安装certbot
sudo apt install certbot
申请证书
certbot certonly --manual -d "*.itvro.com" --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
其中--manual是表示手动方式验证,--perferred-challenges dns 则表示通过添加dns记录方式来验证域名所属真实,-d后用双引号圈出的部分则是泛域名。
申请成功后,证书保存在/etc/letsencrypt/live目录中
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/itvro.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/itvro.com/privkey.pem
Your cert will expire on 2021-09-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
- We were unable to subscribe you the EFF mailing list because your
e-mail address appears to be invalid. You can try again later by
visiting https://act.eff.org.
后续只用在90天内用certbot renew 命令即可更新ssl证书。
certbot renew
增加域名
certbot --expand -d a.itvro.com
不能自动校验DNS的话,手动续期相当于重新生成证书,使用如下命令
certbot certonly --manual -d itvro.com --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
- -
root@raspberrypi:~# certbot certonly --manual -d file.itvro.com --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for file.itvro.com
- -
- -
Please deploy a DNS TXT record under the name:
- -
_acme-challenge.file.itvro.com.
with the following value:
8U2aClZsgFjMUCSO4hWdp9er_07UY-r4YJSeU5F4nxo
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.file.itvro.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
- -
Press Enter to Continue
- -
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/file.itvro.com-0001/fullchain.pem
Key is saved at: /etc/letsencrypt/live/file.itvro.com-0001/privkey.pem
This certificate expires on 2025-02-26.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
-
If you like Certbot, please consider supporting our work by:- Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
- Donating to EFF: https://eff.org/donate-le
- -