关于https:博客主机自动申请续期免费证书

51次阅读

共计 3714 个字符,预计需要花费 10 分钟才能阅读完成。

原创:博客主机_主动申请续期收费证书

一不留神,之前的域名证书过期了。因为是 Let’s Encrypt 收费证书,须要 3 个月手工续期一次,一年就得 4 次,还是有点麻烦,搞成自动化多好。
以下操作均在服务器上执行 (ubuntu16,腾讯云)

下载脚本 certbot-auto

cd opt/
wget https://dl.eff.org/certbot-auto  
chmod a+x certbot-auto

执行 certbot-auto 可能报错:

 An unexpected error occurred: UnicodeEncodeError: 'ascii' codec can't encode

阐明脚本尝试批改 nginx 配置文件,后果文件中蕴含中文字符。这个自己更偏向于自主管制,不依赖脚本,脚本复仅仅负责生成证书或 renew 证书即可,证书的复制和配置还是人工脚本实现更佳。一方面可控性更强,另一方面遇到谬误也晓得怎么回事!

生成秘钥

命令

./certbot-auto certonly  -d *.example.cn --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory 
  1. certonly 装置模式
  2. -d 申请证书的域名,如果是通配符域名输出 *.example.cn
  3. –manual 手动装置插件
  4. –preferred-challenges dns 应用 DNS 形式校验域名所有权
  5. –server,Let’s Encrypt ACME v2 版本应用的服务器不同于 v1 版本,须要显示指定

响应

Requesting to rerun ./certbot-auto with root privileges...
./certbot-auto has insecure permissions!
To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.cn with the following value:

v8somjB6jyjkZ9-fi_5l705CA_ERu0hRJcGFbLpHNaQ# 配置 dns 的 txt 解析

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: xxxxx(your email)@163.com).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.cn/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.cn/privkey.pem
   Your cert will expire on 2021-02-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

以上命令须要留神 2 点
1,最好在部署服务的机器上执行
2,第二步须要批改 dns 记录,然而批改后未必实时失效,须要等到失效后再按“回车”,否则可能会生成失败

腾讯云的 dns 配置样例

验证 dns 解析失效的命令

# 域名为解析的二级域名
 nslookup -q=txt _acme-challenge.example.cn

返回如下信息阐明配置失效了

生成的秘钥

(base) john@VM-0-3-ubuntu:~$ sudo ls -lh /etc/letsencrypt/live/example.cn
总用量 4.0K
lrwxrwxrwx 1 root root  33 Nov 22 16:25 cert.pem -> ../../archive/example.cn/cert1.pem
lrwxrwxrwx 1 root root  34 Nov 22 16:25 chain.pem -> ../../archive/example.cn/chain1.pem
lrwxrwxrwx 1 root root  38 Nov 22 16:25 fullchain.pem -> ../../archive/example.cn/fullchain1.pem
lrwxrwxrwx 1 root root  36 Nov 22 16:25 privkey.pem -> ../../archive/example.cn/privkey1.pem
-rw-r--r-- 1 root root 692 Nov 22 16:25 README

配置 nginx

样例

server {
        listen       443 ssl;
        server_name  localhost;
        
        location / {
            root   html;
            index  index.html index.htm;
        }
        ssl on;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;
        ssl_certificate      /etc/letsencrypt/live/example.cn/fullchain.pem;# 若应用 cert.pem 虽证书无效,但浏览器仍然会提醒不平安
        ssl_certificate_key  /etc/letsencrypt/live/example.cn/privkey.pem;
}

批改后验证 nginx:sudo nginx -t
验证 ok 后重启 nginx:sudo service nginx restart
登录本人站点,点击地址栏的锁图标,能够发现证书曾经失效

主动续期

收费的证书必须 3 个月续期 1 次,比拟麻烦,能够增加定时工作脚本进行主动续期

touch sslrenew.sh
chmod +x sslrenew.sh

sslrenew.sh 内容

<path to certbot>/certbot-auto renew   

配置定时工作

 编辑定时工作:crontab -e
0 0 1 * * /home/john/opt/sslrenew.sh #每月 1 日
查看定时工作:crontab -l

参考

certbot 申请通配符域名证书:https://www.jianshu.com/p/7b6…
[转] 部署 Let’s Encrypt 收费 SSL 证书 && 主动续期:https://www.cnblogs.com/lzpon…
Let’sEncrypt 收费 ssl 证书申请并主动续期:https://blog.csdn.net/c__chao…

正文完
 0