Repost: Get a free Let's Encrypt wildcard SSL certificate
acme.sh now supports issuing Let's Encrypt wildcard certificates,
but most tutorials are written for DNSPod; this one uses Cloudflare, so I am keeping a copy here.
The original author's layout is also very clean; the blog is worth a visit.
1. Foreword
This tutorial uses acme.sh. Wildcard certificates can only be validated with the DNS-01 challenge (Let's Encrypt requires it for wildcard names), so the Standalone/HTTP-01 mode cannot be used here. Questions and discussion are welcome.
Common SSL certificate types
Ordinary DV certificate: issued for a single domain name, or for a list of individual names.
Wildcard certificate: *.abc.com, i.e. every single-label subdomain of abc.com, covered by one certificate. Note that the wildcard does not cover the bare abc.com itself, nor deeper names such as a.b.abc.com; the apex is added as a separate name below.
2. Preparation
The domain you want a certificate for must be hosted with a DNS provider that exposes an API (acme.sh has to create and delete the _acme-challenge TXT records itself), for example:
- CloudFlare
- DNSPod
- CloudXNS
- GoDaddy
- PowerDNS
- For others, see the acme.sh wiki page "How to use DNS API"
- A Linux VPS
3. Issuing
This tutorial uses owen.ml, hosted on Cloudflare DNS, as the example; for other providers see the DNS API page referenced above. (PS: the parameters differ slightly from provider to provider, so do not copy the Cloudflare lines verbatim.)
① Obtain the API credentials
On the Cloudflare profile page, find and note your API key, the "Global API Key". Be aware that this key has full control over the entire Cloudflare account, and acme.sh stores it in /root/.acme.sh/account.conf so the cron job can renew without you; treat that file like a private key (root-only, mode 600). Current acme.sh versions also accept a scoped API token (CF_Token together with CF_Zone_ID or CF_Account_ID) limited to Zone:DNS:Edit on the one zone, which is the safer choice if your acme.sh is recent enough.
② Issue the certificate
SSH into the host (CentOS) and first install curl (socat is only needed by the Standalone mode, which this tutorial does not use):
[root@vs-hk ~]# yum update -y
[root@vs-hk ~]# yum install curl socat -y
Then install acme.sh (this pipes a remotely fetched script straight into sh; if that is not acceptable on your host, clone the GitHub repository and run ./acme.sh --install instead, which produces the same layout):
[root@vs-hk ~]# curl https://get.acme.sh | sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 705 100 705 0 0 39 0 0:00:18 0:00:17 0:00:01 152
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 162k 100 162k 0 0 150k 0 0:00:01 0:00:01 --:--:-- 150k
[Sat Mar 17 15:47:54 CST 2018] Installing from online archive.
[Sat Mar 17 15:47:54 CST 2018] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Sat Mar 17 15:50:46 CST 2018] Extracting master.tar.gz
[Sat Mar 17 15:50:46 CST 2018] Installing to /root/.acme.sh
[Sat Mar 17 15:50:46 CST 2018] Installed to /root/.acme.sh/acme.sh
[Sat Mar 17 15:50:46 CST 2018] Installing alias to '/root/.bashrc'
[Sat Mar 17 15:50:46 CST 2018] OK, Close and reopen your terminal to start using acme.sh
[Sat Mar 17 15:50:46 CST 2018] Installing alias to '/root/.cshrc'
[Sat Mar 17 15:50:46 CST 2018] Installing alias to '/root/.tcshrc'
[Sat Mar 17 15:50:46 CST 2018] Installing cron job
58 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Sat Mar 17 15:50:46 CST 2018] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Mar 17 15:50:46 CST 2018] OK
[Sat Mar 17 15:50:46 CST 2018] Install success!
Put the Cloudflare Global API Key into the environment of this shell session. acme.sh saves the values to /root/.acme.sh/account.conf on first use, so later renewals do not need them exported again:
[root@vs-hk ~]# export CF_Key="****" # your Cloudflare Global API Key
[root@vs-hk ~]# export CF_Email="[email protected]" # the e-mail address of your Cloudflare account
Now the certificate can be requested:
[root@vs-hk ~]# ~/.acme.sh/acme.sh --issue -d owen.ml -d *.owen.ml --dns dns_cf --log
[Sat Mar 17 16:08:18 CST 2018] Registering account
[Sat Mar 17 16:08:20 CST 2018] Registered
[Sat Mar 17 16:08:20 CST 2018] ACCOUNT_THUMBPRINT='***'
[Sat Mar 17 16:08:20 CST 2018] Creating domain key
[Sat Mar 17 16:08:20 CST 2018] The domain key is here: /root/.acme.sh/owen.ml/owen.ml.key
[Sat Mar 17 16:08:20 CST 2018] Multi domain='DNS:owen.ml,DNS:*.owen.ml'
[Sat Mar 17 16:08:20 CST 2018] Getting domain auth token for each domain
[Sat Mar 17 16:08:22 CST 2018] Getting webroot for domain='owen.ml'
[Sat Mar 17 16:08:22 CST 2018] Getting webroot for domain='*.owen.ml'
[Sat Mar 17 16:08:23 CST 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
[Sat Mar 17 16:08:26 CST 2018] Adding record
[Sat Mar 17 16:08:28 CST 2018] Added, OK
[Sat Mar 17 16:08:28 CST 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
[Sat Mar 17 16:08:32 CST 2018] Adding record
[Sat Mar 17 16:08:33 CST 2018] Added, OK
[Sat Mar 17 16:08:33 CST 2018] Sleep 120 seconds for the txt records to take effect
[Sat Mar 17 16:10:35 CST 2018] Verifying:owen.ml
[Sat Mar 17 16:10:38 CST 2018] Success
[Sat Mar 17 16:10:38 CST 2018] Verifying:*.owen.ml
[Sat Mar 17 16:10:41 CST 2018] Success
[Sat Mar 17 16:10:41 CST 2018] Removing DNS records.
[Sat Mar 17 16:10:52 CST 2018] Verify finished, start to sign.
[Sat Mar 17 16:10:54 CST 2018] Cert success.
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
[Sat Mar 17 16:10:54 CST 2018] Your cert is in /root/.acme.sh/owen.ml/owen.ml.cer
[Sat Mar 17 16:10:54 CST 2018] Your cert key is in /root/.acme.sh/owen.ml/owen.ml.key
[Sat Mar 17 16:10:54 CST 2018] The intermediate CA cert is in /root/.acme.sh/owen.ml/ca.cer
[Sat Mar 17 16:10:54 CST 2018] And the full chain certs is there: /root/.acme.sh/owen.ml/fullchain.cer
The certificate has been issued. If issuance fails, inspect the log for the exact step that went wrong:
[root@vs-hk ~]# cat .acme.sh/acme.sh.log
......
[Sat Mar 17 16:10:54 CST 2018] _on_issue_success
......
Note: put the plain apex domain (owen.ml) in the first -d and the wildcard (*.owen.ml) in the second, not the other way round. The first -d is what acme.sh names the certificate directory after (/root/.acme.sh/owen.ml/ here), and both names are needed anyway: the wildcard does not cover the apex.
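Why the command above lists both owen.ml and *.owen.ml: browsers apply the RFC 6125 rule that a wildcard matches exactly one leftmost DNS label, so *.owen.ml covers www.owen.ml but neither the apex owen.ml nor a.b.owen.ml. The following POSIX sh matcher is an added example, not part of the original post, that implements that rule; the hostnames it checks are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): RFC 6125 section 6.4.3 wildcard
# matching as a browser applies it to a certificate's Subject Alternative Names.
# A "*.owen.ml" entry matches exactly one leftmost label: www.owen.ml yes,
# owen.ml no, a.b.owen.ml no. Hostnames below are constructed for illustration.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# san_matches HOST SAN -> exit 0 if the SAN entry covers HOST
san_matches() {
  host=$(lower "$1")
  san=$(lower "$2")
  case $san in
    '*.'*)                       # wildcard entry "*.suffix"
      suffix=${san#"*."}
      first=${host%%.*}          # leftmost label of HOST
      rest=${host#*.}            # HOST with its leftmost label removed
      # HOST must contain a dot, its leftmost label must be non-empty, and the
      # remainder must equal the suffix exactly, so only one label is consumed.
      [ "$rest" != "$host" ] && [ -n "$first" ] && [ "$rest" = "$suffix" ]
      ;;
    *)                           # plain entry: exact match only
      [ "$host" = "$san" ]
      ;;
  esac
}

# cert_covers HOST SAN... -> exit 0 if any SAN entry covers HOST
cert_covers() {
  host=$1
  shift
  for san in "$@"; do
    san_matches "$host" "$san" && return 0
  done
  return 1
}

# Self-check against the two names the tutorial issues: owen.ml and *.owen.ml
for h in owen.ml www.owen.ml mail.owen.ml a.b.owen.ml xowen.ml; do
  if cert_covers "$h" owen.ml '*.owen.ml'; then
    echo "$h: covered"
  else
    echo "$h: NOT covered"
  fi
done
```

Running it shows that a certificate carrying only *.owen.ml would leave the bare owen.ml uncovered, and that a second-level name like a.b.owen.ml needs its own certificate (or a *.b.owen.ml entry) regardless.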
After successful issuance, the request (csr), the private key (key), the certificate (cer) and the full chain (fullchain.cer) are all saved under /root/.acme.sh/owen.ml/.
For other acme.sh usage see the GitHub wiki.
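Before handing the files to a web server, check what was actually issued: the names in the certificate, how long it is valid, and whether the leaf chains to ca.cer. The script below is an added example, not code from the original post or from acme.sh; it uses the openssl CLI, and for an offline run it creates a throw-away self-signed certificate carrying the same two names (set CERT_DIR=/root/.acme.sh/owen.ml to check a real issuance instead). The install_for_nginx function uses acme.sh's real --install-cert option; the /etc/nginx/ssl paths and the systemctl reload command are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post or from acme.sh): verify the files
# acme.sh wrote, then hand them to nginx via acme.sh --install-cert.
# Requires the openssl CLI (1.1.1+ for -addext in the offline stand-in).
set -u
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

# Print the DNS names from the certificate's Subject Alternative Name extension,
# one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Exit 0 if the certificate stays valid for at least $2 more days.
# The cron job installed above renews a certificate once it is 60 days old, so a
# 90-day Let's Encrypt cert should never show fewer than about 30 days left;
# if it does, the cron entry or the stored DNS API credentials are broken.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Exit 0 if the leaf certificate $1 chains to the CA bundle $2 (acme.sh's ca.cer).
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Copy the current cert and key to a directory nginx can read and register a
# reload hook; acme.sh repeats both after every renewal. Paths and reload
# command are assumptions. Not run by the offline self-check below.
install_for_nginx() {
  "$HOME/.acme.sh/acme.sh" --install-cert -d "$1" \
    --key-file       "/etc/nginx/ssl/$1.key" \
    --fullchain-file "/etc/nginx/ssl/$1.fullchain.cer" \
    --reloadcmd      "systemctl reload nginx"
}

# Offline stand-in for a real issuance: a self-signed cert with the tutorial's
# two names, 90 days of validity like Let's Encrypt, and itself as the "CA".
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=owen.ml" \
    -addext "subjectAltName=DNS:owen.ml,DNS:*.owen.ml" \
    -keyout "$1/owen.ml.key" -out "$1/fullchain.cer" >/dev/null 2>&1
  cp "$1/fullchain.cer" "$1/ca.cer"
}

CERT_DIR=${CERT_DIR:-}
if [ -z "$CERT_DIR" ]; then
  CERT_DIR=$(mktemp -d)
  make_test_cert "$CERT_DIR"
fi

echo "names in $CERT_DIR/fullchain.cer:"
cert_sans "$CERT_DIR/fullchain.cer"
if cert_valid_for_days "$CERT_DIR/fullchain.cer" 30; then
  echo "more than 30 days of validity left"
else
  echo "FEWER than 30 days left: check the acme.sh cron job and acme.sh.log"
fi
if chain_verifies "$CERT_DIR/fullchain.cer" "$CERT_DIR/ca.cer"; then
  echo "leaf chains to ca.cer"
else
  echo "chain does NOT verify: serve fullchain.cer, never owen.ml.cer alone"
fi
```

On a real issuance, run it with CERT_DIR=/root/.acme.sh/owen.ml and then call install_for_nginx owen.ml once; from then on acme.sh re-copies the files and reloads nginx after each automatic renewal, so nginx never reads from /root/.acme.sh directly.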
4. Using the certificate
① Configuration
Assume the site is www.owen.ml; nginx as the example. The certificate paths below assume the files have been copied out of /root/.acme.sh (for instance with acme.sh --install-cert, which re-copies them after every renewal and can reload nginx); do not point nginx at /root/.acme.sh directly, because acme.sh rewrites those files in place and the directory is readable only by root:
server
{
......# listen on the HTTPS port 443
listen 443 ssl http2;
......# force-redirect plain HTTP to HTTPS (only takes effect if this server block also listens on port 80)
if ($server_port !~ 443){
rewrite ^(/.*)$ https://$host$1 permanent;
}
......# certificate and TLS negotiation settings; serve the full chain so browsers can build a path to the root without errors
ssl_certificate /etc/letsencrypt/live/www.owen.ml/fullchain.cer;
ssl_certificate_key /etc/letsencrypt/live/www.owen.ml/owen.ml.key;
# TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+, drop it on older builds
ssl_protocols TLSv1.2 TLSv1.3;
# forward-secret AEAD suites only: no CBC, no static RSA or static ECDH key exchange
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
......# redirect plain-HTTP requests that arrive on the HTTPS port to HTTPS (nginx's internal code 497; optional)
error_page 497 https://$host$request_uri;
......
}
② Verification
Open the site in a browser: it accepts the certificate without warnings and shows it as valid. The same can be checked from the command line:
[root@vs-hk ~]# curl -I www.owen.ml
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 17 Mar 2018 08:53:20 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://www.owen.ml/
[root@vs-hk ~]# curl -I https://www.owen.ml
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 17 Mar 2018 08:53:31 GMT
Content-Type: text/html
Content-Length: 985
Last-Modified: Sat, 17 Mar 2018 08:32:51 GMT
Connection: keep-alive
ETag: "5aacd2b3-3d9"
Accept-Ranges: bytes
The redirect works and the HTTPS site responds with 200, so the configuration is correct and the certificate is in use.
One last remark: like ordinary Let's Encrypt certificates, wildcard certificates are valid for 90 days. Renewal is automatic as long as /root/.acme.sh and the cron entry are left in place: the job runs every day at 00:58 (the "58 0 * * *" line installed above), and acme.sh actually renews a certificate once it is 60 days old, i.e. about 30 days before expiry.
Reference:
1. "#Tutorial# Get a free Let's Encrypt wildcard certificate" (reposted with edits)
Copyright notice:
Author: Jays
Link: https://ijays.com/2018/04/free-wildcard-ssl-let-is-ecnrypt-cloudflare.html
Source: 颓废的美
The article is copyright of its author; do not repost without permission.