Renewing/requesting an SSL domain certificate with certbot on Windows

Tutorials & experience · 06-19 · 906 views
It has been a while since I last updated the blog. Since the MC server community I ran disbanded, I have had more free time, so I can dig into some new things.

certbot Windows build: GitHub download link

Script contents

This post briefly shares how to renew/request an SSL certificate on Windows with the certbot program; for this I wrote a small batch script that you can use.

Update 07/10: when the logged-in user is not an administrator the script has to elevate itself before it can run, so it was changed to request elevation as soon as it is opened.
@echo off
REM Self-elevation: on the first run %1 is empty, so this line runs mshta, which starts an
REM elevated ("runas") cmd with "/c this-script ::" and the original window exits. In the
REM elevated copy %1 is "::", which turns this line into a comment, so execution continues below.
%1 mshta vbscript:CreateObject("Shell.Application").ShellExecute("cmd.exe","/c %~s0 ::","","runas",1)(window.close)&&exit
REM The elevated copy starts in System32, so switch to the script's own directory.
cd /d "%~dp0"

echo 请确保安装了Certbot,如未安装可以前往下载 https://github.com/certbot/certbot/releases/download/v2.9.0/certbot-beta-installer-win_amd64_signed.exe
echo 脚本作者by.yanhy2000
echo 申请证书需要准备一个邮箱,邮箱第一次申请会自动注册,只需要两次输入"y"并回车即可
echo 验证证书需要手动添加修改DNS的TXT记录
set /p email="请输入您的邮箱地址: "
set /p domain="请输入您的域名: "

REM certonly = obtain the certificate only, no installation; --manual with a DNS-01
REM challenge against the Let's Encrypt ACME v2 production directory.
certbot certonly -m "%email%" -d "%domain%" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

if %errorlevel% neq 0 (
    echo 证书申请过程中发生错误。
    pause
    exit /b %errorlevel%
)

echo 证书申请成功。
pause

A quick breakdown of the certbot command the script runs:

certonly   obtain the certificate only, without installing it into a web server
-m   the e-mail address for the ACME account
-d   the domain name the certificate is requested for
--manual   obtain the certificate interactively or through script hooks, rather than with a web-server plugin
--preferred-challenges dns-01   prove control of the domain through DNS (a TXT record)
--server   the Let's Encrypt ACME v2 directory endpoint

So the script only needs the e-mail address and the domain to start the request.

Usage

Enter the e-mail address and the domain you are requesting the certificate for.
If this is the first request for the e-mail address, certbot prompts you to register an account and so on; just type y and press Enter (possibly twice).
It then prints a prompt like the following (the domain and record value are placeholders):

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.www.test.com.

with the following value:

aaaaaaaaaaaaaaaa

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.oooyn.top.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Do not press Enter yet. Go to your domain registrar or DNS host (e.g. Alibaba Cloud Domains, Tencent Cloud DNSPod) and add a record for the target domain:

  • Host record: "_acme-challenge.www.test.com." with the registered domain stripped off, i.e. "_acme-challenge.www"
  • Record type: TXT
  • Record value: the "aaaaaaaaaaaaaaaa" string shown above

After adding it, wait a few minutes (it can be as quick as tens of seconds; DNS propagation and caches take time), then press Enter in the command window and wait for the validation.
If you are not sure the record has propagated, flush the local DNS cache first and check locally that it resolves before pressing Enter; otherwise, after a failure you have to go through the DNS step again.

  • To flush the local DNS cache: Win+R, type CMD and press Enter, then run ipconfig /flushdns
  • To test the TXT record locally: Win+R, type the command and press Enter: nslookup -qt=txt _acme-challenge.test.com

    服务器:  DNS1.aaaaaa.net
    Address:  1.2.3.4
    
    非权威应答:
    _acme-challenge.test.com       text =
    
          "aaaaaaaaaaaaaaaaaaaaaaaa"
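Flushing the cache and running nslookup by hand works, but it still leaves you guessing when to press Enter. The following PowerShell script is an added example (not part of the original post) that polls a public resolver, which has no copy of your local cache, until the _acme-challenge TXT record carries exactly the value certbot printed. It assumes Windows PowerShell 5.1 or later with the DnsClient module (Resolve-DnsName); the domain and value in the usage line are the placeholders from the post.

```powershell
# Added example: poll a public resolver until the _acme-challenge TXT record for
# the domain carries the value certbot printed, then tell the user to press Enter.
# Assumptions: Windows PowerShell 5.1+ with the DnsClient module (Resolve-DnsName).
param(
    [Parameter(Mandatory = $true)][string]$Domain,    # e.g. www.test.com (placeholder from the post)
    [Parameter(Mandatory = $true)][string]$Expected,  # the record value certbot printed
    [string]$Resolver = "1.1.1.1",                    # public resolver: bypasses the local DNS cache
    [int]$TimeoutSeconds = 600,
    [int]$IntervalSeconds = 15
)

function Test-AcmeTxtRecord {
    param([string]$Domain, [string]$Expected, [string]$Resolver)
    $name = "_acme-challenge.$Domain"
    try {
        # -DnsOnly skips the hosts file, LLMNR and NetBIOS; -Server asks the given
        # resolver directly instead of the Windows DNS client cache.
        $records = Resolve-DnsName -Name $name -Type TXT -Server $Resolver -DnsOnly -ErrorAction Stop
    } catch {
        Write-Host "[$(Get-Date -Format T)] $name not found yet: $($_.Exception.Message)"
        return $false
    }
    # A TXT record may be split into several quoted strings; join them before comparing.
    $values = @($records | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { -join $_.Strings })
    Write-Host "[$(Get-Date -Format T)] $name TXT = $($values -join ' | ')"
    return [bool]($values -contains $Expected)
}

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while ((Get-Date) -lt $deadline) {
    if (Test-AcmeTxtRecord -Domain $Domain -Expected $Expected -Resolver $Resolver) {
        Write-Host "Record is live on $Resolver; go back to the certbot window and press Enter."
        exit 0
    }
    Start-Sleep -Seconds $IntervalSeconds
}
Write-Warning "Gave up after $TimeoutSeconds s: check the record name and value at your DNS provider."
exit 1
```

Run it from a second PowerShell window while certbot is waiting, e.g. .\Test-AcmeTxt.ps1 -Domain www.test.com -Expected aaaaaaaaaaaaaaaa. One caveat: if that resolver was asked for the name before the record existed, it may keep the "no such record" answer for the zone's negative TTL, so try another resolver (-Resolver 8.8.8.8) before assuming the record is wrong. Let's Encrypt's validators query the zone's authoritative servers themselves, so once a fresh resolver sees the correct value, certbot should too.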

After pressing Enter, the following output means success. The certificate files are in the C:\Certbot\live directory; copy them to wherever you need to deploy them.

Successfully received certificate.
Certificate is saved at: C:\Certbot\live\example.top\fullchain.pem
Key is saved at:         C:\Certbot\live\example.top\privkey.pem
This certificate expires on 2023-08-05.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
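Because the certificate was obtained with --manual and no authentication hook, certbot will not renew it by itself, and the only reminder is the expiry date printed above. The PowerShell script below is an added example (not part of the original post) that walks C:\Certbot\live, reads the leaf certificate from each fullchain.pem and flags the lineages that are inside the renewal window, so the request script can be re-run in time. It assumes Windows PowerShell 5.1 or later and that the .NET X509Certificate2 file constructor loads the first (leaf) certificate from a PEM-encoded file, which it does on Windows; the 30-day window matches certbot's own default.

```powershell
# Added example: report days remaining on every certbot lineage and flag the ones
# that must be re-requested by running the same certbot command again.
# Assumptions: Windows PowerShell 5.1+; X509Certificate2(path) accepts PEM input
# and returns the first certificate in fullchain.pem (the leaf).
param(
    [string]$LiveDir = "C:\Certbot\live",  # certbot's default live directory on Windows
    [int]$RenewWithinDays = 30             # certbot's own default renewal window
)

function Get-CertbotCertificateStatus {
    param([string]$LiveDir, [int]$RenewWithinDays)
    Get-ChildItem -Path $LiveDir -Directory | ForEach-Object {
        $pem = Join-Path $_.FullName 'fullchain.pem'
        if (-not (Test-Path $pem)) { return }   # skip directories without a chain file
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pem
        $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        [pscustomobject]@{
            Lineage    = $_.Name
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            NeedsRenew = ($daysLeft -le $RenewWithinDays)
        }
    }
}

$status = @(Get-CertbotCertificateStatus -LiveDir $LiveDir -RenewWithinDays $RenewWithinDays)
$status | Format-Table -AutoSize | Out-Host
$due = @($status | Where-Object NeedsRenew)
if ($due.Count -gt 0) {
    Write-Warning ("Re-run the request script for: " + ($due.Lineage -join ', '))
    exit 1   # non-zero so a scheduled task can surface the warning
}
exit 0
```

Run it as an administrator (C:\Certbot is normally readable only by administrators) or register it as a scheduled task; the non-zero exit code makes a task history entry when something is due. certbot's own certbot certificates command prints the same expiry information, so the script can be cross-checked against it.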

Troubleshooting

Problem 1

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: www.test.com
  Type:   dns
  Detail: DNS problem: looking up TXT for _acme-challenge.www.test.com: DNSSEC: DNSKEY Missing

Hint: The Certificate Authority failed to verify the manually created DNS TXT records. Ensure that you created these in the correct location, or try waiting longer for DNS propagation on the next attempt.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.
证书申请过程中发生错误。
请按任意键继续. . .

DNS has not propagated yet; wait a bit longer. If it keeps failing after a long wait, try flushing the local DNS cache.

Problem 2

Saving debug log to C:\Certbot\log\letsencrypt.log
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLEOFError(8, 'EOF occurred in violation of protocol (_ssl.c:1129)')))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.
证书申请过程中发生错误。
请按任意键继续. . .

A network connectivity problem on the PC: check whether a proxy is enabled and, if so, disable it.
