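Help Documentation

How to obtain a wildcard domain security certificate for free

Requesting a free Let's Encrypt wildcard certificate with certbot

First, the runtime environment: CentOS 7.x or later.

1. Install with yum: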

yum -y install epel-release

yum -y install certbot

2. Official site: https://certbot.eff.org/

After certbot is installed on CentOS 7 or later, run the following command:

certbot certonly --preferred-challenges dns --manual -d yisoftai.cn -d '*.yisoftai.cn' --server https://acme-v02.api.letsencrypt.org/directory --register-unsafely-without-email

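Meaning of the certbot command parameters:

--manual: obtain/install the certificate in manual mode.

--agree-tos: agree to the Let's Encrypt terms of service.

--server: specifies the URL of the certificate authority's ACME protocol server.

--register-unsafely-without-email: registers a new account with Let's Encrypt without providing an email address.

--preferred-challenges: specifies the priority order of ACME challenges.

-d: includes both the first-level domain and the second-level wildcard domain in the certificate.

3. After running the command above, certbot prompts for DNS TXT record validation; validation is done with a TXT record: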

Please deploy a DNS TXT record under the name

_acme-challenge.yisoftai.cn with the following value:

bYhu8dbUkMqVF6To8l_v-kUMiAxgoCf_d_MINRsKS7s

Before continuing, verify the record is deployed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4. After the DNS record has been set, it can be checked with the following command:

dig TXT _acme-challenge.yisoftai.cn

;; ANSWER SECTION:

_acme-challenge.yisoftai.cn. 600 IN TXT "bYhu8dbUkMqVF6To8l_v-kUMiAxgoCf_d_MINRsKS7s"

This shows that the verification succeeded.
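
The check from step 4 as a reusable script, added here as an example and not part of the original document: it asks every authoritative nameserver for the zone directly, so a cached resolver answer cannot hide a record that has not propagated, and it accepts several expected values because a request for both yisoftai.cn and *.yisoftai.cn produces one challenge value per name under the same _acme-challenge record. The function names, the second sample value, and the assumption that the domain passed in is the zone apex are illustrative.

```shell
#!/bin/sh
# Added example: confirm ACME dns-01 TXT values are published before
# pressing Enter in certbot. Function names are illustrative.

# Constructed sample of `dig +short TXT _acme-challenge.yisoftai.cn` output.
# The first value is the one shown in step 3; the second is made up.
SAMPLE_DIG_OUTPUT='"bYhu8dbUkMqVF6To8l_v-kUMiAxgoCf_d_MINRsKS7s"
"constructed-second-challenge-value"'

# Strip the quotes dig prints and join TXT records that were split
# into several strings ("part1" "part2").
txt_values() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# stdin: `dig +short TXT` output; args: expected challenge values.
# Prints every expected value that is missing; returns 0 only if none is.
missing_values() {
    published=$(txt_values)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$published" | grep -Fqx -- "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: check_challenge yisoftai.cn VALUE [VALUE...]
# Assumes the domain is the zone apex, so its NS set is authoritative.
check_challenge() {
    domain=$1
    shift
    checked=0
    for ns in $(dig +short NS "$domain"); do
        checked=$((checked + 1))
        if ! dig +short TXT "_acme-challenge.$domain" "@$ns" |
            missing_values "$@" >/dev/null; then
            echo "challenge value not yet served by $ns" >&2
            return 1
        fi
    done
    # No nameserver answered: treat as failure, not as success.
    [ "$checked" -gt 0 ]
}
```

Run check_challenge with every value certbot printed, and press Enter only once it returns 0.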

5. Press any key to continue (Press Enter to Continue) to generate the domain security certificate.


Press Enter to Continue
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yisoftai.cn/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yisoftai.cn/privkey.pem
Your certificate will expire on 2025-04-13. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

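Certificate location: /etc/letsencrypt/live/yisoftai.cn/fullchain.pem

Private key: /etc/letsencrypt/live/yisoftai.cn/privkey.pem

6. Deploy the generated certificate to the nginx application and you are done; the certificate is valid for 90 days.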