issue --dns -d mydomain.com -d '*.mydomain.com' \
    --yes-I-know-dns-manual-mode-enough-go-ahead-please
```
acme.sh then stops and tells you which TXT records to create. In my case it printed:

```text
[Wed Mar 14 09:22:39 CST 2018] Multi domain='DNS:mr21.cc,DNS:*.mr21.cc'
[Wed Mar 14 09:22:39 CST 2018] Getting domain auth token for each domain
[Wed Mar 14 09:22:40 CST 2018] Getting webroot for domain='mr21.cc'
[Wed Mar 14 09:22:40 CST 2018] Getting webroot for domain='*.mr21.cc'
[Wed Mar 14 09:22:40 CST 2018] Add the following TXT record:
[Wed Mar 14 09:22:40 CST 2018] Domain: '_acme-challenge.mr21.cc'
[Wed Mar 14 09:22:40 CST 2018] TXT value: 'qL-gleL2aMAhBewfQKkv5FyaM4gfiaIuIqozXDhst54'
[Wed Mar 14 09:22:40 CST 2018] Please be aware that you prepend _acme-challenge. before your domain
[Wed Mar 14 09:22:40 CST 2018] so the resulting subdomain will be: _acme-challenge.mr21.cc
[Wed Mar 14 09:22:40 CST 2018] Add the following TXT record:
[Wed Mar 14 09:22:40 CST 2018] Domain: '_acme-challenge.mr21.cc'
[Wed Mar 14 09:22:40 CST 2018] TXT value: 'YWFQ6mAe-wAQPP30G5R25KC29MC8iIFXD9N1b-svfbg'
[Wed Mar 14 09:22:40 CST 2018] Please be aware that you prepend _acme-challenge. before your domain
[Wed Mar 14 09:22:40 CST 2018] so the resulting subdomain will be: _acme-challenge.mr21.cc
[Wed Mar 14 09:22:40 CST 2018] Please add the TXT records to the domains, and retry again.
[Wed Mar 14 09:22:40 CST 2018] Please add '--debug' or '--log' to check more details.
[Wed Mar 14 09:22:40 CST 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
```

Note that both records have the same name, `_acme-challenge.mr21.cc`: one value authorizes the apex name and the other the wildcard, so both TXT records must exist at that name at the same time.
So, following the prompt, create the two TXT records at your DNS provider, wait for them to become visible (check with `dig +short TXT _acme-challenge.mydomain.com` before continuing), and then run:

```sh
root@local:~# acme.sh --renew -d mydomain.com -d '*.mydomain.com'
```
The output looks like this:

```text
[Wed Mar 14 09:24:53 CST 2018] Renew: 'mr21.cc'
[Wed Mar 14 09:24:54 CST 2018] Multi domain='DNS:mr21.cc,DNS:*.mr21.cc'
[Wed Mar 14 09:24:54 CST 2018] Getting domain auth token for each domain
[Wed Mar 14 09:24:54 CST 2018] Verifying:mr21.cc
[Wed Mar 14 09:24:56 CST 2018] Success
[Wed Mar 14 09:24:56 CST 2018] Verifying:*.mr21.cc
[Wed Mar 14 09:24:59 CST 2018] Success
[Wed Mar 14 09:24:59 CST 2018] Verify finished, start to sign.
[Wed Mar 14 09:25:00 CST 2018] Cert success.
-----BEGIN CERTIFICATE-----
(certificate body elided)
-----END CERTIFICATE-----
[Wed Mar 14 09:25:00 CST 2018] Your cert is in /root/.acme.sh/mr21.cc/mr21.cc.cer
[Wed Mar 14 09:25:00 CST 2018] Your cert key is in /root/.acme.sh/mr21.cc/mr21.cc.key
[Wed Mar 14 09:25:00 CST 2018] The intermediate CA cert is in /root/.acme.sh/mr21.cc/ca.cer
[Wed Mar 14 09:25:00 CST 2018] And the full chain certs is there: /root/.acme.sh/mr21.cc/fullchain.cer
[Wed Mar 14 09:25:00 CST 2018] It seems that you are using dns manual mode. please take care: The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
[Wed Mar 14 09:25:00 CST 2018] Call hook error.
```

Take the warning at the end seriously: in DNS manual mode acme.sh cannot renew on its own, because every renewal needs fresh TXT records. You have to repeat the issue and renew steps by hand before the certificate expires, or switch to a DNS API mode that acme.sh can drive automatically.
As the official guide recommends, copy the certificate to wherever the web server expects it with the command below, rather than pointing the web server config at the files under /root/.acme.sh/ directly (that directory is acme.sh's working area and its layout may change):

```sh
root@local:~# acme.sh --installcert -d <domain>.com \
    --key-file /etc/nginx/ssl/<domain>.key \
    --fullchain-file /etc/nginx/ssl/fullchain.cer \
    --reloadcmd "service nginx force-reload"
```
Then update the Nginx site config, open the site in a browser and check that the certificate shown is the new one (it should list both the apex and the wildcard name).
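The manual flow above has one step that is easy to get wrong: running `--renew` before both TXT values are visible in DNS. The following POSIX shell wrapper is an added example, not code from the original post or from the acme.sh project. It parses the "Domain:" / "TXT value:" lines that acme.sh prints, polls DNS until every expected value is present, and only then runs the renew and install steps. The domain `example.com`, the `/etc/nginx/ssl` paths, the use of `dig` and `openssl`, and the sample log with its made-up token values are all assumptions; the real acme.sh commands only run when `ACME_WILDCARD_RUN=1` is set.

```sh
#!/bin/sh
# Added example (not from the original post or from acme.sh): a pre-flight
# wrapper for the acme.sh DNS manual mode wildcard flow.
set -eu

# Constructed sample of acme.sh --issue output in the shape shown in the post.
# Both records share one name; the two token values are made up.
SAMPLE_ISSUE_LOG="[Wed Mar 14 09:22:40 CST 2018] Add the following TXT record:
[Wed Mar 14 09:22:40 CST 2018] Domain: '_acme-challenge.example.com'
[Wed Mar 14 09:22:40 CST 2018] TXT value: 'tokenA-for-apex'
[Wed Mar 14 09:22:40 CST 2018] Add the following TXT record:
[Wed Mar 14 09:22:40 CST 2018] Domain: '_acme-challenge.example.com'
[Wed Mar 14 09:22:40 CST 2018] TXT value: 'tokenB-for-wildcard'"

# parse_txt_records <logfile>
# Print one "name value" line per TXT record acme.sh asked for, deduplicated.
# A "Domain:" line sets the current name; each following "TXT value:" line
# emits a record under it, so apex + wildcard yield two values for one name.
parse_txt_records() {
    sed -n \
        -e "s/.*Domain: '\([^']*\)'.*/NAME \1/p" \
        -e "s/.*TXT value: '\([^']*\)'.*/VALUE \1/p" "$1" |
    awk '$1 == "NAME" { name = $2 } $1 == "VALUE" { print name, $2 }' | sort -u
}

# query_txt <name>
# Print "name value" for every TXT answer currently visible (needs network).
# dig +short prints each value in double quotes; strip them for comparison.
query_txt() {
    dig +short TXT "$1" | tr -d '"' | sed "s/^/$1 /"
}

# observe_txt <expected-file>
# Look up every distinct name in the expected list and print what DNS returns.
observe_txt() {
    while read -r name _; do query_txt "$name"; done < "$1" | sort -u
}

# missing_txt_records <expected-file> <observed-file>
# Print the expected records that are not yet visible; empty output = ready.
missing_txt_records() {
    while read -r name value; do
        grep -qxF "$name $value" "$2" || echo "$name $value"
    done < "$1"
}

# dns_ready <expected-file> <observed-file>: succeed only when nothing is missing.
dns_ready() {
    [ -z "$(missing_txt_records "$1" "$2")" ]
}

# The real procedure; guarded so the file can be sourced or tested offline.
if [ "${ACME_WILDCARD_RUN:-0}" = "1" ]; then
    DOMAIN="${DOMAIN:-example.com}"   # assumed domain
    WORK="$(mktemp -d)"

    # Step 1: open the order. In manual mode acme.sh exits non-zero until the
    # TXT records exist, so do not let set -e abort on that.
    acme.sh --issue --dns -d "$DOMAIN" -d "*.$DOMAIN" \
        --yes-I-know-dns-manual-mode-enough-go-ahead-please \
        > "$WORK/issue.log" 2>&1 || true
    parse_txt_records "$WORK/issue.log" > "$WORK/expected"
    echo "Create these TXT records at your DNS provider:"
    cat "$WORK/expected"

    # Step 2: poll until every value (both, for apex + wildcard) is visible.
    until observe_txt "$WORK/expected" > "$WORK/observed" \
          && dns_ready "$WORK/expected" "$WORK/observed"; do
        echo "still missing:"; missing_txt_records "$WORK/expected" "$WORK/observed"
        sleep 30
    done

    # Step 3: finish validation, then install outside ~/.acme.sh.
    acme.sh --renew -d "$DOMAIN" -d "*.$DOMAIN" \
        --yes-I-know-dns-manual-mode-enough-go-ahead-please
    acme.sh --install-cert -d "$DOMAIN" \
        --key-file "/etc/nginx/ssl/$DOMAIN.key" \
        --fullchain-file /etc/nginx/ssl/fullchain.cer \
        --reloadcmd "service nginx force-reload"

    # Step 4: confirm the issued leaf really carries both names.
    openssl x509 -in /etc/nginx/ssl/fullchain.cer -noout -ext subjectAltName
fi
```

The parsing and readiness checks are pure text operations, so they can be exercised against the constructed sample log without any network; only the guarded section talks to acme.sh, DNS and the file system. The `--yes-I-know-dns-manual-mode-enough-go-ahead-please` flag on the renew step follows the acme.sh wiki for current versions; the post's own run omitted it.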
Below is my configuration, for reference only (the `ssl_ciphers` line was cut off in the original listing):

```nginx
ssl on;
ssl_certificate /var/cert/21/fullchain.cer;
ssl_certificate_key /var/cert/21/mr21.cc.key;
ssl_dhparam /var/cert/dhparam2048.pem;
ssl_session_timeout 1d;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-G$
ssl_session_cache builtin:1000 shared:SSL:10m;
add_header Strict-Transport-Security max-age=15552000;
```

Two things to adjust if you copy this today: `ssl on;` is deprecated in newer Nginx releases in favour of `listen 443 ssl;`, and TLS 1.0 and 1.1 have since been formally deprecated (RFC 8996), so `ssl_protocols TLSv1.2 TLSv1.3;` is the current baseline.
References:

- acme.sh: How to install, DNS manual mode