centos7通配ssl域名使用snap的certbot版本的lets-encrypt记录

星期日, 2021-07-25 | Author: Lee | computer, linux | 8,620 views

之前直接使用脚本的形式现在已经不支持了,需要使用snap的模式

1.安装snap

sudo yum install epel-release -y
 
sudo yum install snapd
 
sudo systemctl enable --now snapd.socket
 
sudo ln -s /var/lib/snapd/snap /snap
 
sudo snap install core
 
sudo snap refresh core

2.移除历史的版本certbot

 
sudo yum remove certbot

3.Install Certbot

 
sudo snap install --classic certbot
 
sudo ln -s /snap/bin/certbot /usr/bin/certbot

4.生成指定域名的证书信息

 
 sudo certbot  certonly --email xxx@xxx.com --manual -d *.xxx.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

会显示要配置下 DNS的TXT配置下即可(到域名服务商那边配置)

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.xxx.com
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
 
_acme-challenge.xxx.com.
 
with the following value:
 
ndQEiaMxxxxxxxxxxLat9pMGFAI9odZrc
 
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.xxx.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
 
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/xxx.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/xxx.com/privkey.pem
This certificate expires on 2021-10-23.
These files will be updated when the certificate renews.
 
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

5.配置NGINX下的证书信息再重新reload即可

 
 ssl_certificate     /etc/letsencrypt/live/xxx.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;

6.后续续期执行certbot renew

certbot renew

Tags: , , ,

文章作者: Lee

本文地址: https://www.pomelolee.com/2168.html

除非注明,Pomelo Lee文章均为原创,转载请以链接形式标明本文地址

No comments yet.

Leave a comment

Search

文章分类

Links

Meta