Obtaining a wildcard SSL certificate from Let's Encrypt
Reverse Lv4

Introduction

Let's Encrypt is a free, automated and open certificate authority that provides HTTPS encryption for websites. It uses the ACME protocol to verify control of a domain and then issues free SSL/TLS certificates.

The request process is demonstrated here on Ubuntu; other environments are similar.

All domains appearing in this article are example.com.

Installing the tools

The manual DNS flow below needs only certbot itself; the python3-certbot-nginx plugin is not used by that flow, but it is handy later for installing the certificate into nginx.

```bash
apt update
apt install certbot python3-certbot-nginx -y
```

Requesting the certificate

:::warning
Before requesting, you must be able to edit the DNS records of the domain (e.g. example.com) at its DNS provider: the DNS-01 challenge used below proves control of the domain by publishing a TXT record. A web server listening on ports 80/443 is only required for the HTTP-01 challenge, and Let's Encrypt issues wildcard certificates through DNS-01 only, so with the commands below no nginx or other HTTP service has to be reachable during the request.
:::

For example, here I request a certificate for the wildcard *.example.com directly. The apex example.com is added as a second name because *.example.com matches exactly one label and therefore does not cover the bare domain. The command is:

```bash
certbot certonly \
--manual \
--preferred-challenges dns \
-d "*.example.com" -d example.com
```

After running it, if all goes well, certbot gives you a TXT record to publish. If your domain is example.com, it asks you to create the record _acme-challenge.example.com and prints the value to use, for example _UqBFNOgsaxR6TfP7x-mE0FRknUb9AcSplePkgK1n1A (the value is different for every request).

You must add this TXT record at your DNS provider. For instance, if you bought the domain from Alibaba Cloud (Aliyun), go to the Alibaba Cloud console, find your domain and add the TXT record there.

Once added, you can check it with dig TXT _acme-challenge.example.com +short; when the record has taken effect the output should look like this:

```text
_UqBFNOgsaxR6TfP7x-mE0FRknUb9AcSplePkgK1n1A
...
```


:::danger
One more point: when the prompt to add a TXT record appears, add the record first and only then press Enter to continue. With the command above you are asked twice in total. After each addition, verify with the dig command above that the record is actually live, and only then press Enter; otherwise the request is guaranteed to fail!!! Make sure the record has propagated before continuing!!!

Why it is sometimes two TXT records and sometimes one: the command requests two names, *.example.com and example.com, and each is a separate ACME authorization with its own challenge value, but both are published under the same name _acme-challenge.example.com (several TXT records with one name is valid DNS, as certbot's prompt says). Let's Encrypt reuses an authorization that is still valid from a recent successful request, so if one of the names was validated shortly before, only the other one is challenged and you see a single prompt. Either way: add every value you are shown, and do not delete the first one when the second prompt appears.
:::
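To make the "verify before pressing Enter" step less error-prone, here is an added example script (not part of the original post) that polls dig until the value certbot printed is visible. It assumes dig is installed (bind9-dnsutils on Ubuntu) and takes the record name, the expected value and, optionally, one of the zone's authoritative nameservers. Passing the authoritative server matters: Let's Encrypt resolves the challenge name itself and does not see whatever your local resolver has cached, so a "hit" from a cache on your machine proves little.

```bash
#!/bin/sh
# Added example (not from the original post): confirm that the DNS-01 TXT
# record is visible before pressing Enter in certbot's --manual prompt.
# Assumptions: `dig` is installed; the record name, the value certbot printed
# and optionally an authoritative nameserver are given on the command line.

# has_txt_value EXPECTED DIG_OUTPUT
# Returns 0 if one of the TXT strings in DIG_OUTPUT is exactly EXPECTED.
# `dig +short TXT` prints one quoted string per record, so a name that carries
# two pending challenge values yields two lines; every line is checked, and
# the match is a whole-line literal match (no prefix or regex matching).
has_txt_value() {
    expected=$1
    printf '%s\n' "$2" | sed 's/^"//; s/"$//' | grep -qxF -- "$expected"
}

# wait_for_txt NAME EXPECTED [NAMESERVER] [ATTEMPTS]
# Polls every 10 seconds until the value appears or ATTEMPTS is exhausted.
wait_for_txt() {
    name=$1; expected=$2; ns=${3:-}; attempts=${4:-30}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if [ -n "$ns" ]; then
            out=$(dig +short TXT "$name" "@$ns")
        else
            out=$(dig +short TXT "$name")
        fi
        if has_txt_value "$expected" "$out"; then
            echo "OK: $name has the expected TXT value; safe to press Enter"
            return 0
        fi
        i=$((i + 1))
        echo "waiting ($i/$attempts); current answer: ${out:-<empty>}" >&2
        sleep 10
    done
    echo "FAILED: $name never showed the expected value; do not press Enter" >&2
    return 1
}

# Usage: ./check-acme-txt.sh _acme-challenge.example.com <value> [ns1.example.com]
if [ "$#" -ge 2 ]; then
    wait_for_txt "$@"
fi
```

Run it in a second terminal while certbot is waiting at its prompt; press Enter only once it prints OK. Query each authoritative nameserver of the zone in turn if your provider has several, since a secondary that has not yet transferred the zone is exactly the case that produces an intermittent failure.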

  • Here is the full output of the command for reference; if everything goes well it looks like this:
```text
root@localhost:~# certbot certonly   --manual   --preferred-challenges dns   -d "*.example.com" -d example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.example.com and example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.example.com.

with the following value:

_UqBFNOgsaxR6TfP7x-mE0FRknUb9AcSplePkgK1n1A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.example.com.

with the following value:

Ac1evz91bSOAyGRXHzYWaBB94xj-pUgEo6SMEbeJWGY

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.example.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2025-11-14.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

At the end it prints Successfully received certificate., which means the certificate has been issued.

Your certificate files are in /etc/letsencrypt/live/example.com/ (these are symlinks to the current versions kept under /etc/letsencrypt/archive/, so point your server at the live/ paths and they stay valid across renewals):

  • fullchain.pem: the certificate followed by the intermediate chain; this is the file a server should serve (cert.pem and chain.pem in the same directory hold the two parts separately)
  • privkey.pem: the private key; certbot creates it readable by root only, and it should stay that way (copy it to other hosts only over an authenticated channel, never into a repository or a world-readable location)
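Before wiring the files into a server it is worth checking that what certbot wrote is what you asked for. The following is an added example (not part of the original post) that reads the leaf certificate from fullchain.pem, confirms it lists both *.example.com and example.com in its subjectAltName, confirms privkey.pem is the matching key, and checks that it is not already inside its last 30 days. It assumes openssl is installed; the default paths are certbot's live/ directory for example.com.

```bash
#!/bin/sh
# Added example (not from the original post): sanity-check the certificate and
# key certbot wrote before deploying them. Assumption: openssl is installed;
# CERT/KEY default to certbot's live/ paths for example.com.

CERT=${CERT:-/etc/letsencrypt/live/example.com/fullchain.pem}
KEY=${KEY:-/etc/letsencrypt/live/example.com/privkey.pem}

# cert_sans FILE -> the DNS names in the leaf's subjectAltName, one per line.
# `openssl x509` reads only the first certificate in fullchain.pem, i.e. the leaf.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# cert_matches_key CERT KEY -> 0 if the certificate's public key equals the
# public key derived from KEY (catches a mixed-up archive/ version or host).
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_expires_within CERT DAYS -> 0 if the certificate expires within DAYS.
# `openssl x509 -checkend N` exits 0 while the cert is still valid N seconds
# from now, so its result is inverted here.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# check_cert CERT KEY -> 0 only if the leaf covers both names from the request
# above, matches the key, and is not in its last 30 days (certbot's renewal window).
check_cert() {
    sans=$(cert_sans "$1")
    for name in '*.example.com' 'example.com'; do
        printf '%s\n' "$sans" | grep -qxF -- "$name" \
            || { echo "missing SAN $name" >&2; return 1; }
    done
    cert_matches_key "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    if cert_expires_within "$1" 30; then
        echo "certificate expires within 30 days; renew it" >&2
        return 1
    fi
    echo "OK: $1 covers $(printf '%s' "$sans" | tr '\n' ' ') and matches $2"
}

# Usage: ./check-cert.sh            (or CERT=... KEY=... ./check-cert.sh)
if [ -f "$CERT" ]; then
    check_cert "$CERT" "$KEY"
fi
```

The SAN check is the one that catches the classic mistake with wildcards: a certificate for *.example.com alone is silently useless for https://example.com/, and that only shows up as a browser error after deployment.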

This completes the request process. The certificate is valid for 90 days and must be re-issued before it expires. Because it was obtained with --manual and without a --manual-auth-hook, certbot renew will not renew it on its own (the NEXT STEPS section of the output says exactly this): either repeat the same certbot command before the expiry date, or provide hook scripts (or a certbot DNS plugin for your provider) that publish the TXT record, so that renewal can run unattended.
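As an added example of the unattended route (not part of the original post), here is a single hook script that serves as both --manual-auth-hook and --manual-cleanup-hook. It publishes and removes the challenge record with nsupdate (RFC 2136 dynamic DNS update) instead of a web console. Assumptions, none of which come from the post: the zone's primary nameserver (ns1.example.com here) accepts TSIG-signed updates for _acme-challenge names with the key in /etc/letsencrypt/acme-tsig.key, nsupdate (bind9-dnsutils) is installed, and DNS_SERVER/DNS_ZONE are set to your values. What certbot itself guarantees is that both hooks receive the name being validated in CERTBOT_DOMAIN and the TXT value in CERTBOT_VALIDATION.

```bash
#!/bin/sh
# Added example (not from the original post): certbot --manual-auth-hook /
# --manual-cleanup-hook script that publishes the DNS-01 TXT record via
# nsupdate (RFC 2136), so `certbot renew` works without a human at the prompt.
# Assumptions: TSIG-signed dynamic updates are enabled on the zone's primary
# for _acme-challenge names; the key file path, server and zone below are
# placeholders to replace with your own.

TSIG_KEY=${TSIG_KEY:-/etc/letsencrypt/acme-tsig.key}   # assumption: tsig-keygen output
DNS_SERVER=${DNS_SERVER:-ns1.example.com}               # assumption: zone primary
DNS_ZONE=${DNS_ZONE:-example.com}
TTL=60   # short TTL so a consumed challenge value does not linger in caches

# acme_record_name DOMAIN -> the TXT owner name certbot validates for DOMAIN.
# "*.example.com" is validated at _acme-challenge.example.com, the same name
# as the apex, which is why the two challenges in the post share one name.
acme_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# nsupdate_script add|delete DOMAIN VALUE -> the nsupdate batch for that change.
# Deleting by full RDATA rather than "update delete NAME TXT" leaves any other
# pending challenge record on the same name untouched.
nsupdate_script() {
    action=$1; name=$(acme_record_name "$2"); value=$3
    if [ "$action" = add ]; then
        rr="$name. $TTL IN TXT \"$value\""
    else
        rr="$name. IN TXT \"$value\""
    fi
    printf 'server %s\nzone %s\nupdate %s %s\nsend\n' \
        "$DNS_SERVER" "$DNS_ZONE" "$action" "$rr"
}

# Entry point: the first argument says which hook the script is running as.
# certbot certonly --manual --preferred-challenges dns \
#   --manual-auth-hook    "/usr/local/bin/acme-hook.sh auth" \
#   --manual-cleanup-hook "/usr/local/bin/acme-hook.sh cleanup" \
#   -d "*.example.com" -d example.com
case ${1:-} in
    auth)
        nsupdate_script add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
        # Give secondaries time to pick up the change before ACME queries it.
        sleep "${PROPAGATION_WAIT:-30}"
        ;;
    cleanup)
        nsupdate_script delete "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
        ;;
esac
```

Certbot records the two hook commands in /etc/letsencrypt/renewal/example.com.conf, so the certbot.timer installed by the Ubuntu package will reuse them on every renewal. If your zone already lives on a BIND/Knot server with RFC 2136 enabled, the python3-certbot-dns-rfc2136 plugin does the same job without a script; for a hosted provider such as Alibaba Cloud, keep the structure and replace the two nsupdate calls with that provider's record API. In either case, scope the TSIG key or API token to the _acme-challenge names if the provider allows it: this hook runs as root on the web host, and a key that can rewrite the whole zone is a far bigger asset than the certificate it protects.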