HTTPS – 免费SSL证书(letsencrypt)

letsencrypt.org 是一个由互联网安全研究小组(ISRG)运作的免费、自动化和开放的证书颁发机构。来自letsencrypt.org的免费DV证书有效期为90天,经设置后可以自动更新、永久有效,可被所有主流浏览器(如Firefox、Chrome和Internet Explorer)识别。

获取letsencrypt证书

我们将以下面环境为例,展示获取证书的步骤

  • 系统:centos 7
  • 域名:qikegu.com, *.qikegu.com

按以下步骤获取证书

  1. 安装letsencrypt证书管理Certbot
  2. 生成证书

1. 安装letsencrypt证书管理工具Certbot

certbot是管理letsencrypt的开源工具:

安装:

# yum install certbot

2. 生成证书

执行命令:

 certbot certonly --preferred-challenges dns --manual -d "*.qikegu.com" -d "qikegu.com"  --server https://acme-v02.api.letsencrypt.org/directory

注意:这里指定了2个域名:*.qikegu.comqikegu.com,前者通配域名并不包含后者,不包含后者访问qikegu.com会产生无效证书错误。

  • certonly – 表示安装模式,certbot可以有安装模式和验证模式
  • -d – 指定域名
  • --manual 手动安装
  • --preferred-challenges dns 使用dns方式证明域名所有权
  • -server – Let’s Encrypt ACME v2 版本使用的服务器不同于 v1 版本,需要显示指定

过程很简单:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for qikegu.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.qikegu.com with the following value:

kgiq5A2DST6YdBhf31OKIDq_WbvzoVxx6x-KuFlWFSU

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/qikegu.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/qikegu.com/privkey.pem
   Your cert will expire on 2019-07-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

上面操作中,中间有个步骤要求为你的域名添加txt解析,这个步骤就是证明域名是你的。

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.qikegu.com with the following value:

kgiq5A2DST6YdBhf31OKIDq_WbvzoVxx6x-KuFlWFSU

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

在域名商(阿里云,腾讯云)域名解析里,添加一条txt记录:

image

然后在命令行中,按回车键继续,验证通过生成证书。

利用 sslforfree.com 获取letsencrypt证书

除了上述方法生成证书,你也可以通过网站sslforfree.com获取letsencrypt证书。

该网站使用域验证加密ACME服务器生成一个免费证书。从sslforfree.com获得免费证书是100%安全的。可以访问该网站按步骤操作,本文不再赘述。



浙ICP备17015664号 浙公网安备 33011002012336号 联系我们 网站地图  
@2019 qikegu.com 版权所有,禁止转载