原本的憑證快到期了,結果舊版的certbot不聽話。
renew一直失敗,本來只是想要稍作升級。結果突然發現可以申請 wildcard 憑證了!!!!
天大的好消息,那乾脆來做一點點的實驗好了
如果是一開始對於certbot還不知道的可以參考 【SSL 憑證】利用 certbot 自動更新 Let’s Encrypt 憑證


首先安裝最新版的certbot,這邊直接載下來編譯
如果不像是我用樹梅派來當server的話,就可以直接略過這步
採用官方網站的方式 apt or yum 抓下來
但我沒得選,載下來讓他跑python吧…

wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto
./certbot-auto

會吃爆樹梅派的cpu,如果是server會好一點orz…
接著嘗試註冊wildcard憑證

./certbot-auto run -d *.weijweb.com

可是出現了警告
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer apache
Running pre-hook command: service apache2 stop
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

原來這次換了challenge的方式,不再使用舊有的website challenge了
本來的行為是在本地網站中建立網頁,由lets encrypt來摸。摸到就給你憑證
但是在wildcard的憑證他必須詢問你的dns紀錄,來確定你擁有網域的所有權
好。既然知道了就好辦了
我們認證方式改成手動,接著下一樣指令來取得憑證

./certbot-auto certonly --preferred-challenges dns --manual  -d *.weijweb.com --server https://acme-v02.api.letsencrypt.org/directory

–manual 是指手動驗證
–preferred-challenges dns 告訴他我想要使用dns的方式challenge
–server 則是對方challenge的來源接著是一連串的對話窗

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for weijweb.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.weijweb.com with the following value:

一串字串

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

這邊指的是你必須在你的dns zone上面加上一筆TXT record
如果你擁有dns zone的管理權限,那這邊沒什麼大問題
我直接出動godaddy來解決
新增一筆TXT record,_acme-challenge
內容是那串字串

接著等dns收斂,如果想驗證收斂完畢可以開nslookup測試

C:\>nslookup -q=txt _acme-challenge.weijweb.com

等到有回應以後,按下Enter繼續

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/weijweb.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/weijweb.com-0001/privkey.pem
   Your cert will expire on 2019-01-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"

噹噹噹! 新的wildcard憑證下來囉,檔案會放在上面提示的位置

root@raspberrypi:/var/www/html/weijlab# ls /etc/letsencrypt/live/weijweb.com-0001/
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

三個都有囉,憑證 中繼 還有私鑰
再來看你想要放哪就放哪囉,記得回頭把 txt record砍掉呢!

Source: 【SSL 憑證】利用 CertBot 申請 Let’s Encrypt 的 Wildcard 憑證