安装certbot

sudo apt install certbot

申请证书

certbot certonly --manual -d "*.itvro.com" --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

其中--manual是表示手动方式验证,--perferred-challenges dns 则表示通过添加dns记录方式来验证域名所属真实,-d后用双引号圈出的部分则是泛域名。
申请成功后,证书保存在/etc/letsencrypt/live目录中

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/itvro.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/itvro.com/privkey.pem
   Your cert will expire on 2021-09-13. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 - We were unable to subscribe you the EFF mailing list because your
   e-mail address appears to be invalid. You can try again later by
   visiting https://act.eff.org.

后续只用在90天内用certbot renew 命令即可更新ssl证书。

certbot renew

增加域名

certbot --expand -d a.itvro.com

不能自动校验DNS的话,手动续期相当于重新生成证书,使用如下命令
certbot certonly --manual -d itvro.com --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

                                                                              • -
                                                                                root@raspberrypi:~# certbot certonly --manual -d file.itvro.com --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
                                                                                Saving debug log to /var/log/letsencrypt/letsencrypt.log
                                                                                Requesting a certificate for file.itvro.com
                                                                              • -
                                                                                Please deploy a DNS TXT record under the name:

_acme-challenge.file.itvro.com.

with the following value:

8U2aClZsgFjMUCSO4hWdp9er_07UY-r4YJSeU5F4nxo

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.file.itvro.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

                                                                              • -
                                                                                Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/file.itvro.com-0001/fullchain.pem
Key is saved at: /etc/letsencrypt/live/file.itvro.com-0001/privkey.pem
This certificate expires on 2025-02-26.
These files will be updated when the certificate renews.

NEXT STEPS:

  • This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
                                                                              • -
最后修改:2024 年 11 月 28 日
如果觉得我的文章对你有用,请随意赞赏