--
Wildcard domain DNS automation
- https://certbot.eff.org/docs/using.html#dns-plugins
- https://github.com/siilike/certbot-dns-standalone
--
References
--
Get certbot-auto and run it
```bash
# wget https://dl.eff.org/certbot-auto
# chmod a+x ./certbot-auto
```
Single site
```bash
# certbot certonly --webroot -w /WEBSite/www/WWW/ -d hoyo.idv.tw
```
Wildcard domain
```bash
# ./certbot-auto certonly --manual --preferred-challenges dns -d *.hoyo.idv.tw
```
When running it, remember to request a certificate that covers both the wildcard domain and the bare domain name; otherwise using the bare domain name on its own gives the SSL_ERROR_BAD_CERT_DOMAIN certificate error.
```text
[root@hoyoserver ~]# ./certbot-auto certonly --manual --preferred-challenges dns -d *.hoyo.idv.tw -d hoyo.idv.tw
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for hoyo.idv.tw

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.hoyo.idv.tw with the following value:

2ezwTObsoUiEdGvpi9t3_UTTwXl3_02MkAzXNUl4MJg

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hoyo.idv.tw/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hoyo.idv.tw/privkey.pem
   Your cert will expire on 2019-01-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
Edit DNS
```bash
vi /etc/named/hoyo.idv.tw.db
```
```text
_acme-challenge.hoyo.idv.tw. 600 IN TXT "PR-w7263U8CSYKmH8gbydAWjVhXnS7QZdfHFysF7fCE"
_acme-challenge.hoyo.idv.tw. 601 IN TXT "h_FU0vnvtDKAIRx-QCY0JPsQRUqyMp_Qu2iJQDtSEtY"
```
Restart DNS
```bash
# systemctl restart named
```
Verify
```text
[root@hoyoserver ~]# dig _acme-challenge.hoyo.idv.tw txt

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> _acme-challenge.hoyo.idv.tw txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16167
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.hoyo.idv.tw.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.hoyo.idv.tw. 599	IN	TXT	"2ezwTObsoUiEdGvpi9t3_UTTwXl3_02MkAzXNUl4MJg"

;; Query time: 54 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: 日 10月 14 00:03:23 CST 2018
;; MSG SIZE  rcvd: 112
```
Press Enter to continue; if nothing goes wrong, the following output means the certificate has been created.
```text
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hoyo.idv.tw/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hoyo.idv.tw/privkey.pem
   Your cert will expire on 2018-08-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
--
Wildcard domain with DNS validation
```bash
# ./certbot-auto certonly --manual --preferred-challenges dns -d *.hoyo.idv.tw -d hoyo.idv.tw
```
--
Web (HTTP) validation
Before validating, note that any URL rewrite, such as an http-to-https redirect, must be turned off, otherwise the validation fails.
--
Online dig
--
Automatic certificate renewal
- BIND9 DNS Challenge: automatically configuring a Let's Encrypt wildcard HTTPS certificate
- Let's Encrypt certificate generation: generating a wildcard SSL certificate with certbot-auto and configuring automatic HTTPS renewal
- certbot
- Currently renewed manually -
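The manual TXT edit above is what stops `certbot-auto renew` from being unattended. As an added example, not from the original post or from certbot, here is a hook pair for `--manual-auth-hook` / `--manual-cleanup-hook` that writes the challenge into the BIND zone file used above. It relies on certbot exporting CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; the zone-file path, the `; serial` comment on the SOA serial line, and passing the mode as a hook argument are assumptions. Because the wildcard and the bare name are both validated under `_acme-challenge.hoyo.idv.tw`, the hook appends rather than overwrites, and cleanup removes only its own token.

```shell
#!/bin/sh
# Added example (not the post's or certbot's code): certbot manual hooks for a
# BIND zone. Two challenges share the name _acme-challenge.hoyo.idv.tw, so
# add_txt appends and del_txt removes only the matching token. ZONE_FILE and
# the "; serial" marker on the SOA serial line are assumptions.
set -eu
ZONE_FILE="${ZONE_FILE:-/etc/named/hoyo.idv.tw.db}"

# Only a base64url token may be written into the root-owned zone file.
valid_token() {
    case "$1" in "" | *[!A-Za-z0-9_-]*) return 1 ;; esac
}

# Append one TXT record; a second challenge for the same name adds a second line.
add_txt() {   # add_txt ZONE NAME TOKEN
    valid_token "$3" || { echo "refusing invalid token" >&2; return 1; }
    printf '%s. 600 IN TXT "%s"\n' "$2" "$3" >> "$1"
}

# Remove exactly the record carrying this token and leave the sibling alone.
del_txt() {   # del_txt ZONE NAME TOKEN
    valid_token "$3" || return 1
    awk -v rec="$2. 600 IN TXT \"$3\"" '$0 != rec' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Increment the SOA serial so secondaries and caches notice the change.
bump_serial() {   # bump_serial ZONE
    awk '!done && /; serial$/ { sub(/[0-9]+/, sprintf("%d", $1 + 1)); done = 1 } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# How many challenge records are currently published for NAME.
txt_count() {   # txt_count ZONE NAME
    awk -v n="$2." '$1 == n && $4 == "TXT" { c++ } END { print c + 0 }' "$1"
}

# Assumed invocation (certbot runs hooks through a shell, so a mode argument works):
#   --manual-auth-hook "/root/acme-hook.sh auth" --manual-cleanup-hook "/root/acme-hook.sh cleanup"
case "${1:-}" in
    auth)
        add_txt "$ZONE_FILE" "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
        bump_serial "$ZONE_FILE"
        systemctl restart named
        sleep 15 ;;   # let the restarted server settle before Let's Encrypt queries it
    cleanup)
        del_txt "$ZONE_FILE" "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
        bump_serial "$ZONE_FILE"
        systemctl restart named ;;
esac
```

Verify with `dig _acme-challenge.hoyo.idv.tw txt` against your own name server that both tokens are visible before trusting the hook in a renewal cron job.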
--
Other notes
- Failed commands also count against the rate limits
- SSL_ERROR_BAD_CERT_DOMAIN: hoyo.idv.tw is not the same as *.hoyo.idv.tw; you must either use a certificate for hoyo.idv.tw or redirect hoyo.idv.tw to www.hoyo.idv.tw before the wildcard certificate can be used
--
Re-subscribe
If you accidentally unsubscribe, with Gmail you can add +1 after the account name to subscribe again; other mail servers have not been tested.
```bash
certbot update_account --email yourname+1@gmail.com
```