我在 CentOS 7 上使用 EPEL 存储库中的 certbot/letsencrypt 和 apache,在“正常”域名上没有任何问题。certbot 工具可以很好地识别虚拟主机配置文件中的服务器名称别名。续订也很好用。
例如,虚拟主机配置中有如下一行:
ServerName uncovery.net
ServerAlias www.uncovery.net
certbot 会提示我安装/维护域名
1: uncovery.net
2: www.uncovery.net
但是,我的虚拟主机配置中的这一行:
ServerName uncovery.net
ServerAlias *.uncovery.net
仅显示
1: uncovery.net
运行 certbot 时。
因此我尝试了以下方法:
# certbot -d *.uncovery.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
我尝试了 apache/webroot/standalone 身份验证器,但都失败了。调试日志显示
ConfigurationError: *.uncovery.net contains an invalid character. Valid characters are A-Z, a-z, 0-9, ., and -.
所以问题是:
1)如何让 certbot 的命令行界面识别 *.wildcard?
2)如果这不起作用,我该如何手动配置证书?
这是我的 certbot 版本:
Package certbot-1.0.0-1.el7.noarch already installed and latest version
Package python2-certbot-apache-1.0.0-1.el7.noarch already installed and latest version
答案1
这应该有效
certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d 'uncovery.net,*.uncovery.net'
之后,不要忘记在 Apache 配置 SSL 设置中指向fullchain.pem和privkey.pem。通常,位于/etc/letsencrypt/live/uncovery.net/fullchain.pem
/etc/letsencrypt/live/uncovery.net/privkey.pem
如果您不更改这些,您仍然会看到自签名证书,即 apache 默认的自签名 ssl 证书。