Requesting a Free Let's Encrypt Wildcard Certificate

Sunday, April 22, 2018

Let's Encrypt is a certificate authority launched in the third quarter of 2015. Its goal is to remove the complexity of manually creating and installing certificates through an automated process, to make encrypted connections ubiquitous across web servers, and to provide free SSL/TLS certificates for secure websites.

Any client that supports the ACME v2 protocol can request a Let's Encrypt wildcard certificate (wildcard certificates can only be validated with the DNS challenge). acme.sh is recommended; it is far more convenient than Certbot, the client Let's Encrypt officially recommends.

The most convenient feature of acme.sh is that it can call your DNS provider's API to add the TXT records needed for DNS validation automatically. A single command does the whole job, with no tedious manual steps.

# Set the API credentials for your DNS provider (here DNSPod; the dns_dp hook reads DP_Id and DP_Key).
# These credentials can modify your DNS zone, so protect them like any other secret.
export DP_Id="your_id"
export DP_Key="your_key"
# Issue the certificate automatically. --dns selects your DNS provider's hook;
# for DNSPod that is dns_dp.
# -d names each domain the certificate should cover; * denotes the wildcard.
# The apex domain yuyicai.com must be listed explicitly, otherwise the certificate
# only covers *.yuyicai.com and not yuyicai.com itself.
# Quote the wildcard so the shell does not glob-expand it.
acme.sh --issue --dns dns_dp -d yuyicai.com -d '*.yuyicai.com'
[Sun Apr 22 21:45:09 CST 2018] Registering account
[Sun Apr 22 21:45:18 CST 2018] Registered
[Sun Apr 22 21:45:18 CST 2018] ACCOUNT_THUMBPRINT='xxxxxxxxx'
[Sun Apr 22 21:45:18 CST 2018] Creating domain key
[Sun Apr 22 21:45:18 CST 2018] The domain key is here: /root/.acme.sh/yuyicai.com/yuyicai.com.key
[Sun Apr 22 21:45:18 CST 2018] Multi domain='DNS:yuyicai.com,DNS:*.yuyicai.com'
[Sun Apr 22 21:45:18 CST 2018] Getting domain auth token for each domain
[Sun Apr 22 21:45:25 CST 2018] Getting webroot for domain='yuyicai.com'
[Sun Apr 22 21:45:25 CST 2018] Getting webroot for domain='*.yuyicai.com'
[Sun Apr 22 21:45:25 CST 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_dp.sh
[Sun Apr 22 21:45:25 CST 2018] Adding record
[Sun Apr 22 21:45:25 CST 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_dp.sh
[Sun Apr 22 21:45:26 CST 2018] Adding record
[Sun Apr 22 21:45:26 CST 2018] Sleep 120 seconds for the txt records to take effect
[Sun Apr 22 21:47:27 CST 2018] Verifying:yuyicai.com
[Sun Apr 22 21:47:34 CST 2018] Success
[Sun Apr 22 21:47:34 CST 2018] Verifying:*.yuyicai.com
[Sun Apr 22 21:47:42 CST 2018] Success
[Sun Apr 22 21:47:42 CST 2018] Removing DNS records.
[Sun Apr 22 21:47:44 CST 2018] Verify finished, start to sign.
[Sun Apr 22 21:47:51 CST 2018] Cert success.
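Two details behind the run above, as an added Python example (not code from this post or from acme.sh): how the TXT value published at _acme-challenge.<domain> is derived from the challenge token and the account key thumbprint (the ACCOUNT_THUMBPRINT in the log), and why the apex domain has to be listed explicitly, since a wildcard SAN matches exactly one label. The JWK, token and SAN lists are constructed sample values.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members of the public
    JWK, keys sorted, no whitespace. Extra members such as "alg" or "kid" are
    ignored, so the value is stable across clients. This is what acme.sh prints
    as ACCOUNT_THUMBPRINT after registering the account key."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT record content for a DNS-01 challenge (RFC 8555 section 8.4):
    base64url(SHA-256(token "." thumbprint)). Only the holder of the account key
    can produce this, which is why the CA accepts it as proof of control."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def san_covers(hostname: str, sans) -> bool:
    """Does a certificate with these DNS SANs cover hostname? A wildcard matches
    exactly one left-most label (RFC 6125 section 6.4.3), so '*.example.com'
    covers 'www.example.com' but neither the apex 'example.com' nor 'a.b.example.com'."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                      # ".example.com"
            prefix = host[:-len(suffix)]          # the part the wildcard must absorb
            if host.endswith(suffix) and prefix and "." not in prefix:
                return True
    return False


# Constructed sample account key (not a real key) and challenge token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "c29tZS14", "y": "c29tZS15", "alg": "ES256"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
```

Run `dns01_txt_value(SAMPLE_TOKEN, jwk_thumbprint(SAMPLE_JWK))` to see the exact string acme.sh would push through the DNS API for this account and token.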