使用Certbot申请免费 HTTPS 证书
安装 certbot
# EPEL carries the certbot package, so that repository is enabled first.
yum -y install epel-release
# Install the certbot client itself.
yum -y install certbot
申请一个泛域名 *.klvchen.com
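# Request a wildcard certificate through a manual DNS-01 challenge.
# The name is quoted so the shell hands the literal "*" to certbot instead of
# expanding it against file names in the current directory.
# A wildcard covers a single label of subdomains only; klvchen.com itself is
# not part of this certificate.
certbot certonly -d '*.klvchen.com' --manual --preferred-challenges dns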
# 第一次让你输入邮箱

同意条款

输入Y

根据提示在域名服务商处添加 DNS TXT 解析记录,确认记录已生效后(例如执行 dig -t txt _acme-challenge.klvchen.com 能查到提示中给出的值)再按 回车 继续

如果出现报错,是因为邮件无法发送;出现下面的输出则说明证书已经申请成功

# 在下面查到证书
/etc/letsencrypt/live/klvchen.com/fullchain.pem
/etc/letsencrypt/live/klvchen.com/privkey.pem
测试
# nginx 例子
[chenwenjian@jn52 conf.d]$ cat www.klvchen.com.conf
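# Plain-HTTP listener: its only job is to send clients to the HTTPS site.
server {
    listen 80;
    server_name www.klvchen.com;
    charset utf-8;
    # Redirect to the configured name instead of echoing the client's Host
    # header, so a forged Host value cannot choose the redirect target.
    return 301 https://$server_name$request_uri;
}

# HTTPS listener that serves the static site.
server {
    listen 443 ssl;
    server_name www.klvchen.com;
    charset utf-8;

    # These are relative paths, not /etc/letsencrypt/live/klvchen.com/ itself.
    # If they are copies, they go stale when the certificate is renewed:
    # refresh them (or point at the live/ files) and reload nginx afterwards.
    # privkey.pem is the private key; keep it readable by root only.
    ssl_certificate cert/klvchen.com/fullchain.pem;
    ssl_certificate_key cert/klvchen.com/privkey.pem;
    ssl_session_timeout 10m;

    # TLS 1.0 and 1.1 are deprecated and no longer offered.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it from
    # this line on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The earlier catch-all keywords
    # (ECDH, AES, HIGH) also admitted CBC and non-ephemeral key exchange.
    # ECDSA and RSA variants are both listed so either key type works.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    access_log logs/www.klvchen.com_access.log;
    error_log logs/www.klvchen.com_error.log;

    location / {
        root /juneng/release/test;
        # Unknown paths fall back to index.html (single-page-app routing).
        try_files $uri $uri/ /index.html;
        index index.html index.htm;
    }
}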

续签
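# Option 1: repeat the interactive request and follow the prompts. A new DNS
# TXT value has to be published each time. The wildcard is quoted so the shell
# does not expand it against local file names.
certbot certonly -d '*.klvchen.com' --manual --preferred-challenges dns
# Option 2: renew every certificate that is close to expiry.
# NOTE: a certificate issued with --manual and no --manual-auth-hook cannot be
# renewed unattended, because certbot cannot publish the TXT record itself.
# Check the exit status and the expiry date instead of assuming it worked.
# After a successful renewal nginx must be reloaded (and any copied
# certificate files refreshed), for example from a --deploy-hook script.
certbot renew
# Option 3: same as option 2 with output suppressed, as used from cron.
# With --quiet a failed renewal is easy to miss, so monitor certificate expiry.
certbot renew --quiet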
参考
https://juejin.cn/post/7205839782381928508
https://mp.weixin.qq.com/s?__biz=Mzg4ODg5NzYxMg==&mid=2247484449&idx=1&sn=e09974b81efc5d5daab3e6758f73e3aa&chksm=cff56d02f882e41412ce6129672bd9f8b632dc6e9cc8bac56950d6081080f4e8534613af544c&mpshare=1&scene=23&srcid=0914rZrKdgdKAOi5rbDJVAbH&sharer_shareinfo=f969a747c13c444facd7f64d4d68b18d&sharer_shareinfo_first=f969a747c13c444facd7f64d4d68b18d#rd
