wildcard certificates(letsencrypt)
debian 9+
# Enable stretch-backports: the certbot shipped with Debian 9 itself predates ACME v2,
# which is required for wildcard issuance, so a newer build is taken from backports.
vi /etc/apt/sources.list
# Line to add to sources.list (plain http is acceptable here only because apt verifies
# the repository's signature; the transport itself is not authenticated).
deb http://ftp.debian.org/debian stretch-backports main
certbot
# -t pins the target release; without it apt would still prefer the (older) stable certbot.
apt-get install certbot -t stretch-backports
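# Request one certificate covering the apex and the wildcard against the ACME v2 endpoint.
# Wildcard names can only be validated with dns-01, so the challenge type is forced and
# --manual prints the TXT values to publish (see the dns step below). The wildcard is
# quoted so the shell cannot glob-expand '*.example.com' against files in the current
# directory before certbot sees it.
certbot --server https://acme-v02.api.letsencrypt.org/directory -d '*.example.com' -d example.com --manual --preferred-challenges dns-01 certonly --rsa-key-size 4096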
dns
# Publish the two validation tokens certbot printed: one per requested name
# (*.example.com and example.com), both at the same _acme-challenge label, as the two
# TXT records below. The values shown on this page are placeholders; use the ones from
# your certbot run. NOTE(review): bump the zone's SOA serial as well, otherwise
# secondaries will not pick up the change.
vi /etc/bind/db.example.com
_acme-challenge.example.com. IN TXT xxxxxxxxxx7b__gtM2ARPcUTzuRj8bAGI0GLoTq_XpU
_acme-challenge.example.com. IN TXT xxxxxxxxxxLd_Np9OiEbaE0bluedtio_1LaG0ZrQM8E
# Reload so the authoritative server serves the new TXT records. The records are only
# needed during validation; remove them once the certificate has been issued.
systemctl reload bind9
test
# Check that both TXT records are visible from an external resolver before telling certbot
# to continue; querying 8.8.8.8 instead of the local cache is a closer approximation of
# what the CA's validators will see.
dig -t txt _acme-challenge.example.com @8.8.8.8
ECC
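# Keep the hand-made ECC material in its own subdirectory under certbot's live/ tree
# (presumably next to the RSA certificate issued above).
mkdir -p /etc/letsencrypt/live/example.com/ecc
# Abort if the directory cannot be entered; otherwise the private key generated next
# would be written wherever the shell happened to be.
cd /etc/letsencrypt/live/example.com/ecc || exit 1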
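# Generate the EC private key. The page listed both curves one after the other, which
# silently overwrites the first key with the second; choose ONE curve here instead.
# secp384r1 is the default so the end result matches running the original two lines.
curve=secp384r1   # or prime256v1
# Piping through `openssl ec` re-emits just the key (drops the EC PARAMETERS block).
openssl ecparam -genkey -name "$curve" | openssl ec -out e_privkey.pem
# openssl creates the file with the default umask (typically world-readable); a private
# key must not be readable by other users.
chmod 600 e_privkey.pem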
# Build a CSR for the apex + wildcard from the key above. -reqexts needs the SAN section
# to live in a config file, so the system openssl.cnf is concatenated with a generated
# [SAN] section via process substitution (bash only). The CN is informational; modern
# clients match on the SANs. -outform der is fine because certbot --csr accepts DER or PEM.
# NOTE(review): /etc/ssl/openssl.cnf is the Debian path — adjust on other distributions.
openssl req -new -sha256 -key e_privkey.pem -subj "/CN=*.example.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:*.example.com")) -outform der -out ec-der.csr
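# Three alternative ways to get the ECC certificate signed; run only ONE of them.
# With --csr, certbot writes the results into the current directory as
# 0000_cert.pem / 0000_chain.pem / 0001_chain.pem (see the name mapping below).
#
# (a) manual dns-01 against the hand-made CSR via ACME v2 — the variant that works for
#     the wildcard. The wildcard is quoted so the shell cannot glob-expand it.
certbot -d example.com -d '*.example.com' --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly --csr ec-der.csr
# (b) webroot (http-01) with the CSR; the names are taken from the CSR itself. http-01
#     cannot validate wildcard names, so this only succeeds if the CSR carries no
#     *.example.com SAN.
certbot certonly --webroot -w /var/www/letsencrypt/ --csr ec-der.csr
# (c) newer certbot: let it generate the ECDSA key and CSR itself, so the openssl steps
#     above are unnecessary. Relies on certbot's default ACME endpoint.
certbot -d example.com -d '*.example.com' --key-type ecdsa certonly --manual --preferred-challenges dns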
0000_cert.pem = cert.pem
0000_chain.pem = chain.pem
0001_chain.pem = fullchain.pem
ssl_trusted_certificate: use 0000_chain.pem (the same content as chain.pem)