Applying for a free Let's Encrypt wildcard (*.yourdomain.com) HTTPS certificate
Installation environment: CentOS
A domain of the form *.example.com is a wildcard domain: all of its subdomains share one certificate, which saves the trouble of applying for each one separately.
1. Tool installation
Install the latest certbot:
sudo yum install -y certbot
If certbot is already installed, upgrade it to a newer version:
sudo yum update -y certbot
2. Certificate application
Replace *.yourdomain.com with your own wildcard domain.
Run the command (the wildcard is quoted so the shell does not expand it):
sudo certbot certonly --preferred-challenges dns --manual -d '*.yourdomain.com' --server https://acme-v02.api.letsencrypt.org/directory
When the following output appears, add a TXT record in Alibaba Cloud DNS (Alidns):
Please deploy a DNS TXT record under the name
_acme-challenge.yourdomain.com with the following value:
xxxxx
Before continuing, verify the record is deployed.
Adding the TXT record in Alibaba Cloud DNS
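Certbot asks you to verify the record before continuing. The script below is added here as an example and is not part of the original post: it queries the _acme-challenge TXT record over plain UDP DNS (no third-party library) and checks that the value certbot printed is present. The resolver address 223.5.5.5 (AliDNS public resolver) is an assumption; querying your zone's authoritative name server instead avoids a cached negative answer left over from an earlier check.

```python
import os, socket, struct

def build_txt_query(name, txid):
    """Minimal DNS query (recursion desired) for <name> TXT IN."""
    header = struct.pack('>HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    qname = b''.join(bytes([len(l)]) + l.encode('ascii')
                     for l in name.rstrip('.').split('.')) + b'\x00'
    return header + qname + struct.pack('>HH', 16, 1)   # QTYPE=TXT, QCLASS=IN

def _skip_name(pkt, off):
    """Offset just past a (possibly compressed) owner name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:    # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_txt_answers(pkt, txid):
    """TXT strings in a response; raises on id mismatch or a DNS error rcode."""
    rid, flags, qd, an, _, _ = struct.unpack('>HHHHHH', pkt[:12])
    if rid != txid:
        raise ValueError('transaction id mismatch (stray or spoofed reply)')
    if flags & 0x000F:
        raise ValueError('DNS rcode %d (record not published yet?)' % (flags & 0xF))
    off = 12
    for _ in range(qd):                # skip the echoed question section
        off = _skip_name(pkt, off) + 4
    values = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack('>HHIH', pkt[off:off + 10])
        off += 10
        if rtype == 16:                # RDATA: one or more <len><chars> strings
            p, chunks = off, []
            while p < off + rdlen:
                chunks.append(pkt[p + 1:p + 1 + pkt[p]])
                p += 1 + pkt[p]
            values.append(b''.join(chunks).decode('ascii', 'replace'))
        off += rdlen
    return values

def challenge_deployed(domain, expected, resolver='223.5.5.5', timeout=5.0):
    """True once _acme-challenge.<domain> TXT carries the value certbot printed."""
    txid = int.from_bytes(os.urandom(2), 'big')   # random id: reject stray replies
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query('_acme-challenge.' + domain, txid), (resolver, 53))
        pkt, _ = s.recvfrom(4096)
    return expected in parse_txt_answers(pkt, txid)
```

Call challenge_deployed('yourdomain.com', '<value certbot printed>') and only press Enter in certbot once it returns True.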
3. Using the certificate (nginx)
Under /etc/nginx/conf.d add a new configuration file xx.conf: add a server block and point it at the certificate files obtained above.
4. Automatic certificate renewal (not applicable to wildcard domains; a wildcard certificate can only be renewed manually, once every three months)
Let's Encrypt certificates are valid for three months; a crontab job can be set up to renew them:
30 1 10 * * /usr/bin/certbot renew && /usr/sbin/nginx -s reload # runs once a month, on the 10th at 01:30
5. Appendix: script for updating the SSL certificate of a Qiniu domain
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
update_sslcert
-----------------------------
Qiniu Cloud > SSL certificate service > update a self-owned certificate
"""
import logging
import qiniu
from qiniu import DomainManager

# Log to a file and also echo to the console
logging.basicConfig(level=logging.INFO,
                    format='%(asctime)s %(filename)s[line:%(lineno)d] %(levelname)s %(message)s',
                    datefmt='%Y/%m/%d %H:%M:%S',
                    filename='/var/log/qiniu/update_sslcert.log',
                    filemode='a')
console = logging.StreamHandler()
console.setLevel(logging.INFO)
logging.getLogger('').addHandler(console)

# Account access key / secret key
access_key = '*****************************'
secret_key = '*****************************'
auth = qiniu.Auth(access_key=access_key, secret_key=secret_key)
domain_manager = DomainManager(auth)

domain_name = 'yourdomain.com'
# Files certbot writes under /etc/letsencrypt/live/<domain>/
privatekey = "/etc/letsencrypt/live/%s/privkey.pem" % domain_name
ca = "/etc/letsencrypt/live/%s/fullchain.pem" % domain_name
with open(privatekey, 'r') as f:
    privatekey_str = f.read()
with open(ca, 'r') as f:
    ca_str = f.read()

# Upload the certificate: (name, common name, private key, certificate chain)
ret, info = domain_manager.create_sslcert(
    domain_name, domain_name, privatekey_str, ca_str)
logging.info(info)
if not ret or 'certID' not in ret:
    # On failure ret is None; stop here instead of touching the HTTPS configuration
    logging.error('Uploading the certificate failed; HTTPS configuration left unchanged')
    raise SystemExit(1)
logging.info('Post sslcert: %s' % ret['certID'])

# Bind the new certificate to the CDN domain (third argument: do not force HTTPS)
ret, info = domain_manager.put_httpsconf('.' + domain_name, ret['certID'], False)
logging.info(info)