Requesting a domain certificate with certbot

Installing certbot

Install command

sudo apt update && sudo apt install certbot

Check that the installation succeeded

certbot --version

Some basic certbot commands

# Request a certificate
sudo certbot certonly --manual --preferred-challenges dns -d domain.com

# Show certificate details
sudo certbot certificates

# Renew certificates
sudo certbot renew

# Show certificate expiry dates
sudo certbot certificates

Requesting a domain certificate with certbot

Tip: stop nginx before requesting the certificate; the standalone authenticator used below needs to bind port 80 itself.

Requesting a certificate for specific subdomains with certbot

sudo certbot certonly --standalone -d domain.com -d www.domain.com

Each subdomain is added with its own -d parameter. This command requests one certificate covering the two names domain.com and www.domain.com; when it completes, the certificate is stored under /etc/letsencrypt/live/ by default.
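As an added example (not part of the original post), the script below wraps the standalone request so that nginx is stopped only for the duration of the certbot run, using certbot's --pre-hook and --post-hook options instead of stopping nginx by hand, and then checks that the certificate saved under /etc/letsencrypt/live/ really lists every name passed with -d. It assumes nginx runs as a systemd unit, that certbot and OpenSSL 1.1.1 or later are installed, and that certbot names the lineage directory after the first -d domain; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Issues a certificate with the
# standalone authenticator, stopping nginx only while certbot needs port 80,
# then confirms the saved certificate actually lists every requested name.
# Assumptions: nginx is a systemd unit, certbot and OpenSSL 1.1.1+ are
# installed, and certbot saves the lineage under the first -d name.

# issue_standalone domain.com www.domain.com ...
# --pre-hook/--post-hook replace the manual "stop nginx first" step; certbot
# stores them in the lineage's renewal config so `certbot renew` reuses them.
issue_standalone() {
    dargs=""
    for d in "$@"; do
        dargs="$dargs -d $d"
    done
    # shellcheck disable=SC2086  # word splitting of $dargs is intended
    sudo certbot certonly --standalone \
        --pre-hook "systemctl stop nginx" \
        --post-hook "systemctl start nginx" \
        $dargs
}

# sans_from_text: print one DNS name per line from the text that
# `openssl x509 -noout -ext subjectAltName` produces, e.g.
#   X509v3 Subject Alternative Name:
#       DNS:domain.com, DNS:www.domain.com
sans_from_text() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# cert_covers_all SAN_TEXT NAME...: succeed only if every NAME is in the SAN list.
cert_covers_all() {
    san_text="$1"
    shift
    for want in "$@"; do
        sans_from_text "$san_text" | grep -qxF "$want" || return 1
    done
    return 0
}

# verify_live_cert domain.com www.domain.com ...: read the lineage named after
# the first domain from /etc/letsencrypt/live and check it covers all names.
verify_live_cert() {
    pem="/etc/letsencrypt/live/$1/fullchain.pem"
    cert_covers_all "$(openssl x509 -noout -ext subjectAltName -in "$pem")" "$@"
}

# Typical run (commented out so the file can be sourced without side effects):
# issue_standalone domain.com www.domain.com && verify_live_cert domain.com www.domain.com
```

The same pre/post hooks are what `sudo certbot renew` will run later, so `sudo certbot renew --dry-run` is a cheap way to confirm that renewal can obtain port 80 before the certificate actually nears expiry.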

Requesting a wildcard certificate with certbot

Tip: make sure the domain you are requesting a certificate for already points to your server. Add an A record or a CNAME record in your DNS settings to point the domain at your server.

Run the command

certbot certonly --manual

It prompts for the domain name(s) to request; enter, for example, *.domain.com:

root@www:~# certbot certonly --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): *.domain.com
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for domain.com

Next it asks whether you agree to your IP address being logged; enter Y:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

After you agree, it gives you a DNS record that you need to add to your domain's DNS records:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-verify.domain.com with the following value:

ObcPAGKjw7BUdyEz1d7cOTbogLRILWFKhk

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

The DNS record you need to add is:

  • Type: TXT
  • Name: _acme-verify
  • Content: ObcPAGKjw7BUdyEz1d7cOTbogLRILWFKhk

After adding the DNS record at your DNS hosting provider (for example Cloudflare), return to the server terminal and press Enter to continue. certbot then checks whether you added the DNS record as requested; if all goes well, you will see the following:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2024-08-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

This means your certificate has been issued successfully. The certificate files are in /etc/letsencrypt/live/domain.com/
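The "Before continuing, verify the record is deployed" step above is where most wildcard requests fail: if Enter is pressed before the TXT record is visible, the dns-01 challenge fails and the request has to be repeated. As an added example (not part of the original post), the script below polls a public resolver for the record before you press Enter. It assumes dig (from bind9-dnsutils) is installed and that the record name and value are the ones certbot printed; the standard ACME DNS-01 record name is _acme-challenge.<domain>, whereas the output quoted on this page shows _acme-verify.domain.com, so pass whatever name your certbot run actually prints. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Confirms the ACME DNS-01 TXT
# record is visible from a public resolver before pressing Enter in certbot.
# Assumptions: dig is installed; NAME and VALUE are copied from certbot's
# prompt (the post shows _acme-verify.domain.com and the value
# ObcPAGKjw7BUdyEz1d7cOTbogLRILWFKhk; a real run prints its own).

# txt_has_value DIG_OUTPUT VALUE: succeed if VALUE is one of the TXT strings
# in the `dig +short TXT` output passed as the first argument. dig prints each
# record as a quoted string on its own line, so strip the quotes and match
# whole lines; a wildcard plus apex request yields two records at one name.
txt_has_value() {
    dig_out="$1"
    expected="$2"
    printf '%s\n' "$dig_out" | tr -d '"' | grep -qxF "$expected"
}

# wait_for_txt NAME VALUE [TRIES]: poll every 10 s until the record is seen or
# TRIES attempts (default 12, i.e. about two minutes) are exhausted.
wait_for_txt() {
    name="$1"
    expected="$2"
    tries="${3:-12}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if txt_has_value "$(dig +short TXT "$name" @1.1.1.1)" "$expected"; then
            echo "TXT record for $name is visible; safe to press Enter in certbot"
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "TXT record for $name not seen after $tries attempts" >&2
    return 1
}

# Typical use, in a second terminal while certbot waits at "Press Enter":
# wait_for_txt _acme-verify.domain.com ObcPAGKjw7BUdyEz1d7cOTbogLRILWFKhk
```

Let's Encrypt queries your domain's authoritative name servers rather than a public recursive resolver, so querying the authoritative server directly (dig +short NS domain.com, then dig +short TXT NAME @that-server) is an even closer approximation of what the validation will see. One more point about the "certbot renew" line in the success message: a certificate obtained with --manual and no --manual-auth-hook cannot be renewed non-interactively, because certbot has no way to publish a fresh TXT record on its own, so for wildcard certificates either repeat this manual procedure before the expiry date shown or switch to a DNS plugin or auth hook for your DNS provider.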