I previously wrote an article, "Using Certbot on Ubuntu 18.04 to request and configure a Let's Encrypt single-domain certificate for a website", which covered installing Certbot by hand on Ubuntu 18.04 and requesting a Let's Encrypt single-domain certificate. This time, using the domain lattecloud.cc as the example, I will show how to use Certbot to request and install a Let's Encrypt wildcard certificate. The steps follow.

Installing Certbot

Add the package source

Run the following in a terminal to add the PPA:

apt install software-properties-common -y && add-apt-repository ppa:certbot/certbot -y

Install Certbot

Install certbot with:

apt update && apt install python-certbot-nginx -y

Issuing the wildcard certificate

Run the following in a terminal to issue the wildcard certificate:

certbot certonly \
--email i@timelate.com \
--agree-tos \
--preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual \
-d lattecloud.cc \
-d *.lattecloud.cc

Note that the whole command above must be copied and run together in the terminal. The parameters are:

certonly: obtain or renew a certificate, but do not install it on this machine
--email: the address that receives important notices about the account; optional, but recommended
--agree-tos: agree to the ACME server's subscriber agreement
--preferred-challenges dns: validate using the DNS challenge
--server https://acme-v02.api.letsencrypt.org/directory: use the acme-v02 endpoint, because the default endpoint is acme-v01, which does not support wildcard validation
--manual: validate interactively, by hand
-d lattecloud.cc: the domain to validate. Note that both the bare apex domain lattecloud.cc and the wildcard *.lattecloud.cc must be listed; if you list only *.lattecloud.cc, the resulting certificate will not be valid for lattecloud.cc

Once the command runs, the terminal prints the following and asks whether you agree to the IP address of the machine requesting the certificate being logged. Type Y and press Enter:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for lattecloud.cc
dns-01 challenge for lattecloud.cc

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

After pressing Enter, the terminal prints the following and asks you to create a TXT record to prove ownership of the domain. Add the corresponding TXT record at your DNS provider and confirm that it resolves. In a second SSH window you can run dig -t txt _acme-challenge.lattecloud.cc @8.8.8.8 to check the resolution; if the ANSWER SECTION contains _acme-challenge.lattecloud.cc. 299 IN TXT "73kvVAMvFGenzJE_spiVbDV2Ivpz3tGnDJT8UObQxdE", the record is live. Once it is live, press Enter to move to the next step:

Please deploy a DNS TXT record under the name
_acme-challenge.lattecloud.cc with the following value:

73kvVAMvFGenzJE_spiVbDV2Ivpz3tGnDJT8UObQxdE

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

After pressing Enter, the terminal prints the following and asks for a second TXT record. Because we are actually issuing the certificate for two names, lattecloud.cc and *.lattecloud.cc, two TXT records are needed. Add the record, confirm it is live, then press Enter to run domain validation and issue the certificate. Note: when adding this second TXT record, do not modify or delete the earlier one; both records must stay live at the same time:

Please deploy a DNS TXT record under the name
_acme-challenge.lattecloud.cc with the following value:

my08-oqD9WV7Z2Mpgac1-CV_eP2ZwIBbmN7t2Cdk7xs

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
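The manual DNS challenge fails if either token is missing when you press Enter, and DNS providers often take a minute or more to publish a new record. The following shell script is an added example, not part of the original post: it queries the public resolver the post uses and confirms that every expected _acme-challenge TXT value is visible before you continue. The domain, resolver and the two tokens are taken from the post's own session; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): check that every expected
# _acme-challenge TXT value is published before pressing Enter in certbot.
# Usage: sh acme-txt-check.sh lattecloud.cc TOKEN1 TOKEN2

RESOLVER="8.8.8.8"   # public resolver used in the post; any recursive resolver works

# Print the TXT values currently published for _acme-challenge.<domain>,
# one per line, with the quotes that `dig +short` adds stripped off.
acme_txt_values() {
    dig +short -t txt "_acme-challenge.$1" "@$RESOLVER" | tr -d '"'
}

# Return 0 only when every expected token (arguments after the domain) is
# among the published TXT values; report which tokens are still missing.
# Both certbot prompts must be satisfied at once, so pass all tokens together.
acme_challenge_ready() {
    domain="$1"; shift
    published=$(acme_txt_values "$domain")
    missing=0
    for token in "$@"; do
        # -x: whole-line match, -F: literal (tokens contain '-' and '_')
        if printf '%s\n' "$published" | grep -qxF -- "$token"; then
            echo "present: $token"
        else
            echo "MISSING: $token"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Stand-alone use: domain followed by the tokens certbot displayed, e.g.
#   sh acme-txt-check.sh lattecloud.cc \
#       73kvVAMvFGenzJE_spiVbDV2Ivpz3tGnDJT8UObQxdE \
#       my08-oqD9WV7Z2Mpgac1-CV_eP2ZwIBbmN7t2Cdk7xs
if [ "$#" -ge 2 ]; then
    acme_challenge_ready "$@"
fi
```

Run it in the second SSH window after adding each record; a zero exit status means certbot's validation will see both values. Note that the resolver's cached answer is what Let's Encrypt's own lookup will resemble, so checking at an authoritative name server alone is not enough.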

After pressing Enter, domain validation runs; once it succeeds, the wildcard certificate is issued and the terminal prints the following:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/lattecloud.cc/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/lattecloud.cc/privkey.pem
   Your cert will expire on 2020-05-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The issued wildcard certificate is valid for three months and must be renewed before it expires. The certificate paths are:

certificate: /etc/letsencrypt/live/lattecloud.cc/fullchain.pem
key:         /etc/letsencrypt/live/lattecloud.cc/privkey.pem

Checking the certificate

Run the following in a terminal to inspect the certificate:

openssl x509 -in /etc/letsencrypt/live/lattecloud.cc/cert.pem  -noout -text

The key part of the output is below: the certificate covers the names *.lattecloud.cc and lattecloud.cc.

   X509v3 Subject Alternative Name:
        DNS:*.lattecloud.cc, DNS:lattecloud.cc

Installing the wildcard certificate

Installation is simple: add the certificate to the nginx server block and enable ssl. Note that if the server hosting the website is not the server on which the certificate was requested, the certificate must be transferred to the web server. The easiest approach is to copy the whole /etc/letsencrypt directory to the target server, for example with scp:

scp -r -P 22 /etc/letsencrypt root@1.1.1.1:/etc/letsencrypt

Here -P 22 is the target server's ssh port and 1.1.1.1 is the target server's IP address; adjust both to match your setup. A sample ssl configuration for reference:

server {
    listen 443 ssl;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 alone serves current clients
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # fullchain.pem = leaf certificate + intermediate; privkey.pem = the private key
    ssl_certificate /etc/letsencrypt/live/lattecloud.cc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/lattecloud.cc/privkey.pem;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    index index.php;
    server_name    www.lattecloud.cc;
    root  /var/www/www.lattecloud.cc;
    ……
}

After editing the configuration, remember to reload nginx for it to take effect. If nginx reports no errors, open the site to see the result:

service nginx reload
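Reloading nginx with a certificate that does not match its key, does not cover the server_name, or is about to expire takes the site down in a way that is easy to miss until a browser complains. The following shell script is an added example, not part of the original post: it runs the same openssl inspection the post uses and gates the reload on three checks. It also encodes the rule behind the post's note on -d: a wildcard entry matches exactly one label, so *.lattecloud.cc covers www.lattecloud.cc but not lattecloud.cc itself. The paths follow the post's layout; the hostnames being checked, the 30-day threshold and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run before
# `service nginx reload` after dropping a new Let's Encrypt certificate in.
# Usage: sh cert-deploy-check.sh --deploy

LIVE=/etc/letsencrypt/live/lattecloud.cc   # certbot's live directory from the post
MIN_DAYS=30                                # assumed renewal threshold

# Does one SAN entry cover a hostname? A wildcard matches exactly one label:
# *.lattecloud.cc covers www.lattecloud.cc, but neither lattecloud.cc nor
# a.b.lattecloud.cc (RFC 6125 section 6.4.3 semantics).
san_matches() {
    san="$1"; host="$2"
    case "$san" in
        '*.'*)
            suffix="${san#\*.}"
            # host must have at least one label in front of the suffix
            [ "${host#*.}" = "$suffix" ] && [ "${host%%.*}" != "$host" ]
            ;;
        *)
            [ "$san" = "$host" ]
            ;;
    esac
}

# $1 is the SAN list exactly as openssl prints it ("DNS:a, DNS:b");
# the remaining arguments are hostnames that must all be covered.
names_covered() {
    sans=$(printf '%s' "$1" | tr ',' ' ' | sed 's/DNS://g'); shift
    rc=0
    set -f   # keep the shell from globbing the '*' in wildcard entries
    for host in "$@"; do
        ok=0
        for san in $sans; do
            if san_matches "$san" "$host"; then ok=1; fi
        done
        if [ "$ok" -eq 1 ]; then
            echo "covered: $host"
        else
            echo "NOT covered: $host"; rc=1
        fi
    done
    set +f
    return "$rc"
}

# The SAN line that follows the "Subject Alternative Name" header in
# `openssl x509 -text`, i.e. the line the post inspects by hand.
cert_sans() {
    openssl x509 -in "$1" -noout -text | awk '/Subject Alternative Name/ { getline; print }'
}

# Certificate and key are a pair only if they carry the same public key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# -checkend exits non-zero if the certificate expires within N seconds.
not_expiring_soon() {
    openssl x509 -in "$1" -noout -checkend $(( MIN_DAYS * 86400 ))
}

deploy_check() {
    cert="$LIVE/fullchain.pem"; key="$LIVE/privkey.pem"
    # hostnames are assumptions: the post's apex and its www server_name
    names_covered "$(cert_sans "$cert")" lattecloud.cc www.lattecloud.cc || return 1
    key_matches_cert "$cert" "$key" || { echo "private key does not match certificate"; return 1; }
    not_expiring_soon "$cert" || { echo "certificate expires within $MIN_DAYS days"; return 1; }
    nginx -t && service nginx reload
}

if [ "$#" -gt 0 ] && [ "$1" = "--deploy" ]; then
    deploy_check
fi
```

The expiry check doubles as a renewal monitor: running `not_expiring_soon` from cron against the live certificate flags a wildcard certificate whose renewal has silently stalled, which is the common failure mode with --manual DNS challenges, since `certbot renew` cannot re-create the TXT records on its own.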

With the steps above you can use Certbot on Ubuntu 18.04 to request and install a Let's Encrypt wildcard certificate. That concludes this article.
