How To Acquire a Let's Encrypt Certificate Using DNS Validation with acme-dns-certbot on Ubuntu 18.04

This tutorial shows how to obtain Let's Encrypt certificates on Ubuntu 18.04 through DNS validation with the acme-dns-certbot hook, which suits load-balanced websites and cases where a wildcard certificate is needed. You install Certbot, download and install the acme-dns-certbot script, add the DNS record it asks for and issue the certificate, and finally set up automatic renewal.

The author selected the COVID-19 Relief Fund to receive a donation as part of the Write for DOnations program.

Introduction

Most Let's Encrypt certificates are issued using HTTP validation, which makes it easy to install a certificate on a single server. HTTP validation is not always suitable for issuing certificates for load-balanced websites, however, and it cannot be used to issue wildcard certificates at all.

DNS validation lets a certificate issuance request be verified through DNS records rather than by serving content over HTTP. This means certificates can be issued at the same time for a cluster of web servers running behind a load balancer, or for a system that is not directly reachable from the internet. Wildcard certificates are also supported with DNS validation.

The acme-dns-certbot tool connects Certbot to a third-party DNS server (acme-dns) on which the certificate validation records are set automatically through an API when you request a certificate. The advantage is that you do not need to integrate Certbot directly with your DNS provider account, nor grant it unrestricted access to your full DNS configuration. The only thing you delegate is the _acme-challenge label of each name, and the API credential the hook stores can only write TXT records under its own acme-dns subdomain, so a compromise of the server holding that credential cannot be turned into changes elsewhere in your zone.

A delegating DNS record (a CNAME) redirects lookups for the certificate verification records to the third-party DNS service, so once the initial setup has been completed you can request as many certificates as you want for those names without performing any further manual validation.

Another key benefit of acme-dns-certbot is that it can issue certificates for individual servers that sit behind a load balancer or are otherwise not directly reachable over HTTP. Traditional HTTP validation cannot be used in these cases unless you place the validation files on each and every server. The acme-dns-certbot tool is also useful when you want a certificate for a server that is not reachable from the internet at all, such as an internal system or a staging environment.

In this tutorial, you will use the acme-dns-certbot hook for Certbot to issue a Let's Encrypt certificate using DNS validation.

Prerequisites

To complete this tutorial, you will need:

  • An Ubuntu 18.04 server set up by following the Initial Server Setup with Ubuntu 18.04, including a sudo non-root user.

  • A domain name for which you can acquire a TLS certificate, including the ability to add DNS records. This example uses your-domain and subdomain.your-domain, as well as *.your-domain for a wildcard certificate; adjust these for other domains, subdomains, or wildcards as required.

Once you have these ready, log in to your server as your non-root user to begin.

Step 1 — Installing Certbot

In this step, you will install Certbot, which is a program used to issue and manage Let's Encrypt certificates.

Certbot is available in the official Ubuntu apt repositories, but at the time this tutorial was written the repository maintained by the Certbot developers was recommended instead, as it carried the most up-to-date version of the software. (That PPA has since been deprecated by the Certbot project in favour of its snap package; on a current system, follow the installation method the Certbot project documents now, then continue from Step 2.)

Begin by adding the Certbot repository:

  • sudo apt-add-repository ppa:certbot/certbot

You’ll need to press ENTER to accept the prompt and add the new repository to your system.

Next, install the Certbot package:

  • sudo apt install certbot

Once the installation has completed, you can check that Certbot has been successfully installed:

  • certbot --version

This will output something similar to the following:

Output
certbot 0.31.0

In this step you installed Certbot. Next, you will download and install the acme-dns-certbot hook.

Step 2 — Installing acme-dns-certbot

Now that the base Certbot program has been installed, you can download and install acme-dns-certbot, which will allow Certbot to operate in DNS validation mode.

Begin by downloading a copy of the script:

  • wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py

Read through the script before you install it: Certbot will run it as root, and it will hold the credentials for your acme-dns registrations. Fetching from the master branch gives you whatever the current commit happens to be; if you want a reproducible install, download a specific tagged release or commit instead and record which one you deployed.

Once the download has completed, mark the script as executable:

  • chmod +x acme-dns-auth.py

Then, edit the file using your favorite text editor and adjust the first line in order to force it to use Python 3. While you have the file open, note the settings at the top of the script: ACMEDNS_URL (the acme-dns server to use, by default the public https://auth.acme-dns.io), STORAGE_PATH (where the per-domain acme-dns credentials are kept, by default /etc/letsencrypt/acmedns.json), and ALLOW_FROM (an optional list of CIDR ranges from which updates to your records will be accepted, which you should set to your server's addresses if you can).

  • nano acme-dns-auth.py

Add a 3 to the end of the first line:

acme-dns-auth.py
#!/usr/bin/env python3
. . .

This is required to ensure that the script runs under the supported Python 3 interpreter rather than the legacy Python 2.

Once complete, save and close the file.

Finally, move the script into the Certbot Let's Encrypt directory so that Certbot can load it:

  • sudo mv acme-dns-auth.py /etc/letsencrypt/

In this step, you downloaded and installed the acme-dns-certbot hook. Next, you can begin the setup process and work toward issuing your first certificate.

Step 3 — Setting Up acme-dns-certbot

In order to begin using acme-dns-certbot, you'll need to complete an initial setup process and issue at least one certificate.

Start by running Certbot to force it to issue a certificate using DNS validation. This will run the acme-dns-certbot script and trigger the initial setup process:

  • sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.your-domain -d your-domain

The --manual argument disables all of Certbot's automated integration features: in this case you are only issuing a certificate, not installing it on a service as well.

You point Certbot at the acme-dns-certbot hook with the --manual-auth-hook argument, and --preferred-challenges dns makes Certbot choose DNS validation.

You must also tell Certbot to pause before attempting validation, which you do with the --debug-challenges argument. This gives you time to set the DNS CNAME record(s) that acme-dns-certbot asks for, which is covered later in this step. Without --debug-challenges, Certbot would not pause, so you would have no time to make the required DNS change.

Substitute each domain name you wish to use with its own -d argument. For a wildcard certificate, escape the asterisk (*) with a backslash (\) so that the shell does not expand it.

After following the standard Certbot steps, you'll eventually be prompted with a message similar to the following:

Output
...
Output from acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.your-domain CNAME a15ce5b2-f170-4c91-97bf-09a5764a88f6.auth.acme-dns.io.

Waiting for verification...
...

Add the required DNS CNAME record to the DNS configuration for your domain. This delegates the _acme-challenge subdomain to the acme-dns service, which allows acme-dns-certbot to set the TXT records that validate the certificate request. The target on the right-hand side is a subdomain that the hook registered for this domain; it is stored, together with the API credentials for it, in the hook's storage file (/etc/letsencrypt/acmedns.json by default), so keep that file private.

If you're using DigitalOcean as your DNS provider, you can set the DNS record within your control panel.

It is recommended to set the TTL (time-to-live) to around 300 seconds so that any changes to the record propagate quickly. Let's Encrypt's validators resolve the name from their own vantage points, so check the record with a public resolver or by querying your zone's authoritative nameservers, not only from the server you are working on.
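Before returning to Certbot it is worth confirming that the CNAME is actually visible, because Certbot will only try the validation once. The following is an added example (code written for this page, not part of the tutorial or of acme-dns-certbot) that wraps `dig +short` from the dnsutils package, parses its output, and checks that _acme-challenge.<domain> now points at a name under auth.acme-dns.io; once the hook has run, it can also check that the validation TXT value is visible. The `nameserver` argument lets you ask one of your zone's authoritative servers directly, bypassing caches. The record values used in the comments are placeholders.

```python
"""Pre-flight check of the _acme-challenge delegation before telling Certbot to continue.
Added example, not part of the tutorial or of acme-dns-certbot. It shells out to the
`dig` binary (dnsutils package); record values in comments are placeholders."""
import re
import subprocess

ACME_DNS_SUFFIX = ".auth.acme-dns.io."
TXT_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_short(output):
    """Turn `dig +short` output into a list of answers.
    CNAME targets come back as bare names; TXT rdata comes back as one or more quoted
    character-strings per line, which are concatenated into a single value."""
    answers = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        answers.append("".join(TXT_STRING.findall(line)) if line.startswith('"') else line)
    return answers


def dig_short(name, rtype, nameserver=None):
    """Run dig; pass nameserver (e.g. one of your zone's NS hosts) to bypass resolver caches."""
    cmd = ["dig", "+short"] + ([f"@{nameserver}"] if nameserver else []) + [name, rtype]
    return parse_short(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)


def check_delegation(domain, cnames, txts=(), expected_txt=None):
    """Pure decision logic over already-resolved records; returns a list of problems (empty = ready)."""
    problems = []
    targets = [c.lower().rstrip(".") + "." for c in cnames]
    if not targets:
        problems.append(f"_acme-challenge.{domain} has no CNAME yet (not added, or a cached negative answer)")
    elif not any(t.endswith(ACME_DNS_SUFFIX) for t in targets):
        problems.append(f"_acme-challenge.{domain} points at {targets[0]}, not at a *{ACME_DNS_SUFFIX} name")
    if expected_txt is not None and expected_txt not in txts:
        problems.append("the validation TXT value is not visible yet")
    return problems


def preflight(domain, expected_txt=None, nameserver=None):
    """Resolve the live records and check them. expected_txt is the value the hook published
    (Certbot's CERTBOT_VALIDATION); leave it None before the hook has run."""
    name = f"_acme-challenge.{domain}"
    cnames = dig_short(name, "CNAME", nameserver)
    # A TXT query on a CNAME'd name returns the CNAME target first, then the TXT strings.
    txts = dig_short(name, "TXT", nameserver) if expected_txt is not None else ()
    return check_delegation(domain, cnames, txts, expected_txt)


if __name__ == "__main__":
    import sys
    # usage: python3 preflight.py your-domain [authoritative-nameserver]
    issues = preflight(sys.argv[1], nameserver=sys.argv[2] if len(sys.argv) > 2 else None)
    print("ready: press ENTER in Certbot" if not issues else "\n".join(issues))
```

Run it with your domain as the first argument and, ideally, one of your zone's authoritative nameservers as the second, so that a stale answer in a local cache does not fool you into proceeding early.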

Once you have configured the DNS record, return to Certbot and press ENTER to validate the certificate request and complete the issuance process.

This will take a few seconds, and you'll then see a message confirming that the certificate has been issued:

Output
...
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/your-domain/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/your-domain/privkey.pem
...

You've run acme-dns-certbot for the first time, set up the required DNS records, and successfully issued a certificate. Next you'll set up automatic renewals of your certificate.
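For a clearer picture of what happened when the hook asked you for a CNAME, here is an added example (code written for this page, not the acme-dns-certbot script and not the acme-dns server) that models the hook's two operations against an in-memory stand-in for acme-dns: a one-time registration per domain, whose result is saved to disk, and an update call on every challenge that publishes the value Certbot passes in CERTBOT_VALIDATION. The endpoint paths, header names and JSON fields are those of the public acme-dns API; the server logic, the domain names and the credential values are constructed for the demonstration. It also shows why the security argument from the introduction holds: the stored credential is rejected when it tries to write a record that belongs to another registration.

```python
"""Model of the acme-dns-certbot hook's two API calls against an in-memory acme-dns.
Added example, not the acme-dns-certbot script nor the acme-dns server: paths, header
names and JSON fields follow the public acme-dns API (POST /register, POST /update,
X-Api-User / X-Api-Key); server logic, domain names and credentials are constructed."""
import json
import os
import secrets
import tempfile
import uuid


class FakeAcmeDns:
    """In-memory stand-in for acme-dns: one account per registration, one TXT slot each."""

    def __init__(self, base_domain="auth.acme-dns.io"):
        self.base_domain = base_domain
        self.accounts = {}  # username -> {"password", "subdomain", "txt": last two values}

    def post(self, path, headers=None, body=None):
        headers, body = headers or {}, body or {}
        if path == "/register":
            user, pw, sub = str(uuid.uuid4()), secrets.token_urlsafe(30), str(uuid.uuid4())
            self.accounts[user] = {"password": pw, "subdomain": sub, "txt": []}
            return 201, {"username": user, "password": pw, "subdomain": sub,
                         "fulldomain": f"{sub}.{self.base_domain}"}
        if path == "/update":
            acct = self.accounts.get(headers.get("X-Api-User", ""))
            if acct is None or not secrets.compare_digest(acct["password"], headers.get("X-Api-Key", "")):
                return 401, {"error": "unauthorized"}  # unknown user or wrong key
            if body.get("subdomain") != acct["subdomain"]:
                return 403, {"error": "forbidden"}  # a credential only writes its own subdomain
            acct["txt"] = (acct["txt"] + [body["txt"]])[-2:]  # acme-dns keeps the last two values
            return 200, {"txt": body["txt"]}
        return 404, {"error": "not found"}

    def txt_records(self, fulldomain):
        """What a resolver would see at <subdomain>.auth.acme-dns.io."""
        sub = fulldomain.split(".")[0]
        return [list(a["txt"]) for a in self.accounts.values() if a["subdomain"] == sub][0]


class AcmeDnsHook:
    """Register once per domain (persisted to JSON), then publish one TXT value per challenge."""

    def __init__(self, server, storage_path):
        self.server, self.storage_path, self.store = server, storage_path, {}
        if os.path.exists(storage_path):
            with open(storage_path) as f:
                self.store = json.load(f)

    def _save(self):
        # The file holds API credentials: create it owner-readable only.
        fd = os.open(self.storage_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(self.store, f)

    def register_if_needed(self, domain):
        """Returns (credentials, cname_needed); a CNAME is only asked for on first registration."""
        if domain in self.store:
            return self.store[domain], False
        status, resp = self.server.post("/register")
        if status != 201:
            raise RuntimeError(f"registration failed: {resp}")
        self.store[domain] = resp
        self._save()
        return resp, True

    def set_validation(self, domain, validation):
        """Per challenge: Certbot supplies CERTBOT_DOMAIN and CERTBOT_VALIDATION, the hook publishes them."""
        creds = self.store[domain]
        status, resp = self.server.post(
            "/update", headers={"X-Api-User": creds["username"], "X-Api-Key": creds["password"]},
            body={"subdomain": creds["subdomain"], "txt": validation})
        if status != 200:
            raise RuntimeError(f"update failed: {status} {resp}")
        return resp["txt"]


VALIDATION = "c" * 43  # constructed stand-in for a real 43-character dns-01 value


def demo(storage_path=None):
    """First issuance, a renewal, and two misuse attempts; returns what happened."""
    if storage_path is None:
        storage_path = os.path.join(tempfile.mkdtemp(), "acmedns.json")
    server = FakeAcmeDns()
    hook = AcmeDnsHook(server, storage_path)
    creds, need_cname = hook.register_if_needed("your-domain")
    hook.set_validation("your-domain", VALIDATION)
    # A later run (renewal) reads the stored credentials, so no new CNAME is requested.
    _, need_cname_again = AcmeDnsHook(server, storage_path).register_if_needed("your-domain")
    # your-domain's credential cannot write the record of another registration ...
    other, _ = hook.register_if_needed("other-domain")
    auth = {"X-Api-User": creds["username"], "X-Api-Key": creds["password"]}
    cross_status, _ = server.post("/update", headers=auth,
                                  body={"subdomain": other["subdomain"], "txt": VALIDATION})
    # ... and a wrong key is rejected before any scope check.
    bad_status, _ = server.post("/update", headers={**auth, "X-Api-Key": "wrong"},
                                body={"subdomain": creds["subdomain"], "txt": VALIDATION})
    return {"need_cname": need_cname, "need_cname_again": need_cname_again,
            "cname": f"_acme-challenge.your-domain CNAME {creds['fulldomain']}.",
            "txt": server.txt_records(creds["fulldomain"]),
            "storage_mode": oct(os.stat(storage_path).st_mode & 0o777),
            "cross_domain_status": cross_status, "bad_key_status": bad_status}
```

The storage file is the one secret this scheme creates: whoever reads it can publish validation records for the names registered in it, which is enough to obtain certificates for those names, but nothing beyond them. That is why the example creates the file with mode 0600 and why the real hook's STORAGE_PATH deserves the same care as a private key.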

Step 4 — Using acme-dns-certbot

In this final step, you will use acme-dns-certbot to issue more certificates and renew existing ones.

Now that you've issued at least one certificate with acme-dns-certbot, you can continue to issue certificates for the same DNS names without adding another DNS CNAME record. If you want a certificate for a different subdomain or an entirely new domain name, you will be prompted to add another CNAME record, because each name gets its own acme-dns registration.

For example, you could issue another standalone wildcard certificate without having to perform the verification again:

  • sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.your-domain

However, if you were to attempt to issue a certificate for a subdomain, you would be prompted to add a CNAME record for the subdomain:

  • sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d subdomain.your-domain

This will show an output similar to the initial setup that you carried out in Step 3:

Output
...
Please add the following CNAME record to your main DNS zone:
_acme-challenge.subdomain.your-domain CNAME 8450fb54-8e01-4bfe-961a-424befd05088.auth.acme-dns.io.

Waiting for verification...
...

Now that you're able to use acme-dns-certbot to issue certificates, it's worth considering the renewal process as well.

Once your certificates are nearing expiry, Certbot can automatically renew them for you:

  • sudo certbot renew

The renewal process runs start to finish without user interaction and reuses all of the configuration options you specified during the initial setup: the stored acme-dns credentials let the hook publish the new validation value on its own, as long as the CNAME records stay in place. The certbot package also installs a scheduled job (a systemd timer or cron entry) that runs the renewal for you; confirm that it is enabled rather than relying on running the command by hand.

To test that this is working without having to wait until nearer the expiry date, you can trigger a dry run. This will simulate the renewal process without making any actual changes to your configuration.

You can trigger a dry run using the standard renew command, but with the --dry-run argument:

  • sudo certbot renew --dry-run

This will output something similar to the following, which provides assurance that the renewal process is functioning correctly:

Output
...
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for your-domain
dns-01 challenge for your-domain
Waiting for verification...
Cleaning up challenges
...

In this final step, you issued another certificate and then tested the automatic renewal process within Certbot.

Conclusion

In this article you set up Certbot with acme-dns-certbot in order to issue certificates using DNS validation. This unlocks the use of wildcard certificates as well as the management of a large estate of distinct web servers that may be sitting behind a load balancer.

Make sure to keep an eye on the acme-dns-certbot repository for any updates to the script, as it's always recommended to run the latest supported version.

If you're interested in learning more about acme-dns-certbot, you may wish to review the documentation for the acme-dns project (https://github.com/joohoi/acme-dns), which is the server-side element of acme-dns-certbot.

The acme-dns software can also be self-hosted, which may be worthwhile in high-security or complex environments: with the public instance, a third party operates the server that your validation records depend on, and self-hosting keeps that under your own control.

Alternatively, you can dig into the technical details of ACME DNS validation by reviewing the relevant section of the official RFC (RFC 8555, section 8.4, "DNS Challenge"), which outlines how the process works.
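To make the RFC's description concrete, the following added example (stdlib-only code written for this page, not from Certbot, acme-dns or the tutorial) computes the dns-01 TXT value exactly as RFC 8555 specifies it: the key authorization is the challenge token joined by a "." to the RFC 7638 thumbprint of the account's public key, and the TXT record carries the base64url-encoded SHA-256 of that string. The account key used is the example RSA public key from RFC 7638, whose thumbprint the RFC publishes, and the token is the example token from RFC 8555; both are public test values, not credentials. It also shows why a wildcard and its base name share one _acme-challenge record.

```python
"""How the dns-01 TXT value is derived from the challenge token and the account key.
Added example (stdlib only), not code from the tutorial, Certbot or acme-dns. It follows
RFC 8555 section 8.1 (key authorization), section 8.4 (dns-01 value) and RFC 7638
(JWK thumbprint). The key below is the public part of the RFC 7638 example key."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys sorted, no whitespace.
    Optional members such as alg or kid do not affect the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the account public key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT rdata is base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return b64url(digest)


def dns01_record(identifier: str, token: str, jwk: dict):
    """Name and value of the TXT record for one identifier. For a wildcard such as
    *.your-domain the record goes under the base name (RFC 8555 section 7.1.3), which is
    why a wildcard and its base name are both validated via _acme-challenge.your-domain."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}", dns01_txt_value(token, jwk)


# Public part of the RFC 7638 section 3.1 example key, and the thumbprint the RFC gives for it.
RFC7638_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAt"
         "VT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn6"
         "4tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FD"
         "W2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n9"
         "1CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINH"
         "aQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
}
RFC7638_THUMBPRINT = "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"

if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # example token from RFC 8555
    for ident in ("your-domain", "*.your-domain"):
        name, value = dns01_record(ident, token, RFC7638_JWK)
        print(f'{ident}: {name} IN TXT "{value}"')
```

Two practical consequences follow from the construction. The TXT value is always 43 characters of base64url, which is the format acme-dns expects to receive. And because the value binds the token to your account key, a TXT record left behind from an earlier validation is useless to anyone else, but it also cannot be reused: every new order gets a fresh token and therefore a fresh value, which is exactly what the hook publishes on each renewal.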

Translated from: https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-dns-validation-with-acme-dns-certbot-on-ubuntu-18-04


The steps to perform DNS validation over the ACME protocol from Python 3, using the `acme` library that Certbot itself is built on, are as follows:

1. Install the `acme` library (it depends on `josepy`, `cryptography` and `requests`):
```bash
pip install acme
```
2. Import the modules you need (`acme.jose` no longer exists; the JOSE primitives live in the separate `josepy` package):
```python
import josepy as jose
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from acme import challenges, client, crypto_util, messages
```
3. Set the ACME directory URL. Let's Encrypt has no API key; the account is identified by the key generated in the next step:
```python
DIRECTORY_URL = 'https://acme-v02.api.letsencrypt.org/directory'
```
4. Generate the ACME account key and wrap it as a JWK:
```python
account_key = jose.JWKRSA(key=rsa.generate_private_key(public_exponent=65537, key_size=2048))
```
5. Create the ACME client from the fetched directory and a network object that signs every request with the account key:
```python
net = client.ClientNetwork(account_key, user_agent='python-acme-dns01-example')
directory = messages.Directory.from_json(net.get(DIRECTORY_URL).json())
acme_client = client.ClientV2(directory, net=net)
```
6. Register the ACME account:
```python
email = '<your_email_address>'
registration = acme_client.new_account(
    messages.NewRegistration.from_data(email=email, terms_of_service_agreed=True))
```
7. List the names to validate and build one CSR covering all of them. The certificate key is separate from the account key:
```python
domains = ['example.com', 'www.example.com']
cert_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
cert_key_pem = cert_key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.TraditionalOpenSSL,
    encryption_algorithm=serialization.NoEncryption())
csr_pem = crypto_util.make_csr(cert_key_pem, domains)
```
8. Create one order for the CSR; the server creates an authorization for each name in it:
```python
order = acme_client.new_order(csr_pem)
```
9. For each authorization, pick the dns-01 challenge and print the TXT record to add. The value is base64url(SHA-256(token "." account-key-thumbprint)), which `validation()` computes for you; it is not the thumbprint and token joined together:
```python
def dns01_challenge(authz):
    for challb in authz.body.challenges:
        if isinstance(challb.chall, challenges.DNS01):
            return challb
    raise ValueError(f'no dns-01 challenge for {authz.body.identifier.value}')

for authz in order.authorizations:
    domain = authz.body.identifier.value
    challb = dns01_challenge(authz)
    print('Please add the following DNS record to your domain:')
    print(f'- Name:\t{challb.chall.validation_domain_name(domain)}')
    print('- Type:\tTXT')
    print(f'- Value:\t{challb.chall.validation(account_key)}')
```
10. Add the TXT records at your DNS provider and wait until they are visible:
```
_acme-challenge.example.com.     300 IN TXT "<value printed for example.com>"
_acme-challenge.www.example.com. 300 IN TXT "<value printed for www.example.com>"
```
11. Once the records are live, tell the server to validate each challenge:
```python
for authz in order.authorizations:
    challb = dns01_challenge(authz)
    acme_client.answer_challenge(challb, challb.chall.response(account_key))
```
12. When validation succeeds, finalize the order. The server returns the certificate chain (you already sent it the CSR in step 8; it does not return one):
```python
order = acme_client.poll_and_finalize(order)
fullchain_pem = order.fullchain_pem
```
13. Save the certificate chain and the certificate's private key (not the account key). Remove the TXT records afterwards; they serve no purpose once the order is finalized:
```python
with open('cert.pem', 'w') as f:
    f.write(fullchain_pem)
with open('key.pem', 'wb') as f:
    f.write(cert_key_pem)
```