CentOS7.X生成免费SSL通配符证书

  1. 云栖社区>
  2. 博客>
  3. 正文

CentOS7.X生成免费SSL通配符证书

qq2233466866 2018-06-11 15:58:39 浏览1303
展开阅读全文

安装前的准备

  1. 原文地址https://note.so1234.top
  2. 查看python版本(要求版本大于2.7.0)

    python -V
  3. 如果python版本低于2.7.0建议不要随意更新python,会影响yum的正常使用
  4. 安装库支持

    yum install yum-utils -y
    
    yum-config-manager \
    --enable \
    rhui-REGION-rhel-server-extras \
    rhui-REGION-rhel-server-optional \
  5. 安装certbot-nginx

    cd /root
    wget https://dl.eff.org/certbot-auto
    cp /root/certbot-auto /usr/local/bin/
    chmod -R 755 /usr/local/bin/certbot-auto
  6. 生成证书(*.xxx.com为通配符域名)

    certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.xxx.com" -d "xxx.com" --manual --preferred-challenges dns-01 certonly
    # 1.执行过程中输入邮箱
    # 2.执行过程中输入A同意
    # 3.执行过程中输入Y确认
    # 4.执行过程中输入Y确认
    # 5.执行过程中添加DNS的TXT解析记录,以阿里云DNS为例
        # 1.记录类型TXT
        # 1.主机记录_xxx-xxx.xxx.com
        # 1.解析线路默认
        # 1.记录值xxxxxx
        # 1.TTL 10分钟
    # 6.按下回车,提示成功!
  7. 按照成功后的提示,记下证书文件的路径,提示信息类似如下

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/xxx.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/xxx.com/privkey.pem
       Your cert will expire on 2xxx-xx-xx. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot-auto
       again. To non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
     - If you like Certbot, please consider supporting our work by:
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
    # 生成的文件放在:
    /etc/letsencrypt/live/xxx.com/fullchain.pem
    /etc/letsencrypt/live/xxx.com/privkey.pem
    # 该证书到期的时间是
    2xxx-xx-xx
    # 所以要设置自动更新证书
  8. 自动更新

    # 测试是否支持自动更新
    certbot-auto renew --dry-run
    # 使用自动更新
    certbot-auto renew
    # 在crontab配置:每5天尝试自动更新(频率小于90天即可)
    crontab -e
    0 0 */5 * * root -c certbot-auto renew
    ESC
    :wq
  9. 配置nginx
  10. 完成
  11. 领支付宝红包支持作者

    扫码领支付宝红包

网友评论

登录后评论
0/500
评论
qq2233466866
+ 关注