The manual method requires neither changes to your DNS records nor an auto-renewal script installed on the server. (The HTTP-01 challenge used below does still require that the domain already resolve to your web server and that port 80 be reachable from the internet, because that is where the CA fetches the challenge file.) If you really do want the server to fetch certificates periodically from cron, follow the official documentation and automate the replacement. This article only covers obtaining a certificate manually.
First open Terminal.app and run
brew install certbot
Homebrew had not been run in a long time, so this took a while, but certbot eventually installed. To confirm, run
brew ls certbot
which lists the files the formula installed, confirming certbot is in place.
Next, run
certbot --config-dir ~/letsencrypt/etc --work-dir ~/letsencrypt/lib --logs-dir ~/letsencrypt/log certonly --manual
This tells the client to request a certificate only (certonly: obtain it, do not install it into a web server) and to let you complete the domain-validation challenge yourself (--manual). The three --*-dir flags keep certbot's configuration, working files and logs under your home directory, so it does not need root or write access to /etc/letsencrypt. Certbot then asks for your email address (used for expiry and security notices) and whether you want to subscribe to the EFF mailing list; I chose not to subscribe.
Saving debug log to /Users/someusr/letsencrypt/log/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): someusr@wwooo.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.wwooo.com
Requesting a certificate for

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd

And make it available on your web server at this URL:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /Users/someusr/letsencrypt/etc/live/www.wwooo.com/fullchain.pem
Key is saved at:         /Users/someusr/letsencrypt/etc/live/www.wwooo.com/privkey.pem
This certificate expires on 2024-xx-xx.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual
  certificates requires the use of an authentication hook script
  (--manual-auth-hook) but one was not provided. To renew this certificate,
  repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
As you can see above, part way through certbot stops and asks you to create a file named dddddddddddddddddd_dddddddd (the challenge token) under .well-known/acme-challenge/ in the site's web root,
whose content is the long random-looking string ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd (the key authorization). Copy both exactly: the file name is the token, the body is that string and nothing else.
Create the file by hand, put it in place, and only then press Enter. Let's Encrypt's validation servers fetch it over plain HTTP on port 80 (a redirect to HTTPS is followed), so check from outside your own network that the URL certbot printed returns exactly that content before continuing. If the CA retrieves the file, that proves you control the site, and certbot writes the certificate files into the directory under your home folder.
In my case the server runs a current nginx, so fullchain.pem plays the role of the certificate file (what Alibaba Cloud's download bundle calls the "public key" .pem) and privkey.pem the role of the private key (Alibaba Cloud's .key file). Note that the paths certbot printed under live/ are symlinks, not regular files: they point at the numbered files in archive/, which for a first issuance are
/Users/someusr/letsencrypt/etc/archive/www.wwooo.com/fullchain1.pem and /Users/someusr/letsencrypt/etc/archive/www.wwooo.com/privkey1.pem
(the number increases on each renewal, and the live/ symlinks are repointed). When copying to the server, either copy the archive files or resolve the symlinks (cp -L, or scp which follows them) so a real file lands on the server. Here someusr is your current username. privkey.pem is the private key: copy it only over an authenticated channel such as scp, keep it readable by root only (chmod 600), and never commit it to a repository.
Finally, put them in nginx's certificate directory and make sure the paths match: ssl_certificate should point at fullchain.pem and ssl_certificate_key at privkey.pem. For the new certificate to take effect, don't forget to reload nginx:
nginx -s reload
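As an added example (not code from the original post), here is a small POSIX sh script that covers the manual steps above: writing the HTTP-01 challenge file exactly as certbot asks, checking it locally and, optionally, from outside the way the CA does, and copying the issued files into nginx's certificate directory with the private key locked down. The token, key-authorization string, web root and destination directory are placeholders; the demo function uses constructed values in a temporary directory and never touches a real CA or a real key.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a POSIX sh, a cp that
# understands -L (BSD and GNU cp both do) and curl for the optional remote check.
# TOKEN / KEYAUTH stand for the file name and file content certbot --manual
# prints; WEBROOT and DEST are placeholders for your nginx docroot and cert dir.
set -eu

# Step 1: write the HTTP-01 challenge file. The name is the token, the body is
# the key authorization string certbot shows, written without a trailing newline
# so the bytes served are exactly the bytes the CA expects.
place_challenge() {
    webroot=$1
    token=$2
    keyauth=$3
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$keyauth" > "$dir/$token"
    chmod 644 "$dir/$token"          # the web server user must be able to read it
    printf '%s\n' "$dir/$token"      # print the path that was written
}

# Step 2a: byte-exact local check before pressing Enter in certbot.
# Returns 0 when the file exists and matches, 1 otherwise.
check_challenge_local() {
    f="$1/.well-known/acme-challenge/$2"
    [ -f "$f" ] && printf '%s' "$3" | cmp -s - "$f"
}

# Step 2b: the check the CA actually performs: a plain-HTTP GET on port 80 of
# the domain (redirects are followed). Run it from outside your own network.
check_challenge_remote() {
    body=$(curl -fsSL "http://$1/.well-known/acme-challenge/$2") || return 1
    [ "$body" = "$3" ]
}

# Step 3: copy the issued files into nginx's certificate directory. live/ holds
# symlinks to the numbered files in archive/; cp -L resolves them so a regular
# file lands in DEST. The private key ends up readable by its owner only.
install_certs() {
    live=$1
    dest=$2
    mkdir -p "$dest"
    cp -L "$live/fullchain.pem" "$dest/fullchain.pem"
    cp -L "$live/privkey.pem"   "$dest/privkey.pem"
    chmod 644 "$dest/fullchain.pem"
    chmod 600 "$dest/privkey.pem"
    # nginx: ssl_certificate DEST/fullchain.pem; ssl_certificate_key DEST/privkey.pem;
}

# Offline walk-through with constructed values in a temp dir (no real CA, no
# real keys): shows the order of operations end to end.
demo() {
    tmp=$(mktemp -d)
    token="dddddddddddddddddd_dddddddd"            # constructed placeholder token
    keyauth="$token.ssssssssssssssssssssssssssss"   # constructed placeholder key-auth
    place_challenge "$tmp/www" "$token" "$keyauth"
    check_challenge_local "$tmp/www" "$token" "$keyauth" \
        && echo "challenge file OK, now press Enter in certbot"
    # fake certbot layout: numbered files in archive/, symlinks in live/
    mkdir -p "$tmp/etc/archive/www.wwooo.com" "$tmp/etc/live/www.wwooo.com"
    printf 'FAKE-CHAIN\n' > "$tmp/etc/archive/www.wwooo.com/fullchain1.pem"
    printf 'FAKE-KEY\n'   > "$tmp/etc/archive/www.wwooo.com/privkey1.pem"
    ln -s ../../archive/www.wwooo.com/fullchain1.pem "$tmp/etc/live/www.wwooo.com/fullchain.pem"
    ln -s ../../archive/www.wwooo.com/privkey1.pem   "$tmp/etc/live/www.wwooo.com/privkey.pem"
    install_certs "$tmp/etc/live/www.wwooo.com" "$tmp/nginx-ssl"
    ls -l "$tmp/nginx-ssl"                           # regular files, key is 0600
    rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh script.sh demo` to see the dry run; for real use, call place_challenge with your docroot and the values certbot prints, run check_challenge_remote from another machine, press Enter, then install_certs and `nginx -s reload`. The local check uses cmp rather than a shell string comparison so that a stray trailing newline in the file is caught.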
Done. If you can't work it out, join QQ group 2702237 and ask me there.