Содержание

Let's Encrypt wildcard

FIXME

Установка

apt-get update
apt-get install git
cd /opt
git clone https://github.com/certbot/certbot

Получение

Пример получения сертификата для *.domain.ru

Выполняем:

/opt/certbot/letsencrypt-auto certonly -d *.domain.ru -m webmaster@domain.ru --server https://acme-v02.api.letsencrypt.org/directory --manual

Ответ:

Upgrading certbot-auto 0.22.2 to 0.25.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for domain.ru

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

Отвечаем: Y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.domain.ru with the following value:

RVSD8RHaITG8rXxh3OGiwq8fq4du5VksR6MsfGlKyE1

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

Вводим проверочные данные в DNS, далее нужно проверить и убедится, что изменения произведены и нажать Enter

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.ru/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.ru/privkey.pem
   Your cert will expire on 2018-09-07. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

DNS

Проверочные данные нужно ввести в поле: _acme-challenge.domain.ru. тип поля: TXT

_acme-challenge.domain.ru.        IN    TXT    "RVSD8RHaITG8rXxh3OGiwq8fq4du5VksR6MsfGlKyE1"

Проверка:

dig @8.8.8.8 -t txt _acme-challenge.domain.ru

Результат:

; <<>> DiG 9.10.3-P4-Debian <<>> -t txt _acme-challenge.domain.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65104
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;_acme-challenge.domain.ru.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.domain.ru.	3600 IN	TXT	"RVSD8RHaITG8rXxh3OGiwq8fq4du5VksR6MsfGlKyE1"

Файлы

Готовые файла находятся в паке /etc/letsencrypt/live/domain.ru

cert.pemсертификат сервераApache в SSLCertificateFile
chain.pemсертификат цепочкиApache в SSLCertificateChainFile
fullchain.pemсоединение chain.pem и cert.pemApache в SSLCertificateFile
Nginx в ssl_certificate
privkey.pemприватный ключ для сертификатаApache в SSLCertificateKeyFile
Nginx в ssl_certificate_key

Ссылки

Подключаем wildcard certificate на домен с помощью letsencrypt

Получаем lets’encrypt wildcard сертификат

Let's Encrypt: получение сертификата по шагам