@mumubin
Last active April 2, 2020 06:56
acme,Let's Encrypt

Let's Encrypt DNS challenge, manual mode - Certbot

Challenge type chosen

DNS

Background

Register a test domain

curl --location --request POST 'https://dnsapi.test.com/rr' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic ccccccccccc==' \
--data-raw '[
  {
    "operation_type": "NEW",
    "type": "A",
    "name": "mumubin.ocp.test.com",
    "content": "10.xxx.36.xxx",
    "ttl": 0,
    "ext": {
      "wo": "string"
    },
    "comment": "string"
  }
]'

How to do it

1. Request the validation material

certbot -d mumubin.ocp.test.com --manual --preferred-challenges dns certonly

2. Put the validation token into DNS

Please deploy a DNS TXT record under the name
_acme-challenge.mumubin.ocp.test.com with the following value:

39Eb0Kn2YZ83S6TwUZEBgJxxxxxxxxxxGzgOP5A2nkHo

Before continuing, verify the record is deployed.
  1. Add the record through the DNS API

curl --location --request POST 'https://dnsapi.test.com/rr' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic ccccccccccccc==' \
--data-raw '[
  {
    "operation_type": "NEW",
    "type": "TXT",
    "name": "_acme-challenge.dalahu.ocp.test.com",
    "content": "39Eb0Kn2YZ83S6TwUZEBgJxxxxxxxxxxGzgOP5A2nkHo",
    "ttl": 0,
    "ext": {
      "wo": "string"
    },
    "comment": "string"
  }
]'
  2. Check that the DNS record is in place

dig +short _acme-challenge.dalahu.ocp.test.com TXT

39Eb0Kn2YZ83S6TwUZEBgJxxxxxxxxxxGzgOP5A2nkHo
  3. Manually confirm that validation succeeds

certbot --text --agree-tos --email mumubin@test.com -d mumubin.ocp.test.com --manual --preferred-challenges dns --expand --renew-by-default  --manual-public-ip-logging-ok certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mumubin.ocp.test.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mumubin.ocp.test.com/privkey.pem
   Your cert will expire on 2020-06-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
  4. You now have a certificate and a private key, which can be used directly in nginx

    • /etc/letsencrypt/live/mumubin.ocp.test.com/fullchain.pem
    • /etc/letsencrypt/live/mumubin.ocp.test.com/privkey.pem
  5. View the certificate details (including the expiry date)

~ ᐅ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: mumubin.test.com
    Domains: mumubin.test.com
    Expiry Date: 2020-06-25 02:27:33+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mumubin.ocp.test.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mumubin.ocp.test.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
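Steps 2 and 3 above (publish the TXT record, then check it with dig) are easy to get wrong by hand: the record must be exactly `_acme-challenge.` plus the domain passed to `-d`, and the value must be the unpadded base64url SHA-256 digest that certbot prints (43 characters, RFC 8555 section 8.4). The Python below is an added example, not code from the gist: it parses certbot's prompt, refuses a name or value that does not fit the DNS-01 shape, builds the same JSON body the curl call sends, and compares `dig +short` output with the expected value. The prompt text and the TXT value are constructed samples.

```python
import json
import re

# Constructed sample of the certbot --manual prompt from step 2; the TXT value
# is made up but has the real shape (43 unpadded base64url characters).
CERTBOT_PROMPT = """Please deploy a DNS TXT record under the name
_acme-challenge.mumubin.ocp.test.com with the following value:

AbCdEfGhIjKlMnOpQrStUvWxYz0123456789-_AbCdE

Before continuing, verify the record is deployed."""

PROMPT_RE = re.compile(
    r"under the name\s+(?P<name>\S+)\s+with the following value:\s+(?P<value>\S+)"
)

def parse_prompt(text):
    """Extract record name and TXT value from certbot's manual DNS prompt."""
    m = PROMPT_RE.search(text)
    if not m:
        raise ValueError("not a certbot DNS-01 prompt")
    return m["name"], m["value"]

def challenge_problems(domain, name, value):
    """Return reasons not to publish: wrong owner name for the requested
    domain, or a value that is not a base64url SHA-256 digest (RFC 8555 8.4)."""
    problems = []
    if name != "_acme-challenge." + domain:
        problems.append(f"{name} is not the challenge record for {domain}")
    if not re.fullmatch(r"[A-Za-z0-9_-]{43}", value):
        problems.append("value is not an unpadded base64url SHA-256 digest")
    return problems

def build_txt_payload(domain, prompt):
    """Request body for the DNS API call in step 2 (same shape as the curl)."""
    name, value = parse_prompt(prompt)
    problems = challenge_problems(domain, name, value)
    if problems:
        raise ValueError("; ".join(problems))
    return [{"operation_type": "NEW", "type": "TXT", "name": name,
             "content": value, "ttl": 0, "comment": "acme dns-01"}]

def record_deployed(dig_output, expected):
    """Step 3: `dig +short NAME TXT` prints each TXT string in double quotes;
    only an exact match counts, a stale or different value means keep waiting."""
    seen = [ln.strip().strip('"') for ln in dig_output.splitlines() if ln.strip()]
    return expected in seen

if __name__ == "__main__":
    print(json.dumps(build_txt_payload("mumubin.ocp.test.com", CERTBOT_PROMPT), indent=2))
```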

Drawbacks of the Certbot approach

It does not support concurrent operations; for large-scale issuance, use an ACME client library instead.
