阿里云搭建Let's encrypt通配符证书

这个是几个月前配置的，因为昨天证书到期导致HTTPS访问失效；这里记录一下配置过程以及证书续期的流程

xxxx.xxx代表你的域名 全文如此

1.将阿里云主机的TXT记录值添加到 域名管理->域名解析

2.将TXT记录值添加到主机80端口服务的根目录下 ；比如你使用的是nginx 或者Apache ，主目录在www下

    在根目录创建目录 .well-known/pki-validation

    在.well-known/pki-validation创建文件fileauth.txt；将TXT记录值写入文件即可

以上两步主要是处理阿里云相关配置(腾讯云也是一样的)

3.获取Cerbot

# 下载
wget https://dl.eff.org/certbot-auto
# 设为可执行权限
chmod u+x certbot-auto

4.申请证书

./certbot-auto certonly  -d *.xxx.xxx --email yourEmail@qq.com --manual --preferred-challenges dns-01  --server https://acme-v02.api.letsencrypt.org/directory

参数说明：

-certonly，表示安装模式，Certbot 有安装模式和验证模式两种类型的插件。
-manual，表示手动安装插件，Certbot 有很多插件，不同的插件都可以申请证书，用户可以根据需要自行选择。
-d，为哪些主机申请证书，如果是通配符，输入 *.hubinqiang.com（替换为自己的域名）。
-preferred-challenges，使用 DNS 方式校验域名所有权。
-server，Let’s Encrypt ACME v2 版本使用的服务器不同于 v1 版本，需要显示指定。

5.申请过程

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): yourEmail@qq.com

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for xxxxx.xxx

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------

6.证书域名验证服务器方需要我们添加的域名解析TXT值 这个需要我们添加到域名管理平台 域名解析中

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.xxxx.xxx with the following value:

GKgbvKriT-zZ8aRmWeQI_XGWFbouG4VBpWBq3WHlOV8

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

注意这里 Press Enter to Continue 需要我们先添加TXT记录值到域名解析中 才能去验证 不然域名验证方 访问_acme-challenge.xxxx.xxx访问不到就会失败

添加如下：

7.配置证书

在nginx配置文件中

8.证书续期

certbot-auto renew

但是我在这里一直报错；最开始是网络连接不上，修改服务器上DNS解析服务器以后，可以连接上，但是后面一直在说我的/etc/letsencrypt/renewal/xxxx.xxx.conf文件配置有问题 但是实际上没有修改过

解决方法：
4、5、6步骤重新执行一次即可