洛帶
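I don't want certbot to modify configuration files on its own, since it could change a setting it shouldn't without my noticing, and I also need the certificate to cover the bare domain itself. So the run looks like this: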
[root@prox ~]# certbot certonly --manual -d "*.lx.idv.tw" -d "lx.idv.tw" --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for lx.idv.tw
dns-01 challenge for lx.idv.tw

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
After you press "Y", the validation token is generated.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.lx.idv.tw with the following value:

WMKAXXXXXXXXwWfk98Nj_mIcU9GCxQzXXXXXXXX02LM

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
The first validation token has now been generated. After you press "Enter", the second one is generated as well.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.lx.idv.tw with the following value:

GJrVXXXXXXXXPU5noiVb1n90D-O2021XXXXXXXXfc08

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
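Important!!! Once both validation tokens have been generated, and before you press "Enter", you must first confirm that the DNS records have been set up successfully.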
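One way to do that check, as an added example that is not part of the original post: it asks every authoritative nameserver of the zone directly for the _acme-challenge TXT records and reports any server that does not yet serve all of the tokens. The script name and function names are assumptions; pass the values certbot printed as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that every dns-01 token
# is published before pressing Enter at certbot's prompt.

# txt_has_all TOKEN...
# Reads `dig +short TXT` output on stdin and succeeds only if every TOKEN
# appears as a complete quoted TXT string (a partial match does not count).
txt_has_all() {
    answers=$(cat)
    for token in "$@"; do
        printf '%s\n' "$answers" | grep -qxF "\"$token\"" || return 1
    done
    return 0
}

# check_authoritative ZONE TOKEN...
# Queries each authoritative nameserver of ZONE directly, so a resolver cache
# cannot hide a server that has not picked up the new records yet.
check_authoritative() {
    zone=$1; shift
    servers=$(dig +short NS "$zone")
    [ -n "$servers" ] || { echo "no NS records found for $zone" >&2; return 2; }
    rc=0
    for ns in $servers; do
        if dig +short TXT "_acme-challenge.$zone" "@$ns" | txt_has_all "$@"; then
            echo "ok      $ns"
        else
            echo "missing $ns"
            rc=1
        fi
    done
    return $rc
}

# Usage (hypothetical file name): sh check-acme-txt.sh lx.idv.tw TOKEN1 TOKEN2
if [ "$#" -ge 2 ]; then
    check_authoritative "$@"
fi
```

Press Enter in certbot only after every nameserver reports ok; a failed validation means starting over with new tokens.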
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/lx.idv.tw/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/lx.idv.tw/privkey.pem
   Your cert will expire on 2019-08-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Using the pem file paths listed above, we can finally configure the certificate in nginx.