Let’s Encrypt 宣布 ACME v2 正式支持通配符证书。Let’s Encrypt 宣称将继续清除 Web 上采用 HTTPS 的障碍,让每个网站轻松获取管理证书。
v2 vs v1
ACME v2 与 v1 API 有许多不同之处,值得注意的变更:
- 授权/签发流程已改变
- JWS 请求授权以改变
- JWS 请求体的”resource”字段被新的 JWS 请求头“url”替换
- 目录端点/资源重命名
ACMEv 是 ACME 协议的更新版本,考虑到行业专家和其他组织可能希望在某天使用 ACME 协议进行证书颁发和管理,它已经通过 IETF 标准流程。
通配符证书 允许使用单个证书来保护域的所有子域。在某些情况下,通配符证书可以使证书更容易管理,以帮助使 Web 达到 100% 的 HTTPS 协议。但是对于大多数用例,Let’s Encrypt 仍然推荐使用非通配符证书。
通配符证书只能通过 ACMEv2 获得。为了将 ACMEv2 用于通配符或非通配符证书,你需要一个已更新且支持 ACMEv 的客户端。Let’s Encrypt 希望所有客户和订户转换为 ACMEv2,尽管 ACMEv1 API 还没有“报废”。
另外,通配符域必须使用 DNS-01 质询类型进行验证。这表明你需要修改 DNS TXT 记录才能演示对域的控制以获得通配符证书。
更多有关 ACME v2 和通配符证书的技术信息,请参阅此文章:
通配符证书解释:
域名通配符证书类似 DNS 解析的泛域名概念,主域名签发的通配符证书可以在所有子域名中使用。
通配符证书的优势:
域名通配符证书最大的特点就是申请之后可以部署在子域名使用, 因此对于子域名,没有必要再次申请新的证书。
而价格方面,通配符域名证书通常会比单域名证书高几倍, 不过价格高的主要原因自然是使用的便利性。
新闻一出,马上就有小伙伴解锁了 Let’s Encrypt 通配符 HTTPS 证书的申请方式,并分享了出来:
申请 Let’s Encrypt 通配符 HTTPS 证书
链接:https://my.oschina.net/kimver/blog/1634575#comment-list
作者:飞奔的萝卜
博客经授权发布,转载请注明来源
Let’s Encrypt 发布的 ACME v2 现已正式支持通配符证书,接下来将为大家介绍怎样申请,Let’s go.
注:本教程是在centos 7下操作的,其他Linux系统大同小异。
- 获取certbot-auto
- 下载:
wget https://dl.eff.org/certbot-auto - 添加执行权限: chmod +x certbot-auto
- 下载:
-
开始申请证书
注xxx.com请根据自己的域名自行更改
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.xxx.com" --manual --preferred-challenges dns-01 certonly执行完这一步之后,会下载一些需要的依赖,稍等片刻之后,会提示输入邮箱,随便输入都行
注意,申请通配符证书是要经过DNS认证的,按照提示,前往域名后台添加对应的DNS TXT记录。添加之后,不要心急着按回车,先执行dig xxxx.xxx.com txt确认解析记录是否生效,生效之后再回去按回车确认
lenges dns-01 certonly WARNING: unable to check for updates. Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): zhanglei@tansuotv.com ------------------------------------------------------------------------------- Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory ------------------------------------------------------------------------------- (A)gree/(C)ancel: A ------------------------------------------------------------------------------- Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights. ------------------------------------------------------------------------------- (Y)es/(N)o: Y Obtaining a new certificate Performing the following challenges: dns-01 challenge for tansuotv.cn ------------------------------------------------------------------------------- NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that. Are you OK with your IP being logged? ------------------------------------------------------------------------------- (Y)es/(N)o: Y ------------------------------------------------------------------------------- Please deploy a DNS TXT record under the name _acme-challenge.tansuotv.cn with the following value: <--- 添加DNS解析 TXT记录,值为F7s0jeWZXJoUkwK6561gdw1SSem5psyzU_ga3A4wvF4 F7s0jeWZXJoUkwK6561gdw1SSem5psyzU_ga3A4wvF4 Before continuing, verify the record is deployed. ------------------------------------------------------------------------------- Press Enter to Continue Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/tansuotv.cn/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/tansuotv.cn/privkey.pem Your cert will expire on 2018-06-14. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le注意,申请通配符证书是要经过DNS认证的,按照提示,前往域名后台添加对应的DNS TXT记录。添加之后,不要心急着按回车,先执行dig xxxx.xxx.com txt确认解析记录是否生效,生效之后再回去按回车确认
dig _acme-challenge.tansuotv.cn txt ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.5 <<>> _acme-challenge.tansuotv.cn txt ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30970 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;_acme-challenge.tansuotv.cn. IN TXT ;; ANSWER SECTION: _acme-challenge.tansuotv.cn. 600 IN TXT "F7s0jeWZXJoUkwK6561gdw1SSem5psyzU_ga3A4wvF4" ;; Query time: 10 msec ;; SERVER: 202.106.0.20#53(202.106.0.20) ;; WHEN: Fri Mar 16 10:31:50 2018 ;; MSG SIZE rcvd: 101到了这一步后,大功告成!!! 证书存放在/etc/letsencrypt/live/xxx.com/里面
要续期的话,执行certbot-auto renew就可以了
下面是一个nginx应用该证书的一个例子
server {
listen 443 ssl;
listen 80;
ssl on;
ssl_certificate /etc/cert/tansuotv.cn/fullchain.pem;
ssl_certificate_key /etc/cert/tansuotv.cn/privkey.pem;
ssl_trusted_certificate /etc/cert/tansuotv.cn/chain.pem;
server_name zabbix.tansuotv.cn;
access_log logs/zabbix_access.log;
index index.html index.htm index.php;
root /Data/apps/zabbix3.2/webfile;
location ~ .*\.(php|php5)?$
{
#fastcgi_pass unix:/Data/apps/php-fcgi/php-fpm.sock;
fastcgi_pass unix:/Data/apps/php_for_zabbix/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
include fastcgi_params;
include fastcgi.conf;
}
location /wx_api
{
include uwsgi_params;
uwsgi_pass 127.0.0.1:9001;
}
access_log logs/zabbix.log;
}