
Obtaining certificates with Certbot using the DNS challenge

Installation

sudo apt install certbot

Validation

Run one of the following commands:

# Wildcard certificate (quoted so the shell does not expand "*" as a glob):
certbot certonly -d '*.test.com' --manual --preferred-challenges dns

# Apex domain only:
certbot certonly -d test.com --manual --preferred-challenges dns

# A wildcard does not cover the apex itself; pass both names (-d test.com -d '*.test.com')
# to get one certificate that covers both.

Certbot then prints output like the following:

dongdaming@nuc:/etc/nginx/sites-available$ sudo certbot certonly -d *.beekc.top --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.beekc.top

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.beekc.top.

with the following value:

A123456789

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.beekc.top.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Now update the DNS zone accordingly: here, add a TXT record named _acme-challenge.beekc.top with the value A123456789. Note that even for the wildcard name *.beekc.top the record goes under _acme-challenge.beekc.top, not under a wildcard label. Before pressing Enter, confirm that the record is actually being served (for example with the Google dig tool linked in the output), because Let's Encrypt queries it immediately and every failed validation counts against its failed-validation rate limit.

Once the record is live, return to the terminal and press Enter; Certbot completes the rest. The certificate is written to /etc/letsencrypt/live/beekc.top/ (fullchain.pem and privkey.pem are the files to reference from nginx). One caveat: a certificate obtained with --manual and no --manual-auth-hook cannot be renewed unattended. `certbot renew` fails for it with an error stating that an authentication script must be provided with --manual-auth-hook when the manual plugin is used non-interactively, so you must either repeat this procedure by hand before expiry or register hooks that publish the TXT record automatically.

Automatic renewal

Create the file /etc/systemd/system/certbot.service with the following content. Note that on Debian and Ubuntu the apt package already installs a certbot.timer and certbot.service under /lib/systemd/system that attempt `certbot -q renew` twice a day; unit files in /etc/systemd/system take precedence, so the units below replace the packaged schedule rather than adding to it.

[Unit]
Description=Let's Encrypt renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --agree-tos

Then create the file /etc/systemd/system/certbot.timer with the following content. Keep in mind that certbot only writes the new files; nginx keeps serving the old certificate until it is reloaded, so add --deploy-hook "systemctl reload nginx" to the ExecStart line above (or to the certificate's renewal config) so the renewed certificate is actually used.

[Unit]
Description=Monthly renewal of Let's Encrypt's certificates at 4:00 AM

[Timer]
OnCalendar=*-*-01 04:00:00
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target

OnCalendar sets the schedule; here it runs at 04:00 on the first day of every month. RandomizedDelaySec adds up to an hour of random delay so that many hosts do not all hit Let's Encrypt at exactly the same moment. A monthly check is coarse for 90-day certificates: certbot renews only when fewer than 30 days remain, so a certificate that still has 31 days left on the 1st is skipped and is not retried until the next run, when about a day is left, and a single transient failure then means an expired certificate. Let's Encrypt recommends attempting renewal twice a day (OnCalendar=*-*-* 00,12:00:00, which is also what the packaged timer uses); the renewal itself only happens when it is due.

Enable the timer

sudo systemctl daemon-reload                 # pick up the new unit files
sudo systemctl enable --now certbot.timer    # enable and start in one step
systemctl list-timers certbot.timer          # confirm the next scheduled run
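The manual flow above leaves two gaps: the TXT record has to be checked by hand before pressing Enter, and a certificate obtained with --manual and no hooks cannot be renewed by the timer just configured. The script below is an added example, not code from the original post or from Certbot itself, and closes both gaps. Its check subcommand polls the nameserver for the record Certbot printed, and run as --manual-auth-hook / --manual-cleanup-hook it publishes and removes that record through RFC 2136 dynamic DNS (nsupdate), so `certbot renew` works unattended. The nameserver ns1.example.net, the zone beekc.top and the key path /etc/letsencrypt/tsig.key are placeholder assumptions to adjust to your own zone; CERTBOT_DOMAIN and CERTBOT_VALIDATION are the environment variables Certbot really sets for hooks.

```sh
#!/bin/sh
# acme-dns-hook.sh -- added example, not part of the original post or of Certbot.
#
# One script, three jobs:
#   check DOMAIN VALUE [NS]  wait until the TXT record Certbot asked for is visible
#                            on the nameserver (the "verify before pressing Enter" step)
#   auth                     --manual-auth-hook: publish the record via nsupdate, then wait
#   cleanup                  --manual-cleanup-hook: remove that record again
#
# Assumptions (hypothetical values): the zone's primary accepts TSIG-signed dynamic
# updates and the key is in a file nsupdate understands. Certbot passes the domain
# and token to hooks in CERTBOT_DOMAIN and CERTBOT_VALIDATION.
ACME_NS=${ACME_NS:-ns1.example.net}                        # server to update and query
ACME_ZONE=${ACME_ZONE:-beekc.top}                          # zone holding _acme-challenge.*
ACME_TSIG_KEY=${ACME_TSIG_KEY:-/etc/letsencrypt/tsig.key}  # key file for nsupdate -k

# Record name for a domain. A wildcard "*.beekc.top" is validated under
# _acme-challenge.beekc.top just like the apex, so a leading "*." is dropped.
challenge_name() {
    _d=${1#\*.}
    _d=${_d%.}
    printf '_acme-challenge.%s\n' "$_d"
}

# $1 = expected token, $2 = output of `dig +short TXT <name>`, which prints each TXT
# record as a quoted string on its own line. Whole-line fixed-string match, so a
# token that is merely a prefix of another record does not count.
txt_present() {
    printf '%s\n' "$2" | grep -qxF "\"$1\""
}

# Poll the nameserver until the record carries the token, or give up.
# $1 = record name, $2 = token, $3 = nameserver, $4 = attempts (default 24, 5 s apart)
wait_for_txt() {
    _tries=${4:-24}
    _n=0
    while [ "$_n" -lt "$_tries" ]; do
        if txt_present "$2" "$(dig +short TXT "$1" @"$3")"; then
            return 0
        fi
        _n=$((_n + 1))
        sleep 5
    done
    printf 'TXT %s on %s never showed "%s"\n' "$1" "$3" "$2" >&2
    return 1
}

# Print an nsupdate batch. "update add" appends a record and "update delete" with
# the data removes only that record, so a certificate for both beekc.top and
# *.beekc.top (two tokens under the same name at once) works.
# $1 = add|delete, $2 = server, $3 = zone, $4 = record name, $5 = token
nsupdate_script() {
    printf 'server %s\nzone %s\n' "$2" "$3"
    if [ "$1" = add ]; then
        printf 'update add %s. 60 TXT "%s"\n' "$4" "$5"
    else
        printf 'update delete %s. TXT "%s"\n' "$4" "$5"
    fi
    printf 'send\n'
}

auth_hook() {
    _name=$(challenge_name "$CERTBOT_DOMAIN")
    nsupdate_script add "$ACME_NS" "$ACME_ZONE" "$_name" "$CERTBOT_VALIDATION" \
        | nsupdate -k "$ACME_TSIG_KEY" || return 1
    # Let's Encrypt asks the authoritative servers directly, so poll the one we updated.
    wait_for_txt "$_name" "$CERTBOT_VALIDATION" "$ACME_NS"
}

cleanup_hook() {
    _name=$(challenge_name "$CERTBOT_DOMAIN")
    nsupdate_script delete "$ACME_NS" "$ACME_ZONE" "$_name" "$CERTBOT_VALIDATION" \
        | nsupdate -k "$ACME_TSIG_KEY"
}

main() {
    case "${1:-}" in
        auth)    auth_hook ;;
        cleanup) cleanup_hook ;;
        check)   wait_for_txt "$(challenge_name "$2")" "$3" "${4:-$ACME_NS}" ;;
        *)       echo "usage: $0 auth | cleanup | check DOMAIN VALUE [NAMESERVER]" >&2; return 2 ;;
    esac
}

# Dispatch only when called with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Request the certificate once with the hooks registered, for example `certbot certonly -d beekc.top -d '*.beekc.top' --manual --preferred-challenges dns --manual-auth-hook '/etc/letsencrypt/acme-dns-hook.sh auth' --manual-cleanup-hook '/etc/letsencrypt/acme-dns-hook.sh cleanup' --deploy-hook 'systemctl reload nginx'`. Certbot stores the hooks in /etc/letsencrypt/renewal/beekc.top.conf, so the `certbot renew` run by the timer reuses them, and `certbot renew --dry-run` exercises the whole path against the staging environment without consuming rate limits. For the purely manual flow, `./acme-dns-hook.sh check '*.beekc.top' A123456789 ns1.example.net` tells you when it is safe to press Enter. Restrict the TSIG key on the server side to TXT records under the _acme-challenge name (BIND's update-policy grants can express this), so that a compromised web host cannot rewrite the rest of the zone.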
