Requesting a free wildcard domain certificate from Let's Encrypt with certbot on macOS

1. Install the tool

brew install certbot

2. Request the certificate

sudo /usr/local/opt/certbot/bin/certbot certonly -d '*.lvtao.org' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

Enter your computer's password. As for why sudo is needed: the issued certificate is written under the /etc directory.

3. Enter an email address you use regularly

If you really want to skip this, you can run the client with
--register-unsafely-without-email but you will then be unable to receive notice
about impending expiration or revocation of your certificates or problems with
your Certbot installation that will lead to failure to renew.

Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): 

4. Agree to the Terms of Service; answer Y to agree

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: 

5. Whether to allow email to be sent to you and your address to be shared; answer Y to agree

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: 

6. Verify the domain. Be careful here: do not press Enter yet

Please deploy a DNS TXT record under the name:

_acme-challenge.lvtao.org.

with the following value:

qUx_KiIubBTX6sQlj4ZGBffT3QT6q8-QAHAie1-so9I

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.lvtao.org.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

See the _acme-challenge name and the value qUx_KiIubBTX6sQlj4ZGBffT3QT6q8-QAHAie1-so9I above? Using the values shown for your own request, add a TXT record in your domain's DNS management panel.

7. Open a new terminal window and verify that your TXT record has taken effect

dig -t txt _acme-challenge.lvtao.org @8.8.8.8

If the record you just added appears in the output, the record is live.

8. In the window from step 6, press Enter to continue (the Press Enter to Continue prompt)

9. Success message

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/lvtao.org/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/lvtao.org/privkey.pem
This certificate expires on 2021-12-14.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

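On success, certbot tells you where the certificate and private key are saved and when the certificate expires. How to use the certificate is outside the scope of this article.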

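10. Renew the certificate

This certificate expires on 2021-12-14. In the week before that date, renew it with the command below. Note that the NEXT STEPS output in step 9 says a --manual certificate is not renewed automatically unless --manual-auth-hook is provided, and that it is renewed by repeating the same certbot command used in step 2.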

sudo /usr/local/opt/certbot/bin/certbot renew
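
Added example (not part of the original post): step 7 asks one public resolver, 8.8.8.8, which can answer from cache, so this script queries every authoritative nameserver of the zone directly for the _acme-challenge TXT value before you press Enter in step 8. The function names and the script name check_challenge.sh are assumptions made for illustration, and the zone argument is assumed to be the apex that holds the NS records.

```shell
#!/bin/sh
# Added example: confirm the _acme-challenge TXT record on every
# authoritative nameserver before pressing Enter in certbot.

# txt_has_value EXPECTED: read `dig +short TXT` output on stdin and succeed
# if any record equals EXPECTED. dig prints TXT data in double quotes and may
# split one value into several quoted chunks, so join chunks and strip quotes.
txt_has_value() {
    expected=$1
    while IFS= read -r line || [ -n "$line" ]; do
        value=$(printf '%s' "$line" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//')
        [ "$value" = "$expected" ] && return 0
    done
    return 1
}

# check_challenge ZONE EXPECTED: ask each NS of ZONE directly (no resolver
# cache in between) and print one status line per server. Returns 0 only if
# at least one NS was found and all of them serve EXPECTED.
check_challenge() {
    zone=$1 expected=$2 missing=0 seen=0
    for ns in $(dig +short NS "$zone"); do
        seen=$((seen + 1))
        if dig +short TXT "_acme-challenge.$zone" "@$ns" | txt_has_value "$expected"; then
            echo "ok       $ns"
        else
            echo "missing  $ns"
            missing=$((missing + 1))
        fi
    done
    [ "$seen" -gt 0 ] && [ "$missing" -eq 0 ]
}

# Usage: sh check_challenge.sh lvtao.org '<value printed by certbot>'
if [ "$#" -eq 2 ]; then
    check_challenge "$1" "$2"
fi
```

A non-zero exit status means at least one authoritative server does not yet serve the value (or no NS records were found), so wait and run it again before continuing in the certbot window.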