Tested: generating a free wildcard HTTPS certificate with acme.sh and exporting it as a PFX


Published 2020-09-01

HTTPS certificate (a Let's Encrypt certificate is valid for three months, i.e. 90 days, so renewal has to be planned for from the start)

When requesting a Let's Encrypt certificate the client has to prove control of the domain, i.e. that the operator is entitled to obtain a certificate for it. The challenge types are:
  • dns-01: add a DNS TXT record at _acme-challenge.<domain>.
  • http-01: serve a token file under /.well-known/acme-challenge/ on the domain's web server (port 80).
  • tls-sni-01: prove control with a specially named self-signed certificate on port 443. Let's Encrypt retired this challenge in 2019; its replacement is tls-alpn-01.
A wildcard certificate can only be validated with dns-01, so that is the method used below.

Install acme.sh. This runs the remote installer as the current user; review it first, or clone https://github.com/acmesh-official/acme.sh and run ./acme.sh --install if piping a downloaded script into sh is not acceptable. The installer puts everything under ~/.acme.sh and adds a cron job for renewals:

curl https://get.acme.sh | sh


Alibaba Cloud (Aliyun) DNS


Create an AccessKey in the Alibaba Cloud console. Use a RAM sub-user that only has DNS (AliDNS) permissions rather than the root account's key: acme.sh saves these two values in ~/.acme.sh/account.conf so that renewals can reuse them, so the key will sit on this server in plain text.
Once you have the AccessKey ID and Secret, export them:

export Ali_Key="<AccessKey ID>"

export Ali_Secret="<AccessKey Secret>"

Now issue the certificate. Note that the command below passes --dns with no provider name, which is acme.sh's manual DNS mode: the Ali_Key/Ali_Secret exported above are not used, the TXT record has to be created by hand, and the cron job cannot renew the certificate on its own. Passing --dns dns_ali instead lets acme.sh add and remove the record itself. The author's session, in manual mode:
[root@LanhuServer1 .acme.sh]# sh acme.sh --issue --dns -d *.lanhucms.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Thu Apr 9 11:33:22 CST 2020] Single domain='*.lanhucms.com'
[Thu Apr 9 11:33:22 CST 2020] Getting domain auth token for each domain
[Thu Apr 9 11:33:42 CST 2020] Getting webroot for domain='*.lanhucms.com'
[Thu Apr 9 11:33:43 CST 2020] Add the following TXT record:
[Thu Apr 9 11:33:43 CST 2020] Domain: '_acme-challenge.lanhucms.com'
[Thu Apr 9 11:33:43 CST 2020] TXT value: 'tiT5rAg5TPDbaXB7Dg1kVBz-CTI6VO9zVE9r1kX99xc'
[Thu Apr 9 11:33:43 CST 2020] Please be aware that you prepend _acme-challenge. before your domain
[Thu Apr 9 11:33:43 CST 2020] so the resulting subdomain will be: _acme-challenge.lanhucms.com
[Thu Apr 9 11:33:43 CST 2020] Please add the TXT records to the domains, and re-run with --renew.
[Thu Apr 9 11:33:43 CST 2020] Please add '--debug' or '--log' to check more details.
[Thu Apr 9 11:33:43 CST 2020] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[root@LanhuServer1 .acme.sh]# sh acme.sh --renew
Usage: acme.sh --renew -d domain.com [--ecc]
[root@LanhuServer1 .acme.sh]# sh acme.sh --renew -d *.lanhucms.com
[Thu Apr 9 11:35:10 CST 2020] Renew: '*.lanhucms.com'
[Thu Apr 9 11:35:10 CST 2020] It seems that you are using dns manual mode. Read this link first: https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode
[root@LanhuServer1 .acme.sh]# sh acme.sh --renew -d *.lanhucms.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Thu Apr 9 11:35:39 CST 2020] Renew: '*.lanhucms.com'
[Thu Apr 9 11:35:47 CST 2020] Single domain='*.lanhucms.com'
[Thu Apr 9 11:35:47 CST 2020] Getting domain auth token for each domain
[Thu Apr 9 11:35:47 CST 2020] Verifying: *.lanhucms.com
[Thu Apr 9 11:36:11 CST 2020] Success
[Thu Apr 9 11:36:11 CST 2020] Verify finished, start to sign.
[Thu Apr 9 11:36:11 CST 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/82906674/2939585051
[Thu Apr 9 11:36:18 CST 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/0404d11d3817ae4bea5d94983811d0143f60
[Thu Apr 9 11:36:25 CST 2020] Cert success.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[Thu Apr 9 11:36:25 CST 2020] Your cert is in /root/.acme.sh/*.lanhucms.com/*.lanhucms.com.cer
[Thu Apr 9 11:36:25 CST 2020] Your cert key is in /root/.acme.sh/*.lanhucms.com/*.lanhucms.com.key
[Thu Apr 9 11:36:25 CST 2020] The intermediate CA cert is in /root/.acme.sh/*.lanhucms.com/ca.cer
[Thu Apr 9 11:36:25 CST 2020] And the full chain certs is there: /root/.acme.sh/*.lanhucms.com/fullchain.cer
[root@LanhuServer1 .acme.sh]#
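Two things worth checking before re-running with --renew are that the TXT record really is visible from outside (Let's Encrypt resolves it from its own vantage points, not from your local cache) and that it carries the token of the current run, not a stale one. The helpers below are an added example written for this page, not part of the original post or of acme.sh; the resolver address and the issue_wildcard wrapper are assumptions. challenge_name shows why an order for the apex and the wildcard needs two TXT records at the same name.

```shell
#!/bin/sh
# Pre-flight checks for the dns-01 flow above. Added example, not part of the
# original post or of acme.sh; the domain and the resolver are assumptions.

# challenge_name DOMAIN: the TXT owner name acme.sh asks for.
# "lanhucms.com" and "*.lanhucms.com" validate at the same name, so an order
# covering both needs two TXT records at _acme-challenge.lanhucms.com.
challenge_name() {
    d=${1#\*.}
    printf '_acme-challenge.%s\n' "$d"
}

# txt_has_token TOKEN: read `dig +short TXT` output on stdin and succeed only
# if one record is exactly TOKEN (a stale record from an earlier run is not enough).
txt_has_token() {
    while IFS= read -r line; do
        v=${line#\"}
        v=${v%\"}
        [ "$v" = "$1" ] && return 0
    done
    return 1
}

# check_txt DOMAIN TOKEN [RESOLVER]: query a public resolver rather than the
# local cache, because Let's Encrypt resolves the record from outside.
check_txt() {
    dig +short TXT "$(challenge_name "$1")" "@${3:-1.1.1.1}" | txt_has_token "$2"
}

# issue_wildcard DOMAIN: the automatic equivalent of the manual commands in the
# log above. Assumes Ali_Key/Ali_Secret are exported; acme.sh then creates and
# removes the TXT records itself and the cron job can renew without help.
# --keylength 2048 keeps the RSA file layout shown in the post (newer acme.sh
# defaults to ECC keys, stored under a *_ecc directory and addressed with --ecc).
issue_wildcard() {
    "$HOME/.acme.sh/acme.sh" --issue --dns dns_ali \
        -d "$1" -d "*.$1" --keylength 2048
}
```

Usage in manual mode: `check_txt lanhucms.com tiT5rAg5TPDbaXB7Dg1kVBz-CTI6VO9zVE9r1kX99xc && ~/.acme.sh/acme.sh --renew -d '*.lanhucms.com' --yes-I-know-dns-manual-mode-enough-go-ahead-please`. With the API credentials in place, `issue_wildcard lanhucms.com` replaces the whole manual exchange.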


Export as PFX
cd "/root/.acme.sh/*.lanhucms.com"
openssl pkcs12 -export -out '*.lanhucms.com.pfx' -inkey '*.lanhucms.com.key' -in '*.lanhucms.com.cer' -certfile ca.cer
Three notes on this command. Quote the file names: the directory and file names literally contain `*`, and an unquoted glob that happens to match more than one file silently changes the arguments. Use ca.cer, not fullchain.cer, as -certfile; fullchain.cer already contains the leaf certificate, so the original command packed the leaf into the PFX twice. openssl prompts for an export password; set one, because the file contains the private key, and copy the PFX to the Windows host over an authenticated channel. On OpenSSL 3.x add -legacy, otherwise Windows Server 2008/2012 cannot import the file (the default PKCS#12 encryption changed to AES-256-CBC with PBKDF2, which old Schannel does not understand). acme.sh can also produce the file itself: acme.sh --toPkcs -d '*.lanhucms.com' --password '<pfx password>'.
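Before the PFX leaves the box it is worth confirming that the key actually belongs to the leaf certificate and that the bundle contains the chain. The functions below are an added example for this page, not acme.sh code; they take the acme.sh output files as arguments, and the PFX_LEGACY switch (which adds OpenSSL 3's -legacy option for Windows Server 2008) is an assumption of this example.

```shell
#!/bin/sh
# Build a password-protected PFX from acme.sh output and verify it.
# Added example, not from the original post or from acme.sh. Assumptions:
# the acme.sh files are passed in explicitly, and PFX_LEGACY=1 selects the
# OpenSSL 3 "-legacy" PKCS#12 encoding that Windows Server 2008 can import.

# Fingerprint of the public key in the FIRST certificate of $1
# (acme.sh's fullchain.cer lists the leaf first, then the intermediate).
pubkey_of_cert() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha256
}

# The same fingerprint for the public half of private key $1.
pubkey_of_key() {
    openssl pkey -in "$1" -pubout | openssl sha256
}

# pfx_export FULLCHAIN KEY OUT PASSWORD
# Refuses to write an unprotected PFX and refuses to pair a key with the
# wrong certificate (the classic "wrong file after a renewal" mistake).
pfx_export() {
    fullchain=$1; key=$2; out=$3; password=$4
    if [ -z "$password" ]; then
        echo "pfx_export: refusing to write a PFX without a password" >&2
        return 2
    fi
    if [ "$(pubkey_of_cert "$fullchain")" != "$(pubkey_of_key "$key")" ]; then
        echo "pfx_export: private key does not match the leaf certificate" >&2
        return 1
    fi
    # fullchain.cer holds leaf + intermediate: openssl pairs the leaf with the
    # key and stores the intermediate as an extra cert, so -certfile is not needed.
    legacy=""
    [ "${PFX_LEGACY:-0}" = "1" ] && legacy="-legacy"
    openssl pkcs12 -export $legacy \
        -in "$fullchain" -inkey "$key" \
        -out "$out" -passout "pass:$password"
}

# pfx_cert_count PFX PASSWORD: number of certificates in the bundle
# (expect 2 for leaf + intermediate; reading also verifies the MAC).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# pfx_leaf_subject PFX PASSWORD: subject of the certificate paired with the key.
pfx_leaf_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
        | openssl x509 -noout -subject -nameopt RFC2253
}
```

For the files in the log above: `cd "/root/.acme.sh/*.lanhucms.com" && pfx_export fullchain.cer '*.lanhucms.com.key' '*.lanhucms.com.pfx' "$PFX_PASS" && pfx_leaf_subject '*.lanhucms.com.pfx' "$PFX_PASS"`, with PFX_LEGACY=1 set when the target is Windows Server 2008 and the local OpenSSL is 3.x.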
============ HTTPS binding error
---------------------------
Add Site Binding
---------------------------
There was an error while performing this operation.

Details:

The specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
---------------------------
OK
---------------------------
Workaround: import the certificate through the Certificates MMC snap-in (Computer account, Personal store) instead of through IIS Manager, then select it in the site binding dialog.

After that the site showed the following problem:

The certificate itself was fine; the server only offered TLS 1.0 and not TLS 1.2, which current clients no longer accept. Enabling TLS 1.2 and rebooting fixed it. While in the Schannel registry, disable SSL 3.0 as well (the script below only turns off SSL 2.0), and plan to disable TLS 1.0/1.1 once no client still depends on them.
https://www.cnblogs.com/minamiko/p/6128455.html
Configuring TLS 1.2 on Windows Server 2008 R2
Paste the following into an elevated PowerShell session, run it, and reboot the server. Windows Server 2008 (the non-R2 release) additionally needs update KB4019276 before TLS 1.1/1.2 can be enabled at all.
# Enables TLS 1.2 on Windows Server 2008 R2 and Windows 7 (Schannel settings).
# Run elevated; Schannel only picks the change up after a reboot.

$schannel = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

# These keys do not exist by default and must be created before values can be set.
# The Test-Path guard and -Force make the script safe to re-run; the original
# md/new-itemproperty calls fail with "already exists" on a second run.
foreach ($side in "Server", "Client") {
    $path = "$schannel\TLS 1.2\$side"
    if (-not (Test-Path $path)) { New-Item -Path $path | Out-Null }
    # Enable TLS 1.2 for server and client Schannel communications
    New-ItemProperty -Path $path -Name "Enabled" -Value 1 -PropertyType "DWord" -Force | Out-Null
    New-ItemProperty -Path $path -Name "DisabledByDefault" -Value 0 -PropertyType "DWord" -Force | Out-Null
}

# Disable SSL 2.0 (PCI compliance)
$ssl2 = "$schannel\SSL 2.0\Server"
if (-not (Test-Path $ssl2)) { New-Item -Path $ssl2 | Out-Null }
New-ItemProperty -Path $ssl2 -Name "Enabled" -Value 0 -PropertyType "DWord" -Force | Out-Null
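After the reboot, confirm from the Linux box which protocol versions the Windows host actually negotiates rather than trusting the registry. This is an added example for this page, not part of the original post; the host and port arguments are assumptions, and the openssl s_client invocation is the standard client, not anything specific to IIS.

```shell
#!/bin/sh
# Probe which TLS versions a server accepts, one forced version per handshake.
# Added example, not from the original post; HOST and PORT are assumptions.

# negotiated_protocol: read `openssl s_client` output on stdin and print the
# version that was actually negotiated, or "none" if no handshake completed.
# A refused version shows up as "Cipher : 0000" (or "(NONE)") in the session block.
negotiated_protocol() {
    awk -F': *' '
        /^ *Protocol *:/ { proto = $2 }
        /^ *Cipher *:/   { cipher = $2 }
        END {
            if (proto == "" || cipher == "" || cipher ~ /^0000$/ || cipher ~ /NONE/)
                print "none"
            else
                print proto
        }'
}

# tls_probe HOST PORT VERSIONFLAG  (e.g. tls_probe 203.0.113.10 443 -tls1_2)
# Prints the negotiated version for a handshake restricted to VERSIONFLAG.
tls_probe() {
    openssl s_client -connect "$1:$2" -servername "$1" "$3" </dev/null 2>/dev/null \
        | negotiated_protocol
}

# probe_versions HOST PORT: one line per version. Expected after the registry
# change: -tls1_2 -> TLSv1.2, -ssl3 -> none. A "none" for -ssl3 can also mean
# the local openssl build no longer supports that option, which is fine here.
probe_versions() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s -> %s\n' "$flag" "$(tls_probe "$1" "$2" "$flag")"
    done
}
```

Run `probe_versions www.lanhucms.com 443` (host name assumed) after the reboot; TLS 1.2 should report TLSv1.2 and SSL 3.0 should report none. Repeat the probe whenever the Schannel settings are touched again.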

Editor: 蓝狐 (Lanhu)