Configuring a Let's Encrypt Wildcard Certificate under Nginx

Official links first

Let's Encrypt >>
Certbot >>
How to install Certbot >>
Nginx >>
Alibaba Cloud DNS (云解析DNS) >>


Install Certbot with the wget and chmod commands

wget https://dl.eff.org/certbot-auto
chmod 711 ./certbot-auto

The certbot-auto download is protected by HTTPS, which is good, but if you want to double-check the integrity of the certbot-auto script you can run the commands below. --trusted-key tells gpg to treat that key as trusted for this one invocation, so first compare the fingerprint with the one published in the Certbot documentation; anything other than a "Good signature" from that key means you should not run the script. (The Certbot project has since retired certbot-auto in favour of distribution packages and the snap; with a packaged install, replace ./certbot-auto with certbot in every command below.)

wget -N https://dl.eff.org/certbot-auto.asc
gpg2 --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc certbot-auto

Then run the following command (the --server option selects the ACME v2 endpoint, which is the only one that issues wildcard certificates):

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory certonly --manual
# To use a 4096-bit RSA key instead, run this command
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory certonly --manual --rsa-key-size 4096

If you have not used Certbot before and there is no account on this system yet,
Certbot first asks you to register an account:
just enter an email address (it is used for expiry warnings and account recovery).
Second, it asks whether you agree to the terms of service;
enter A to agree.
Third, it asks whether you want to share your email address with the EFF;
enter Y to accept or N to decline, as you prefer.
That completes account registration.

Creating the certificate

Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):
This asks for your domain name(s).
Enter your wildcard domain, e.g. *.yourdomain.yoursuffix. A wildcard matches exactly one label: it covers www.yourdomain.yoursuffix but neither yourdomain.yoursuffix itself nor a.b.yourdomain.yoursuffix. To cover the bare domain as well, list both, e.g. *.yourdomain.yoursuffix,yourdomain.yoursuffix; Certbot then issues two challenges for the same name _acme-challenge.yourdomain.yoursuffix with different values, and both TXT records must be in place before you continue.
Certbot then asks whether you consent to your IP address being logged; you must answer yes here, otherwise the certificate cannot be created.

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o:

Type Y and press Enter to agree to having your IP address logged.

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.yourdomain.yoursuffix with the following value:

***this line is the record value***

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

At this point, go to your domain's DNS management page,
e.g. Alibaba Cloud DNS (云解析DNS) >>
and add a TXT record:

Record type: TXT
Host record: _acme-challenge
Resolution line: default
Record value: ***this line is the record value***
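Before going back to the terminal, confirm that a resolver outside your provider actually returns the new value. The script below is an added example for this walkthrough, not part of Certbot or of the original post; it needs only dig, and the record name, value, resolver and retry count are assumed command-line inputs:

```shell
#!/bin/sh
# check_acme_txt.sh - poll DNS until the _acme-challenge TXT record holds the
# value Certbot printed, so you only press Enter once validation can succeed.
# Added example for this walkthrough (not part of Certbot); needs only dig.
#
# Usage: sh check_acme_txt.sh _acme-challenge.yourdomain.yoursuffix 'value-from-certbot' [resolver] [tries]
# Without a resolver the system resolver is used; give a resolver you have not
# queried yet (or one of the zone's own name servers) to avoid a cached answer.

# dig +short prints TXT data as quoted strings and splits long values into
# pieces:  "abc" "def"  -> abcdef. ACME values are base64url, so they never
# contain quotes or spaces and the join is exact.
normalize_txt() {
  sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Succeed if the expected value ($1) equals one of the lines on stdin
# (one record value per line).
txt_has_value() {
  while IFS= read -r got; do
    [ "$got" = "$1" ] && return 0
  done
  return 1
}

# Query until the record carries the expected value or the attempts run out.
wait_for_txt() {
  name=$1 expected=$2 resolver=${3:-} tries=${4:-30} i=0
  command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 2; }
  while [ "$i" -lt "$tries" ]; do
    if [ -n "$resolver" ]; then
      values=$(dig +short TXT "$name" "@$resolver" 2>/dev/null | normalize_txt)
    else
      values=$(dig +short TXT "$name" 2>/dev/null | normalize_txt)
    fi
    if printf '%s\n' "$values" | txt_has_value "$expected"; then
      echo "OK: $name has the expected value${resolver:+ (via $resolver)}"
      return 0
    fi
    i=$((i + 1))
    sleep 10
  done
  echo "gave up after $tries queries; current values: ${values:-<none>}" >&2
  return 1
}

# Run only when invoked with arguments; sourcing the file just defines the functions.
if [ "$#" -ge 2 ]; then
  wait_for_txt "$@"
fi
```

Run it as sh check_acme_txt.sh _acme-challenge.yourdomain.yoursuffix 'value-from-certbot' and press Enter in the Certbot session only once it prints OK. If a resolver has already cached an empty answer for the name, query a different one or one of the zone's own name servers.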

Then go back to your SSH session and press Enter to continue (Let's Encrypt queries your authoritative name servers directly, so a value that is not yet published or is mistyped fails the challenge and counts against the failed-validation rate limit).
The request completes:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yourdomain.yoursuffix/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yourdomain.yoursuffix/privkey.pem
   Your cert will expire on your-expiry-date. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Open your Nginx configuration file and set ssl_certificate and ssl_certificate_key. Point ssl_certificate at fullchain.pem (leaf plus intermediate), not cert.pem, otherwise clients without the intermediate cached will reject the chain; then check with nginx -t and reload.

ssl_certificate        /etc/letsencrypt/live/yourdomain.yoursuffix/fullchain.pem;
ssl_certificate_key    /etc/letsencrypt/live/yourdomain.yoursuffix/privkey.pem;

Open your site and enjoy the easier maintenance a wildcard certificate brings! One caveat: the single private key in privkey.pem now authenticates every hostname under the wildcard, so copy it only to the hosts that need it and keep it readable by root only.

About renewing the certificate

First, here is the renewal configuration Certbot writes when the command finishes,
normally at /etc/letsencrypt/renewal/yourdomain.yoursuffix.conf

# renew_before_expiry = 30 days
version = %YOUR_CERTBOT_VERSION[must>0.22.0,may=0.22.2]%
archive_dir = /etc/letsencrypt/archive/yourdomain.yoursuffix
cert = /etc/letsencrypt/live/yourdomain.yoursuffix/cert.pem
privkey = /etc/letsencrypt/live/yourdomain.yoursuffix/privkey.pem
chain = /etc/letsencrypt/live/yourdomain.yoursuffix/chain.pem
fullchain = /etc/letsencrypt/live/yourdomain.yoursuffix/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
installer = None
account = %YOUR_ACCOUNT_HASH%
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
rsa_key_size = 4096

The point to note here is that because authenticator = manual (with no auth hook configured),
./certbot-auto renew cannot renew this certificate: the manual authenticator has no way to publish the new TXT value without someone at the keyboard.
Run the original command again:
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory certonly --manual
or, for a 4096-bit key:
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory certonly --manual --rsa-key-size 4096
Certbot will report that the certificate already exists and is (or is not yet) due for renewal; choose to replace it. Each new order comes with a new challenge value, so the TXT record must be updated to match before you press Enter. If you want unattended renewal, pass --manual-auth-hook and --manual-cleanup-hook scripts that create and remove the record through your DNS provider's API; Certbot stores them in this .conf and certbot-auto renew then works. Either way, Nginx reads the certificate files only at start-up or reload, so reload it after every renewal (nginx -s reload, or --deploy-hook 'nginx -s reload').
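As an added example of the hook approach, not code from Certbot, Alibaba Cloud or the original post, here is a manual auth/cleanup hook for Alibaba Cloud DNS. It assumes the Alibaba Cloud CLI (aliyun) is installed and configured with an AccessKey that may edit the zone, that jq is available, that the zone name is passed in an ALIDNS_ZONE environment variable, and that the CLI follows its documented aliyun alidns <Action> --Param value form with AddDomainRecord returning a RecordId; check these against the current CLI before relying on it:

```shell
#!/bin/sh
# alidns-hook.sh - Certbot manual auth/cleanup hooks for Alibaba Cloud DNS, so
# "certbot-auto renew" can renew the wildcard certificate unattended.
# Added example for this walkthrough, not code from Certbot or Alibaba Cloud.
# Assumptions: the Alibaba Cloud CLI ("aliyun") is installed and configured
# with an AccessKey allowed to edit the zone, jq is available for its JSON
# replies, the CLI call shape is "aliyun alidns <Action> --Param value", and
# AddDomainRecord answers with a RecordId field.
#
# Issue once with the hooks; Certbot saves them in the renewal .conf:
#   ./certbot-auto certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "/etc/letsencrypt/alidns-hook.sh auth" \
#     --manual-cleanup-hook "/etc/letsencrypt/alidns-hook.sh cleanup" \
#     -d '*.example.com' -d example.com
# Certbot passes each challenge in the environment: CERTBOT_DOMAIN,
# CERTBOT_VALIDATION, CERTBOT_REMAINING_CHALLENGES and, for cleanup,
# CERTBOT_AUTH_OUTPUT (whatever the auth hook wrote to stdout).
set -eu

# Zone the records live in; Alibaba Cloud takes zone and relative host ("RR")
# as separate parameters. Assumed configuration knob, override via environment.
ALIDNS_ZONE=${ALIDNS_ZONE:-example.com}

# A wildcard is validated at its base name: *.example.com and example.com both
# use _acme-challenge.example.com. Drop a leading "*." if Certbot passes one.
challenge_name() {
  printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Host part of a name relative to the zone ("@" for the zone apex):
#   rr_in_zone _acme-challenge.dev.example.com example.com -> _acme-challenge.dev
rr_in_zone() {
  name=$1 zone=$2
  case $name in
    "$zone")   printf '@\n' ;;
    *".$zone") printf '%s\n' "${name%.$zone}" ;;
    *) echo "$name is not inside zone $zone" >&2; return 1 ;;
  esac
}

auth() {
  name=$(challenge_name "$CERTBOT_DOMAIN")
  rr=$(rr_in_zone "$name" "$ALIDNS_ZONE")
  record_id=$(aliyun alidns AddDomainRecord --DomainName "$ALIDNS_ZONE" \
                --RR "$rr" --Type TXT --Value "$CERTBOT_VALIDATION" | jq -r .RecordId)
  [ -n "$record_id" ] && [ "$record_id" != null ] || { echo "AddDomainRecord failed for $name" >&2; exit 1; }
  # stdout is handed to the cleanup hook as CERTBOT_AUTH_OUTPUT
  printf '%s\n' "$record_id"
  # With *.example.com and example.com in one order this hook runs twice for
  # the same name; wait for the provider to publish only after the last one.
  if [ "${CERTBOT_REMAINING_CHALLENGES:-0}" -eq 0 ]; then
    sleep 60
  fi
}

cleanup() {
  for id in ${CERTBOT_AUTH_OUTPUT:-}; do
    aliyun alidns DeleteDomainRecord --RecordId "$id" >/dev/null
  done
}

case ${1:-} in
  auth)    auth ;;
  cleanup) cleanup ;;
  *)       ;;   # no mode: only define the functions (lets the file be sourced or tested)
esac
```

Issue the certificate once with the hooks as shown in the header; afterwards ./certbot-auto renew --dry-run exercises the hooks against the staging endpoint without spending issuance quota. The 60-second wait is a guess at the provider's own publication delay; Let's Encrypt asks your authoritative servers directly, so the record's TTL does not matter.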

Why not acme.sh

1. The official ACME Client Implementations page says:

Recommended: Certbot
We recommend that most people start with the Certbot client. It can simply get a cert for you or also help you install, depending on what you prefer. It’s easy to use, works on many operating systems, and has great documentation.
If certbot does not meet your needs, or you’d simply like to try something else, there are many more clients to choose from below, grouped by the language or environment they run in.
The ACME clients below are offered by third parties. Let’s Encrypt does not control or review third party clients and cannot make any guarantees about their safety or reliability.

This shows that Certbot is the ACME client Let's Encrypt recommends first.
2. Certbot is the simplest to operate, has the most detailed documentation, and suits the widest audience.