Chinese cloud providers such as Alibaba Cloud and Tencent Cloud offer free SSL certificates, but they are free for one year only and do not include wildcard certificates; paid certificates start at roughly 1K per year, which an individual user can hardly justify. Fortunately we still have Let's Encrypt.
Let's Encrypt certificates are valid for only 90 days, but renewal can be automated with tooling, and wildcard certificates are free: one certificate can then serve several web applications under the same domain.
Let's Encrypt is a certificate authority launched in the third quarter of 2015. Its goal is to replace the manual, error-prone process of creating and installing certificates with an automated one and to make encrypted connections to web servers ubiquitous, by issuing free Transport Layer Security (TLS) certificates.
With the backing of Mozilla, Cisco, Akamai, the Electronic Frontier Foundation, Chrome and many other companies and institutions, Let's Encrypt has grown rapidly.
There are many articles online about obtaining certificates with Let's Encrypt scripts, but most of them are somewhat dated. This article follows the current official instructions step by step.
- DNS provider: alicloud
- Server: CentOS Linux release 8.4.2105
- Certificate type: DV SSL certificate, wildcard certificate
For background on certificate types, see: cloud.tencent.com/developer/articl…
snap is to Linux what the app store is to your phone: an easy way to install and manage applications. We will use it to install certbot.
Install snapd from EPEL:
$ sudo dnf install epel-release
$ sudo dnf upgrade
$ sudo dnf install snapd
Enable the systemd unit that manages the snap communication socket:
$ sudo systemctl enable --now snapd.socket
Enable classic snap support (certbot is a classic snap):
$ sudo ln -s /var/lib/snapd/snap /snap
Then log out and back in (or reboot) so that the snap paths are picked up by your shell.
Certbot is a free and open-source tool that obtains and renews Let's Encrypt certificates for us.
Make sure the snap core is up to date:
$ sudo snap install core
$ sudo snap refresh core
Remove any old certbot or certbot-auto package so that the snap version is the only certbot on the PATH:
$ sudo dnf remove certbot
Install certbot as a classic snap and link it into the PATH:
$ sudo snap install --classic certbot
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
Acknowledge that any certbot plugin snap you install later (for example a DNS plugin) will run with the same classic confinement as the certbot snap itself, i.e. with full root access to the system. The official instructions ask for this step even if you install no plugin; it is worth knowing what you are trusting:
$ sudo snap set certbot trust-plugin-with-root=ok
Run the following command to obtain a certificate for the wildcard domain *.xxx.com (if the bare domain xxx.com should be covered as well, add a second -d xxx.com, since the wildcard does not match it):
$ sudo certbot certonly -d "*.xxx.com" --manual --preferred-challenges dns-01
- certonly: obtain or renew a certificate, but do not install it into a web server.
- -d: the domain name(s) to obtain the certificate for; multiple names are separated by commas (or given with repeated -d). A leading * marks a wildcard. Note that a wildcard matches exactly one label: *.xxx.com covers a.xxx.com but neither xxx.com itself nor a.b.xxx.com. To protect second-level subdomains such as a.b.xxx.com you need a further wildcard entry *.b.xxx.com.
- --manual: obtain the certificate interactively, or through shell script hooks.
- --preferred-challenges: the method certbot uses to prove that you control the domain. Wildcard names can only use dns-01, which means adding a specific TXT record at your DNS provider.
For the remaining command-line options, refer to the certbot documentation or run certbot --help all.
Press Enter to proceed interactively. Certbot asks for an email address (used for expiry notices) and for acceptance of the terms of service. The general flow is shown in the screenshot below:
In the final step, the command line prompts you to add a DNS TXT record named _acme-challenge.xxx.com with a value it displays. Do not press Enter yet: first add that TXT record for your domain at your DNS provider, for example in Alibaba Cloud DNS (record type TXT, host record _acme-challenge, value as shown by certbot).
After adding it, wait about 10 seconds for it to take effect. Let's Encrypt queries your zone's authoritative name servers, so check from the command line with dig +short TXT _acme-challenge.xxx.com that the new value is visible before you return to certbot and press Enter; certbot then validates the record and reports whether the certificate was issued.
Certbot places the certificate under a directory such as /etc/letsencrypt/live/xxx.com/: fullchain.pem (the certificate plus intermediate chain, which is what you hand to nginx or Apache) and privkey.pem (the private key, which must stay readable by root only). The files there are symlinks into /etc/letsencrypt/archive/, so always reference the live/ paths from your web server configuration; they keep pointing at the newest certificate after each renewal.
After the certificate has been obtained, try a renewal:
$ sudo certbot renew --dry-run
--dry-run runs the renewal against the Let's Encrypt staging environment without actually replacing the certificate. Barring surprises, you will see an error message.
Don't panic, this is expected. Recall the final step of obtaining the certificate: we had to add the TXT record certbot asked for at the DNS provider by hand. Certbot holds no credentials for our DNS provider, so in an unattended run it cannot add the record for us. The key line in the error message is:
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
It tells us that in non-interactive mode we must pass --manual-auth-hook, which names a hook script in which the TXT record is added. DNS providers generally expose an API for this, so we can write our own script that calls the API to add the TXT record, or use the repository on GitHub cloned below.
The steps for renewing the certificate with that repository, in brief:
$ git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
Configure the root domain
Check whether domain.ini already lists your root domain; if not, add it yourself.
Configure the DNS API keys
Obtain the key ID and secret needed to call the API from your DNS provider and fill them into auth.sh. These credentials can rewrite your DNS, so create them for a sub-account (on Alibaba Cloud, a RAM user) that has DNS permissions only, and keep auth.sh readable by root alone (chmod 600 auth.sh).
$ sudo certbot renew --manual-auth-hook "<script directory>/au.sh python aly add" --manual-cleanup-hook "<script directory>/au.sh python aly clean" --dry-run
--manual-cleanup-hook names the script that cleans up afterwards; here it removes the TXT record that was used for validation. Note that --dry-run is included again, so this only tests whether the renewal procedure works and does not actually renew the certificate.
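To make the hook contract concrete, here is an added example of a hook script for the manual dns-01 flow. It is not the post's code and not the ywdblog repository's au.sh. It covers both the interactive step above (polling the authoritative name server for the TXT record before you continue) and the unattended --manual-auth-hook / --manual-cleanup-hook step. The ROOT_ZONES list is a constructed stand-in for domain.ini with the zones xxx.com and example.org, and the aliyun CLI invocations (AddDomainRecord / DeleteDomainRecord and the RecordId field) are assumptions to be checked against your provider's documentation. Certbot itself does export CERTBOT_DOMAIN, CERTBOT_VALIDATION and, for the cleanup hook, CERTBOT_AUTH_OUTPUT.

```shell
#!/usr/bin/env bash
# Added example: a hook script for certbot's manual dns-01 flow. Not the post's code
# and not the ywdblog repository's au.sh. certbot runs the auth hook with
# CERTBOT_DOMAIN and CERTBOT_VALIDATION in the environment, and the cleanup hook
# additionally with CERTBOT_AUTH_OUTPUT (whatever the auth hook printed).
# Usage by certbot:
#   --manual-auth-hook "/path/acme-hook.sh add" --manual-cleanup-hook "/path/acme-hook.sh clean"
set -eu

# Constructed stand-in for the repository's domain.ini: zones you own at the provider.
# List the most specific zone first if one zone is a subdomain of another.
ROOT_ZONES="xxx.com example.org"

# Map the name certbot is validating to "<RR> <zone>", which is how DNS APIs such as
# Alibaba Cloud's address a record. Wildcards need the record at the base name:
#   *.xxx.com   -> _acme-challenge xxx.com
#   a.b.xxx.com -> _acme-challenge.a.b xxx.com
acme_rr_and_zone() {
  fqdn="${1#\*.}"   # certbot already passes the base name for wildcards; strip "*." defensively
  for zone in $ROOT_ZONES; do
    if [ "$fqdn" = "$zone" ]; then
      echo "_acme-challenge $zone"
      return 0
    fi
    case "$fqdn" in
      *."$zone") echo "_acme-challenge.${fqdn%.$zone} $zone"; return 0 ;;
    esac
  done
  echo "no configured root zone matches $fqdn" >&2
  return 1
}

# True if "dig +short TXT" output on stdin contains the expected value. dig prints
# each string quoted; ACME validation values are short enough to be a single chunk.
txt_answer_has() {
  tr -d '"' | grep -qxF -- "$1"
}

# Poll the zone's own authoritative name server (not the caching resolver) until the
# record is visible or the timeout expires. This is the check worth running before
# pressing Enter in the interactive flow, too: Let's Encrypt asks the authoritative
# servers, so a record your local resolver cannot see yet will fail validation.
wait_for_txt() {
  name="$1"; value="$2"; zone="$3"; tries="${4:-30}"
  ns="$(dig +short NS "$zone" | head -n 1)"
  while [ "$tries" -gt 0 ]; do
    if dig +short TXT "$name" ${ns:+"@$ns"} | txt_answer_has "$value"; then
      return 0
    fi
    tries=$((tries - 1))
    sleep 5
  done
  echo "TXT $name with the expected value never became visible at ${ns:-resolver}" >&2
  return 1
}

# Assumed provider adapter (the aliyun CLI invocation and its JSON field name are
# assumptions here; check them against your provider's docs). AddDomainRecord returns
# a RecordId; printing only that id hands it to the cleanup hook via CERTBOT_AUTH_OUTPUT,
# so cleanup deletes exactly the record this run created and nothing else.
add_txt_record() {
  aliyun alidns AddDomainRecord --DomainName "$1" --RR "$2" --Type TXT --Value "$3" \
    | sed -n 's/.*"RecordId" *: *"\{0,1\}\([0-9A-Za-z]*\)"\{0,1\}.*/\1/p'
}
delete_txt_record() {
  if [ -n "$1" ]; then
    aliyun alidns DeleteDomainRecord --RecordId "$1"
  fi
}

main() {
  rr_zone="$(acme_rr_and_zone "$CERTBOT_DOMAIN")"   # aborts the hook if the zone is unknown
  rr="${rr_zone% *}"; zone="${rr_zone#* }"
  case "${1:-}" in
    add)
      add_txt_record "$zone" "$rr" "$CERTBOT_VALIDATION"
      wait_for_txt "$rr.$zone" "$CERTBOT_VALIDATION" "$zone"
      ;;
    clean)
      delete_txt_record "${CERTBOT_AUTH_OUTPUT:-}"
      ;;
    *)
      echo "usage: $0 add|clean (invoked by certbot through --manual-auth-hook / --manual-cleanup-hook)" >&2
      return 2
      ;;
  esac
}

# Only act when certbot invoked us (CERTBOT_DOMAIN set); otherwise the functions above
# can be sourced and exercised on their own.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  main "$@"
fi
```

Keep the script mode 700 and owned by root, because certbot runs it as root, and keep the provider credentials in a separate root-only file that the aliyun CLI reads, not in the script itself. Returning the RecordId from the auth hook is the point of CERTBOT_AUTH_OUTPUT: the cleanup hook then removes only the record it created, which matters when several validations for the same zone run back to back.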
Renew the certificate on a schedule
Once the scripted renewal succeeds, add a scheduled task to crontab so that the certificate renews itself and we never have to worry about it expiring. Edit root's crontab (sudo crontab -e, since certbot needs to write under /etc/letsencrypt) and add the following task:
# Certbot only renews certificates with less than 30 days of validity left, so the job can run daily or weekly
1 1 */1 * * certbot renew --manual-auth-hook "<script directory>/au.sh python aly add" --manual-cleanup-hook "<script directory>/au.sh python aly clean"
If a web server serves the certificate, append --deploy-hook "systemctl reload nginx" (or the equivalent for your server) so that the renewed certificate is actually loaded; otherwise the old one stays in memory until the next restart.
This work is licensed under a CC license; reprints must credit the author and link to this article.