Requesting a wildcard Let's Encrypt certificate using OVH DNS

1. Upgrade pip

python -m pip install --upgrade pip

2. Install certbot-dns-ovh

pip install certbot-dns-ovh

If you then hit the following error when running certbot:

certbot -h
Traceback (most recent call last):
  File "/usr/bin/certbot", line 5, in <module>
    from certbot.main import main
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 22, in <module>
    from certbot._internal import cert_manager
  File "/usr/lib/python2.7/site-packages/certbot/_internal/cert_manager.py", line 16, in <module>
    from certbot._internal import storage
  File "/usr/lib/python2.7/site-packages/certbot/_internal/storage.py", line 83, in <module>
    def add_time_interval(base_time, interval, textparser=parsedatetime.Calendar()):
  File "/usr/lib/python2.7/site-packages/parsedatetime/__init__.py", line 270, in __init__
    self.ptc = Constants()
  File "/usr/lib/python2.7/site-packages/parsedatetime/__init__.py", line 2381, in __init__
    self.locale = get_icu(self.localeID)
  File "/usr/lib/python2.7/site-packages/parsedatetime/pdt_locales/icu.py", line 56, in get_icu
    result['icu'] = icu = pyicu.Locale(locale)
AttributeError: 'module' object has no attribute 'Locale'

Solution: pin parsedatetime to 2.5, after which certbot starts normally

pip install parsedatetime==2.5
[root@DT_Node-172_30_200_209 /tmp/ovh]# certbot --version
certbot 1.11.0
[root@DT_Node-172_30_200_209 /tmp/ovh]# certbot --help

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  (the certbot apache plugin is not installed)
  --standalone      Run a standalone webserver for authentication
  (the certbot nginx plugin is not installed)
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script
hooks

   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates
to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-name or --cert-path)
    delete          Delete a certificate (supply --cert-name)

manage your account:
    register        Create an ACME account
    unregister      Deactivate an ACME account
    update_account  Update an ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
  -h all                print a detailed help page including all topics
  --version             print the version number
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@DT_Node-172_30_200_209 /tmp/ovh]#

Request OVH API credentials; pick the endpoint that matches your account:
OVH Europe (endpoint: ovh-eu)
OVH North America (endpoint: ovh-ca)

Configure the credentials file

mkdir -p ~/.secrets/certbot/ && vi ~/.secrets/certbot/ovh.ini
[root@DT_Node-172_30_200_209 /tmp/ovh]# cat ~/.secrets/certbot/ovh.ini
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = JNCqFDtImarQpIrX
dns_ovh_application_secret = 1a3nNCIiqnixnxMou4Q1Ei9snVZy8reX
dns_ovh_consumer_key = jCZFPgnWmYcKQMQI7fkYAMZIHhwdC1VM

Request the certificate

certbot certonly \
--dns-ovh \
--dns-ovh-credentials ~/.secrets/certbot/ovh.ini \
--dns-ovh-propagation-seconds 60 \
--non-interactive \
--agree-tos \
--email admin@extrementc.com \
-d curlip.me \
-d '*.curlip.me'

Check the DNS challenge records (while the request is waiting for propagation)

[lookback@LookBack-iMAC-10.15.7 ~]$ dig -t txt _acme-challenge.curlip.me

; <<>> DiG 9.10.6 <<>> -t txt _acme-challenge.curlip.me
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30643
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.curlip.me.     IN      TXT

;; ANSWER SECTION:
_acme-challenge.curlip.me. 59   IN      TXT     "12fGGaqgwPsSSpS6wdpc1VHp50Zg7COl7hEy_fDUdIM"
_acme-challenge.curlip.me. 59   IN      TXT     "TkZbntYQb1E0i63zRkwuzJuNO9Uyo4aDDnGrc752MvM"

;; Query time: 428 msec
;; SERVER: 192.99.104.100#53(192.99.104.100)
;; WHEN: Tue Jul 06 13:52:46 CST 2021
;; MSG SIZE  rcvd: 166

Full output of the certificate request

[root@DT_Node-172_30_200_209 /tmp/ovh]# certbot certonly \
> --dns-ovh \
> --dns-ovh-credentials ~/.secrets/certbot/ovh.ini \
> --dns-ovh-propagation-seconds 60 \
> --non-interactive \
> --agree-tos \
> --email admin@extrementc.com \
> -d curlip.me \
> -d *.curlip.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-ovh, Installer None
Account registered.
Requesting a certificate for curlip.me and *.curlip.me
Performing the following challenges:
dns-01 challenge for curlip.me
dns-01 challenge for curlip.me
Unsafe permissions on credentials configuration file: /root/.secrets/certbot/ovh.ini
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/curlip.me/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/curlip.me/privkey.pem
   Your certificate will expire on 2021-10-04. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Where the files are stored after the certificate is issued

/etc/letsencrypt/live/curlip.me/fullchain.pem # certificate (full chain)
/etc/letsencrypt/live/curlip.me/privkey.pem   # private key
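The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that writes the OVH credentials file with owner-only permissions (the certbot run in the post warned "Unsafe permissions on credentials configuration file"), checks that all four keys are present and that the mode is 600, shows the challenge TXT records with the same dig query, and runs the post's certbot command. The script name, the CRED_FILE variable, the DRY_RUN switch and the placeholder key values are assumptions; certbot, certbot-dns-ovh and dig are assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the original post. Prepares the OVH credentials
# file for certbot-dns-ovh with owner-only permissions, sanity-checks it, and
# issues the same certbot request as the post (apex plus wildcard).
# Every key value passed into write_ovh_credentials is a placeholder, never a
# real OVH secret.

CRED_FILE="${CRED_FILE:-$HOME/.secrets/certbot/ovh.ini}"

# Write the four keys certbot-dns-ovh reads. The file is created under
# umask 077, so it is never group- or world-readable, not even briefly.
write_ovh_credentials() {
    file="$1"; endpoint="$2"; app_key="$3"; app_secret="$4"; consumer_key="$5"
    mkdir -p "$(dirname "$file")"
    (
        umask 077
        cat > "$file" <<EOF
dns_ovh_endpoint = $endpoint
dns_ovh_application_key = $app_key
dns_ovh_application_secret = $app_secret
dns_ovh_consumer_key = $consumer_key
EOF
    )
    chmod 600 "$file"
}

# Succeed only if every key the plugin needs is present with a non-empty value.
check_ovh_credentials() {
    file="$1"
    [ -r "$file" ] || return 1
    for key in dns_ovh_endpoint dns_ovh_application_key \
               dns_ovh_application_secret dns_ovh_consumer_key; do
        grep -q "^$key *= *[^ ]" "$file" || return 1
    done
}

# Succeed only if the file has no group/other permission bits set, which is
# the condition behind certbot's "Unsafe permissions" warning. ls -l is used
# instead of stat because stat's flags differ between GNU and BSD.
check_credentials_mode() {
    file="$1"
    [ -f "$file" ] || return 1
    mode=$(ls -ld "$file" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Show the dns-01 challenge TXT records while a request is in flight
# (the dig query from the post, in +short form).
show_challenge_txt() {
    dig +short -t txt "_acme-challenge.$1"
}

# The certbot invocation from the post. The wildcard name is quoted so the
# shell cannot glob-expand it; DRY_RUN=1 appends --dry-run to rehearse the
# dns-01 flow against the staging server without saving a certificate.
request_wildcard_cert() {
    domain="$1"; email="$2"
    set -- certbot certonly \
        --dns-ovh \
        --dns-ovh-credentials "$CRED_FILE" \
        --dns-ovh-propagation-seconds 60 \
        --non-interactive \
        --agree-tos \
        --email "$email" \
        -d "$domain" \
        -d "*.$domain"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        set -- "$@" --dry-run
    fi
    "$@"
}

# Usage (nothing runs unless the first argument is "request"):
#   ./ovh-wildcard.sh request curlip.me admin@example.com
if [ "${1:-}" = request ]; then
    check_ovh_credentials "$CRED_FILE" || { echo "missing keys in $CRED_FILE" >&2; exit 1; }
    check_credentials_mode "$CRED_FILE" || { echo "$CRED_FILE must be mode 600" >&2; exit 1; }
    request_wildcard_cert "$2" "$3"
fi
```

Run `DRY_RUN=1 ./ovh-wildcard.sh request curlip.me admin@example.com` first: --dry-run (listed in the certbot --help output above) exercises the OVH API and the dns-01 challenge against the staging server without writing anything under /etc/letsencrypt. On a file you already created by hand, `chmod 600 ~/.secrets/certbot/ovh.ini` is enough to clear the permissions warning seen in the post's run.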


Posted by lookback on 2021-07-06 14:34:21. Unless otherwise stated, articles on this site are original; please keep a link to this article when reposting.