这个是几个月前配置的,因为昨天证书到期导致HTTPS访问失效;这里记录一下配置过程以及证书续期的流程
xxxx.xxx代表你的域名 全文如此
1.将阿里云主机的TXT记录值添加到 域名管理->域名解析
2.将TXT记录值添加到主机80端口服务的根目录下 ;比如你使用的是nginx 或者Apache ,主目录在www下
在根目录创建目录 .well-known/pki-validation
在.well-known/pki-validation创建文件fileauth.txt;将TXT记录值写入文件即可
以上两步主要是处理阿里云相关配置(腾讯云也是一样的)
3.获取Cerbot
# 下载
wget https://dl.eff.org/certbot-auto
# 设为可执行权限
chmod u+x certbot-auto
4.申请证书
./certbot-auto certonly -d *.xxx.xxx --email yourEmail@qq.com --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
参数说明:
-certonly,表示安装模式,Certbot 有安装模式和验证模式两种类型的插件。
-manual,表示手动安装插件,Certbot 有很多插件,不同的插件都可以申请证书,用户可以根据需要自行选择。
-d,为哪些主机申请证书,如果是通配符,输入 *.hubinqiang.com(替换为自己的域名)。
-preferred-challenges,使用 DNS 方式校验域名所有权。
-server,Let’s Encrypt ACME v2 版本使用的服务器不同于 v1 版本,需要显示指定。
5.申请过程
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): yourEmail@qq.com
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for xxxxx.xxx
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
-------------------------------------------------------------------------------
6.证书域名验证服务器方需要我们添加的域名解析TXT值 这个需要我们添加到域名管理平台 域名解析中
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.xxxx.xxx with the following value:
GKgbvKriT-zZ8aRmWeQI_XGWFbouG4VBpWBq3WHlOV8
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
注意这里 Press Enter to Continue 需要我们先添加TXT记录值到域名解析中 才能去验证 不然域名验证方 访问_acme-challenge.xxxx.xxx访问不到就会失败
添加如下:
7.配置证书
在nginx配置文件中
8.证书续期
certbot-auto renew
但是我在这里一直报错;最开始是网络连接不上,修改服务器上DNS解析服务器以后,可以连接上,但是后面一直在说我的/etc/letsencrypt/renewal/xxxx.xxx.conf文件配置有问题 但是实际上没有修改过
解决方法:
4、5、6步骤重新执行一次即可