当前是在mac下操作
安装certbot
bash
# mac下brew安装即可
brew install certbot- centos 安装
centos安装文档
申请泛解析证书
bash
sudo certbot certonly --manual --preferred-challenges=dns -d '*.yourdomain.com'
## 输出
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.yourdomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_asdfase.yourdomain.com.
with the following value:
## TXT解析值
有朋自远发来 不亦乐乎
## 此处提示注意验证是否已经在域名服务商配置了TXT解析
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/txt.yourdomain.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
## 如果多次验证失败 可能有技能冷却时间 文档说是1小时
An unexpected error occurred:
Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/youdomain.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/yourdomain.com/privkey.pem
This certificate expires on 2024-04-22.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -验证证书是否有效
查看证书
bash
sudo certbot certificates
## 输出
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: yourdomain.como
Serial Number: asdfasfasfasdfas
Key Type: ECDSA
Domains: *.yourdomain.com
Expiry Date: 2024-04-22 09:45:32+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/yourdomain.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -默认3个月有效期
设置自动续期脚本
bash
echo "0 0,12 * * * root $(command -v python3) -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo $(command -v certbot) renew - q"| sudo tee -a /etc/crontab > /dev/null-
命令比较简单 用chatgpt做下命令拆解注释
这是一个shell命令,用于在Linux系统中将Certbot自动续订证书的命令添加到crontab中。 具体分析如下: echo命令用于输出内容到标准输出。 0 0,12 * * *部分是cron时间格式,指定了脚本运行的频率。这里表示在每天的0点和12点运行。 root表示以root用户身份运行脚本。 $(command -v python3)是用于获取Python3可执行文件的路径,并将其插入命令中。 -c 'import random; import time; time.sleep(random.random() * 3600)'是通过Python代码实现延迟执行。这段代码会通过import random导入random模块,然后使用import time; time.sleep(random.random() * 3600)来随机延时一定时间,以避免多个服务器同时请求续订证书。 sudo $(command -v certbot) renew -q是用于以root用户身份运行certbot的续订命令。-q参数表示以静默模式运行,输出更少的信息。 sudo tee -a /etc/crontab > /dev/null用于将前面的命令的输出追加到/etc/crontab文件中,并将标准输出重定向到/dev/null来忽略输出。这样,命令的输出信息将不会显示在终端上。 整个命令使用管道符(|)将输出传递给sudo tee命令,并将其添加到/etc/crontab文件中。 通过执行这个命令,会将自动续订Certbot证书的任务添加到cron作业中,以在每天的0点和12点执行。这样就能够自动续订证书,确保证书在到期前得到更新。 -
参考博客