阅读 42 SEO

Let'sEncrypt 免费ssl证书申请并自动续期

Let'sEncrypt 免费ssl证书申请并自动续期

Let’sEncrypt是一家免费开放的证书颁发机构,支持申请泛域名证书,不过证书有效期仅有3个月,所以为了避免频繁申请证书,我们可以用脚本实现自动续期,目前我测试过三种方式,均成功续期,在此记录下过程。

前提:获取key&Secret

参考:https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md

1.acme自动续期:

#安装acme

curl https://get.acme.sh | sh

wget -O -  https://get.acme.sh | sh

#查看acme版本

acme.sh --version

#请填写实际key&Secret

export Ali_Key="4xvxbCThnjerg955"

export Ali_Secret="fwyhkkp0"

#申请证书

acme.sh --issue --dns dns_ali -d *.peakchao.com

#更新证书

acme.sh --renew -d '*.peakchao.com' --force

# 查看证书列表

acme.sh --list 

# 删除证书

acme.sh remove <SAN_Domains>


#升级 acme.sh 到最新版:

acme.sh --upgrade

#开启自动升级:

acme.sh  --upgrade  --auto-upgrade

#关闭自动更新:

acme.sh --upgrade  --auto-upgrade  0


#以下命令无需执行,据查看,acme会自动添加续期的定时任务

crontab -e

# 添加如下的任务:三个月执行一次

0 0 29 */3 * acme.sh --renew -d '*.peakchao.com' --force

#最后请不要忘记修改nginx配置以及重启

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

输出


[root@izf9t76wjp0zs8z ~]# wget -O -  https://get.acme.sh | sh

--2019-03-09 15:17:22--  https://get.acme.sh/

Resolving get.acme.sh (get.acme.sh)... 144.217.161.63, 2607:5300:201:3100::5663

Connecting to get.acme.sh (get.acme.sh)|144.217.161.63|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 705 [text/plain]

Saving to: ‘STDOUT’


100%[===========================================================================================================>] 705         --.-K/s   in 0s      


2019-03-09 15:17:24 (176 MB/s) - written to stdout [705/705]


  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100  171k  100  171k    0     0  10938      0  0:00:16  0:00:16 --:--:-- 45873

[Sat Mar  9 15:17:40 CST 2019] Installing from online archive.

[Sat Mar  9 15:17:40 CST 2019] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz

[Sat Mar  9 15:17:46 CST 2019] Extracting master.tar.gz

[Sat Mar  9 15:17:46 CST 2019] It is recommended to install socat first.

[Sat Mar  9 15:17:46 CST 2019] We use socat for standalone server if you use standalone mode.

[Sat Mar  9 15:17:46 CST 2019] If you don't use standalone mode, just ignore this warning.

[Sat Mar  9 15:17:46 CST 2019] Installing to /usr/local/acme.sh

[Sat Mar  9 15:17:46 CST 2019] Installed to /usr/local/acme.sh/acme.sh

[Sat Mar  9 15:17:46 CST 2019] Installing alias to '/root/.bashrc'

[Sat Mar  9 15:17:46 CST 2019] OK, Close and reopen your terminal to start using acme.sh

[Sat Mar  9 15:17:46 CST 2019] Installing alias to '/root/.cshrc'

[Sat Mar  9 15:17:46 CST 2019] Installing alias to '/root/.tcshrc'

[Sat Mar  9 15:17:46 CST 2019] Installing cron job

57 0 * * * "/usr/local/acme.sh"/acme.sh --cron --home "/usr/local/acme.sh" > /dev/null

[Sat Mar  9 15:17:46 CST 2019] Good, bash is found, so change the shebang to use bash as preferred.

[Sat Mar  9 15:17:46 CST 2019] OK

[Sat Mar  9 15:17:46 CST 2019] Install success!

