1 Introduction
To serve HTTPS you need an SSL/TLS certificate. In principle you can generate one yourself with a tool such as OpenSSL, but such a self-signed certificate is only good for your own testing: browsers do not trust it and will warn the user that the connection is not secure. Browsers only accept certificates that chain to a certificate authority (CA) in their trust store, and for commercial use certificates are normally bought from one of those CAs. Fortunately there is also Let's Encrypt, an open CA that issues certificates free of charge; the trade-off is that each certificate is valid for only 90 days, so renewal has to be repeated regularly (or automated).
2 Details
2.1 Installation
Certbot is a free, automated, open-source tool for requesting certificates from Let's Encrypt. On Ubuntu, Certbot can be installed from the distribution's apt repositories. If apt does not recognise the certbot package, the route used in this post was to add Certbot's PPA:
- sudo apt install software-properties-common
- sudo add-apt-repository universe
- sudo add-apt-repository ppa:certbot/certbot
- sudo apt update
Note that the ppa:certbot/certbot repository is no longer maintained; Certbot's own installation instructions now recommend the snap package, which tracks current releases:
- sudo snap install --classic certbot
2.2 Domains
Usually the domain we register is the apex (bare) domain, for example the author's charlee44.com. Besides that, the wildcard *.charlee44.com is also commonly used: once you have built a site on charlee44.com and its functionality grows, you will soon want a sub-site such as sub.charlee44.com. A wildcard certificate for *.charlee44.com does not cover the apex charlee44.com itself (nor deeper names such as a.b.charlee44.com), so it is best to put the apex and the wildcard on one certificate rather than request two separately.
2.3 Steps
Run the following command in a terminal (as root or with sudo, since certbot writes to /etc/letsencrypt):
- certbot certonly -d charlee44.com -d '*.charlee44.com' --manual --preferred-challenges dns
This requests a single certificate covering both charlee44.com and *.charlee44.com. The quotes around the wildcard stop the shell from expanding * as a glob. Wildcard names can only be validated with the DNS-01 challenge, hence --preferred-challenges dns; --manual means you will create the DNS records yourself; certonly obtains the certificate without modifying any web-server configuration. You will then see the following prompt:
- Saving debug log to /var/log/letsencrypt/letsencrypt.log
- Requesting a certificate for charlee44.com and *.charlee44.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Please deploy a DNS TXT record under the name:
- _acme-challenge.charlee44.com.
- with the following value:
- xxxxxxxxxxxxxxxxxxxxxxxxxxxx
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Press Enter to Continue
This prompt asks you to publish the string xxxxxxxxxxxxxxxxxxxxxxxxxxxx as a TXT record for the name _acme-challenge.charlee44.com. That is done in your DNS provider's management console. The record must be resolvable from the public internet, because the Let's Encrypt validation servers query it themselves; a record visible only to your own resolver will not pass.
Press Enter:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Please deploy a DNS TXT record under the name:
- _acme-challenge.charlee44.com.
- with the following value:
- xxxxxxxxxxxxxxxxxxxxxxxxxxxx
- (This must be set up in addition to the previous challenges; do not remove,
- replace, or undo the previous challenge tasks yet. Note that you might be
- asked to create multiple distinct TXT records with the same name. This is
- permitted by DNS standards.)
- Before continuing, verify the TXT record has been deployed. Depending on the DNS
- provider, this may take some time, from a few seconds to multiple minutes. You can
- check if it has finished deploying with aid of online tools, such as the Google
- Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.charlee44.com.
- Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
- value(s) you've just added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Press Enter to Continue
Because we are requesting the certificate for two names, the step above is repeated. Note that the apex and the wildcard get different xxxxxxxxxxxxxxxxxxxxxxxxxxxx strings, but both are published as TXT records under the same name, _acme-challenge.charlee44.com. Do not delete or overwrite the first record when adding the second: both must exist at the same time, because certbot only validates the challenges after you confirm the last prompt, and if one value is missing it reports that some challenges have failed. In the Alibaba Cloud DNS console this means giving the _acme-challenge host record two TXT values, as shown below:
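Before pressing Enter on the second prompt, it is worth confirming that both TXT values are actually visible at your zone's authoritative nameserver rather than trusting the console. The script below is an added example, not part of the original post or of Certbot: it normalises the output of dig +short TXT and checks that every expected value is present, which is exactly the apex-plus-wildcard case of two records under one name. The nameserver ns1.example-dns.net and the token strings are placeholders (assumptions), and SAMPLE is constructed dig output so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post or Certbot): verify that every
# expected _acme-challenge TXT value is published before continuing in certbot.
# Assumptions: `dig` (dnsutils / bind-utils) is installed for real use, and the
# nameserver and token values below are placeholders you replace with your own.

# Normalise `dig +short TXT` output: one value per line, surrounding quotes removed.
# ACME values are 43 characters, so they never hit the 255-byte split into
# multiple quoted strings.
txt_values() {
  sed -n 's/^"\(.*\)"$/\1/p'
}

# has_all_txt DIG_OUTPUT VALUE...  -> exit 0 only if every VALUE is present.
# Two records under the same name (apex + wildcard) is the normal case here.
has_all_txt() {
  _out=$1; shift
  for _v in "$@"; do
    printf '%s\n' "$_out" | txt_values | grep -qxF -- "$_v" || return 1
  done
  return 0
}

# wait_for_txt NAME NS VALUE...  -> poll the authoritative server (not your
# local resolver, which may cache a stale answer) until all values show up.
wait_for_txt() {
  _name=$1; _ns=$2; shift 2
  _tries=0
  while [ "$_tries" -lt 30 ]; do
    if has_all_txt "$(dig +short TXT "$_name" "@$_ns")" "$@"; then
      echo "all TXT values deployed for $_name"; return 0
    fi
    _tries=$((_tries + 1)); sleep 10
  done
  echo "timed out waiting for $_name" >&2; return 1
}

# Constructed sample: what `dig +short TXT _acme-challenge.charlee44.com` might
# return once both records exist (placeholder values, not real ACME tokens).
SAMPLE='"token-for-apex-xxxxxxxx"
"token-for-wildcard-yyyyyyyy"'

demo() {
  if has_all_txt "$SAMPLE" token-for-apex-xxxxxxxx token-for-wildcard-yyyyyyyy; then
    echo "sample: both values present, safe to press Enter"
  fi
  if ! has_all_txt "$SAMPLE" token-for-apex-xxxxxxxx token-for-missing-zzzz; then
    echo "sample: a value is still missing, do not press Enter yet"
  fi
}
demo
# Real use, after adding both TXT records in the DNS console (placeholder NS):
#   wait_for_txt _acme-challenge.charlee44.com ns1.example-dns.net VALUE1 VALUE2
```

Querying the authoritative server with @ns sidesteps negative caching on your local resolver; the Let's Encrypt validators likewise resolve the name from the authoritative side, so a positive answer here is the signal you want.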
Press Enter:
- Successfully received certificate.
- Certificate is saved at: /etc/letsencrypt/live/charlee44.com-0001/fullchain.pem
- Key is saved at: /etc/letsencrypt/live/charlee44.com-0001/privkey.pem
- This certificate expires on 2025-09-29.
- These files will be updated when the certificate renews.
- NEXT STEPS:
- - This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- If you like Certbot, please consider supporting our work by:
- * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
- * Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Two of the generated files matter for HTTPS:
- /etc/letsencrypt/live/charlee44.com-0001/fullchain.pem: the server certificate followed by the intermediate chain, which is what the server sends to clients.
- /etc/letsencrypt/live/charlee44.com-0001/privkey.pem: the private key matching the certificate's public key; the server uses it in the TLS handshake to prove it holds that key. It is never sent to clients and should stay readable by root only.
Most HTTPS setups need only these two files. A few practical notes: the -0001 suffix means a lineage named charlee44.com already existed on this machine, so make sure the web server points at the new directory (or pass --cert-name to reuse the existing name); the paths under live/ are symlinks into archive/ that are updated on renewal, so configure the server with the live/ paths rather than the archive/ ones; and, as the output says, a --manual certificate is not renewed automatically. Either repeat the same command before the expiry date, or write a --manual-auth-hook script that creates the TXT record through your DNS provider's API (certbot passes the name and the value to the hook in the CERTBOT_DOMAIN and CERTBOT_VALIDATION environment variables) so that certbot renew can run unattended.
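Before pointing a web server at the new lineage, it pays to check the certificate itself rather than the certbot output. The script below is an added example, not code from the original post or from Certbot: it lists the Subject Alternative Names in a fullchain.pem, checks whether a hostname is matched under the single-label wildcard rule (so sub.charlee44.com matches *.charlee44.com but a.b.charlee44.com and the apex do not), and checks how much validity remains. It assumes openssl 1.1.1 or newer; because it has to run offline, make_demo_cert builds a constructed self-signed stand-in with the same SAN layout instead of reading the real Let's Encrypt files.

```shell
#!/bin/sh
# Added example (not from the original post or Certbot): sanity-check an issued
# fullchain.pem before deploying it. Assumes openssl >= 1.1.1 (-ext / -addext).

# Print the DNS names from the Subject Alternative Name extension, one per line.
cert_san_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# cert_covers PEM NAME -> 0 if NAME is an exact SAN entry.
cert_covers() { cert_san_names "$1" | grep -qxF -- "$2"; }

# cert_matches PEM HOST -> 0 if HOST is matched by an exact entry or by a
# single-label wildcard: "*.charlee44.com" matches "sub.charlee44.com" but
# neither the apex "charlee44.com" nor "a.b.charlee44.com".
cert_matches() {
  _host=$2
  case $_host in
    *.*) _parent=${_host#*.} ;;
    *)   _parent='' ;;
  esac
  cert_covers "$1" "$_host" && return 0
  [ -n "$_parent" ] && cert_covers "$1" "*.$_parent"
}

# cert_valid_for PEM DAYS -> 0 if the certificate is still valid DAYS from now
# (openssl -checkend takes seconds).
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed stand-in: a self-signed certificate with the same SAN layout as the
# Let's Encrypt certificate obtained above, so the checks can run offline.
make_demo_cert() {
  _dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$_dir/privkey.pem" -out "$_dir/fullchain.pem" \
    -subj '/CN=charlee44.com' \
    -addext 'subjectAltName=DNS:charlee44.com,DNS:*.charlee44.com' 2>/dev/null
  printf '%s\n' "$_dir/fullchain.pem"
}

demo() {
  _pem=$(make_demo_cert)
  echo "SAN entries:"; cert_san_names "$_pem"
  for _n in charlee44.com sub.charlee44.com a.b.charlee44.com; do
    if cert_matches "$_pem" "$_n"; then echo "matched: $_n"; else echo "NOT matched: $_n"; fi
  done
  if cert_valid_for "$_pem" 20; then echo "still valid in 20 days"; fi
  cert_valid_for "$_pem" 60 || echo "expires within 60 days: schedule renewal"
}
demo
# Real use:
#   cert_matches /etc/letsencrypt/live/charlee44.com-0001/fullchain.pem sub.charlee44.com
```

The 30-day lifetime of the stand-in mirrors the practical situation with Let's Encrypt: with 90-day certificates, a check such as cert_valid_for with a threshold of 30 days is the usual trigger for running the renewal command again.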