1
2
3

cd opt/
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

1

An unexpected error occurred: UnicodeEncodeError: 'ascii' codec can't encode

1

./certbot-auto certonly  -d *.example.cn --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

Requesting to rerun ./certbot-auto with root privileges...
./certbot-auto has insecure permissions!
To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.cn- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.cn with the following value:v8somjB6jyjkZ9-fi_5l705CA_ERu0hRJcGFbLpHNaQ#配置dns的txt解析Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: xxxxx(your email)@163.com).IMPORTANT NOTES:- Congratulations! Your certificate and chain have been saved at:/etc/letsencrypt/live/example.cn/fullchain.pemYour key file has been saved at:/etc/letsencrypt/live/example.cn/privkey.pemYour cert will expire on 2021-02-20. To obtain a new or tweakedversion of this certificate in the future, simply run certbot-autoagain. To non-interactively renew *all* of your certificates, run"certbot-auto renew"- If you like Certbot, please consider supporting our work by:Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donateDonating to EFF:                    https://eff.org/donate-le

1
2

# 域名为解析的二级域名nslookup -q=txt _acme-challenge.example.cn

1
2
3
4
5
6
7

(base) john@VM-0-3-ubuntu:~$ sudo ls -lh /etc/letsencrypt/live/example.cn
总用量 4.0K
lrwxrwxrwx 1 root root  33 Nov 22 16:25 cert.pem -> ../../archive/example.cn/cert1.pem
lrwxrwxrwx 1 root root  34 Nov 22 16:25 chain.pem -> ../../archive/example.cn/chain1.pem
lrwxrwxrwx 1 root root  38 Nov 22 16:25 fullchain.pem -> ../../archive/example.cn/fullchain1.pem
lrwxrwxrwx 1 root root  36 Nov 22 16:25 privkey.pem -> ../../archive/example.cn/privkey1.pem
-rw-r--r-- 1 root root 692 Nov 22 16:25 README

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

server {listen       443 ssl;server_name  localhost;location / {root   html;index  index.html index.htm;}ssl on;ssl_session_timeout 5m;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;ssl_prefer_server_ciphers on;ssl_certificate      /etc/letsencrypt/live/example.cn/fullchain.pem;# 若使用cert.pem虽证书有效，但浏览器依然会提示不安全ssl_certificate_key  /etc/letsencrypt/live/example.cn/privkey.pem;
}

1
2

touch sslrenew.sh
chmod +x sslrenew.sh

1

<path to certbot>/certbot-auto renew

1
2
3

编辑定时任务：crontab -e
0 0 1 * * /home/john/opt/sslrenew.sh #每月1日
查看定时任务：crontab -l