certbot has supported requesting wildcard certificates for a long time, but there are still a few pitfalls...

First of all, *.example.com must resolve to your IP, otherwise you will get this error every time:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

Also, if a certificate issued earlier for a subdomain is still on the server, delete it first, otherwise you will be warned:

Attempting to parse the version 0.35.1 renewal configuration file found at /etc/letsencrypt/renewal/xxxx.conf with version 0.23.0 of Certbot. This might not work.

But do not delete all of /etc/letsencrypt/; some files, such as /etc/letsencrypt/options-ssl-apache.conf or /etc/letsencrypt/options-ssl-nginx.conf, are still needed.

It is best to request the certificate with certonly; requesting a wildcard certificate with --apache or --nginx sometimes crashes.

That is, the command is:

certbot certonly --manual --preferred-challenges dns -d '*.imlhx.com' -d imlhx.com

If you see:

The currently selected ACME CA endpoint does not support issuing wildcard certificates.

you can specify the ACME v2 endpoint explicitly:

--server https://acme-v02.api.letsencrypt.org/directory

i.e.:

certbot certonly --manual --preferred-challenges dns -d '*.imlhx.com' -d imlhx.com --server https://acme-v02.api.letsencrypt.org/directory

certbot will then ask you to create two TXT records for "_acme-challenge.example.com" (one per name; both values sit under the same record name, so add the second without removing the first). Once they are in place, press Enter.
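Before pressing Enter it is worth confirming that both TXT values are actually visible from a public resolver, since certbot only gives you one attempt per run. The following shell check is an added example, not part of the original post; it assumes dig is installed and uses 1.1.1.1 as an example resolver (the token values are constructed placeholders).

```shell
#!/bin/sh
# Check that every expected ACME challenge token is present among the TXT
# values returned for a name. The parsing part takes dig output as a string,
# so it can be exercised offline; the wrapper below runs the live query.

# acme_txt_tokens_present "<dig +short TXT output>" TOKEN...
# Returns 0 if every token appears as its own quoted TXT value, 1 otherwise.
acme_txt_tokens_present() {
  records="$1"; shift
  missing=0
  for token in "$@"; do
    # dig +short prints each TXT value on its own line, wrapped in quotes.
    if ! printf '%s\n' "$records" | grep -qxF "\"$token\""; then
      echo "missing TXT value: $token" >&2
      missing=1
    fi
  done
  return $missing
}

# acme_txt_check NAME TOKEN...
# Live check against a public resolver (1.1.1.1 is an assumption; Let's
# Encrypt resolves from its own infrastructure, so this is an approximation).
acme_txt_check() {
  name="$1"; shift
  acme_txt_tokens_present "$(dig +short TXT "$name" @1.1.1.1)" "$@"
}

# Example: both tokens certbot printed for *.imlhx.com and imlhx.com live under
# the same record name. Replace the constructed tokens with the real ones.
# acme_txt_check _acme-challenge.imlhx.com CONSTRUCTED_TOKEN_1 CONSTRUCTED_TOKEN_2
```

Rerun the check until it returns 0 for both tokens, then go back to the certbot prompt and press Enter.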