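First you need a Google Cloud account to obtain a key; this key is used to request the SSL certificate.
After logging in, enable the two APIs below as required: https://console.cloud.google.com/apis/library/publicca.googleapis.com (activating it is enough), then enter the following command in Cloud Shell: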
gcloud beta publicca external-account-keys create
After it runs, the console prints a key, similar to:
{
"b64MacKey": "xxx...", ← this is the value for `--eab-hmac-key`
"keyId": "xxx..." ← this is the value for `--eab-kid`
}
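On the VPS (AlmaLinux here), run the following commands to install certbot and register an account, passing the keyId and b64MacKey values from the console output as --eab-kid and --eab-hmac-key:
dnf install certbot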
certbot register \
--email "you@example.com" \
--no-eff-email \
--server "https://dv.acme-v02.api.pki.goog/directory" \
--eab-kid "替换控制台输出的eab-kid" \
--eab-hmac-key "替换控制台输出的eab-hmac-key"
On the VPS, run the following to request the Google SSL certificate (set --domains to your own domain):
certbot certonly \
--manual \
--preferred-challenges "dns-01" \
--server "https://dv.acme-v02.api.pki.goog/directory" \
--domains "*你的域名" \
--eab-kid "EAB_KEY_ID" \
--eab-hmac-key "EAB_HMAC_KEY" \
--email "you@example.com"
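Follow the prompts. Then go to your domain's DNS settings and add the TXT record with the string certbot displays, and wait for the record to take effect before continuing. Once domain ownership has been verified, you can find the certificate on this machine under /etc/letsencrypt/live/.
After successful validation, the following appears: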
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/你的域名/fullchain.pem
Key is saved at: /etc/letsencrypt/live/你的域名/privkey.pem
This certificate expires on 2025-08-21.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
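The output notes that automatic renewal is not possible, so after 90 days you need to renew manually (if that is too much trouble, consider a Let's Encrypt certificate, which can be renewed automatically by script).
#Auto-renewal command: certbot certonly --standalone -d $domain --email your@email.com --agree-tos --no-eff-email --force-renewal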
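The certbot output above says that renewing a --manual certificate requires a --manual-auth-hook. The following is an added example, not part of the original post, of such a hook for the dns-01 challenge using nsupdate (RFC 2136). It assumes the DNS zone accepts TSIG-signed dynamic updates; DNS_SERVER, TSIG_KEY_FILE and the add/delete argument are hypothetical names.

```shell
#!/bin/sh
# Added example: certbot --manual-auth-hook / --manual-cleanup-hook for dns-01
# via RFC 2136 dynamic updates. DNS_SERVER, TSIG_KEY_FILE and the add|delete
# argument are hypothetical names, not from the original post.
DNS_SERVER="${DNS_SERVER:-ns1.example.com}"
TSIG_KEY_FILE="${TSIG_KEY_FILE:-/etc/certbot/tsig.key}"
TTL=60

# Map a certificate name (wildcard or not) to its dns-01 record name.
challenge_name() {
    d="${1#\*.}"   # "*.example.com" -> "example.com"
    d="${d%.}"     # drop a trailing dot if present
    printf '_acme-challenge.%s.' "$d"
}

# A dns-01 value is base64url(SHA-256(...)): exactly 43 chars of [A-Za-z0-9_-].
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -eq 43 ]
}

# Accept only hostname characters so nothing else reaches nsupdate's input.
valid_domain() {
    case "${1#\*.}" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
}

# Print the nsupdate commands. $1 = add|delete, $2 = domain, $3 = validation.
build_update() {
    case "$1" in add|delete) ;; *) return 1 ;; esac
    valid_domain "$2" && valid_token "$3" || return 1
    printf 'server %s\n' "$DNS_SERVER"
    printf 'update %s %s %s IN TXT "%s"\n' \
        "$1" "$(challenge_name "$2")" "$TTL" "$3"
    printf 'send\n'
}

# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION when it runs a hook.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    action="${1:-add}"
    update="$(build_update "$action" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION")" || exit 1
    printf '%s\n' "$update" | nsupdate -k "$TSIG_KEY_FILE" || exit 1
    # Give secondary name servers time to serve the new record.
    if [ "$action" = add ]; then sleep 30; fi
fi
```

Saved under a path of your choosing, the script is passed to certbot as `--manual-auth-hook "<script> add"` and `--manual-cleanup-hook "<script> delete"`. The TSIG key file should be readable only by root, since it authorizes changes to the zone.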
Reference:
https://cloud.google.com/certificate-manager/docs/public-ca-tutorial?hl=zh-cn#request-key-hmac