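With the manual method you neither have to modify DNS records nor install an automatic retrieval script on the server. If you really want the server to fetch certificates periodically via cron, you can follow the official documentation and have them replaced automatically. This article only covers obtaining a certificate manually.
First, open Terminal.app and run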
brew install certbot
Because I had not run Homebrew for a long time, this took a while. Eventually certbot finished installing.
brew ls certbot
The console printed a message that certbot was installed.
Next, run
certbot --config-dir ~/letsencrypt/etc --work-dir ~/letsencrypt/lib --logs-dir ~/letsencrypt/log certonly --manual
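This tells the client that I want to request a certificate manually. It then asks for your email address and whether you want to subscribe to emails; I chose not to subscribe here.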
Saving debug log to /Users/someusr/letsencrypt/log/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): someusr@wwooo.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.wwooo.com
Requesting a certificate for
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:
ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
And make it available on your web server at this URL:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Successfully received certificate.
Certificate is saved at: /Users/someusr/letsencrypt/etc/live/www.wwooo.com/fullchain.pem
Key is saved at: /Users/someusr/letsencrypt/etc/live/www.wwooo.com/privkey.pem
This certificate expires on 2024-xx-xx.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 * Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
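As shown above, at one stage you are prompted to create a file named dddddddddddddddddd_dddddddd under .well-known/acme-challenge/ in the site's root directory,
with the gibberish string ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd as its content.
Create it by hand, and once it is in place press Enter to continue. If the certificate server verifies that the file really exists, that proves the site is yours, and it will download several certificate files into your user directory.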
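The file-placement step above as a shell function, added here as an example and not part of the original article. In an ACME HTTP-01 challenge the file name is the token and the content is the token, a dot, and the account key thumbprint, so the function checks that shape before writing; the name place_challenge and all sample values are constructed.

```shell
#!/bin/sh
# Added example, not from the original article. All values are constructed.

# place_challenge WEBROOT TOKEN KEYAUTH
# Writes KEYAUTH to WEBROOT/.well-known/acme-challenge/TOKEN after checking
# that both values have the shape ACME HTTP-01 uses (RFC 8555, section 8.3).
place_challenge() {
    webroot=$1 token=$2 keyauth=$3
    [ -d "$webroot" ] || { echo "web root not found: $webroot" >&2; return 1; }

    # The token becomes a file name: allow only the base64url alphabet so a
    # mistyped or mispasted value can never contain "/" or "..".
    case $token in
        ''|*[!A-Za-z0-9_-]*) echo "invalid token" >&2; return 2 ;;
    esac

    # The file body must be "<token>.<account key thumbprint>".
    thumb=${keyauth#"$token".}
    [ "$thumb" != "$keyauth" ] || { echo "data does not start with token" >&2; return 3; }
    case $thumb in
        ''|*[!A-Za-z0-9_-]*) echo "invalid thumbprint" >&2; return 3 ;;
    esac

    dir=$webroot/.well-known/acme-challenge
    mkdir -p "$dir" || return 4
    # printf '%s' writes exactly the data, with no trailing newline.
    printf '%s' "$keyauth" > "$dir/$token" || return 4
    chmod 644 "$dir/$token"    # the web server user must be able to read it

    # Read the file back and compare before pressing Enter in certbot.
    [ "$(cat "$dir/$token")" = "$keyauth" ] || return 5
    echo "$dir/$token"
}

# Demo in a throwaway directory with constructed values.
demo_root=$(mktemp -d)
place_challenge "$demo_root" "constructedToken_123" \
    "constructedToken_123.constructedThumbprint-456"
rm -rf "$demo_root"
```

On the real server, pass the site's web root, the file name certbot shows as the last path segment of the URL, and the data string it prints.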
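In my case I use the latest version of nginx, so fullchain.pem corresponds to Alibaba Cloud's public key .pem file and privkey.pem corresponds to Alibaba Cloud's private key .key file. The locations of these two files are not the paths given in the console output above, but the following two actual paths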
/Users/someusr/letsencrypt/etc/archive/www.wwooo.com/fullchain.pem
/Users/someusr/letsencrypt/etc/archive/www.wwooo.com/privkey.pem
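someusr is your current user name
Finally, put them into the nginx certificate directory and make sure the paths match. For the certificate to take effect, don't forget to restart the nginx service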
nginx -s reload
All done. If you can't figure it out, join QQ group 2702237 and ask me.