[root@izf9t76wjp0zs8z ~]# export Ali_Key="4xvxbCThnjerg955"

[root@izf9t76wjp0zs8z ~]# export Ali_Secret="fwyhkkp0"

[root@izf9t76wjp0zs8z ~]# acme.sh --issue --dns dns_ali -d *.peakchao.com

[Sat Mar  9 15:19:42 CST 2019] Creating domain key

[Sat Mar  9 15:19:43 CST 2019] The domain key is here: /usr/local/nginx/conf/ssl/*.peakchao.com/*.peakchao.com.key

[Sat Mar  9 15:19:43 CST 2019] Single domain='*.peakchao.com'

[Sat Mar  9 15:19:43 CST 2019] Getting domain auth token for each domain

[Sat Mar  9 15:19:46 CST 2019] Getting webroot for domain='*.peakchao.com'

[Sat Mar  9 15:19:46 CST 2019] Found domain api file: /usr/local/acme.sh/dnsapi/dns_ali.sh

[Sat Mar  9 15:19:49 CST 2019] Let's check each dns records now. Sleep 20 seconds first.

[Sat Mar  9 15:20:10 CST 2019] Checking peakchao.com for _acme-challenge.peakchao.com

[Sat Mar  9 15:20:11 CST 2019] Domain peakchao.com '_acme-challenge.peakchao.com' success.

[Sat Mar  9 15:20:11 CST 2019] All success, let's return

[Sat Mar  9 15:20:11 CST 2019] Verifying: *.peakchao.com

[Sat Mar  9 15:20:15 CST 2019] Success

[Sat Mar  9 15:20:15 CST 2019] Removing DNS records.

[Sat Mar  9 15:20:19 CST 2019] Verify finished, start to sign.

[Sat Mar  9 15:20:19 CST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/48893963/348010849

[Sat Mar  9 15:20:21 CST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/0325e2883ade3b454bcf95c37c112b884689

[Sat Mar  9 15:20:23 CST 2019] Cert success.

-----BEGIN CERTIFICATE-----

MIIFVTCCBD2gAwIBAgISAyXiiDreO0VLz5XDfBEriEaJMA0GCSqGSIb3DQEBCwUA

MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD

ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTAzMDkwNjIwMjBaFw0x

OTA2MDcwNjIwMjBaMBkxFzAVBgNVBAMMDioucGVha2NoYW8uY29tMIIBIjANBgkq

hkiG9w0BAQEFAAOCAQ8A

-----END CERTIFICATE-----

[Sat Mar  9 15:20:23 CST 2019] Your cert is in  /usr/local/nginx/conf/ssl/*.peakchao.com/*.peakchao.com.cer 

[Sat Mar  9 15:20:23 CST 2019] Your cert key is in  /usr/local/nginx/conf/ssl/*.peakchao.com/*.peakchao.com.key 

[Sat Mar  9 15:20:23 CST 2019] The intermediate CA cert is in  /usr/local/nginx/conf/ssl/*.peakchao.com/ca.cer 

[Sat Mar  9 15:20:23 CST 2019] And the full chain certs is there:  /usr/local/nginx/conf/ssl/*.peakchao.com/fullchain.cer

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

2.lnmp自动续期:

#请填写实际key&Secret

export Ali_Key="4xvxbCThnjerg955"

export Ali_Secret="fwyhkkp0"

#执行此命令后按下图配置

lnmp dnsssl ali 或 lnmp dns ali

#最后请不要忘记修改nginx配置以及重启

1

2

3

4

5

6



3.使用 certbot-auto

这是官方推荐的方法,通过 shell 命令的方式,可以最简单方便地达到目的。步骤如下:


访问 certbot 网站,地址为:https://certbot.eff.org/

在首页选择好 webserver 和 系统类型,则会显示对应的操作步骤。按照步骤逐步操作,如无意外则可完成。

注意:如服务器已启用了 https 服务,则先停止它。certbot-auto 在作验证时会使用 433 端口。

#下载 certbot-auto

wget https://dl.eff.org/certbot-auto

chmod a+x certbot-auto

#执行自动安装,该命令会尝试自动配置 nginx ,你也可以使用下条命令只生成适合 nginx 使用的证书,然后手动配置 nginx

./certbot-auto --nginx

#生成适合 nginx 使用的证书

certbot-auto --nginx certonly

#生成成功后,可以查看证书状态

./certbot-auto certificates

#测试自动更新

./certbot-auto renew --dry-run

#执行自动更新

service nginx stop

certbot-auto renew

service nginx start

#查看证书状态

./certbot-auto certificates

————————————————

版权声明:本文为CSDN博主「peakchao」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。

原文链接:https://blog.csdn.net/c__chao/article/details/88368048


文章分类
后端
版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容, 请发送邮件至 gxwowoo@163.com 举报,一经查实,本站将立刻删除。
相关推荐