2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains how to apply for a Let's Encrypt wildcard HTTPS certificate. Many people have questions about this in day-to-day operations, so the editor consulted various materials and put together a simple, easy-to-follow procedure.
Note: This tutorial was written for CentOS 7; other Linux systems are similar.
2018.03.15 20:48 Updated: added the method of obtaining certificates through acme.sh, which is strongly recommended
2018.08.13 18:30 Added a method of obtaining certificates via a Docker image
First, the acme.sh method
1. Install acme.sh
    curl https://get.acme.sh | sh
A successful installation looks as shown below
Note: On CentOS 7 I ran into a problem: after installation, running acme.sh reported "command not found". If you hit the same problem, close the terminal and log in again, or run the following command:
    source ~/.bashrc
2. Start obtaining certificates
The strength of acme.sh is that it can configure DNS automatically, so you do not have to add the resolution record by hand in your domain registrar's console. My domain is registered with Alibaba Cloud, so the example below uses Alibaba Cloud DNS; if your domain is registered elsewhere, refer to the following and adjust accordingly: Portal
Go to the Alibaba Cloud console to get App_Key and App_Secret (Portal), then run the following script
    # Replace with the key obtained from the Alibaba Cloud console
    export Ali_Key="sdfsdfljlbjkljkjsdfoiwje"
    export Ali_Secret="jlsdflanjkljlfdsaklkjflsa"
    # Replace with your own domain name; the wildcard is quoted so the shell does not expand it
    acme.sh --issue --dns dns_ali -d zhuziyu.cn -d '*.zhuziyu.cn'
acme.sh waits for the DNS record to take effect by sleeping for 120 seconds, so expect to wait at least two minutes
That's it, all done.
The generated certificates are placed under this directory: ~/.acme.sh/domain/
Here is an example of Nginx using this certificate:
    # replace "domain" with your own domain name
    server {
        server_name xx.domain.com;
        listen 443 http2 ssl;
        ssl_certificate /path/.acme.sh/domain/fullchain.cer;
        ssl_certificate_key /path/.acme.sh/domain/domain.key;
        ssl_trusted_certificate /path/.acme.sh/domain/ca.cer;
        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass http://127.0.0.1:10086;
        }
    }
acme.sh is more automated than certbot: there is no need to change DNS records by hand in the domain console, and it does not depend on Python. Strongly recommended.
After the first successful run, acme.sh records App_Key and App_Secret and creates a scheduled task that runs at 0:00 every day to detect expired domains and renew them automatically. If this concerns you, use the method with care; you can also delete the user-level scheduled task and clean up the ~/.acme.sh folder.
Second, obtaining the certificate with a Docker image
If Docker is installed, you can also obtain the certificate with the Docker image, using a single command
    docker run --rm -it \
      -v "$(pwd)/out":/acme.sh \
      -e Ali_Key="xxxxxx" \
      -e Ali_Secret="xxxx" \
      neilpang/acme.sh --issue --dns dns_ali -d domain.cn -d '*.domain.cn'
On success, the certificate is saved in the out folder under the current directory. To save it elsewhere, change "$(pwd)/out" in the -v line above to the path you want.
For detailed usage, please refer to: Portal
The certificate obtained is exactly the same as the one obtained with the first method. For everything else, refer to the first method.
Third, the certbot method of obtaining certificates [not recommended]
1. Get certbot-auto
    # Download
    wget https://dl.eff.org/certbot-auto
    # Make it executable
    chmod a+x certbot-auto
2. Start applying for the certificate
    # Note: replace xxx.com with your own domain name
    ./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.xxx.com" --manual --preferred-challenges dns-01 certonly
When this step runs, some required dependencies are downloaded first. After a while you are prompted for an email address. You can enter any email address (it is used for security notices and renewal reminders).
Note that wildcard certificates can only be issued through DNS validation. Follow the prompts and add the corresponding DNS TXT record in your domain console. After adding it, do not press Enter right away: first run dig xxxx.xxx.com txt to confirm that the record has taken effect, then go back and press Enter to confirm
After this step, it's done! The certificates are stored under /etc/letsencrypt/live/xxx.com/
If you want to renew, just execute certbot-auto renew.
Note: As pointed out by ddatsh in the comment area, a certificate issued this way does not cover the primary domain xxx.com. To include the primary domain in the certificate, add it to the command at the start of the application step, as shown below. Note that in this case you need to modify the resolution record twice.
    ./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.xxx.com" -d "xxx.com" --manual --preferred-challenges dns-01 certonly
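The coverage gap noted above, as an added example that is not part of the original article: a POSIX shell check of which hostnames a certificate's SAN list covers, and of the TXT record name that dns-01 validation uses for each -d value. The function names are hypothetical and xxx.com is the article's placeholder domain.

```shell
#!/bin/sh
# Added example; function names are hypothetical, xxx.com is a placeholder.

# challenge_name DOMAIN -> DNS name of the dns-01 TXT record.
# The "*." prefix is dropped, so "*.xxx.com" and "xxx.com" share one name
# and that name has to carry two TXT values.
challenge_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# cert_covers HOST SAN... -> exit 0 if any SAN entry covers HOST.
# A wildcard stands for exactly one leftmost label: no apex, no deeper levels.
# (A plain shell glob would be wrong here, because "*" also matches dots.)
cert_covers() {
    _host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
    for _san in "$@"; do
        _san=$(printf '%s' "$_san" | tr '[:upper:]' '[:lower:]')
        case $_san in
            '*.'*)
                _label=${_host%%.*}   # leftmost label of the host
                _rest=${_host#*.}     # host without that label
                if [ -n "$_label" ] && [ "$_rest" != "$_host" ] &&
                   [ "$_rest" = "${_san#\*.}" ]; then return 0; fi ;;
            *)  if [ "$_san" = "$_host" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# uncovered "HOST HOST ..." SAN... -> prints the hosts no SAN entry covers.
uncovered() {
    _hosts=$1; shift
    for _h in $_hosts; do
        cert_covers "$_h" "$@" || printf '%s\n' "$_h"
    done
}

# cert_sans FILE -> DNS SAN entries of a PEM certificate, one per line
# (needs the openssl CLI, 1.1.1 or later, for -ext).
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Constructed demo: a wildcard-only certificate leaves the apex and a
# two-level subdomain uncovered.
uncovered "xxx.com www.xxx.com a.b.xxx.com" '*.xxx.com'
```

Against an issued certificate, the SAN list can be fed in with `uncovered "xxx.com www.xxx.com" $(cert_sans fullchain.pem)`; the unquoted substitution relies on there being no files in the working directory that match the wildcard entry.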
Here is an example of an nginx configuration using this certificate:
    server {
        server_name xxx.com;
        listen 443 http2 ssl;
        ssl on;
        ssl_certificate /etc/cert/xxx.cn/fullchain.pem;
        ssl_certificate_key /etc/cert/xxx.cn/privkey.pem;
        ssl_trusted_certificate /etc/cert/xxx.cn/chain.pem;
        location / {
            proxy_pass http://127.0.0.1:6666;
        }
    }