Automatic HTTPS certificate generation with certbot
Install the EPEL repository
yum -y install epel-release.noarch
Install the certbot RPM package
yum -y install certbot
Start generating the certificate (the wildcard name is quoted so the shell does not expand it)
certbot certonly --manual -d '*.6666li.club'
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Enter 'c' to cancel):  ***.@**.com      --- enter your email address (only asked on the first run)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:     --- enter A (only asked on the first run)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:                  --- enter Y or N (only asked on the first run)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y                  --- enter Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Please deploy a DNS TXT record under the name
_acme-challenge.6666li.club with the following value:
8Irdbsr18mcZV5xZYAEo_pb0FlEY7IV42ElCXdQj8Ng
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue      
Manually add a TXT record named _acme-challenge with the value 8Irdbsr18mcZV5xZYAEo_pb0FlEY7IV42ElCXdQj8Ng
Verification command
dig txt _acme-challenge.6666li.club
The output is as follows
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> txt _acme-challenge.6666li.club
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1470
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_acme-challenge.6666li.club.	IN	TXT
;; ANSWER SECTION:
_acme-challenge.6666li.club. 5	IN	TXT	"8Irdbsr18mcZV5xZYAEo_pb0FlEY7IV42ElCXdQj8Ng"
;; Query time: 55 msec
;; SERVER: 192.168.11.2#53(192.168.11.2)
;; WHEN: Mon May 20 10:30:06 CST 2019
;; MSG SIZE  rcvd: 101
Verification succeeded
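An added example, not part of the original post: a shell check that extracts the TXT values for the challenge name from dig output and succeeds only if the expected value is among them, so Enter is pressed only once the record is visible. The function names, the default resolver 8.8.8.8 and the second sample record are assumptions made for illustration; the sample is constructed from the dig output above.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the ACME DNS-01 TXT
# record is visible before pressing Enter at the certbot prompt.

# Print each TXT value found in the ANSWER SECTION for name $1.
# Reads the full output of `dig txt <name>` on stdin.
txt_values() {
    awk -v want="$1." '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/         { in_answer = 0 }
        in_answer && tolower($1) == tolower(want) && $4 == "TXT" {
            val = $5
            gsub(/"/, "", val)   # dig prints TXT strings in double quotes
            print val
        }'
}

# Succeed only if value $2 is one of the TXT records for name $1 (stdin: dig output).
# -F -x: exact whole-line match; "--" because base64url values may start with "-".
txt_record_deployed() {
    txt_values "$1" | grep -Fxq -- "$2"
}

# Live check (needs network). The resolver default is an assumption; a public
# resolver avoids trusting a stale answer from the local cache.
check_live() {   # usage: check_live NAME VALUE [RESOLVER]
    dig txt "$1" "@${3:-8.8.8.8}" | txt_record_deployed "$1" "$2"
}

# Constructed sample: the first record is the value shown above, the second is
# a made-up value, since several TXT values can coexist under the same name.
SAMPLE_DIG_OUTPUT=';; QUESTION SECTION:
;_acme-challenge.6666li.club. IN TXT
;; ANSWER SECTION:
_acme-challenge.6666li.club. 5 IN TXT "8Irdbsr18mcZV5xZYAEo_pb0FlEY7IV42ElCXdQj8Ng"
_acme-challenge.6666li.club. 5 IN TXT "-constructed-second-value-for-illustration"
;; Query time: 55 msec'

if printf '%s\n' "$SAMPLE_DIG_OUTPUT" |
    txt_record_deployed _acme-challenge.6666li.club 8Irdbsr18mcZV5xZYAEo_pb0FlEY7IV42ElCXdQj8Ng
then
    echo "TXT record deployed: safe to press Enter"
fi
```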
Back at the certbot prompt from the previous step, press Enter to continue
Please deploy a DNS TXT record under the name
_acme-challenge.6666li.club with the following value:
8Irdbsr18mcZV5xZYAEo_pb0FlEY7IV42ElCXdQj8Ng
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue  
The certificate was generated successfully
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/6666li.club/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/6666li.club/privkey.pem
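Command for automatic certificate renewal (a certificate obtained with --manual renews unattended only when a --manual-auth-hook script is configured to deploy the TXT record)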
certbot renew
Generate the HA certificate
cat  fullchain.pem  privkey.pem > servername.pem