
Repost: Getting a free Let's Encrypt wildcard SSL certificate

acme.sh now supports issuing Let's Encrypt wildcard certificates (Let's Encrypt started issuing them through its ACME v2 endpoint in March 2018).

Most tutorials, however, are written for DNSPod. This one uses CloudFlare, so I am keeping a copy of it here.

The original author's layout is also very nicely done; the blog is worth a visit.


1. Preface

This tutorial uses acme.sh. Let's Encrypt only validates wildcard names with the DNS-01 challenge (a TXT record at _acme-challenge.<domain>), so this guide covers the DNS API mode only; the Standalone (HTTP) mode cannot be used for wildcards. Questions and discussion are welcome.

Common SSL certificate types

Ordinary DV certificate: issued for a single domain name, or for a fixed list of specific names (SANs).
Wildcard certificate: one certificate covers *.abc.com, i.e. all direct subdomains of abc.com. The wildcard replaces exactly one label: it matches www.abc.com but neither abc.com itself nor a.b.abc.com, which is why the bare domain is requested as a separate -d below.

2. Preparation

The domain you want a certificate for must be hosted at a DNS provider whose API acme.sh supports, for example:

  • CloudFlare
  • DNSPod
  • CloudXNS
  • GoDaddy
  • PowerDNS
  • others: see How to use DNS API (the acme.sh wiki page)

You also need a Linux VPS host to run acme.sh on.

3. Issuing the certificate

This tutorial uses owen.ml, which is hosted at CloudFlare, as the example; for other DNS providers see here. (The environment variables differ from provider to provider, so do not copy the commands below verbatim.)

① Get the API key

On the CloudFlare profile page, find and note your Global API Key. Be aware that this key grants full access to everything in the CloudFlare account, not just the DNS of one zone; acme.sh's dns_cf hook also accepts a scoped API token (CF_Token, together with CF_Account_ID and/or CF_Zone_ID) that can be restricted to editing DNS in a single zone, which is the safer choice for an automated job.

② Request the certificate

SSH into the host (CentOS) and install curl first (socat is only used by acme.sh's standalone mode; the installer just warns if it is missing):

[root@vs-hk ~]# yum update -y
[root@vs-hk ~]# yum install curl socat -y

Then install acme.sh. Note that this one-liner executes whatever the download server returns without you ever seeing it; the more careful approach is to download the script to a file, read it, and only then run it:

[root@vs-hk ~]# curl https://get.acme.sh | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   705  100   705    0     0     39      0  0:00:18  0:00:17  0:00:01   152
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  162k  100  162k    0     0   150k      0  0:00:01  0:00:01 --:--:--  150k
[Sat Mar 17 15:47:54 CST 2018] Installing from online archive.
[Sat Mar 17 15:47:54 CST 2018] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Sat Mar 17 15:50:46 CST 2018] Extracting master.tar.gz
[Sat Mar 17 15:50:46 CST 2018] Installing to /root/.acme.sh
[Sat Mar 17 15:50:46 CST 2018] Installed to /root/.acme.sh/acme.sh
[Sat Mar 17 15:50:46 CST 2018] Installing alias to '/root/.bashrc'
[Sat Mar 17 15:50:46 CST 2018] OK, Close and reopen your terminal to start using acme.sh
[Sat Mar 17 15:50:46 CST 2018] Installing alias to '/root/.cshrc'
[Sat Mar 17 15:50:46 CST 2018] Installing alias to '/root/.tcshrc'
[Sat Mar 17 15:50:46 CST 2018] Installing cron job
58 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Sat Mar 17 15:50:46 CST 2018] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Mar 17 15:50:46 CST 2018] OK
[Sat Mar 17 15:50:46 CST 2018] Install success!

Put the CloudFlare Global API Key into environment variables for this shell session. acme.sh writes these values to ~/.acme.sh/account.conf after the first successful issue and reuses them for renewals, so keep that file (and your shell history) readable only by root:

[root@vs-hk ~]# export CF_Key="****"             # CloudFlare Global API Key
[root@vs-hk ~]# export CF_Email="xxxxx@xx.com"   # e-mail address of the CloudFlare account

Now request the certificate. The wildcard is quoted so that the shell cannot expand it as a glob; on current acme.sh releases (3.0 and later), whose default CA is ZeroSSL, also add --server letsencrypt to get a Let's Encrypt certificate:

[root@vs-hk ~]# ~/.acme.sh/acme.sh --issue -d owen.ml -d '*.owen.ml' --dns dns_cf --log
[Sat Mar 17 16:08:18 CST 2018] Registering account
[Sat Mar 17 16:08:20 CST 2018] Registered
[Sat Mar 17 16:08:20 CST 2018] ACCOUNT_THUMBPRINT='***'
[Sat Mar 17 16:08:20 CST 2018] Creating domain key
[Sat Mar 17 16:08:20 CST 2018] The domain key is here: /root/.acme.sh/owen.ml/owen.ml.key
[Sat Mar 17 16:08:20 CST 2018] Multi domain='DNS:owen.ml,DNS:*.owen.ml'
[Sat Mar 17 16:08:20 CST 2018] Getting domain auth token for each domain
[Sat Mar 17 16:08:22 CST 2018] Getting webroot for domain='owen.ml'
[Sat Mar 17 16:08:22 CST 2018] Getting webroot for domain='*.owen.ml'
[Sat Mar 17 16:08:23 CST 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
[Sat Mar 17 16:08:26 CST 2018] Adding record
[Sat Mar 17 16:08:28 CST 2018] Added, OK
[Sat Mar 17 16:08:28 CST 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
[Sat Mar 17 16:08:32 CST 2018] Adding record
[Sat Mar 17 16:08:33 CST 2018] Added, OK
[Sat Mar 17 16:08:33 CST 2018] Sleep 120 seconds for the txt records to take effect
[Sat Mar 17 16:10:35 CST 2018] Verifying:owen.ml
[Sat Mar 17 16:10:38 CST 2018] Success
[Sat Mar 17 16:10:38 CST 2018] Verifying:*.owen.ml
[Sat Mar 17 16:10:41 CST 2018] Success
[Sat Mar 17 16:10:41 CST 2018] Removing DNS records.
[Sat Mar 17 16:10:52 CST 2018] Verify finished, start to sign.
[Sat Mar 17 16:10:54 CST 2018] Cert success.
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
[Sat Mar 17 16:10:54 CST 2018] Your cert is in  /root/.acme.sh/owen.ml/owen.ml.cer 
[Sat Mar 17 16:10:54 CST 2018] Your cert key is in  /root/.acme.sh/owen.ml/owen.ml.key 
[Sat Mar 17 16:10:54 CST 2018] The intermediate CA cert is in  /root/.acme.sh/owen.ml/ca.cer 
[Sat Mar 17 16:10:54 CST 2018] And the full chain certs is there:  /root/.acme.sh/owen.ml/fullchain.cer 

The certificate was issued successfully. If issuance fails, look at the log for the details:

[root@vs-hk ~]# cat .acme.sh/acme.sh.log 
......
[Sat Mar 17 16:10:54 CST 2018] _on_issue_success
......

Note: the first -d must be a plain (non-wildcard) domain name; the wildcard goes in the second -d. The first -d also becomes the name of the directory under ~/.acme.sh/ in which the certificate is stored.

After a successful issue, the CSR, the private key, the certificate and the full chain are all stored under /root/.acme.sh/owen.ml/. Do not point the web server at these files directly: acme.sh rewrites them on every renewal, and the supported way to deploy them is acme.sh --install-cert, which copies them to paths you choose and runs a --reloadcmd after each renewal so the server picks up the new certificate.
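How the wildcard actually matches, as an added example that is not part of the original post: the POSIX sh functions below implement the one-label wildcard rule that TLS clients apply when comparing a host name with a certificate's DNS SANs (the rule from section 1 and the reason for the two -d arguments in the note above), and run it against the two names the issue command put into the certificate, owen.ml and *.owen.ml. The host names tried at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: the one-label wildcard rule that
# TLS clients apply when matching a host name against a certificate's DNS SANs.
# The SAN list used at the bottom is the one the issue command above produced
# (DNS:owen.ml,DNS:*.owen.ml); the host names tried are constructed.

# san_matches HOST SAN: succeed if HOST is covered by SAN.
# A wildcard stands for exactly one whole label at the left, so *.owen.ml covers
# www.owen.ml but not owen.ml (the apex), a.b.owen.ml (two labels) or xowen.ml.
san_matches() {
  sm_host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names compare case-insensitively
  sm_san=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $sm_san in
    \*.*)
      sm_suffix=${sm_san#\*.}                       # owen.ml
      [ "$sm_host" != "$sm_suffix" ] || return 1    # the apex is not covered by *.
      sm_prefix=${sm_host%".$sm_suffix"}            # strip a trailing ".owen.ml"
      [ "$sm_prefix" != "$sm_host" ] || return 1    # nothing stripped: wrong suffix
      [ -n "$sm_prefix" ] || return 1               # ".owen.ml" has an empty label
      case $sm_prefix in
        *.*) return 1 ;;                            # more than one label in the prefix
        *)   return 0 ;;
      esac
      ;;
    *)
      [ "$sm_host" = "$sm_san" ]                    # plain SAN: exact match only
      ;;
  esac
}

# cert_covers HOST SAN...: succeed if any SAN in the list covers HOST.
cert_covers() {
  cc_host=$1
  shift
  for cc_san in "$@"; do
    if san_matches "$cc_host" "$cc_san"; then
      return 0
    fi
  done
  return 1
}

# covered_by_cert HOST: check HOST against the names in the certificate issued above.
covered_by_cert() {
  cert_covers "$1" owen.ml '*.owen.ml'
}

# Demonstration run over constructed host names.
for h in owen.ml www.owen.ml WWW.OWEN.ML a.b.owen.ml xowen.ml mail.example.com; do
  if covered_by_cert "$h"; then
    echo "$h: covered"
  else
    echo "$h: NOT covered"
  fi
done
```

The run shows that owen.ml and www.owen.ml are covered while a.b.owen.ml is not: a second-level name such as a.b.owen.ml needs its own SAN (or a *.b.owen.ml wildcard) in the request.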

For other acme.sh usage see the GitHub wiki.

4. Using the certificate

① Configuration

Assuming the site is www.owen.ml, an Nginx example. The key and full chain are assumed to have been copied to /etc/letsencrypt/live/www.owen.ml/, for instance with acme.sh --install-cert. The original used an if ($server_port !~ 443) rewrite inside a single server block, still allowed TLS 1.0/1.1, and used a cipher list that admitted non-forward-secret suites; all three are fixed here:

# Plain HTTP: redirect everything to HTTPS from its own server block
server
{
        listen 80;
        server_name owen.ml www.owen.ml;
        return 301 https://$host$request_uri;
}

server
{
        # listen on HTTPS port 443
        listen 443 ssl http2;
        server_name owen.ml www.owen.ml;
......
        # certificate and TLS settings; serve the full chain so browsers do not complain
        ssl_certificate            /etc/letsencrypt/live/www.owen.ml/fullchain.cer;
        ssl_certificate_key        /etc/letsencrypt/live/www.owen.ml/owen.ml.key;
        # TLS 1.0/1.1 are deprecated; TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1, drop it on older builds
        ssl_protocols TLSv1.2 TLSv1.3;
        # forward-secret AEAD suites only
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        # optional: a plain-HTTP request sent to the TLS port yields nginx error 497; send it to HTTPS too
        error_page 497  https://$host$request_uri;
......
}

② Verification

Open the site in a browser; the padlock and the certificate details show that the browser accepts the certificate. (The original post shows a screenshot here.) Then check the redirect and the HTTPS response from the shell:

[root@vs-hk ~]# curl -I www.owen.ml
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 17 Mar 2018 08:53:20 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://www.owen.ml/
[root@vs-hk ~]# curl -I https://www.owen.ml
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 17 Mar 2018 08:53:31 GMT
Content-Type: text/html
Content-Length: 985
Last-Modified: Sat, 17 Mar 2018 08:32:51 GMT
Connection: keep-alive
ETag: "5aacd2b3-3d9"
Accept-Ranges: bytes

The redirect works, and because curl verifies the server certificate by default, the 200 response over HTTPS also confirms that the served chain is trusted: the certificate is deployed correctly.

One last note: like ordinary Let's Encrypt certificates, wildcard certificates are valid for 90 days. As long as ~/.acme.sh and the cron job installed above are left in place, acme.sh --cron runs every day at 00:58 and renews the certificate once it is due (60 days after issue by default). Renewal only rewrites the files under ~/.acme.sh; nginx keeps serving the old certificate until it is reloaded, which is what the --reloadcmd of --install-cert takes care of.
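Putting sections 3 and 4 together, as an added example that is not code from the original post or from the acme.sh project: the script below issues the wildcard with a scoped CloudFlare API token read from a root-only file instead of the Global API Key, deploys the files with acme.sh --install-cert so that every cron renewal also reloads nginx, and prints the certificate the server actually presents. The token file /root/.cf_token, the install directory /etc/letsencrypt/live/www.owen.ml/ and the systemctl reload command are assumptions; the acme.sh flags and the CF_Token variable name are the real ones.

```shell
#!/bin/sh
# Added example, not from the original post or from acme.sh itself.
# Assumptions (not in the original): token file /root/.cf_token, install
# directory /etc/letsencrypt/live/www.owen.ml, nginx managed by systemd.
set -eu

ACME=${ACME:-"${HOME:-/root}/.acme.sh/acme.sh"}   # where the installer above put acme.sh
DOMAIN=owen.ml
CERT_DIR=/etc/letsencrypt/live/www.owen.ml

# file_is_private FILE: succeed only if FILE has no group/other permission bits
# (mode 600 or 400). Parses ls -l so it works on GNU and BSD userland alike.
file_is_private() {
  perm=$(ls -ld "$1" | cut -c5-10)
  [ "$perm" = "------" ]
}

# load_cf_token FILE: export CF_Token (the scoped-token variable acme.sh's dns_cf
# hook reads) from the first line of FILE, refusing a file other users can read.
load_cf_token() {
  file_is_private "$1" || { echo "refusing $1: must be mode 600" >&2; return 1; }
  CF_Token=$(head -n 1 "$1")
  [ -n "$CF_Token" ] || { echo "refusing $1: no token in file" >&2; return 1; }
  export CF_Token
}

# issue_wildcard: DNS-01 through the dns_cf hook as in section 3, but with the
# wildcard quoted (no shell globbing) and the CA pinned to Let's Encrypt, which
# acme.sh 3.0+ no longer uses by default.
issue_wildcard() {
  "$ACME" --issue --server letsencrypt --dns dns_cf \
    -d "$DOMAIN" -d "*.$DOMAIN" --log
}

# install_cert: copy key and full chain to the paths nginx reads and register a
# reload command; acme.sh stores both and re-runs them after every cron renewal.
install_cert() {
  mkdir -p "$CERT_DIR"
  chmod 700 "$CERT_DIR"
  "$ACME" --install-cert -d "$DOMAIN" \
    --key-file       "$CERT_DIR/$DOMAIN.key" \
    --fullchain-file "$CERT_DIR/fullchain.cer" \
    --reloadcmd      "systemctl reload nginx"
}

# show_served_cert HOST: subject, SANs and expiry of the certificate the server
# actually presents for HOST (needs network access; -ext needs OpenSSL 1.1.1+).
show_served_cert() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
    openssl x509 -noout -subject -ext subjectAltName -enddate
}

# Only act when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then
  load_cf_token /root/.cf_token
  issue_wildcard
  install_cert
  show_served_cert "www.$DOMAIN"
fi
```

Run it on the VPS as sh deploy.sh run; without the argument it only defines the functions. Remember that acme.sh copies CF_Token into ~/.acme.sh/account.conf on first use, so that file needs the same mode-600 protection as the token file, and that the DNS token should be scoped to DNS edit rights on the one zone.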


References:
1. "#Tutorial# Getting a free Let's Encrypt wildcard certificate" (reposted with edits)

Reposted from: vircloud's blog: Getting a free Let's Encrypt wildcard SSL certificate
