Download Let's Encrypt
[root@izbp137bl51fh6ev4ei4z0z ras]# git clone https://github.com/letsencrypt/letsencrypt
Or download it from here: http://pan.bbbzi.top/#/s/vKFZ
Obtain a certificate: requesting a wildcard certificate
[root@izbp137bl51fh6ev4ei4z0z letsencrypt]# ./letsencrypt-auto certonly -d *.你的域名.你的域名 --manual --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for 你的域名.你的域名
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.你的域名.你的域名 with the following value:
Tc3f89zW41bHBVfx9GAsI9Z3FNdfNPdIW1DfQzpG7v0 #### Add this value as a TXT record in your DNS settings. This is important; I used Alibaba Cloud's built-in DNS.
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/*.你的域名.你的域名/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/*.你的域名.你的域名/privkey.pem
Your cert will expire on 2020-07-20. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
[root@izbp137bl51fh6ev4ei4z0z letsencrypt]#
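The transcript above asks you to verify that the TXT record is deployed before pressing Enter. The following check is an added example, not part of the original post or of certbot: it polls every authoritative name server for the zone until all of them serve the expected value. The function names `txt_contains` and `wait_for_txt` and the zone `example.com` are hypothetical, and it assumes `dig` is installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): pre-check for the dns-01 step.

# Succeeds if the expected value is among the TXT values read from stdin.
# Input format is `dig +short TXT` output: one quoted string per line.
txt_contains() {
    local expected="$1" line
    while IFS= read -r line; do
        line=${line#\"}; line=${line%\"}   # strip the surrounding quotes
        if [ "$line" = "$expected" ]; then return 0; fi
    done
    return 1
}

# Polls every authoritative name server of the zone until all serve the value.
# Args: zone, record name, expected value, max tries (default 30, 10 s apart).
wait_for_txt() {
    local zone="$1" name="$2" expected="$3" tries="${4:-30}" servers ns missing
    while [ "$tries" -gt 0 ]; do
        servers=$(dig +short NS "$zone") || servers=""
        missing=0
        [ -n "$servers" ] || missing=1     # no NS answer counts as not ready
        for ns in $servers; do
            dig +short TXT "$name" "@$ns" | txt_contains "$expected" || missing=1
        done
        if [ "$missing" -eq 0 ]; then return 0; fi
        tries=$((tries - 1))
        sleep 10
    done
    return 1
}

# Constructed sample: a stale value plus the value from the transcript above.
sample='"constructed-stale-value"
"Tc3f89zW41bHBVfx9GAsI9Z3FNdfNPdIW1DfQzpG7v0"'
if printf '%s\n' "$sample" | txt_contains "Tc3f89zW41bHBVfx9GAsI9Z3FNdfNPdIW1DfQzpG7v0"; then
    echo "TXT value present"
fi
# Live use (example.com is a placeholder zone):
# wait_for_txt example.com _acme-challenge.example.com "<value shown by certbot>"
```

Checking the authoritative servers directly avoids a false negative from a recursive resolver that has cached the absence of the record.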
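The certificate is valid for ninety days, so you can set up a scheduled task to obtain a new certificate automatically.
Because ours is a wildcard domain, requesting the certificate is more of a hassle, so download ywdblog's automatic certificate renewal tool ~ kudos
(at https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au)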
git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
mv certbot-letencrypt-wildcardcertificates-alydns-au/ upgrade-ssl/ && cd upgrade-ssl
Check whether domain.ini contains your root domain; if not, add it.
Get the access keys
vim au.sh # edit the corresponding *_KEY and *_TOKEN values
Renew the certificate
[root@izbp137bl51fh6ev4ei4z0z letsencrypt]# ./letsencrypt-auto renew --force-renew --manual --preferred-challenges dns --manual-auth-hook /root/ras/upgrade-ssl/au.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/你的域名.你的域名.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/你的域名.你的域名/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/你的域名.你的域名/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Next, add the renewal to a scheduled task (cron)
[root@izbp137bl51fh6ev4ei4z0z letsencrypt]# crontab -l
0 0 3 */2 * /root/ras/letsencrypt-auto renew --force-renew --manual --preferred-challenges dns --manual-auth-hook /root/ras/upgrade-ssl/au.sh