Request a Let's Encrypt wildcard SSL certificate

Preface

This article installs certbot on your own computer.

Domain name ownership is verified through DNS. After 90 days, the certificate must be renewed manually.

Once the certificate is obtained, it is uploaded to the server by hand, so this approach is only suitable for development environments.

For an automated issuance process, please refer to other articles.

Procedure

  1. Install certbot (a tool for issuing Let's Encrypt certificates, written in Python)

    brew (Homebrew) is a package manager that is easy to use and downloads dependencies automatically.

    $ brew install certbot
    

    If prompted, install the required dependencies with the command below, then run the previous command again once it completes.

    $ xcode-select --install
    
  2. Run the certificate request command

    For the specific parameters, refer to the official Let's Encrypt and certbot documentation.

    $ sudo certbot certonly  -d "*.Your domain name" -d "Your domain name" --manual --preferred-challenges dns-01  --server https://acme-v02.api.letsencrypt.org/directory
    
  3. Enter the requested information

    Plugins selected: Authenticator manual, Installer None
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel): Your mailbox
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
    agree in order to register with the ACME server at
    https://acme-v02.api.letsencrypt.org/directory
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (A)gree/(C)ancel: a    // Agree!
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about our work
    encrypting the web, EFF news, campaigns, and ways to support digital freedom.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: y  // Agree!
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for Your domain name
    dns-01 challenge for Your domain name
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: y   // Agree!
    
  4. DNS verification

    Add a DNS record of type TXT.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.Your domain name with the following value:
    
    18eEXZpvkS0WPSog8T9YtWZEeUWf6r2lyScf_NfAurc
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue
    
  5. Successful result

    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/Your domain name/fullchain.pem   // Certificate save path
       Your key file has been saved at:
       /etc/letsencrypt/live/Your domain name/privkey.pem     // Private key save path
       Your cert will expire on 2019-06-15. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
  6. Copy the certificate and private key

    $ sudo cat "/etc/letsencrypt/live/Your domain name/fullchain.pem" | pbcopy
    
    $ sudo cat "/etc/letsencrypt/live/Your domain name/privkey.pem" | pbcopy
    
  7. Renewal of certificate

    $ sudo certbot renew
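
For step 4, an added example (not part of the original article) of checking that the TXT record is really deployed before pressing Enter. Because the request names both the wildcard and the base domain, certbot asks for two TXT values under the same `_acme-challenge` name and both must be published together. The script name `check-acme-txt.sh` and the sample values are assumptions, and `dig` is assumed to be installed.

```shell
#!/bin/sh
# Added example: check the dns-01 TXT values before pressing Enter in certbot.

# missing_values LOOKUP_OUTPUT VALUE...
# LOOKUP_OUTPUT is what `dig +short TXT` prints: one quoted value per line.
# Prints each expected value that is not present as a complete TXT value.
missing_values() {
    answers=$(printf '%s\n' "$1" | tr -d '"')
    shift
    for value in "$@"; do
        printf '%s\n' "$answers" | grep -Fxq -- "$value" || printf '%s\n' "$value"
    done
}

# check_challenge DOMAIN VALUE...
# Queries every authoritative name server directly, so a resolver cache cannot
# hide a missing record. Returns 0 only if each server serves every value.
check_challenge() {
    domain=$1
    shift
    servers=$(dig +short NS "$domain")
    if [ -z "$servers" ]; then
        echo "no NS records found for $domain" >&2
        return 2
    fi
    status=0
    for ns in $servers; do
        out=$(dig +short TXT "_acme-challenge.$domain" "@$ns")
        missing=$(missing_values "$out" "$@")
        if [ -n "$missing" ]; then
            echo "$ns: still missing:" $missing
            status=1
        else
            echo "$ns: all values present"
        fi
    done
    return $status
}

if [ "$#" -ge 2 ]; then
    # Real run: ./check-acme-txt.sh <domain> <value1> [<value2>]
    check_challenge "$@"
else
    # Constructed sample: only the first of two expected values is published.
    missing_values '"CONSTRUCTED-VALUE-1"' CONSTRUCTED-VALUE-1 CONSTRUCTED-VALUE-2
fi
```

Run it in a second terminal while certbot waits at "Press Enter to Continue", and continue only when every name server reports all values present.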
    


Posted on Sun, 01 Dec 2019 14:39:09 -0800 by freynolds