Quick setup of a Let's Encrypt wildcard certificate
Published: 2019-05-25


1. Introduction

Let's Encrypt now supports issuing free wildcard certificates: request an HTTPS certificate for a domain once and every subdomain under it can use it. One thing needs pointing out: a Let's Encrypt wildcard certificate only covers the second-level names, not the bare domain itself. For example, blog.smile13.com and smile13.com are treated as two different domains, and both must be included when requesting the certificate.

2. Environment

Operating system: CentOS 7.4

Domains configured: smile13.com, *.smile13.com

3. Obtaining the certificate

3.1. Download Certbot and make it executable

1. wget https://dl.eff.org/certbot-auto
2. chmod +x certbot-auto

3.2. Generate the certificate

./certbot-auto certonly -d "*.smile13.com" -d "smile13.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Explanation of the parameters:

certonly: only obtain the certificate, without installing it; Certbot has two kinds of plugins, installers and authenticators.
--manual: use the manual authenticator plugin. Certbot has many plugins, each of which can be used to obtain a certificate; choose whichever suits your needs.
-d: the hosts to request the certificate for. For a wildcard, enter *.smile13.com (replace it with your own domain).
--preferred-challenges: verify domain ownership via DNS (dns-01).
--server: the Let's Encrypt ACME v2 server is different from the v1 server and must be specified explicitly.

Below is the interaction during the command run:

[root@eric201 software-package]# cd /etc/letsencrypt/live/
-bash: cd: /etc/letsencrypt/live/: No such file or directory
[root@eric201 software-package]# ./certbot-auto certonly -d "*.smile13.com" -d "smile13.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for smile13.com
dns-01 challenge for smile13.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.smile13.com with the following value:

nQjdBo-5myb3mfnMJ1e0lDyfp6cAZap9FBR8AcM4FFE

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Note: at this point you must go to your domain's DNS management console and add the DNS TXT record to prove ownership of the domain. If you simply press Enter to move on to the next step, certificate issuance will fail. How to configure the DNS TXT record is described further below.

Please deploy a DNS TXT record under the name
_acme-challenge.smile13.com with the following value:

jc8GXEczmoV6hs1K5GXH3NKa-IB2okf7ZWzAVfx8tYY

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Likewise, here you also need to add the DNS TXT record in the domain's management console to verify ownership of the domain.

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/smile13.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/smile13.com/privkey.pem
   Your cert will expire on 2019-02-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The DNS TXT records are configured as follows (if you request several domains, several records are needed):
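Before pressing Enter at each prompt it is worth confirming that the TXT values are actually visible in DNS, since issuance fails otherwise. The script below is an added example and not part of the original post: it parses the challenge prompts certbot prints (the sample text is constructed from the session above, with the line breaks certbot really prints), looks the name up with dig, and reports any value still missing; the `lookup` parameter is an assumption of this example so an offline resolver can be substituted.

```python
import re
import subprocess

# Constructed sample of the two manual dns-01 prompts from the session above,
# with the line breaks certbot really prints (the page's tokens, verbatim).
SAMPLE_PROMPTS = """\
Please deploy a DNS TXT record under the name
_acme-challenge.smile13.com with the following value:

nQjdBo-5myb3mfnMJ1e0lDyfp6cAZap9FBR8AcM4FFE

Before continuing, verify the record is deployed.
Please deploy a DNS TXT record under the name
_acme-challenge.smile13.com with the following value:

jc8GXEczmoV6hs1K5GXH3NKa-IB2okf7ZWzAVfx8tYY

Before continuing, verify the record is deployed.
"""

PROMPT_RE = re.compile(r"deploy a DNS TXT record under the name\s+(\S+)\s+"
                       r"with the following value:\s+(\S+)")

def parse_challenges(text):
    """Map each _acme-challenge name to the set of TXT values certbot asked for.
    *.smile13.com and smile13.com share one name but need two distinct values."""
    wanted = {}
    for name, token in PROMPT_RE.findall(text):
        wanted.setdefault(name.rstrip("."), set()).add(token)
    return wanted

def dig_txt(name):
    """Live lookup with dig; TXT values come back quoted, so strip the quotes."""
    proc = subprocess.run(["dig", "+short", "TXT", name],
                          capture_output=True, text=True, check=False)
    return {ln.strip().strip('"') for ln in proc.stdout.splitlines() if ln.strip()}

def missing_records(wanted, lookup=dig_txt):
    """Return {name: values not yet visible in DNS}. An empty dict means every
    challenge value is published and it is safe to press Enter in certbot."""
    missing = {}
    for name, tokens in wanted.items():
        absent = tokens - lookup(name)
        if absent:
            missing[name] = absent
    return missing

if __name__ == "__main__":
    print(missing_records(parse_challenges(SAMPLE_PROMPTS)) or "all deployed")
```

Paste the prompt text certbot printed into SAMPLE_PROMPTS (or read it from a file) and run the script until it reports nothing missing; remember that the result from your resolver can lag behind the DNS console while the zone propagates.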

Under /etc/letsencrypt/live/smile13.com/ you can see the generated files:

3.3. Renewing the certificate

Let's Encrypt's free certificates are valid for 90 days by default. To renew one when it is about to expire, run the command below; it can also be set up as a scheduled task so that renewal runs automatically.

certbot-auto renew

4. Configuring the certificate

I use nginx, so only the nginx configuration is described here; Apache is similar and will be added later. Below is the SSL-related configuration; the other parts, such as location, are unchanged.

server {
    listen 443 ssl;
    server_name blog.smile13.com; # your domain
    #ssl on;
    ssl_certificate /etc/letsencrypt/live/smile13.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/smile13.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/smile13.com/chain.pem;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        ......
    }
}

Once configured, restart nginx (systemctl restart nginx) and you are done.

Copyright notice: this is an original article by the blog author; please credit the source when reposting!
