不同的 DNS 提供商可能提供了对应的「插件」,可能需要单独安装,certbot 第三方 DNS 插件可在此页面查看。如果你注册的域名提供商(例如阿里云)没有提供官方的 DNS 插件,那么只能手动完成验证。
申请通配符证书
以下以 *.frosthe.net 为例,使用 manual 插件回应 Challenge。
1
$ certbot certonly -d *.frosthe.net --manual --preferred-chanllenge dns --server https://acme-v02.api.letsencrypt.org/directory
该命令表明:
仅为 *.frosthe.net 获取通配符证书,无需安装
使用 manual 插件
使用 dns 方式回应 Challenge
告知 certbot 采用 Let's Encrypt ACME v2 协议的 API 服务器
接下来,命令行显示窗会询问申请人当前主机的 ip 地址将被记录,是否接收,输入 y:
1 2 3 4 5 6 7 8
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.
Are you OK with your IP being logged? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: y
下一步 certbot 将要求申请人手动添加一条 TXT 的解析:
1 2 3 4 5 6 7 8 9 10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.frosthe.net with the following value:
h9MFbboNRKqN4_8iDlu4dpIBd9UrXKqRrmP62ZHGhJ8
Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/frosthe.net/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/frosthe.net/privkey.pem Your cert will expire on 2019-03-30. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
$ certbot certonly -d *.frosthe.net --manual --preferred-challenge dns --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Cert is due for renewal, auto-renewing... Renewing an existing certificate Performing the following challenges: dns-01 challenge for frosthe.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.
Are you OK with your IP being logged? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.frosthe.net with the following value:
dhlr5daZbfwlgkjTSVHTPQXY2bWEr3VuBUHKegAofj4
Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue Waiting for verification... Cleaning up challenges
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/frosthe.net/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/frosthe.net/privkey.pem Your cert will expire on 2019-06-29. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
自动更新通配符证书
由于通配符证书仅支持 dns 方式的验证,而这种方式要求申请人在其域名管理后台添加新的 TXT 记录,除了某些官方列出的域名提供商以外,其他域名托管商(例如阿里云)的申请人需要外挂脚本来自动化这一过程,参考 Pre and Post Validation Hooks。