当前是在mac下操作
安装certbot
# mac下brew安装即可
brew install certbot
- centos 安装
centos安装文档
申请泛解析证书
sudo certbot certonly --manual --preferred-challenges=dns -d '*.yourdomain.com'## 输出
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.yourdomain.com- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:_asdfase.yourdomain.com.with the following value:
## TXT解析值
有朋自远发来 不亦乐乎## 此处提示注意验证是否已经在域名服务商配置了TXT解析
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/txt.yourdomain.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Press Enter to Continue## 如果多次验证失败 可能有技能冷却时间 文档说是1小时An unexpected error occurred:
Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/youdomain.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/yourdomain.com/privkey.pem
This certificate expires on 2024-04-22.
These files will be updated when the certificate renews.NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
验证证书是否有效
查看证书
sudo certbot certificates## 输出Saving debug log to /var/log/letsencrypt/letsencrypt.log- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:Certificate Name: yourdomain.comoSerial Number: asdfasfasfasdfasKey Type: ECDSADomains: *.yourdomain.comExpiry Date: 2024-04-22 09:45:32+00:00 (VALID: 89 days)Certificate Path: /etc/letsencrypt/live/yourdomain.com/fullchain.pemPrivate Key Path: /etc/letsencrypt/live/yourdomain.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
默认3个月有效期
设置自动续期脚本
echo "0 0,12 * * * root $(command -v python3) -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo $(command -v certbot) renew - q”| sudo tee -a /etc/crontab > /dev/null
-
命令比较简单 用chatgpt做下命令拆解注释
这是一个shell命令,用于在Linux系统中将Certbot自动续订证书的命令添加到crontab中。具体分析如下:echo命令用于输出内容到标准输出。0 0,12 * * *部分是cron时间格式,指定了脚本运行的频率。这里表示在每天的0点和12点运行。root表示以root用户身份运行脚本。$(command -v python3)是用于获取Python3可执行文件的路径,并将其插入命令中。-c 'import random; import time; time.sleep(random.random() * 3600)'是通过Python代码实现延迟执行。这段代码会通过import random导入random模块,然后使用import time; time.sleep(random.random() * 3600)来随机延时一定时间,以避免多个服务器同时请求续订证书。sudo $(command -v certbot) renew -q是用于以root用户身份运行certbot的续订命令。-q参数表示以静默模式运行,输出更少的信息。sudo tee -a /etc/crontab > /dev/null用于将前面的命令的输出追加到/etc/crontab文件中,并将标准输出重定向到/dev/null来忽略输出。这样,命令的输出信息将不会显示在终端上。整个命令使用管道符(|)将输出传递给sudo tee命令,并将其添加到/etc/crontab文件中。通过执行这个命令,会将自动续订Certbot证书的任务添加到cron作业中,以在每天的0点和12点执行。这样就能够自动续订证书,确保证书在到期前得到更新。
-
参考博客
https://ganzhixiong.com/p/95b00866/
letsencrypt官网