Certbot: configuring a wildcard certificate
To make creating and renewing wildcard certificates easier, I wrote a small script tool, certbot_tool.
Installation
# Download the Certbot client
$ wget -c https://dl.eff.org/certbot-auto -P /usr/local/bin/
# Make it executable
$ chmod a+x /usr/local/bin/certbot-auto
$ certbot-auto --version
certbot 0.34.2
Create the certificate
# Quote the wildcard so the shell does not glob-expand it.
# A certificate for *.example.com does not cover the bare example.com; add -d example.com as well if the apex is served.
certbot-auto certonly -d '*.example.com' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
You then need to add the TXT record that certbot prints to the domain's DNS records.
Nginx configuration
server {
    listen 443 ssl;
    server_name jiexintest.net;
    ssl_certificate /etc/letsencrypt/live/jiexintest.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jiexintest.net/privkey.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 alone (plus TLSv1.3 where nginx and OpenSSL support it) is the current recommendation.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
    # Prefix match for every request; the regex form "~ /*" matched zero or more slashes and is not what was meant.
    location / {
        proxy_pass http://0.0.0.0:2020;
    }
}
server {
    listen 80;
    server_name jiexintest.net www.jiexintest.net;
    return 301 https://jiexintest.net$request_uri;
}
Automatic renewal
crontab -e
# Fields are minute hour day-of-month month day-of-week: runs at 02:30 every day in every second month.
# If certbot-auto was installed to /usr/local/bin as above, use /usr/local/bin/certbot-auto here instead of /usr/bin/certbot.
# renew does nothing until the certificate is within 30 days of expiry.
30 2 * */2 * /usr/bin/certbot renew --quiet && /bin/systemctl restart nginx
Note: issuing and renewing a wildcard certificate both use the DNS-01 challenge to verify ownership of the domain. Every renew must be validated again with a new TXT record value, and certbot-auto cannot change the DNS provider's records by itself, so an unattended renew fails. To solve this, certbot provides hooks for user-supplied update scripts: --manual-auth-hook and --manual-cleanup-hook. My script: certbot_tool
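As an added example (not the author's certbot_tool and not code from the certbot project), a minimal POSIX sh --manual-auth-hook showing what such a hook has to do: certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to it, and the hook must publish the TXT record and wait for it to propagate before returning. dns_add_txt is an assumed placeholder for the DNS provider's API client; the polling uses dig against a public resolver.

```shell
#!/bin/sh
# Invoked by certbot as:  certbot-auto certonly --manual --preferred-challenges dns \
#   --manual-auth-hook auth-hook.sh --manual-cleanup-hook cleanup-hook.sh -d '*.example.com'
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook process.
set -eu

# Name of the TXT record the ACME server will query. For a wildcard request
# certbot already passes the base name, but a leading "*." is stripped anyway.
challenge_record_name() {
    _d=${1#\*.}
    printf '_acme-challenge.%s' "$_d"
}

# Query a public resolver directly so a stale local cache cannot fool us.
lookup_txt() {
    dig +short TXT "$1" @1.1.1.1
}

# Poll until the expected value is visible, so certbot does not ask the ACME
# server to validate before propagation. Returns 1 on timeout. The lookup
# command ($3) is pluggable; POLL_TRIES and POLL_INTERVAL are tunable.
wait_for_txt() {
    _name=$1; _value=$2; _lookup=${3:-lookup_txt}
    _tries=0
    while [ "$_tries" -lt "${POLL_TRIES:-30}" ]; do
        # dig prints TXT data quoted, so match the whole quoted line exactly.
        if "$_lookup" "$_name" | grep -Fqx "\"$_value\""; then
            return 0
        fi
        _tries=$((_tries + 1))
        sleep "${POLL_INTERVAL:-10}"
    done
    return 1
}

main() {
    _name=$(challenge_record_name "$CERTBOT_DOMAIN")
    # dns_add_txt is an assumed placeholder for the DNS provider's API client;
    # the cleanup hook removes the same record name once validation is done.
    dns_add_txt "$_name" "$CERTBOT_VALIDATION"
    wait_for_txt "$_name" "$CERTBOT_VALIDATION" || {
        echo "TXT record $_name did not propagate in time" >&2
        exit 1
    }
}
# Run only when certbot actually invoked us (the variables are then set).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    main
fi
```

The matching cleanup hook receives the same CERTBOT_DOMAIN and deletes the record, so the zone does not accumulate stale _acme-challenge entries across renewals.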