一、下載并安裝軟件 在這個網站下載最新的軟件并安裝https://github.com/certbot/certbot/ ?
github下載certbot安裝程序
下載完成后直接雙擊安裝就行了
安裝完成后,以管理員方式運行cmd,輸入cretbot --version,如果有顯示就說明安裝成功了
C : \Windows \System32 > certbot -- version
certbot 2.5 . 0 命令行工具使用說明
用法 :
certbot [ 子命令 ] [ 選項 ] [ - d 域名 ] [ - d 域名 ] ...
Certbot工具用于獲取和安裝 HTTPS / TLS / SSL 證書。默認情況下, Certbot會嘗試為本地網頁服務器
( 如果不存在會默認安裝一個到本地 ) 獲取并安裝證書。最常用的子命令和選項如下 :
獲取 , 安裝 , 更新證書 :
( 默認 ) run 獲取并安裝證書到當前網頁服務器
certonly 獲取或更新證書,但是不安裝
renew 更新已經獲取但快過期的所有證書
- d 域名列表 指定證書對應的域名列表,域名之間使用逗號分隔
-- apache 使用 Apache插件進行身份認證和安裝
-- standalone 運行一個獨立的網頁服務器用于身份認證
-- nginx 使用 Nginx插件進行身份認證和安裝
-- webroot 把身份認證文件放置在服務器的網頁根目錄下
-- manual 使用交互式或腳本鉤子的方式獲取證書
- n 非交互式運行
-- test - cert 從預交付服務器上獲取測試證書
-- dry - run 測試獲取或更新證書,但是不存儲到本地硬盤
證書管理 :
certificates 顯示使用 Certbot生成的所有證書的信息
revoke 撤銷證書 ( supply -- cert - path )
delete 刪除證書 二、申請通配符證書 的命令 certbot certonly - d "*.example.top" - d example . top -- manual -- preferred - challenges dns - 01 -- server https : // acme - v02 . api . letsencrypt . org / directory 命令說明:
certonly 安裝模式 -d 申請證書的域名,如果是通配符域名輸入 *.http://example.com –manual 使用交互式或腳本鉤子的方式獲取證書 –preferred-challenges dns 使用 DNS 方式校驗域名所有權 –server,Let’s Encrypt ACME v2 版本使用的服務器不同于 v1 版本,需要顯示指定
官網里v2說明
*.example.top換成你想要申請的域名就可以了,接下來,會提示需要進行手動驗證DNS:
Saving debug log to C : \Certbot \log \letsencrypt . log
Requesting a certificate for *. example . top and example . top
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name :
_acme - challenge . example . top .
with the following value :
MeZetcO - 5 n_7WeJIitM_eAR8lWUZ2EQriWOg1OxBcaE
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue 我的域名是阿里云申請的域名,去域名解析那手動添加一條TXT記錄就可以了,我這里申請的是通配符域名,還有一級域名,就需要添加兩條記錄來驗證
Please deploy a DNS TXT record under the name :
_acme - challenge . example . top .
with the following value :
8 eBntKwxymhu1erZuE7J9KPZnuxmE6kiYnBrDD3DkXU
( This must be set up in addition to the previous challenges ; do not remove ,
replace , or undo the previous challenge tasks yet . Note that you might be
asked to create multiple distinct TXT records with the same name . This is
permitted by DNS standards . )
Before continuing , verify the TXT record has been deployed . Depending on the DNS
provider , this may take some time , from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools , such as the Google
Admin Toolbox : https : // toolbox . googleapps . com / apps / dig / #TXT/_acme-challenge.example.top.
Look for one or more bolded line ( s ) below the line ';ANSWER' . It should show the
value ( s ) you 've just added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue 根據提示操作完成后,在域名解析那就有兩條TXT記錄了,如下:
設置好之后的域名解析
接著就會顯示申請成功的信息了
Successfully received certificate .
Certificate is saved at : C : \Certbot \live \example . top \fullchain . pem
Key is saved at : C : \Certbot \live \example . top \privkey . pem
This certificate expires on 2023 - 08 - 05.
These files will be updated when the certificate renews .
NEXT STEPS :
- This certificate will not be renewed automatically . Autorenewal of -- manual certificates requires the use of an authentication hook script ( -- manual - auth - hook ) but one was not provided . To renew this certificate , repeat this same certbot command before the certificate 's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot , please consider supporting our work by :
* Donating to ISRG / Let 's Encrypt: https://letsencrypt.org/donate
* Donating to EFF : https : // eff . org / donate - le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 這里已經提示的證書的存放位置,直接進c盤去找就好了,這里發現這些文件是快捷方式,然后還有一個readme文件,打開里面提示是不要移動也不要修改名稱,看一下快捷方式的屬性就發現證書文件存在了另一個文件夾:C:\Certbot\archive
This directory contains your keys and certificates .
`privkey.pem` : the private key for your certificate .
`fullchain.pem` : the certificate file used in most server software .
`chain.pem` : used for OCSP stapling in Nginx >= 1.3 . 7.
`cert.pem` : will break many server configurations , and should not be used
without reading further documentation ( see link below ) .
WARNING : DO NOT MOVE OR RENAME THESE FILES !
Certbot expects these files to remain in this location in order
to function properly !
We recommend not moving these files . For more information , see the Certbot
User Guide at https : // certbot . eff . org / docs / using . html #where-are-my-certificates. 既然不讓我移動或改名,那我復制出來使用就可以了。
三、關于續簽證書 剛剛申請成功的地方,有一個關于續簽的說明如下:
NEXT STEPS :
- This certificate will not be renewed automatically . Autorenewal of -- manual certificates requires the use of an authentication hook script ( -- manual - auth - hook ) but one was not provided . To renew this certificate , repeat this same certbot command before the certificate 's expiry date. 翻譯過來就是說:
下一個步驟:
—該證書不會自動更新。——manual證書的自動更新需要使用身份驗證掛鉤腳本(——manual-auth-hook),但沒有提供。要更新該證書,請在證書到期之前重復相同的certbot命令。
我理解就是如果下次經續簽,可能就是要重新申請一次。反正也不麻煩,大概幾分鐘就搞定了,那就下次再重新申請吧。
轉自https://zhuanlan.zhihu.com/p/627526278
400 186 1886
