Let's Encrypt wildcard
Установка
apt-get update apt-get install git cd /opt git clone https://github.com/certbot/certbot
Получение
Пример получения сертификата для *.domain.ru
Выполняем:
/opt/certbot/letsencrypt-auto certonly -d *.domain.ru -m webmaster@domain.ru --server https://acme-v02.api.letsencrypt.org/directory --manual
Ответ:
Upgrading certbot-auto 0.22.2 to 0.25.0... Replacing certbot-auto... Creating virtual environment... Installing Python packages... Installation succeeded. Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Cert is due for renewal, auto-renewing... Renewing an existing certificate Performing the following challenges: dns-01 challenge for domain.ru ------------------------------------------------------------------------------- NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that. Are you OK with your IP being logged? ------------------------------------------------------------------------------- (Y)es/(N)o: Y
Отвечаем: Y
------------------------------------------------------------------------------- Please deploy a DNS TXT record under the name _acme-challenge.domain.ru with the following value: RVSD8RHaITG8rXxh3OGiwq8fq4du5VksR6MsfGlKyE1 Before continuing, verify the record is deployed. ------------------------------------------------------------------------------- Press Enter to Continue
Вводим проверочные данные в DNS, далее нужно проверить и убедится, что изменения произведены и нажать Enter
Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/domain.ru/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/domain.ru/privkey.pem Your cert will expire on 2018-09-07. To obtain a new or tweaked version of this certificate in the future, simply run letsencrypt-auto again. To non-interactively renew *all* of your certificates, run "letsencrypt-auto renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
DNS
Проверочные данные нужно ввести в поле: _acme-challenge.domain.ru. тип поля: TXT
_acme-challenge.domain.ru. IN TXT "RVSD8RHaITG8rXxh3OGiwq8fq4du5VksR6MsfGlKyE1"
dig @8.8.8.8 -t txt _acme-challenge.domain.ru
Результат:
; <<>> DiG 9.10.3-P4-Debian <<>> -t txt _acme-challenge.domain.ru ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65104 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5 ;; QUESTION SECTION: ;_acme-challenge.domain.ru. IN TXT ;; ANSWER SECTION: _acme-challenge.domain.ru. 3600 IN TXT "RVSD8RHaITG8rXxh3OGiwq8fq4du5VksR6MsfGlKyE1"
Файлы
Готовые файла находятся в паке /etc/letsencrypt/live/domain.ru
| cert.pem | сертификат сервера | Apache в SSLCertificateFile |
| chain.pem | сертификат цепочки | Apache в SSLCertificateChainFile |
| fullchain.pem | соединение chain.pem и cert.pem | Apache в SSLCertificateFile Nginx в ssl_certificate |
| privkey.pem | приватный ключ для сертификата | Apache в SSLCertificateKeyFile Nginx в ssl_certificate_key |