Let's Encrypt: tools for automated certificate issuance

Part 1: Creating a certificate manually


## Download the script

shell > wget https://dl.eff.org/certbot-auto
shell > sudo mv certbot-auto /usr/local/bin/certbot-auto
shell > sudo chown root /usr/local/bin/certbot-auto
shell > sudo chmod 0755 /usr/local/bin/certbot-auto
shell > /usr/local/bin/certbot-auto --help

## Create a wildcard certificate

shell > certbot-auto certonly -d '*.qq.com' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
## You will be prompted for an e-mail address, to accept the terms of service, and to confirm that the current host has a public IP and is associated with the domain.
## Note the TXT record value shown in the prompt, log in to your DNS provider and add that TXT record for the domain, wait a few minutes, then press Enter and the certificate is issued.
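The manual DNS-01 flow above only succeeds if the `_acme-challenge` TXT record is already visible to public resolvers when you press Enter; pressing it too early wastes a validation attempt. The following script, an added example that is not part of the original post, polls a resolver for the record value certbot printed and returns once it matches. It assumes `dig` (bind-utils / dnsutils) is installed; the domain, token and resolver are placeholders you pass in.

```shell
#!/bin/sh
# Added example (not from the original post): wait for the ACME TXT record to
# become visible on a public resolver before continuing certbot's manual prompt.
# Assumes `dig` is available. All names and values are caller-supplied placeholders.

# txt_present EXPECTED DIG_OUTPUT -> 0 when one line of DIG_OUTPUT is exactly "EXPECTED"
# (dig +short prints TXT strings wrapped in double quotes, so we match with quotes).
txt_present() {
    printf '%s\n' "$2" | grep -Fxq "\"$1\""
}

# wait_for_txt NAME EXPECTED [RESOLVER] [ATTEMPTS]
# Polls RESOLVER (default 1.1.1.1) every 10 s, up to ATTEMPTS times (default 30).
wait_for_txt() {
    name="$1"
    expected="$2"
    resolver="${3:-1.1.1.1}"
    attempts="${4:-30}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        out=$(dig +short TXT "$name" "@$resolver" 2>/dev/null)
        if txt_present "$expected" "$out"; then
            echo "TXT record for $name visible on $resolver after $i retries"
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "gave up: $name does not carry the expected value on $resolver" >&2
    return 1
}

# Usage (placeholders): run this in a second terminal while certbot waits for Enter.
#   wait_for_txt _acme-challenge.example.com 'TOKEN_PRINTED_BY_CERTBOT' 8.8.8.8
```

Check against more than one resolver (for instance 1.1.1.1 and 8.8.8.8) before answering the prompt, since Let's Encrypt validates from several vantage points and a record cached as NXDOMAIN on one of them still fails the challenge.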

## The certificate is valid for 90 days, so schedule a cron job to renew it (not verified to work: the certificate was not yet due, so certbot reported it as skipped!)

shell >  echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot-auto renew" | sudo tee -a /etc/crontab > /dev/null

Part 2: Automatic issuance (requires that the server software was installed from packages rather than from source; this example uses NGINX, with Cloudflare as the DNS provider)

shell >  yum -y install yum-utils
shell >  yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
shell >  sudo yum install certbot python2-certbot-nginx
shell >  sudo yum install python2-certbot-dns-cloudflare

## The following DNS providers are currently supported:
## certbot-dns-cloudflare
## certbot-dns-cloudxns
## certbot-dns-digitalocean
## certbot-dns-dnsimple
## certbot-dns-dnsmadeeasy
## certbot-dns-google
## certbot-dns-linode
## certbot-dns-luadns
## certbot-dns-nsone
## certbot-dns-ovh
## certbot-dns-rfc2136
## certbot-dns-route53

## Example: issue a certificate for qq.com (cloudflare.ini is the API credentials file)
shell > certbot certonly --dns-cloudflare --dns-cloudflare-credentials cloudflare.ini -d qq.com

## cloudflare.ini has the following format (the e-mail address is a placeholder; certbot warns about unsafe permissions unless the file is readable only by its owner, so run chmod 600 on it):
# Cloudflare API credentials used by Certbot
dns_cloudflare_email = user@example.com
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567
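The global API key in `cloudflare.ini` grants full control of the Cloudflare account, so a world-readable copy on a shared host is a real exposure (newer certbot-dns-cloudflare releases also accept a scoped `dns_cloudflare_api_token` instead of the global key). The wrapper below, an added example and not part of the original post or of certbot, refuses to invoke certbot until the credentials file exists and has owner-only permissions. It assumes GNU coreutils `stat -c` (Linux); the domain and file path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): guard the certbot invocation so
# it never runs with a credentials file that group or others can read.
# Assumes GNU `stat -c %a` (Linux). Paths and domains are placeholders.

# creds_mode_ok MODE -> 0 when the octal mode grants nothing to group/other
# (e.g. 600, 400, 700 or a four-digit 0600).
creds_mode_ok() {
    case "$1" in
        [0-7]00|[0-7][0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# check_creds_file PATH -> 0 when the file exists and its mode passes creds_mode_ok
check_creds_file() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing credentials file: $f" >&2
        return 1
    fi
    mode=$(stat -c %a "$f")
    if creds_mode_ok "$mode"; then
        return 0
    fi
    echo "insecure mode $mode on $f; fix with: chmod 600 $f" >&2
    return 1
}

# run_certbot_cloudflare DOMAIN CREDS_FILE: the page's certonly command, gated on the check
run_certbot_cloudflare() {
    check_creds_file "$2" || return 1
    certbot certonly --dns-cloudflare --dns-cloudflare-credentials "$2" -d "$1"
}

# Usage (placeholders):
#   run_certbot_cloudflare example.com /root/.secrets/cloudflare.ini
```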

## The certificate is valid for only 90 days, so set up automatic renewal

shell >  echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" | sudo tee -a /etc/crontab > /dev/null
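Because every command on this page uses `certonly`, certbot writes the renewed files under /etc/letsencrypt/live/ but does not reload NGINX, so the server keeps serving the old certificate until the next restart (the `--nginx` installer does reload, `certonly` does not). The following deploy hook, an added example and not part of the original post, reloads NGINX only after `nginx -t` passes, so a broken vhost file cannot take the site down during an unattended renewal. The `NGINX_BIN` override and the install path are assumptions made so the logic can be exercised without NGINX present.

```shell
#!/bin/sh
# Added example (not from the original post): certbot deploy hook that reloads
# nginx only when the configuration validates. NGINX_BIN is an assumed override
# used for testing; in production leave it unset so the real binary is used.

# reload_nginx_if_valid -> 0 when `nginx -t` passes and the reload signal was sent
reload_nginx_if_valid() {
    bin="${NGINX_BIN:-nginx}"
    if "$bin" -t >/dev/null 2>&1; then
        "$bin" -s reload
        return $?
    fi
    echo "nginx config test failed; leaving the running server untouched" >&2
    return 1
}

# Certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks; log them
# so the renewal is traceable in the cron mail / journal.
main() {
    echo "certbot renewed ${RENEWED_DOMAINS:-<unknown>} in ${RENEWED_LINEAGE:-<unknown>}"
    reload_nginx_if_valid
}

# Install (placeholder path): save as /usr/local/bin/reload-nginx.sh, chmod 755,
# then renew with:
#   certbot renew --deploy-hook /usr/local/bin/reload-nginx.sh
# Only run main when executed as that script, not when sourced.
case "$0" in
    *reload-nginx.sh) main ;;
esac
```

Once `--deploy-hook` has been used on a successful renewal, certbot records it in the lineage's renewal configuration, so later plain `certbot renew` runs from the crontab above keep calling it.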

Part 3: A working Tencent Cloud DNS hook


# Hook repository: https://github.com/akgnah/certbot-wildcard-qcloud-hook

shell > certbot certonly -d '*.test.com' --manual --preferred-challenges dns --manual-auth-hook "~/certbot-wildcard-qcloud-hook/qcloud-dns.py add" --manual-cleanup-hook "~/certbot-wildcard-qcloud-hook/qcloud-dns.py del"

shell > certbot renew --manual --preferred-challenges dns --manual-auth-hook "~/certbot-wildcard-qcloud-hook/qcloud-dns.py add" --manual-cleanup-hook "~/certbot-wildcard-qcloud-hook/qcloud-dns.py del"

# NGINX: add the SSL configuration
ssl_certificate     /etc/letsencrypt/live/test.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/test.com/privkey.pem;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         HIGH:!aNULL:!MD5;
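The four directives above enable TLSv1 and TLSv1.1, both deprecated (RFC 8996) and flagged by every current scanner, and `HIGH:!aNULL:!MD5` still admits non-forward-secret RSA key exchange. The server block below is an added example, not configuration from the original post, showing the same certificate paths with the legacy protocols removed, forward-secret AEAD ciphers only, OCSP stapling against the chain.pem that certbot writes beside fullchain.pem, and an HTTP-to-HTTPS redirect. TLSv1.3 requires NGINX built against OpenSSL 1.1.1 or later; test.com is the page's placeholder domain.

```nginx
# Added example (not from the original post): hardened replacement for the
# page's four ssl_* lines. Paths follow certbot's /etc/letsencrypt/live/<name>/ layout.
server {
    listen 443 ssl http2;
    server_name test.com *.test.com;

    ssl_certificate         /etc/letsencrypt/live/test.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/test.com/privkey.pem;
    # chain.pem is also written by certbot; nginx uses it to verify stapled OCSP responses.
    ssl_trusted_certificate /etc/letsencrypt/live/test.com/chain.pem;

    # Only TLS 1.2/1.3; TLSv1 and TLSv1.1 are removed.
    ssl_protocols TLSv1.2 TLSv1.3;
    # ECDHE-only AEAD suites; TLS 1.3 suites are negotiated automatically.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:10m;
    # Session tickets disabled so a static ticket key cannot undo forward secrecy.
    ssl_session_tickets off;

    # OCSP stapling so clients need not contact the Let's Encrypt OCSP responder.
    ssl_stapling        on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 8.8.8.8 valid=300s;

    add_header Strict-Transport-Security "max-age=63072000" always;
}

# Redirect plain HTTP to HTTPS.
server {
    listen 80;
    server_name test.com *.test.com;
    return 301 https://$host$request_uri;
}
```

Run `nginx -t` after changing the block and confirm the result with `openssl s_client -connect test.com:443 -tls1_1`, which must now fail the handshake.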