关于https:博客主机自动申请续期免费证书

原创：博客主机_主动申请续期收费证书

一不留神，之前的域名证书过期了。因为是Let’s Encrypt收费证书，须要3个月手工续期一次，一年就得4次，还是有点麻烦，搞成自动化多好。
以下操作均在服务器上执行(ubuntu16，腾讯云)

下载脚本certbot-auto

cd opt/wget https://dl.eff.org/certbot-auto  chmod a+x certbot-auto

执行certbot-auto可能报错:

 An unexpected error occurred: UnicodeEncodeError: 'ascii' codec can't encode

阐明脚本尝试批改nginx配置文件，后果文件中蕴含中文字符。这个自己更偏向于自主管制，不依赖脚本，脚本复仅仅负责生成证书或renew证书即可，证书的复制和配置还是人工脚本实现更佳。一方面可控性更强，另一方面遇到谬误也晓得怎么回事！

生成秘钥

命令

./certbot-auto certonly  -d *.example.cn --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory 

1. certonly 装置模式
2. -d 申请证书的域名，如果是通配符域名输出 *.example.cn
3. --manual 手动装置插件
4. --preferred-challenges dns 应用 DNS 形式校验域名所有权
5. --server，Let's Encrypt ACME v2 版本应用的服务器不同于 v1 版本，须要显示指定

响应

Requesting to rerun ./certbot-auto with root privileges..../certbot-auto has insecure permissions!To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/Saving debug log to /var/log/letsencrypt/letsencrypt.logPlugins selected: Authenticator manual, Installer NoneObtaining a new certificatePerforming the following challenges:dns-01 challenge for example.cn- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -NOTE: The IP of this machine will be publicly logged as having requested thiscertificate. If you're running certbot in manual mode on a machine that is notyour server, please ensure you're okay with that.Are you OK with your IP being logged?- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Y)es/(N)o: y- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Please deploy a DNS TXT record under the name_acme-challenge.example.cn with the following value:v8somjB6jyjkZ9-fi_5l705CA_ERu0hRJcGFbLpHNaQ#配置dns的txt解析Before continuing, verify the record is deployed.- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Press Enter to ContinueWaiting for verification...Cleaning up challengesSubscribe to the EFF mailing list (email: xxxxx(your email)@163.com).IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at:   /etc/letsencrypt/live/example.cn/fullchain.pem   Your key file has been saved at:   /etc/letsencrypt/live/example.cn/privkey.pem   Your cert will expire on 2021-02-20. To obtain a new or tweaked   version of this certificate in the future, simply run certbot-auto   again. To non-interactively renew *all* of your certificates, run   "certbot-auto renew" - If you like Certbot, please consider supporting our work by:   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate   Donating to EFF:                    https://eff.org/donate-le

以上命令须要留神2点
1，最好在部署服务的机器上执行
2，第二步须要批改dns记录，然而批改后未必实时失效，须要等到失效后再按“回车”，否则可能会生成失败

腾讯云的dns配置样例

验证dns解析失效的命令

# 域名为解析的二级域名 nslookup -q=txt _acme-challenge.example.cn

返回如下信息阐明配置失效了

生成的秘钥

(base) john@VM-0-3-ubuntu:~$ sudo ls -lh /etc/letsencrypt/live/example.cn总用量 4.0Klrwxrwxrwx 1 root root  33 Nov 22 16:25 cert.pem -> ../../archive/example.cn/cert1.pemlrwxrwxrwx 1 root root  34 Nov 22 16:25 chain.pem -> ../../archive/example.cn/chain1.pemlrwxrwxrwx 1 root root  38 Nov 22 16:25 fullchain.pem -> ../../archive/example.cn/fullchain1.pemlrwxrwxrwx 1 root root  36 Nov 22 16:25 privkey.pem -> ../../archive/example.cn/privkey1.pem-rw-r--r-- 1 root root 692 Nov 22 16:25 README

配置nginx

样例

server {        listen       443 ssl;        server_name  localhost;                location / {            root   html;            index  index.html index.htm;        }        ssl on;        ssl_session_timeout 5m;        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;        ssl_prefer_server_ciphers on;        ssl_certificate      /etc/letsencrypt/live/example.cn/fullchain.pem;# 若应用cert.pem虽证书无效，但浏览器仍然会提醒不平安        ssl_certificate_key  /etc/letsencrypt/live/example.cn/privkey.pem;}

批改后验证nginx：sudo nginx -t
验证ok后重启nginx：sudo service nginx restart
登录本人站点，点击地址栏的锁图标，能够发现证书曾经失效

主动续期

收费的证书必须3个月续期1次，比拟麻烦，能够增加定时工作脚本进行主动续期

touch sslrenew.shchmod +x sslrenew.sh

sslrenew.sh内容

<path to certbot>/certbot-auto renew   

配置定时工作

编辑定时工作：crontab -e0 0 1 * * /home/john/opt/sslrenew.sh #每月1日查看定时工作：crontab -l

参考

certbot申请通配符域名证书：https://www.jianshu.com/p/7b6...
[转]部署Let’s Encrypt收费SSL证书&&主动续期：https://www.cnblogs.com/lzpon...
Let'sEncrypt 收费ssl证书申请并主动续期：https://blog.csdn.net/c__chao...