Free wildcard SSL certificate issuance and renewal with certbot & Let's Encrypt



Requesting a free wildcard certificate. Reference:

First-time request

# Ubuntu 22.04 LTS

# Remove the distribution-packaged certbot
sudo apt-get remove certbot

# Confirm the snap package manager is installed
snap --version

# Install certbot from snap, as officially recommended
sudo snap install --classic certbot

# Confirm the certbot installation
certbot --version

# Create the symlink
which certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

# Confirm plugin containment level:
# Run this command on the command line on the machine to acknowledge that the installed plugin will have the same classic containment as the Certbot snap.
sudo snap set certbot trust-plugin-with-root=ok

# Install the DNS plugin for your provider
# Tencent Cloud DNSPod has no supported plugin, so none is installed here


# Create the certificate; the run is logged to /var/log/letsencrypt/letsencrypt.log
sudo certbot certonly --manual --preferred-challenges dns -d *.yourdomain.com

# ...enter an email address, agree to a few prompts... then certbot pauses at the manual verification step

# Following the printed instructions, add the TXT verification record by hand in the Tencent Cloud DNS console
# e.g. add a TXT record for _acme-challenge.yourdomain.com with value B8p8l...VkP9E

# In a second terminal, check whether the new DNS TXT record has taken effect; if it has, the value is printed
dig +nocmd _acme-challenge.yourdomain.com txt +noall +answer

# Back in the certbot terminal, press Enter to let it continue and verify the TXT record

# On success the wildcard certificate files are generated, e.g.
#
# Certificate is saved at: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
# Key is saved at:         /etc/letsencrypt/live/yourdomain.com/privkey.pem
# This certificate expires on 2024-01-30.
# These files will be updated when the certificate renews.
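The `dig` check above is easy to misread by eye: the answer section quotes the TXT value, long values are split into several quoted strings, and a stale `_acme-challenge` record from an earlier run may sit next to the new one. The following script is an added example (not from the original post) that parses the `dig +noall +answer` output and confirms the exact value certbot printed is present before you press Enter. It assumes `dig` is installed; the sample answer lines in the test are constructed.

```sh
#!/bin/sh
# Added example, not part of the original post.
# Verifies that the ACME DNS-01 TXT value certbot asked for is actually
# visible in DNS before continuing the manual challenge.

# Read `dig +noall +answer` output on stdin and print one TXT value per line,
# with quotes removed and multi-string values joined. Field layout of an
# answer line: NAME TTL CLASS TYPE "string" ["string" ...]
extract_txt_values() {
    awk '$4 == "TXT" {
        s = ""
        for (i = 5; i <= NF; i++) s = s $i
        gsub(/"/, "", s)
        print s
    }'
}

# txt_value_present NAME EXPECTED
# Exit 0 if EXPECTED is among the TXT values currently returned for NAME.
# Exact, whole-line match (-Fx) so a stale record from a previous run
# does not produce a false positive.
txt_value_present() {
    dig +nocmd "$1" txt +noall +answer | extract_txt_values | grep -Fxq "$2"
}

# Usage: ./check-acme-txt.sh _acme-challenge.yourdomain.com B8p8l...VkP9E
if [ $# -eq 2 ]; then
    if txt_value_present "$1" "$2"; then
        echo "TXT value is visible; safe to press Enter in certbot"
    else
        echo "TXT value not visible yet; wait for propagation and retry"
        exit 1
    fi
fi
```

Run it in the second terminal with the record name and the value certbot printed; it exits non-zero until the authoritative answer carries exactly that value.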

Renewal

The certificate is valid for 3 months; renewal can generally begin 15 days before expiry.

Run this on the same machine where the certificate was created.

# NEXT STEPS:
# - This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
#
# Automation hook script reference: https://eff-certbot.readthedocs.io/en/latest/using.html#hooks
# This involves configuring DNS records through the DNSPod API, which was not attempted here

sudo certbot certonly --manual --preferred-challenges dns -d *.yourdomain.com
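Because a `--manual` certificate is not renewed automatically, something has to notice when the 15-day window opens. The script below is an added example (not from the original post or from certbot itself) that reads `notAfter` from the issued PEM with `openssl` and reports whether renewal is due, so it can run from cron or a monitoring check and alert an operator to repeat the certbot command in time. It assumes `openssl` and either GNU or BSD `date` are available; the path and the 15-day window default are taken from the post.

```sh
#!/bin/sh
# Added example, not part of the original post.
# Reports whether a Let's Encrypt certificate is inside its renewal window.

# days_until_expiry PEMFILE
# Prints the whole number of days until the certificate's notAfter
# (negative once it has expired).
days_until_expiry() {
    pem="$1"
    not_after=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
    # Try GNU date first, then fall back to BSD date's explicit format.
    exp_epoch=$(date -d "$not_after" +%s 2>/dev/null \
        || date -j -f "%b %e %H:%M:%S %Y %Z" "$not_after" +%s)
    now_epoch=$(date +%s)
    echo $(( (exp_epoch - now_epoch) / 86400 ))
}

# renewal_due PEMFILE [WINDOW_DAYS]
# Exit 0 when the certificate expires within WINDOW_DAYS (default 15, as in
# the post), exit 1 otherwise.
renewal_due() {
    window="${2:-15}"
    days=$(days_until_expiry "$1")
    [ "$days" -le "$window" ]
}

# Usage: ./check-renewal.sh /etc/letsencrypt/live/yourdomain.com/fullchain.pem
if [ $# -ge 1 ]; then
    remaining=$(days_until_expiry "$1")
    if renewal_due "$1" "${2:-15}"; then
        echo "renewal due: $remaining day(s) left; rerun the certbot command on this machine"
        exit 1
    else
        echo "ok: $remaining day(s) left"
    fi
fi
```

The non-zero exit when renewal is due is deliberate: a cron job with mail on failure, or a monitoring probe, then raises the alarm without any DNSPod API integration.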