A wildcard certificate is of no real use to a small blog, but it is fashionable. This post records the process of requesting RSA and ECDSA wildcard certificates from Let's Encrypt with Certbot.
1 Installing Certbot
Wildcard certificates are only issued through the ACME v2 endpoint, which needs Certbot 0.22 or newer. If certbot is already installed, a plain yum update is usually enough; for a fresh install, proceed as follows.
First update the system:
yum update -y
Check the OS release:
cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core)
Enable the EPEL repository (certbot is packaged there, not in the base repos):
yum install epel-release -y
Install certbot:
yum install certbot -y
Confirm the version is at least 0.22:
certbot --version
certbot 0.22.0
2 Requesting an RSA wildcard certificate
2.1 Run the request command
Replace co1dawn.com and *.co1dawn.com with your own domain. Both names are needed: a wildcard *.co1dawn.com covers one label of subdomains but not the bare domain itself. The command runs the manual plugin, so it does not depend on nginx (or any web server) and can be run from any machine where you can edit DNS:
certbot -d co1dawn.com -d *.co1dawn.com --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly --agree-tos
Enter a contact email address; Let's Encrypt sends expiry reminders and security notices to it:
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):
To skip the email prompt (and forgo the expiry reminders), append this flag to the command:
--register-unsafely-without-email
Next certbot asks whether the IP address of the machine making the request may be publicly logged. Without agreeing you cannot continue:
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y
After agreeing, certbot prints one DNS challenge for each of the two names. Press Enter at the first "Press Enter to Continue" (this only reveals the second challenge; nothing is validated yet), but do NOT press Enter at the second one until both TXT records are live, because validation of both names starts as soon as the last prompt is confirmed:
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.co1dawn.com with the following value:

iLS0NjcdP3RR1KphB6xbbVnKS_NS2uMW-xdDRzz85OM

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue        # press Enter here
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.co1dawn.com with the following value:

f3V7aw5GPm5yzNsJFanQQaUFMyVQcqriUe3UjIDUHn0

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue        # do NOT press Enter yet
2.2 Add the TXT records to DNS
Open the DNS management page for your domain and add two TXT records. Both share the same name, because the challenge for co1dawn.com and the one for *.co1dawn.com are both published at _acme-challenge.co1dawn.com; do not overwrite the first record with the second. In most panels it is enough to enter _acme-challenge as the name (Name) and the value certbot printed as the content (Target); some providers want the fully qualified name instead, so adjust to what your provider expects:

Name                Target
_acme-challenge     iLS0NjcdP3RR1KphB6xbbVnKS_NS2uMW-xdDRzz85OM
_acme-challenge     f3V7aw5GPm5yzNsJFanQQaUFMyVQcqriUe3UjIDUHn0
Wait a moment for the records to propagate. The command below queries your local resolver; if you ran it before the records existed, the resolver may have cached the empty answer for the record's TTL, so either wait or query the zone's authoritative nameservers directly. The command and the expected output once both records are live:
host -t txt _acme-challenge.co1dawn.com
_acme-challenge.co1dawn.com descriptive text "iLS0NjcdP3RR1KphB6xbbVnKS_NS2uMW-xdDRzz85OM"
_acme-challenge.co1dawn.com descriptive text "f3V7aw5GPm5yzNsJFanQQaUFMyVQcqriUe3UjIDUHn0"
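The check a practitioner wants before pressing Enter at the second prompt, as an added example that is not part of the original post: a small shell script that queries the zone's authoritative nameservers directly (so a cached empty answer in the local resolver cannot hide a live record) and waits until every TXT value certbot asked for is served. It assumes dig(1) is installed (package bind-utils on CentOS 7); the domain and the two values in the usage line are the ones from the prompts above.

```shell
#!/bin/sh
# Added example (not from the original post): wait until all _acme-challenge
# TXT values are visible on the authoritative nameservers before continuing
# certbot. Assumes dig(1) from bind-utils.
set -u

# Normalise dig's TXT output: drop the surrounding quotes and join the quoted
# chunks of a long record, leaving one value per line.
normalise_txt() {
    sed -e 's/^"//' -e 's/"$//' -e 's/" "//g'
}

# all_present SEEN VALUE... : 0 if every VALUE occurs as a whole line in SEEN.
all_present() {
    local seen="$1" want
    shift
    for want in "$@"; do
        printf '%s\n' "$seen" | grep -qxF -- "$want" || return 1
    done
    return 0
}

# authoritative_txt NAME ZONE : TXT values for NAME as served by each of the
# zone's authoritative nameservers (bypasses the local resolver's cache).
authoritative_txt() {
    local ns
    for ns in $(dig +short NS "$2"); do
        dig +short @"$ns" TXT "$1"
    done | normalise_txt
}

# wait_for_txt NAME ZONE VALUE... : poll every 10 s, give up after ~5 minutes.
wait_for_txt() {
    local name="$1" zone="$2" i
    shift 2
    for i in $(seq 1 30); do
        if all_present "$(authoritative_txt "$name" "$zone")" "$@"; then
            echo "all $# TXT values for $name are live on the authoritative servers"
            return 0
        fi
        sleep 10
    done
    echo "timed out waiting for TXT records on $name" >&2
    return 1
}

# Usage with the two values certbot printed above (run this, then press Enter
# at the second prompt once it reports success):
#   wait_for_txt _acme-challenge.co1dawn.com co1dawn.com \
#       iLS0NjcdP3RR1KphB6xbbVnKS_NS2uMW-xdDRzz85OM \
#       f3V7aw5GPm5yzNsJFanQQaUFMyVQcqriUe3UjIDUHn0
```

Querying the authoritative servers matters because Let's Encrypt validates against them, not against whatever your local resolver has cached; a record that `host` still cannot see may already be fine, and one that `host` shows from cache may not yet be on every authoritative server.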
2.3 Continue the request
Once step 2.2 shows both TXT records resolving, go back to the certbot session from step 2.1, press Enter at the second prompt and wait:
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/co1dawn.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/co1dawn.com-0001/privkey.pem
   Your cert will expire on 2018-06-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
This means a new certificate and private key have been issued. Note the -0001 suffix in the path: certbot appends it when a lineage named co1dawn.com already exists (here from an earlier non-wildcard certificate), so point the ssl_certificate and ssl_certificate_key directives in the nginx configuration at the new directory and reload nginx. One caveat for later: a certificate obtained with the manual plugin and a dns-01 challenge cannot be renewed unattended by "certbot renew" unless you supply a script with --manual-auth-hook that publishes the new TXT record; otherwise you must repeat this manual procedure before the expiry date.
3 Requesting an ECDSA wildcard certificate
3.1 Generate a certificate signing request that covers the wildcard
For the general procedure see the article "Generating an ECDSA certificate for nginx with Let's Encrypt's Certbot"; the file names below are essentially the same as in that article.
Generate the ECDSA private key (the file contains the key, so keep it readable only by root):
openssl ecparam -genkey -name secp384r1 > ec.key
The command that generates the CSR must be changed to add both names as subjectAltName entries, since the CN alone does not cover the wildcard. It relies on bash process substitution, and /usr/local/ssl/openssl.cnf is where a source-built OpenSSL keeps its config; the CentOS package installs it at /etc/pki/tls/openssl.cnf, so adjust the path to your installation:
openssl req -new -sha384 -key ec.key -subj "/CN=co1dawn.com" -reqexts SAN -config <(cat /usr/local/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:co1dawn.com,DNS:*.co1dawn.com")) -outform der -out ec-der.csr
ec.key is the private key generated above.
Replace co1dawn.com with your own domain (in both the CN and the two DNS: entries).
ec-der.csr is the resulting CSR covering the wildcard, here in DER format (certbot's --csr accepts PEM or DER); it is assumed to be placed under /usr/local/src and is used below.
3.2 Request the wildcard certificate
The steps are the same as for the RSA wildcard certificate. Let's Encrypt keeps the successful authorizations from the RSA request for these two names valid for a while, so the second request usually needs no new DNS challenge at all. If certbot does print new TXT values, those authorizations have expired: each fresh challenge has a fresh token, and the old records will not validate, so update the TXT records with the new values before continuing.
certbot -d co1dawn.com -d *.co1dawn.com --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly --csr "/usr/local/src/ec-der.csr"
Then press Enter at each prompt. Two differences from the RSA case: with --csr certbot writes the certificate and chain into the current working directory (or to the paths given with --cert-path, --chain-path and --fullchain-path) rather than under /etc/letsencrypt/live, and such certificates are not tracked by "certbot renew", so the command above has to be re-run before expiry. The private key for nginx is the ec.key generated in step 3.1.
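Added example, not from the original post or the referenced article, covering step 3.1 and the check worth doing before pointing nginx at any of the certificates from sections 2 and 3: generate the P-384 key with restrictive permissions, build the wildcard CSR from a temporary OpenSSL config so the command does not depend on where openssl.cnf lives, print the SANs the CSR actually carries, and compare the public key inside an issued certificate with the private key. The domain, file names and the cert.pem path in the usage note are assumptions; the CSR is written in PEM, which certbot's --csr accepts just like DER.

```shell
#!/bin/sh
# Added example (not from the original post): ECDSA key, wildcard CSR with
# SANs from a self-contained config, and key/certificate consistency checks.
set -u

# make_ec_key KEYFILE : P-384 private key, created readable only by its owner.
make_ec_key() {
    (umask 077 && openssl ecparam -genkey -name secp384r1 -noout -out "$1")
}

# make_wildcard_csr DOMAIN KEYFILE CSRFILE : CSR for DOMAIN and *.DOMAIN (PEM).
# A temporary config avoids depending on /usr/local/ssl or /etc/pki/tls paths.
make_wildcard_csr() {
    local domain="$1" key="$2" csr="$3" cfg
    cfg=$(mktemp)
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
CN = $domain
[san]
subjectAltName = DNS:$domain, DNS:*.$domain
EOF
    openssl req -new -sha384 -key "$key" -config "$cfg" -out "$csr"
    rm -f "$cfg"
}

# csr_sans CSRFILE : the SAN line of the request, e.g.
# "DNS:co1dawn.com, DNS:*.co1dawn.com" (check it before sending to certbot).
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^[[:space:]]*//'
}

# SHA-256 of the DER-encoded public key taken from a private key file.
key_pubkey_fpr() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key embedded in a certificate.
cert_pubkey_fpr() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_key CERTFILE KEYFILE : 0 if the certificate was issued for KEYFILE.
# Run this before reloading nginx; a mismatch makes every TLS handshake fail.
cert_matches_key() {
    [ "$(cert_pubkey_fpr "$1")" = "$(key_pubkey_fpr "$2")" ]
}

# Usage (assumed file names):
#   make_ec_key ec.key
#   make_wildcard_csr co1dawn.com ec.key ec.csr
#   csr_sans ec.csr                      # expect DNS:co1dawn.com, DNS:*.co1dawn.com
#   ... certbot ... certonly --csr ec.csr ...
#   cert_matches_key cert.pem ec.key && echo "certificate and key belong together"
```

The same cert_matches_key check applies to the RSA certificate from section 2 (pass the fullchain.pem and privkey.pem paths certbot printed), and csr_sans is the quickest way to confirm the -reqexts/SAN part of the openssl command really took effect, which is the usual reason a --csr request comes back covering only the CN.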