A colleague mentioned that Let's Encrypt now issues free wildcard certificates, which is good news. Until now I had been using Alibaba Cloud's free certificates: one per year, and each one valid for a single domain name only. The wildcard certificate is only valid for 90 days per issuance, but the good part is that renewal can be scripted. Without further ado, let's get started.

Download certbot

Note: certbot-auto has since been deprecated and is no longer maintained by the EFF; on a current system, install certbot from your distribution's package or snap instead. The certbot flags used below are unchanged. If you do download the script, verify the detached GPG signature the EFF published next to it before running it as root.

mkdir /opt/certbot
cd /opt/certbot
wget https://dl.eff.org/certbot-auto
chmod 755 certbot-auto

Request the wildcard certificate

A wildcard name can only be validated with the dns-01 challenge, and only against the ACME v2 endpoint, hence the two flags below:

./certbot-auto certonly  \
-d "*.cnrainbird.com" \
--manual \
--preferred-challenges dns-01  \
--server https://acme-v02.api.letsencrypt.org/directory


Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for cnrainbird.com


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.


Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.cnrainbird.com with the following value:


J5FTanSZjRl3P63LVdQqZG5fZ2n6n8vMRPVq8xv0r7Q


Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

At this point, go to your DNS provider and add the TXT record.

The process is much the same with every provider; I use DNSPod.

After adding it, verify the record before pressing Enter:

nslookup -type=txt _acme-challenge.cnrainbird.com
Server:         139.162.16.5
Address:        139.162.16.5#53


Non-authoritative answer:
_acme-challenge.cnrainbird.com  text = "J5FTanSZjRl3P63LVdQqZG5fZ2n6n8vMRPVq8xv0r7Q"


Authoritative answers can be found from:
cnrainbird.com  nameserver = f1g1ns1.dnspod.net.
cnrainbird.com  nameserver = f1g1ns2.dnspod.net.

A newly added record usually shows up within a minute or two. Getting the text value back as above means the record is in place. Note that nslookup asked a caching resolver here (139.162.16.5); to be sure of what Let's Encrypt's validators will see, query one of the authoritative nameservers listed at the bottom of the output directly (pass it, e.g. f1g1ns1.dnspod.net, as the second argument to nslookup). Then switch back to the certbot window and press Enter to continue.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cnrainbird.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cnrainbird.com/privkey.pem
   Your cert will expire on 2020-06-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:


   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

As shown above, the wildcard certificate was issued; it expires 90 days from now.

Certificate files

/etc/letsencrypt/live/cnrainbird.com/fullchain.pem
/etc/letsencrypt/live/cnrainbird.com/privkey.pem

One thing to watch out for: the *.cnrainbird.com certificate does not cover the bare domain cnrainbird.com (a wildcard matches exactly one additional label, not zero). So we need to request a separate certificate for cnrainbird.com. Alternatively, both names can go into a single certificate by giving two -d flags (cnrainbird.com and "*.cnrainbird.com") to the dns-01 request above; certbot then asks for two TXT records under the same _acme-challenge name. Here we issue them separately.

Request the bare-domain certificate

For the wildcard we used the manual DNS method.

For the bare domain we use automated verification via the http-01 challenge. Note that the directory given to --webroot -w must be the document root nginx serves for http://cnrainbird.com/ (the site you reach when entering the IP directly): certbot writes a token file under .well-known/acme-challenge/ in that directory and Let's Encrypt fetches it over port 80. In this setup that directory happens to be /opt/certbot, the same directory the certbot-auto script lives in; a dedicated web root for the site would be cleaner.

./certbot-auto certonly \
--preferred-challenges http \
-d cnrainbird.com \
--webroot -w /opt/certbot


Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cnrainbird.com
Using the webroot path /opt/certbot for all unmatched domains.
Waiting for verification...
Cleaning up challenges


IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cnrainbird.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cnrainbird.com-0001/privkey.pem
   Your cert will expire on 2020-06-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:


   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The whole run is automatic with no interaction, and we get the bare-domain certificate. Because a certificate lineage named cnrainbird.com already exists (the wildcard), certbot stores this one under cnrainbird.com-0001; pass --cert-name if you want to choose the name yourself.

/etc/letsencrypt/live/cnrainbird.com-0001/fullchain.pem
/etc/letsencrypt/live/cnrainbird.com-0001/privkey.pem

Generate dhparams

Generate the Diffie-Hellman parameters with openssl (they are only used by the DHE cipher suites; the ECDHE suites do not need them):

openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048

Nginx configuration

blog.cnrainbird.com.conf:

server {
    server_name blog.cnrainbird.com;
    listen 443 ssl;   # "ssl on;" is deprecated; enable TLS on the listen directive instead
    ssl_certificate /etc/letsencrypt/live/cnrainbird.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cnrainbird.com/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparams.pem;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); TLS 1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The original list named RC4 suites and then removed them again with !RC4,
    # which was harmless but confusing, so they are gone here.
    ssl_ciphers "EECDH+CHACHA20 EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
}

Then check the configuration with nginx -t and reload nginx:

/etc/init.d/nginx reload
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.

Force redirect to HTTPS

Now that the certificates are in place, answer plain HTTP requests with a 301 to HTTPS. Let's Encrypt's http-01 validator follows redirects, so this does not break webroot renewal as long as the HTTPS server for the same name can serve /.well-known/acme-challenge/ from the same web root; otherwise exempt that path from the redirect.

server {
    server_name blog.cnrainbird.com;
    listen 80;
    return 301 https://$server_name$request_uri;
}
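As an added example (not the post's own configuration), here is the server pair for the bare domain cnrainbird.com that ties the pieces together: the ACME challenge path stays reachable over plain HTTP so webroot renewals keep working, everything else is redirected, and the TLS block drops the deprecated ssl on and the TLS 1.0/1.1 settings. The web root /var/www/acme (pass the same directory to --webroot -w), an nginx/OpenSSL build that supports TLS 1.3, and the HSTS lifetime are assumptions.

```nginx
# Added example, not from the original post. Paths under /etc/letsencrypt follow the post;
# /var/www/acme and TLS 1.3 support are assumed.
server {
    listen 80;
    server_name cnrainbird.com;

    # http-01 fetches http://cnrainbird.com/.well-known/acme-challenge/<token>.
    # certbot writes the token under the directory given to --webroot -w, so
    # that directory is the root here and the path is exempt from the redirect.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;            # TLS is enabled on the listen directive; "ssl on;" is deprecated
    server_name cnrainbird.com;

    # The bare-domain certificate lives in the -0001 lineage created by the second certonly run.
    ssl_certificate     /etc/letsencrypt/live/cnrainbird.com-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cnrainbird.com-0001/privkey.pem;
    ssl_dhparam         /etc/ssl/certs/dhparams.pem;

    # TLS 1.0/1.1 are deprecated (RFC 8996); forward-secret AEAD suites only.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # HSTS (two years, assumed lifetime). Only enable once every name you serve is HTTPS-only,
    # because browsers will refuse plain HTTP for the domain afterwards.
    add_header Strict-Transport-Security "max-age=63072000" always;
}
```

Run nginx -t before reloading; a typo in ssl_ciphers or a wrong certificate path fails at config test time rather than at the first client connection.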

Certificate renewal

This part is simple:

./certbot-auto renew

renews every certificate that is within 30 days of expiry. One caveat: the wildcard certificate was issued with --manual and no hooks, so certbot cannot renew it without a terminal. renew will skip it with an error saying the manual plugin needs --manual-auth-hook when used non-interactively; either repeat the interactive steps above before it expires, or re-issue it with an auth hook that publishes the TXT record for you.

You can also renew a single certificate, but renew selects it by lineage name with --cert-name; certbot rejects -d together with the renew subcommand:

./certbot-auto renew --cert-name cnrainbird.com

Add a crontab entry

# Runs at 02:45 every second day (*/2 in the day-of-month field means every two days, not every two months).
# certbot only renews certificates within 30 days of expiry, and --deploy-hook reloads nginx only when something was actually renewed.
45 2 */2 * * cd /opt/certbot && ./certbot-auto renew --quiet --deploy-hook "/etc/init.d/nginx reload"
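The following is an added example (not from the original post) that covers two points above: checking the TXT record against the zone's authoritative nameservers rather than a caching resolver, and making the wildcard renewable from cron by turning the manual steps into a certbot --manual-auth-hook / --manual-cleanup-hook. certbot exports CERTBOT_DOMAIN (with the leading "*." already stripped) and CERTBOT_VALIDATION to the hook; the dns_add_txt / dns_del_txt functions are placeholders you must replace with your provider's API call, and the path /opt/certbot/dns-hook.sh is an assumption.

```shell
#!/bin/sh
# Added example, not the post's code: certbot DNS-01 hook script.
# Usage (assumed path), which records the hooks in the renewal config so that
# a later "certbot-auto renew" reuses them without a terminal:
#   ./certbot-auto certonly --manual --preferred-challenges dns-01 \
#       --manual-auth-hook    "/opt/certbot/dns-hook.sh auth" \
#       --manual-cleanup-hook "/opt/certbot/dns-hook.sh cleanup" \
#       -d cnrainbird.com -d "*.cnrainbird.com"
set -eu

# Name of the TXT record certbot expects for a given (non-wildcard) domain.
challenge_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Return 0 if the expected value appears in "dig +short TXT" output read from stdin.
# dig prints TXT strings quoted, so strip the quotes before the exact-match compare.
txt_matches() {
    expected=$1
    tr -d '"' | grep -qxF -- "$expected"
}

# Walk up from the certificate name until a label that has NS records is found:
# the certificate name may be a subdomain of the DNS zone.
find_zone() {
    z=$1
    while [ -n "$z" ]; do
        [ -n "$(dig +short NS "$z")" ] && { printf '%s\n' "$z"; return 0; }
        case $z in *.*) z=${z#*.} ;; *) break ;; esac
    done
    return 1
}

# Poll every authoritative nameserver of the zone until all of them return the
# expected value. A caching resolver can say "yes" before the validators see it,
# so the query goes to the authoritative servers directly.
wait_for_txt() {
    name=$1; expected=$2; zone=$3; tries=${4:-30}
    nss=$(dig +short NS "$zone")
    i=0
    while [ "$i" -lt "$tries" ]; do
        ok=1
        for ns in $nss; do
            dig +short TXT "$name" "@$ns" | txt_matches "$expected" || ok=0
        done
        [ "$ok" -eq 1 ] && return 0
        i=$((i + 1))
        sleep 10
    done
    echo "TXT $name did not propagate to all nameservers" >&2
    return 1
}

# ---- provider-specific part: ASSUMED placeholders, replace with real API calls ----
# dns_add_txt must ADD a record, not replace one: when apex and wildcard are in
# the same order, certbot calls the hook twice with the same name and two values.
dns_add_txt() { echo "would create TXT $1 = $2 via the provider API" >&2; }
dns_del_txt() { echo "would delete TXT $1 = $2 via the provider API" >&2; }

# Only act when invoked by certbot, which sets these variables.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    name=$(challenge_name "$CERTBOT_DOMAIN")
    if [ "${1:-auth}" = "cleanup" ]; then
        dns_del_txt "$name" "$CERTBOT_VALIDATION"
    else
        dns_add_txt "$name" "$CERTBOT_VALIDATION"
        zone=$(find_zone "$CERTBOT_DOMAIN")
        wait_for_txt "$name" "$CERTBOT_VALIDATION" "$zone"   # non-zero exit fails the challenge
    fi
fi
```

A non-zero exit from the auth hook makes certbot abort the challenge instead of asking Let's Encrypt to validate a record that is not there yet, which is the failure mode of the interactive flow when Enter is pressed too early.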

Result in Safari (screenshot)

that's all