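Requesting a certificate with Certbot
Request a wildcard (*) certificate with certbot from the Let's Encrypt certificate service, using manual DNS validation:
certbot certonly --preferred-challenges dns --manual -d '*.test.cn' --server https://acme-v02.api.letsencrypt.org/directory
Request process: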
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.test.cn
Please deploy a DNS TXT record under the name:
_acme-challenge.test.cn.
with the following value:
Zrs3unTYtP3NfuZ9Z43O5ozijIbeh9Rz2ecq5NE1QrA
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.test.cn.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
Press Enter to Continue
Create a scheduled task (cron job) to automatically copy the certificate files to the target directory:
0 0 * * * /bin/cp /etc/letsencrypt/live/test.cn/* /opt/ssl/test.cn
Manually copy the certificate files to the target directory:
cp -f /etc/letsencrypt/live/test.cn/* /opt/ssl/test.cn
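An alternative to the plain cp used in the two copy steps above, as an added example that is not part of the original notes: it copies only files whose content changed, sets the private key to owner-only permissions, and reports whether anything was updated so a service reload can be tied to it. The function name sync_cert is hypothetical; the paths in the usage comment are the ones on this page.

```shell
#!/bin/sh
# Added example (not from the original notes).
# sync_cert is a hypothetical helper name.

# sync_cert SRC_DIR DST_DIR
# Returns 0 if at least one file was updated, 1 if nothing changed,
# 2 on error (missing source file or failed copy).
sync_cert() {
    src=$1
    dst=$2
    changed=1
    mkdir -p "$dst" || return 2
    # File names Certbot places in its live/<name>/ directory.
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "missing $src/$f" >&2; return 2; }
        # Skip files whose content is already identical.
        if [ -f "$dst/$f" ] && cmp -s "$src/$f" "$dst/$f"; then
            continue
        fi
        # Private key: owner read/write only. Certificates are public data.
        case $f in
            privkey.pem) mode=600 ;;
            *)           mode=644 ;;
        esac
        # Write to a temporary name, then rename, so a reader of DST_DIR
        # never sees a partially written file.
        tmp="$dst/.$f.tmp.$$"
        install -m "$mode" "$src/$f" "$tmp" && mv -f "$tmp" "$dst/$f" || {
            rm -f "$tmp"
            return 2
        }
        changed=0
    done
    return $changed
}

# Usage with the paths from this page (run as root, e.g. from cron):
#   sync_cert /etc/letsencrypt/live/test.cn /opt/ssl/test.cn && <reload the service>
```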
Convert to a PFX-format certificate for use with IIS:
openssl pkcs12 -export -out test.com.pfx -in fullchain.pem -inkey privkey.pem
View information about the issued certificates:
certbot certificates
Source document: https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins