I set up automatic renewal once before, and later it stopped working. So I applied for a certificate manually, and later that one expired too, and by then I no longer remembered how I had done it. This time I went through the whole thing from scratch, so I am writing the process down.
Install Docker

This time I started from Docker. The first step is installing Docker, following Alibaba Cloud's documentation "安装Docker" (Install Docker) and the article "centos7安装Docker详细步骤(无坑版教程)" (detailed steps for installing Docker on CentOS 7, pitfall-free edition).

- Remove the old Docker:

  ```shell
  sudo yum -y remove \
    docker-ce \
    containerd.io \
    docker-ce-rootless-extras \
    docker-buildx-plugin \
    docker-ce-cli \
    docker-compose-plugin
  ```

- Update the package manager:

  ```shell
  sudo yum -y update
  ```

- Install the required packages:

  ```shell
  yum install -y yum-utils device-mapper-persistent-data lvm2
  ```

- Set the yum repository (the Alibaba Cloud mirror):

  ```shell
  yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
  ```

- Choose a Docker version and install it:

  - List the available versions:

    ```shell
    yum list docker-ce --showduplicates | sort -r
    ```

  - Install the chosen version:

    ```shell
    yum -y install docker-ce-18.03.1.ce
    ```

- Start Docker and enable it at boot:

  ```shell
  systemctl start docker
  systemctl enable docker
  ```
Install certbot with Docker

I had tried the instructions on the certbot website before, without success, so I looked for another tutorial: "Docker与Certbot:自动化签发和续期Let’s Encrypt证书" (Docker and Certbot: automating issuance and renewal of Let's Encrypt certificates).

First the certbot Docker image has to be pulled, but running `docker pull certbot/certbot` directly did not work; I looked it up afterwards, and it was, well, that thing.

Configure the Alibaba Cloud registry mirror

So the Alibaba Cloud registry mirror (镜像加速器) is needed:

- In the Alibaba Cloud product list, search for "容器镜像服务" (Container Registry) and enable the personal edition (reportedly free); then log in to the Container Registry console, choose 镜像工具 > 镜像加速器 in the left navigation bar, and copy the accelerator address from the 镜像加速器 page.
- Create and edit /etc/docker/daemon.json (create the file if it does not exist):

  ```json
  {
    "registry-mirrors": ["<mirror accelerator address>"]
  }
  ```

- Restart Docker so the configuration takes effect:

  ```shell
  sudo systemctl daemon-reload
  sudo systemctl restart docker
  ```

- Then run `docker pull certbot/certbot` again; this time it succeeded.
Install the certificate

- Create the folders (I did not create "/var/www/html/"; I used the website's webroot folder instead):

  ```shell
  mkdir -p /var/www/certbot/{ssl,log,letsencrypt}   # customise as needed
  mkdir -p /var/www/html/
  ```

- Then install the certificate as in the tutorial:

  ```shell
  # note on the ssl folder below (the original's comment breaks off here): this folder needs to be
  docker run -it --rm --name certbot \
    -v "/path/to/certbot/ssl:/etc/letsencrypt/" \
    -v "/var/www/myblog:/var/www/html/" \
    -v "/path/to/certbot/letsencrypt:/var/lib/letsencrypt" \
    -v "/path/to/certbot/log:/var/log/letsencrypt" \
    certbot/certbot certonly \
    -n --no-eff-email --email your-email@example.com \
    --agree-tos \
    --webroot -w /var/www/html \
    -d "example.com" -d "*.example.com"
  # -w must be the webroot path as seen inside the container, i.e. the mount
  # target /var/www/html (the host folder /var/www/myblog is mounted there).
  ```

The "/path/to/…" paths have to be replaced with the ones defined earlier, and the e-mail address and domain with your own.

But it did not succeed; the message was:

```text
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
```
I asked ChatGPT, which said a plugin or manual validation can be used; the full reply is excerpted below for reference:
The error occurs because Let’s Encrypt requires DNS-based validation (DNS-01 challenge) for wildcard certificates, and the default Certbot setup doesn’t support this out-of-the-box. Here’s how you can resolve this:

- Understand the Requirement
  • Wildcard certificates require DNS-01 challenges to verify domain ownership.
  • You need to add a special DNS TXT record (_acme-challenge) for your domain in your DNS provider’s configuration.

- Use DNS Authenticator Plugins
  Certbot has plugins for automated DNS validation, such as:
  • certbot-dns-cloudflare
  • certbot-dns-route53
  • certbot-dns-google
  • Other DNS provider-specific plugins.
  Since you’re using Docker, you can use the corresponding Certbot image with the plugin for your DNS provider.

- Install a DNS Plugin
  Find the appropriate plugin for your DNS provider:
  • For Cloudflare: certbot-dns-cloudflare
  • For AWS Route 53: certbot-dns-route53
  • For DigitalOcean: certbot-dns-digitalocean
  Example: To use Cloudflare’s plugin, pull the image that includes it:

  ```shell
  docker pull certbot/dns-cloudflare
  ```

- Obtain Your DNS API Credentials
  Get the API credentials for your DNS provider:
  • For Cloudflare: Generate an API token with DNS:Edit and Zone:Read permissions.
  • For AWS: Use IAM keys with Route 53 permissions.
  Save the credentials in a file on your server, e.g., /path/to/cloudflare.ini:

  ```ini
  dns_cloudflare_email = your-email@example.com
  dns_cloudflare_api_key = your-api-key
  ```

  Set secure permissions for the credentials file:

  ```shell
  chmod 600 /path/to/cloudflare.ini
  ```

- Request the Wildcard Certificate
  Run Certbot with the DNS plugin and specify the credentials file:

  ```shell
  docker run -it --rm --name certbot \
    -v "/path/to/certbot/ssl:/etc/letsencrypt/" \
    -v "/path/to/cloudflare.ini:/cloudflare.ini" \
    certbot/dns-cloudflare certonly \
    --dns-cloudflare \
    --dns-cloudflare-credentials /cloudflare.ini \
    -d "*.example.com" -d "example.com" \
    --non-interactive --agree-tos --email your-email@example.com
  ```

  • Replace example.com with your domain.
  • Replace /path/to/cloudflare.ini with the path to your credentials file.

- Manual DNS Validation (if Plugin Is Not Available)
  If your DNS provider doesn’t have a plugin, you must add the TXT record manually:
  1. Run Certbot in manual mode:

     ```shell
     docker run -it --rm --name certbot \
       -v "/path/to/certbot/ssl:/etc/letsencrypt/" \
       certbot/certbot certonly \
       --manual \
       --preferred-challenges dns \
       -d "*.example.com" -d "example.com" \
       --email your-email@example.com \
       --agree-tos --no-eff-email
     ```

  2. Certbot will prompt you to add a DNS TXT record. For example:
     • `Name: _acme-challenge.example.com`
     • `Value: <Certbot-generated-value>`
  3. Go to your DNS provider’s dashboard and add the TXT record.
  4. Wait for the DNS changes to propagate. You can verify using a DNS checker like MXToolbox.
  5. Once the DNS record is added, Certbot will complete the validation.

- Automate Certificate Renewal
  If you use a DNS plugin, renewal can be automated by rerunning the Certbot command periodically (e.g., via a cron job or systemd timer). If you’re using manual DNS validation, you’ll need to repeat the manual process every 90 days.

- Update Nginx Configuration
  After obtaining the wildcard certificate, update your Nginx configuration as mentioned earlier to use the SSL certificate and private key.
Configure Nginx to use the SSL certificate

The tutorial gives a simple example:

```nginx
server {
    listen 443 ssl;
    server_name your-domain.com;
    ssl_certificate /path/to/certbot/ssl/fullchain.pem;
    ssl_certificate_key /path/to/certbot/ssl/privkey.pem;
    # other Nginx configuration...
}
```

Make sure to replace your-domain.com with your domain, and replace /path/to/certbot/ssl/fullchain.pem and /path/to/certbot/ssl/privkey.pem with the actual paths of the certificate and private key files.

This failed too. I use BT Panel (宝塔) and don't know whether that is related; I also could not find where nginx.conf is kept, so I went straight to the certificate and key files and pasted their contents into the BT Panel, replacing the original certificate.

So when the certificate expires, the steps from "Install the certificate" onward have to be repeated; I'll learn how to renew automatically the next time I'm in the mood.
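As a starting point for the automatic renewal the post defers, here is an added example (not from the post or the tutorial it follows) of a renewal script built around the dockerised certbot/dns-cloudflare image from the ChatGPT excerpt: it refuses to run unless the DNS API credentials file is locked down to mode 600, skips the run while the current certificate still has more than 30 days left, and reloads nginx after a renewal. It assumes the host paths /path/to/certbot/ssl and /path/to/cloudflare.ini from the post, that certbot keeps the live certificate under live/<domain>/ inside that folder, GNU date on the host, and nginx running on the host and reading those files directly.

```shell
#!/bin/sh
# renew-wildcard.sh (added example): renew the wildcard certificate with the
# dockerised certbot/dns-cloudflare image and reload nginx afterwards.
set -eu

CERT_DIR=/path/to/certbot/ssl    # host folder mounted at /etc/letsencrypt (from the post)
CREDS=/path/to/cloudflare.ini    # Cloudflare API credentials file (from the excerpt)
DOMAIN=example.com               # placeholder, as in the post
RENEW_WITHIN_DAYS=30             # Let's Encrypt certificates last 90 days; renew early

# 0 when the credentials file is a regular file with mode exactly 600:
# a token that can edit DNS must not be readable by other users.
creds_ok() {
  [ -f "$1" ] && [ -n "$(find "$1" -prune -perm 600 2>/dev/null)" ]
}

# 0 when fewer than $1 days remain between now ($3) and notAfter ($2), both epoch seconds.
needs_renewal() {
  [ $(( ($2 - $3) / 86400 )) -lt "$1" ]
}

# notAfter of a PEM certificate as epoch seconds (GNU date assumed).
cert_not_after() {
  date -d "$(openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//')" +%s
}

main() {
  creds_ok "$CREDS" || { echo "refusing to run: $CREDS must be a file with mode 600" >&2; exit 1; }
  pem="$CERT_DIR/live/$DOMAIN/fullchain.pem"
  if [ -f "$pem" ] && ! needs_renewal "$RENEW_WITHIN_DAYS" "$(cert_not_after "$pem")" "$(date +%s)"; then
    echo "more than $RENEW_WITHIN_DAYS days left on $pem; nothing to do"
    return 0
  fi
  # DNS-01 renewal through the Cloudflare plugin; credentials are mounted read-only.
  docker run --rm --name certbot \
    -v "$CERT_DIR:/etc/letsencrypt/" \
    -v "$CREDS:/cloudflare.ini:ro" \
    certbot/dns-cloudflare renew \
      --dns-cloudflare --dns-cloudflare-credentials /cloudflare.ini \
      --non-interactive
  # live/ holds symlinks into archive/; nginx must reload to pick up the new key pair.
  nginx -s reload
}

# Run only when invoked as "sh renew-wildcard.sh run" (e.g. from a daily cron job),
# so the functions above can also be sourced on their own.
if [ "${1:-}" = run ]; then
  main
fi
```

Run it from a daily cron job or systemd timer; the expiry check makes the extra runs cheap, and the credentials check catches a permissions slip before the token is ever mounted into a container.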