====== Let's Encrypt wildcard ======
FIXME
====== Installation ======
apt-get update
apt-get install git
cd /opt
git clone https://github.com/certbot/certbot
====== Obtaining the certificate ======
Example of obtaining a certificate for ''*.domain.ru''
Run (the wildcard is quoted so the shell does not expand it against files in the current directory):
/opt/certbot/letsencrypt-auto certonly -d '*.domain.ru' -m webmaster@domain.ru --server https://acme-v02.api.letsencrypt.org/directory --manual
Output:
Upgrading certbot-auto 0.22.2 to 0.25.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for domain.ru
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Answer: ''Y''
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.domain.ru with the following value:
RVSD8RHaITG8rXxh3OGiwq8fq4du5VksR6MsfGlKyE1
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Enter the verification data in [[#DNS]], then [[#DNSCHECK|check]] that the change is actually visible, and press Enter.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.ru/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.ru/privkey.pem
Your cert will expire on 2018-09-07. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
===== DNS =====
The verification data goes into a record named ''_acme-challenge.domain.ru.'' of type ''TXT'':
_acme-challenge.domain.ru. IN TXT "RVSD8RHaITG8rXxh3OGiwq8fq4du5VksR6MsfGlKyE1"
{{anchor:DNSCHECK}}
Check:
dig @8.8.8.8 -t txt _acme-challenge.domain.ru
Result:
; <<>> DiG 9.10.3-P4-Debian <<>> -t txt _acme-challenge.domain.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65104
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5
;; QUESTION SECTION:
;_acme-challenge.domain.ru. IN TXT
;; ANSWER SECTION:
_acme-challenge.domain.ru. 3600 IN TXT "RVSD8RHaITG8rXxh3OGiwq8fq4du5VksR6MsfGlKyE1"
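The check above is done by eye; the script below (an added example, not part of the original page) does the same thing mechanically so the Enter keypress can be gated on the record actually being visible. It compares the TXT value returned by ''dig'' with the token certbot printed, and polls until it appears. Record name and token are the page's sample values; ''SAMPLE_DIG'' is a constructed copy of the page's dig output so the parser can be exercised offline. Querying one of the domain's authoritative name servers instead of 8.8.8.8 avoids a negative answer that a public resolver may have cached from a lookup made before the record was added.

```shell
#!/bin/sh
# Added example, not part of the original page: confirm that the
# _acme-challenge TXT record carries the token certbot printed, before
# pressing Enter in the manual dialogue. The record name and token below
# are the page's sample values; SAMPLE_DIG is a constructed copy of the
# page's dig output so that the parser can be exercised offline.

SAMPLE_DIG='; <<>> DiG 9.10.3-P4-Debian <<>> -t txt _acme-challenge.domain.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65104
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5
;; QUESTION SECTION:
;_acme-challenge.domain.ru. IN TXT
;; ANSWER SECTION:
_acme-challenge.domain.ru. 3600 IN TXT "RVSD8RHaITG8rXxh3OGiwq8fq4du5VksR6MsfGlKyE1"'

# txt_has_token DIG_OUTPUT NAME TOKEN
# Succeeds when DIG_OUTPUT holds an answer line 'NAME. TTL IN TXT "TOKEN"'.
# Question-section lines start with ';' and are skipped; the trailing dot
# and the surrounding quotes are stripped before comparing, so a stale
# record with a different value does not pass.
txt_has_token() {
    printf '%s\n' "$1" | awk -v n="${2%.}" -v t="$3" '
        /^;/ { next }
        $3 == "IN" && $4 == "TXT" {
            nm = $1; sub(/\.$/, "", nm)
            v = $5; gsub(/"/, "", v)
            if (nm == n && v == t) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# wait_for_txt NAME TOKEN [SERVER] [TRIES] [DELAY]
# Polls SERVER until the record is visible. Prefer one of the domain's
# authoritative name servers (dig +short NS domain.ru) over a public
# recursive resolver, which may have cached an empty answer.
wait_for_txt() {
    name=$1; token=$2; server=${3:-8.8.8.8}; tries=${4:-12}; delay=${5:-10}
    i=0
    while [ "$i" -lt "$tries" ]; do
        if txt_has_token "$(dig "@$server" -t txt "$name")" "$name" "$token"; then
            echo "TXT record $name is visible on $server"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "TXT record $name not visible on $server after $tries attempts" >&2
    return 1
}

# Usage: sh check-txt.sh _acme-challenge.domain.ru TOKEN [ns1.domain.ru]
# Exits 0 once the record is live; with no arguments only the functions
# are defined.
if [ "$#" -ge 2 ]; then
    wait_for_txt "$@"
fi
```

Run it with the record name and the token from the certbot prompt; once it exits 0 the record is live on the server you asked, and you can press Enter.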
====== Files ======
The resulting files are in the directory ''/etc/letsencrypt/live/domain.ru''
|cert.pem|server certificate|[[apache:apache|Apache]] in ''SSLCertificateFile''|
|chain.pem|chain certificate|[[apache:apache|Apache]] in ''SSLCertificateChainFile''|
|fullchain.pem|cert.pem and chain.pem concatenated|[[apache:apache|Apache]] in ''SSLCertificateFile'' \\ [[nginx:nginx|Nginx]] in ''ssl_certificate''|
|privkey.pem|private key for the certificate|[[apache:apache|Apache]] in ''SSLCertificateKeyFile'' \\ [[nginx:nginx|Nginx]] in ''ssl_certificate_key''|
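Before pointing Apache or Nginx at these files it is worth confirming that ''privkey.pem'' really belongs to ''cert.pem'' and that the wildcard name is in the certificate's subjectAltName, otherwise the problem only shows up as a handshake failure after the reload. The script below is an added example, not part of the original page or of certbot; it uses only standard ''openssl'' subcommands. The ''make_test_cert'' helper produces a throwaway self-signed certificate (constructed test data, needing OpenSSL 1.1.1 or newer for ''-addext'') so the checks can be exercised without the real files.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity checks for the files
# in /etc/letsencrypt/live/domain.ru before Apache or Nginx is pointed at
# them. A mismatched key or a missing wildcard SAN otherwise only surfaces
# as a TLS handshake failure after the reload.

# cert_matches_key CERT KEY
# Succeeds when the public key inside CERT equals the public half of KEY,
# i.e. privkey.pem really belongs to cert.pem / fullchain.pem.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1") || return 2
    k=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$c" = "$k" ]
}

# cert_has_san CERT NAME
# Succeeds when NAME is one of the DNS entries in subjectAltName. Clients
# match against the SAN list, not the CN, and "*.domain.ru" does not cover
# the bare "domain.ru", so check both if both are served.
cert_has_san() {
    openssl x509 -noout -text -in "$1" |
        awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed 's/^ *DNS://' | grep -qxF "$2"
}

# cert_expiry CERT
# Prints the notAfter date (Let's Encrypt certificates are valid 90 days).
cert_expiry() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# make_test_cert DIR
# Writes a throwaway self-signed wildcard certificate plus an unrelated key
# into DIR (constructed test data only, not a substitute for the Let's
# Encrypt files). Needs OpenSSL 1.1.1+ for -addext.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=*.domain.ru' \
        -addext 'subjectAltName=DNS:*.domain.ru,DNS:domain.ru' \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.pem" 2>/dev/null
}

# Usage: sh check-live.sh /etc/letsencrypt/live/domain.ru
# With no argument only the functions are defined.
if [ -n "${1:-}" ]; then
    live=$1
    cert_matches_key "$live/cert.pem" "$live/privkey.pem" \
        && echo "privkey.pem matches cert.pem" \
        || echo "privkey.pem does NOT match cert.pem" >&2
    for n in '*.domain.ru' 'domain.ru'; do
        cert_has_san "$live/cert.pem" "$n" \
            && echo "SAN present: $n" || echo "SAN missing: $n" >&2
    done
    echo "expires: $(cert_expiry "$live/cert.pem")"
fi
```

The key comparison works by extracting the SubjectPublicKeyInfo from both sides and comparing the PEM text, which is independent of the key type; the SAN check deliberately uses fixed-string matching so that ''*'' and ''.'' in the wildcard name are not treated as regex metacharacters.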
====== Links ======
[[http://www.voip-lab.ru/подключаем-wildcard-certificate-на-домен-с-помощью-letsencrypt|Setting up a wildcard certificate for a domain with letsencrypt]]
[[https://itc-life.ru/poluchaem-letsencrypt-wildcard-sertifikat/|Obtaining a Let's Encrypt wildcard certificate]]
[[https://habr.com/post/270273/|Let's Encrypt: obtaining a certificate step by step]]
{{tag> Encryption}}