用mac申请ssl证书给nas使用
2024-04-13 09:49 ≈ 516字 ≈ 2分钟

由于群晖自带的申请letsencrypt证书使用的是http的方式,必须要求diskstation走80端口才可以,但是家里的网络默认是封闭80端口的,导致你怎么试都是失败,只能用自己的电脑来申请

最头疼的是三个月需要续订一次,每次都要如此操作…记录一下吧,省的满世界找命令

1、安装homebrew

2、安装certbot

1
brew install certbot

3、执行命令,比如域名是 *.example.com

1
sudo certbot certonly --manual --preferred-challenges=dns -d "*.yourdomain.com"

4、剩下的基本默认都是选择y,直到出现下面内容的时候,则需要在域名解析控制台增加一个TXT解析,添加后等待10分钟左右,继续回车下一步

1
2
3
4
5
6
7
8
9
10
11
12
13
14
Please deploy a DNS TXT record under the name:

_acme-challenge.example.com.

with the following value:

D1kOMANSfZG0HVM6-swGIqHrD87p7LGrnDLmoOclSuw

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.wangboweb.site.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

5、成功后就会有如下提示

1
2
3
4
5
6
7
8
9
10
11
12
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2022-12-23.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le

6、默认生成的证书在/etc/letsencrypt/achive/example.com/ 目录下,但是这个目录默认是没有权限访问的,需要复制出来的话,只需要在该文件夹右键-显示简介,加个权限就好,然后将fullchain.pem和privkey.pem两个文件复制出来

7、在群晖-控制面板-安全性-证书中上传对应的证书文件即可