Generating a Let's Encrypt wildcard SSL certificate with certbot

2023-03-15 14:41 | Source: compiled from the web

Contents: 1. Error when renewing a certificate; 2. Requesting a Let's Encrypt wildcard SSL certificate

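1. Error when renewing a certificate

Problem description: renewing the SSL certificate fails with the error "too many failed authorizations".

Cause analysis

The domain being renewed has triggered too many failed validations within one hour, so you have to wait a while before validating again.

Note: see the official documentation: https://letsencrypt.org/docs/rate-limits/

In practice, the main reason is that we have requested too many free certificates with certbot. Requesting a wildcard certificate instead is recommended.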

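2. Requesting a Let's Encrypt wildcard SSL certificate

We again use Certbot to issue the certificate.

Official documentation: https://certbot.eff.org/docs/using.html

Following the installation method on the official home page as-is does not use the latest Let's Encrypt v2 API, so add the parameter `--server https://acme-v02.api.letsencrypt.org/directory`. The command is now:

```
certbot certonly --standalone -d '*.example.com' --server https://acme-v02.api.letsencrypt.org/directory
```

This produces the message:

```
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
```

The cause is that no DNS validation is configured, so this parameter is needed: `--preferred-challenges dns`

After digging through the official documentation, I found that wildcard domains require dns-01 validation. The documentation says this validation method can be automated, but that requires installing a plugin, and the DNS provider must be one of the following:

cloudflare
cloudxns
digitalocean
dnsimple
dnsmadeeasy
google
luadns
nsone
rfc2136
route53

I use a free DNS service that has no API for automated validation, so I add the parameter `--manual`.

To sum up, the final command is:

```
certbot certonly --preferred-challenges dns --manual -d '*.example.com' --server https://acme-v02.api.letsencrypt.org/directory
```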

During issuance, certbot prompts you to add a TXT record:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for *.aattec.com
Performing the following challenges:
dns-01 challenge for aattec.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.aattec.com with the following value:

1q3iA_qE3i7ytfNU-xSs0x4mhfij4TXuoXXlxbrQDMQ

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
```

Add the TXT record in your domain management console, wait about five minutes for it to take effect, then press Enter.

After that, just wait for issuance to complete:

```
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/aattec.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/aattec.com-0001/privkey.pem
   Your certificate will expire on 2023-06-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
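
Pressing Enter at the TXT prompt before the record has reached every authoritative nameserver results in a failed authorization, which counts toward the rate limit described in section 1. The script below is an added example, not part of the original post: it assumes `dig` is installed and that the domain passed in is the zone apex, and the function names `txt_has_value` and `check_challenge` are this example's own.

```shell
#!/usr/bin/env bash
# Added example: confirm the dns-01 TXT record is live on every authoritative
# nameserver before pressing Enter at certbot's prompt.
# Assumes `dig` is installed and the domain is the zone apex.

# txt_has_value VALUE: reads `dig +short TXT` output on stdin; succeeds only
# if one record equals VALUE exactly. dig wraps TXT strings in double quotes,
# and `--` matters because base64url values may begin with "-".
txt_has_value() {
  tr -d '"' | grep -Fxq -- "$1"
}

# check_challenge DOMAIN VALUE
# Returns 0 if all nameservers serve VALUE, 1 if any does not, 2 on bad input.
check_challenge() {
  local domain value name servers ns missing=0
  domain=${1#\*.}                     # "*.example.com" -> "example.com"
  value=$2
  [ -n "$domain" ] && [ -n "$value" ] || return 2
  name="_acme-challenge.$domain"
  servers=$(dig +short NS "$domain")
  if [ -z "$servers" ]; then
    echo "no NS records for $domain (not the zone apex?)" >&2
    return 2
  fi
  # Ask each authoritative server directly, bypassing resolver caches.
  for ns in $servers; do
    if dig +short TXT "$name" "@$ns" | txt_has_value "$value"; then
      echo "OK       $ns"
    else
      echo "MISSING  $ns"
      missing=1
    fi
  done
  return "$missing"
}

# Usage: bash check-acme-txt.sh '*.example.com' '<value printed by certbot>'
if [ "$#" -ge 2 ]; then
  check_challenge "$1" "$2"
fi
```

Run it in a second terminal while certbot is waiting, and press Enter only once every nameserver reports OK.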

