
Certbot free certificates, part 1: deploying certbot on CentOS 7 and requesting a free certificate

Author: 千里行走
Published 2022-08-31 10:40:38
Column: 千里行走

Network topology:

Public traffic -> zenlayer -> aws-lb -> apisix

We need to configure certbot certificates on zenlayer and aws-lb, because they are free and therefore cheap.

Contents:

(1). Deploy certbot on CentOS 7
(2). Request a free certbot certificate
(3). Inspect the certificate
(4). Certificate renewal
(5). Configure the certificate on zenlayer
(6). Configure the certificate on aws-lb
(7). Related commands
(8). References

(1). Deploy certbot on CentOS 7

Find a CentOS 7 machine and verify the OS version:

cat /proc/version

Install certbot:

sudo yum install certbot

Check the certbot version, because ACME v2 is only supported from certbot 0.20.0 onward.

After installation you can see the installed components and dependencies:

certbot --version

If the yum repositories do not provide certbot, install the EPEL repository first:

$ sudo yum install epel-release

(2). Request a free certbot certificate

Command to request a wildcard certificate (the wildcard is quoted so the shell does not glob-expand it):

sudo certbot certonly -d test.cc -d '*.test.cc' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

Main parameters:

a1. certonly is one of certbot's many plugins; other plugins can be chosen.
a2. -d specifies which hosts to request the certificate for; for a wildcard, enter *.yourdomain.com.
a3. Also request yourdomain.com itself, so that the bare domain is not left unmatched by the wildcard certificate.
a4. --preferred-challenges dns uses DNS validation to prove ownership of the domain.
a5. Wildcard certificates can only be requested with the dns-01 challenge.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): test@outlook.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf.
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot?
We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

Account registered.
Requesting a certificate for test.cc and *.test.cc
Performing the following challenges:
dns-01 challenge for test.cc
dns-01 challenge for test.cc

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.test.cc with the following value:

snZDWRDuIo4mOHXXYYZZZZZZZZZZZZZZZZZZZZlOsk_GCX6Y

Before continuing, verify the record is deployed.

(At this point the DNS TXT record has to be configured in the GoDaddy DNS zone; it must be verified first, otherwise the request fails.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Do not continue yet!!

Interactive prompts:

a1. Enter an email address, to receive urgent renewal or security notices.
a2. Agree to the license agreement.
a3. Agree to the domain and IP binding.
a4. Bind the TXT record value in DNS to prove ownership of the domain.

At this point, go to your DNS provider and create a record named _acme-challenge.yourdomain.com with type TXT. Do not press Enter before you have confirmed that the TXT record has taken effect.

Open a new ssh window and run the following command to confirm whether the TXT record is in effect:

dig -t txt _acme-challenge.test.cc @8.8.8.8

You can see that the record has taken effect.
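As an added example (not part of the original post), the following script automates that dig check: it polls the resolver until the _acme-challenge TXT record actually carries the token certbot printed, so that Enter is pressed only once the record is visible and the challenge cannot fail on propagation delay. The record name, token, resolver and retry settings are arguments; the sample values in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: wait until a DNS resolver returns
# the expected dns-01 token in the _acme-challenge TXT record before you let
# certbot continue. Record name, token and resolver are assumptions/arguments.

# txt_has_token DIG_OUTPUT TOKEN
# Returns 0 if any non-comment answer line of type TXT contains "TOKEN" in quotes.
txt_has_token() {
    printf '%s\n' "$1" \
        | grep -E '^[^;].*[[:space:]]IN[[:space:]]+TXT[[:space:]]' \
        | grep -Fq "\"$2\""
}

# wait_for_txt NAME TOKEN [RESOLVER] [ATTEMPTS] [SLEEP_SECONDS]
# Queries RESOLVER (default 8.8.8.8, as in the post) until the token shows up
# or ATTEMPTS is exhausted. Returns 0 on success, 1 on timeout.
wait_for_txt() {
    name=$1; token=$2; resolver=${3:-8.8.8.8}; attempts=${4:-30}; delay=${5:-10}
    i=1
    while [ "$i" -le "$attempts" ]; do
        out=$(dig -t txt "$name" "@$resolver" 2>/dev/null)
        if txt_has_token "$out" "$token"; then
            echo "TXT record for $name carries the expected token (attempt $i)"
            return 0
        fi
        echo "attempt $i/$attempts: token not visible at $resolver yet, sleeping ${delay}s"
        i=$((i + 1))
        sleep "$delay"
    done
    echo "gave up: $name does not show the token at $resolver" >&2
    return 1
}

# Usage: sh wait_txt.sh _acme-challenge.test.cc <token printed by certbot> [resolver]
if [ "$#" -ge 2 ]; then
    wait_for_txt "$@"
fi
```

When certbot asks for a second value under the same name (base domain plus wildcard), keep the first TXT record in place and run the check again with the second token.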

Go back to the original ssh window and press Enter.

Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: test@outlook.com).

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/test.cc/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/test.cc/privkey.pem
  Your certificate will expire on 2022-08-18. To obtain a new or
  tweaked version of this certificate in the future, simply run
  certbot again. To non-interactively renew *all* of your
  certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le

(3). Inspect the certificate

After a successful request, the certificate is stored under /etc/letsencrypt by default:

$ cd /etc/letsencrypt/
$ ls
accounts archive csr keys live renewal renewal-hooks

You can verify the certificate details:

$ sudo openssl x509 -in /etc/letsencrypt/live/yourdomain.com/cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
...
        Authority Information Access:
            OCSP - URI:http://ocsp.int-x3.letsencrypt.org
            CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
        X509v3 Subject Alternative Name:
            DNS:*.yourdomain.com, DNS:yourdomain.com
        X509v3 Certificate Policies:
...

The SAN extension of the certificate contains *.yourdomain.com, which shows the range of names the requested certificate matches.

For example:

/etc/letsencrypt/live/test.cc

(4). Certificate renewal

By default certbot will renew a certificate once it is within 30 days of expiry. For ordinary certificates you can use certbot's built-in command together with a cron expression to run the job on a schedule. This will be covered in a separate article.
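An added example, not from the original post: a small POSIX shell script that reads notAfter from a lineage's cert.pem with openssl and reports whether the certificate is inside certbot's 30-day renewal window, which is the check a cron job would run before calling certbot renew. The lineage name and the /etc/letsencrypt/live path are assumptions, and the date parsing relies on GNU date.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether a certbot lineage
# is inside the default 30-day renewal window. Lineage name and paths are
# assumptions; date parsing uses GNU date (CentOS 7 ships it).

RENEW_WINDOW_DAYS=30

# days_left NOT_AFTER [NOW_EPOCH]
# NOT_AFTER is the text openssl prints, e.g. "Aug 18 00:00:00 2022 GMT".
# Prints whole days remaining; negative if the certificate has already expired.
days_left() {
    end=$(date -u -d "$1" +%s)
    now=${2:-$(date -u +%s)}
    echo $(( (end - now) / 86400 ))
}

# needs_renewal NOT_AFTER [NOW_EPOCH]
# Returns 0 when the certificate is within RENEW_WINDOW_DAYS of expiry.
needs_renewal() {
    [ "$(days_left "$1" "$2")" -le "$RENEW_WINDOW_DAYS" ]
}

# check_lineage NAME
# Inspects /etc/letsencrypt/live/NAME/cert.pem (assumed lineage layout).
# Exit status 1 means "renew now", so cron can chain: check || certbot renew
check_lineage() {
    cert="/etc/letsencrypt/live/$1/cert.pem"
    not_after=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    left=$(days_left "$not_after")
    if needs_renewal "$not_after"; then
        echo "$1: expires in $left day(s) ($not_after) -> run 'certbot renew'"
        return 1
    fi
    echo "$1: expires in $left day(s) ($not_after), outside the renewal window"
}

# Usage: sh check_renew.sh test.cc
if [ "$#" -ge 1 ]; then
    check_lineage "$1"
fi
```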

(5). Configure the certificate on zenlayer

Certificate content: paste the contents of fullchain.pem
Private key content: paste the contents of privkey.pem

(6). Configure the certificate on aws-lb

Certificate private key: paste the contents of privkey.pem
Certificate body: paste the contents of cert.pem
Certificate chain: paste the contents of fullchain.pem

(7). Related commands

Create a certbot certificate:

sudo certbot certonly -d tests.cc -d '*.tests.cc' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

Verify whether the DNS challenge record is in effect:

dig -t txt _acme-challenge.tests.cc @8.8.8.8

(8). References

1. Installing a Let's Encrypt wildcard certificate on CentOS 7
https://qizhanming.com/blog/2019/04/23/how-to-install-let-s-encrypt-wildcards-certificate-on-centos-7

Originally published 2022-06-08, shared from the WeChat public account 千里行走.