1. Download and install the software. Download the latest release from https://github.com/certbot/certbot/ and install it.
(Screenshot: downloading the Certbot installer from GitHub)
Once the download finishes, simply double-click the installer.
After installation, open cmd as Administrator and run certbot --version; if a version number is printed, the installation succeeded:
C:\Windows\System32> certbot --version
certbot 2.5.0
Command-line usage (from certbot --help):
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the certificate (it does not install a webserver for you). The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near expiry
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for
  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script hooks
   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-name or --cert-path)
    delete          Delete a certificate (supply --cert-name)
二、申請(qǐng)通配符證書 的命令 certbot certonly - d "*.example.top" - d example . top -- manual -- preferred - challenges dns - 01 -- server https : // acme - v02 . api . letsencrypt . org / directory
命令說明:
certonly 安裝模式 -d 申請(qǐng)證書的域名,如果是通配符域名輸入 *.http://example.com –manual 使用交互式或腳本鉤子的方式獲取證書 –preferred-challenges dns 使用 DNS 方式校驗(yàn)域名所有權(quán) –server,Let’s Encrypt ACME v2 版本使用的服務(wù)器不同于 v1 版本,需要顯示指定
官網(wǎng)里v2說明
*.example.top換成你想要申請(qǐng)的域名就可以了,接下來,會(huì)提示需要進(jìn)行手動(dòng)驗(yàn)證DNS:
Saving debug log to C:\Certbot\log\letsencrypt.log
Requesting a certificate for *.example.top and example.top
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_acme-challenge.example.top.
with the following value:
MeZetcO-5n_7WeJIitM_eAR8lWUZ2EQriWOg1OxBcaE
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
我的域名是阿里云申請(qǐng)的域名,去域名解析那手動(dòng)添加一條TXT記錄就可以了,我這里申請(qǐng)的是通配符域名,還有一級(jí)域名,就需要添加兩條記錄來驗(yàn)證
Please deploy a DNS TXT record under the name:
_acme-challenge.example.top.
with the following value:
8eBntKwxymhu1erZuE7J9KPZnuxmE6kiYnBrDD3DkXU
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.example.top.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
根據(jù)提示操作完成后,在域名解析那就有兩條TXT記錄了,如下:
設(shè)置好之后的域名解析
接著就會(huì)顯示申請(qǐng)成功的信息了
Successfully received certificate.
Certificate is saved at: C:\Certbot\live\example.top\fullchain.pem
Key is saved at:         C:\Certbot\live\example.top\privkey.pem
This certificate expires on 2023-08-05.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
這里已經(jīng)提示的證書的存放位置,直接進(jìn)c盤去找就好了,這里發(fā)現(xiàn)這些文件是快捷方式,然后還有一個(gè)readme文件,打開里面提示是不要移動(dòng)也不要修改名稱,看一下快捷方式的屬性就發(fā)現(xiàn)證書文件存在了另一個(gè)文件夾:C:\Certbot\archive
This directory contains your keys and certificates.
`privkey.pem`  : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem`    : used for OCSP stapling in Nginx >= 1.3.7.
`cert.pem`     : will break many server configurations, and should not be used
                 without reading further documentation (see link below).
WARNING: DO NOT MOVE OR RENAME THESE FILES!
         Certbot expects these files to remain in this location in order
         to function properly!
We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
既然不讓我移動(dòng)或改名,那我復(fù)制出來使用就可以了。
三、關(guān)于續(xù)簽證書 剛剛申請(qǐng)成功的地方,有一個(gè)關(guān)于續(xù)簽的說明如下:
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
In plain terms: the certificate is not renewed automatically. Automatic renewal of a --manual certificate needs an authentication hook script (--manual-auth-hook), and none was given, so the same certbot command has to be run again before the expiry date.
So as I understand it, renewing simply means making the request again. That is no great effort, a few minutes at most, so I will just re-apply next time. (Let's Encrypt certificates are valid for 90 days and Certbot's own renew command only acts in the last 30 days before expiry, so set a reminder well ahead of the date shown in the output above; the moment you forget is the moment the site starts serving an expired certificate.)
轉(zhuǎn)自https://zhuanlan.zhihu.com/p/627526278
該文章在 2025/6/10 14:47:32 編輯過