The simplest way to request and renew a wildcard certificate with Certbot
Using a CentOS system as the example:
- Install the prerequisite tools (dig, snapd, etc.)
sudo yum install bind-utils -y
sudo yum install snapd
sudo systemctl enable --now snapd.socket
sudo ln -s /var/lib/snapd/snap /snap
- Install Certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
# Install the certbot-dns-dnspod plugin
sudo snap install certbot-dns-dnspod
sudo snap set certbot trust-plugin-with-root=ok
sudo snap connect certbot:plugin certbot-dns-dnspod
- Request the certificate
certbot certonly --manual --preferred-challenges dns -d *.peirenlei.cn -d peirenlei.cn
# You will be prompted to add a TXT record; add it as instructed, then press Enter to continue
# In another window, check the TXT record
dig +short TXT _acme-challenge.peirenlei.cn
## "n-abAQcNfJeGHuL81v41UHnIioftWZcyB-1jQSV5ipg"
If the value displayed matches the one in the prompt, the TXT record has taken effect; press Enter in the first command to continue.
- View the certificate that was issued
certbot certificates
Output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: peirenlei.cn-0001
Serial Number: 50d0891f0bd3093848816ddcd7d8b2aeafb
Key Type: RSA
Domains: *.peirenlei.cn peirenlei.cn
Expiry Date: 2025-08-19 10:58:49+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/peirenlei.cn-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/peirenlei.cn-0001/privkey.pem
The following renewal configurations were invalid:
/etc/letsencrypt/renewal/peirenlei.cn.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- The domain names can also be read from the nginx configuration
certbot --nginx --nginx-server-root /www/server/nginx/conf
- Configure the nginx site:
listen 80;
listen 443 ssl http2;
#SSL-START SSL-related configuration; do not delete or modify the commented 404 rule on the next line
#error_page 404/404.html;
ssl_certificate /etc/letsencrypt/live/peirenlei.cn-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/peirenlei.cn-0001/privkey.pem; # managed by Certbot
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header Strict-Transport-Security "max-age=31536000";
error_page 497 https://$host$request_uri;
#SSL-END
- Test automatic renewal
sudo certbot renew --dry-run
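Two steps above are checked by eye: comparing the TXT record that dig returns with the token Certbot shows, and reading the remaining validity from `certbot certificates`. The shell helpers below are an added example, not commands from the original post; they run the same two checks on captured output (the sample strings are constructed from the output shown above), so they can be called from a cron job or a renewal hook.

```sh
#!/bin/sh
# Added example, not part of the original post: scripted versions of the two
# checks done by eye above. Sample strings are constructed from this page.

# acme_txt_matches EXPECTED DIG_OUTPUT
# Succeeds when EXPECTED is one of the records printed by
# `dig +short TXT _acme-challenge.<domain>`. dig quotes every record and may
# list several (a stale token from an earlier run, or the two records that a
# wildcard plus apex request needs), so strip quotes and compare whole lines.
acme_txt_matches() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$2" | sed 's/^"//; s/"$//' | grep -qxF -- "$1"
}

# txt_record_count DIG_OUTPUT: number of TXT records dig returned.
txt_record_count() {
    printf '%s\n' "$1" | grep -c '^"'
}

# days_until_expiry CERTBOT_OUTPUT
# Extracts N from the "(VALID: N days)" field of `certbot certificates`.
# Prints nothing for an expired certificate (certbot shows "INVALID" there).
days_until_expiry() {
    printf '%s\n' "$1" | sed -n 's/.*(VALID: \([0-9][0-9]*\) days).*/\1/p' | head -n 1
}

# renewal_needed CERTBOT_OUTPUT [THRESHOLD_DAYS]
# Succeeds when the certificate is expired or has THRESHOLD_DAYS (default 30,
# the point at which `certbot renew` itself acts) or fewer days left.
renewal_needed() {
    days=$(days_until_expiry "$1")
    [ -z "$days" ] && return 0
    [ "$days" -le "${2:-30}" ]
}

# Constructed sample: dig output with the new token and one stale record.
SAMPLE_DIG='"n-abAQcNfJeGHuL81v41UHnIioftWZcyB-1jQSV5ipg"
"OLD-TOKEN-LEFT-OVER-FROM-A-PREVIOUS-RUN"'

# Constructed sample: the relevant lines of the `certbot certificates` output.
SAMPLE_CERTBOT='Certificate Name: peirenlei.cn-0001
Domains: *.peirenlei.cn peirenlei.cn
Expiry Date: 2025-08-19 10:58:49+00:00 (VALID: 89 days)'

if acme_txt_matches "n-abAQcNfJeGHuL81v41UHnIioftWZcyB-1jQSV5ipg" "$SAMPLE_DIG"; then
    echo "TXT record is live ($(txt_record_count "$SAMPLE_DIG") records returned)"
fi
renewal_needed "$SAMPLE_CERTBOT" && echo "renewal needed" || echo "$(days_until_expiry "$SAMPLE_CERTBOT") days left, nothing to do"
```

In real use, replace the sample strings with `$(dig +short TXT _acme-challenge.peirenlei.cn)` and `$(certbot certificates 2>/dev/null)`; dig returning the token from your resolver does not guarantee every authoritative server has it yet, so poll a few times before pressing Enter.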