
Let's Encrypt: requesting a free SSL certificate and renewing it automatically


Let's Encrypt is a free, open certificate authority that also issues wildcard certificates. Its certificates are valid for only 90 days (three months), so instead of requesting a new one by hand every quarter we script the renewal. I have tested three approaches, all of which renewed successfully, and record the process here.

Prerequisite: obtain the DNS provider's API key & secret

Wildcard certificates are validated only through the DNS-01 challenge, so the client needs credentials that can create TXT records in the zone. Use a dedicated sub-account (for Aliyun, a RAM user limited to DNS management) rather than the main account's AccessKey: acme.sh stores the key and secret in plain text in its account.conf (under the acme.sh home directory, /usr/local/acme.sh in the log below) and reuses them on every renewal.

Reference: https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md

1. Automatic renewal with acme.sh:

# Install acme.sh (either command works)

curl https://get.acme.sh | sh

wget -O -  https://get.acme.sh | sh

# Check the acme.sh version

acme.sh --version

# Fill in your real key & secret (acme.sh saves them to account.conf after the first use, so this is only needed once)

export Ali_Key="4xvxbCThnjerg955"

export Ali_Secret="fwyhkkp0"

# Request the certificate (DNS-01 challenge through the Aliyun API). Quote the name so the shell does not glob-expand the *; note that a "*.peakchao.com" certificate does not cover the apex "peakchao.com", add "-d peakchao.com" if you need both

acme.sh --issue --dns dns_ali -d '*.peakchao.com'

# Renew the certificate by hand (--force renews even when it is not yet due; leave it out in normal use)

acme.sh --renew -d '*.peakchao.com' --force

# List the certificates acme.sh manages

acme.sh --list

# Stop managing a certificate (the files on disk are not deleted)

acme.sh --remove -d '*.peakchao.com'


# Upgrade acme.sh to the latest version:

acme.sh --upgrade

# Enable automatic upgrades:

acme.sh --upgrade --auto-upgrade

# Disable automatic upgrades:

acme.sh --upgrade --auto-upgrade 0


# The following does not need to be run: as the installation log shows, acme.sh already installs a daily cron job ("acme.sh --cron") that renews each certificate once it is 60 days old, i.e. 30 days before expiry. A fixed quarterly --force job is therefore redundant and only spends rate-limit budget

crontab -e

# A quarterly task would look like this:

0 0 29 */3 * acme.sh --renew -d '*.peakchao.com' --force

# Finally, do not forget to update the nginx configuration and reload nginx


Output:


[root@izf9t76wjp0zs8z ~]# wget -O -  https://get.acme.sh | sh

--2019-03-09 15:17:22--  https://get.acme.sh/

Resolving get.acme.sh (get.acme.sh)... 144.217.161.63, 2607:5300:201:3100::5663

Connecting to get.acme.sh (get.acme.sh)|144.217.161.63|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 705 [text/plain]

Saving to: ‘STDOUT’


100%[===========================================================================================================>] 705         --.-K/s   in 0s      


2019-03-09 15:17:24 (176 MB/s) - written to stdout [705/705]


  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100  171k  100  171k    0     0  10938      0  0:00:16  0:00:16 --:--:-- 45873

[Sat Mar  9 15:17:40 CST 2019] Installing from online archive.

[Sat Mar  9 15:17:40 CST 2019] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz

[Sat Mar  9 15:17:46 CST 2019] Extracting master.tar.gz

[Sat Mar  9 15:17:46 CST 2019] It is recommended to install socat first.

[Sat Mar  9 15:17:46 CST 2019] We use socat for standalone server if you use standalone mode.

[Sat Mar  9 15:17:46 CST 2019] If you don't use standalone mode, just ignore this warning.

[Sat Mar  9 15:17:46 CST 2019] Installing to /usr/local/acme.sh

[Sat Mar  9 15:17:46 CST 2019] Installed to /usr/local/acme.sh/acme.sh

[Sat Mar  9 15:17:46 CST 2019] Installing alias to '/root/.bashrc'

[Sat Mar  9 15:17:46 CST 2019] OK, Close and reopen your terminal to start using acme.sh

[Sat Mar  9 15:17:46 CST 2019] Installing alias to '/root/.cshrc'

[Sat Mar  9 15:17:46 CST 2019] Installing alias to '/root/.tcshrc'

[Sat Mar  9 15:17:46 CST 2019] Installing cron job

57 0 * * * "/usr/local/acme.sh"/acme.sh --cron --home "/usr/local/acme.sh" > /dev/null

[Sat Mar  9 15:17:46 CST 2019] Good, bash is found, so change the shebang to use bash as preferred.

[Sat Mar  9 15:17:46 CST 2019] OK

[Sat Mar  9 15:17:46 CST 2019] Install success!

[root@izf9t76wjp0zs8z ~]# export Ali_Key="4xvxbCThnjerg955"

[root@izf9t76wjp0zs8z ~]# export Ali_Secret="fwyhkkp0"

[root@izf9t76wjp0zs8z ~]# acme.sh --issue --dns dns_ali -d *.peakchao.com

[Sat Mar  9 15:19:42 CST 2019] Creating domain key

[Sat Mar  9 15:19:43 CST 2019] The domain key is here: /usr/local/nginx/conf/ssl/*.peakchao.com/*.peakchao.com.key

[Sat Mar  9 15:19:43 CST 2019] Single domain='*.peakchao.com'

[Sat Mar  9 15:19:43 CST 2019] Getting domain auth token for each domain

[Sat Mar  9 15:19:46 CST 2019] Getting webroot for domain='*.peakchao.com'

[Sat Mar  9 15:19:46 CST 2019] Found domain api file: /usr/local/acme.sh/dnsapi/dns_ali.sh

[Sat Mar  9 15:19:49 CST 2019] Let's check each dns records now. Sleep 20 seconds first.

[Sat Mar  9 15:20:10 CST 2019] Checking peakchao.com for _acme-challenge.peakchao.com

[Sat Mar  9 15:20:11 CST 2019] Domain peakchao.com '_acme-challenge.peakchao.com' success.

[Sat Mar  9 15:20:11 CST 2019] All success, let's return

[Sat Mar  9 15:20:11 CST 2019] Verifying: *.peakchao.com

[Sat Mar  9 15:20:15 CST 2019] Success

[Sat Mar  9 15:20:15 CST 2019] Removing DNS records.

[Sat Mar  9 15:20:19 CST 2019] Verify finished, start to sign.

[Sat Mar  9 15:20:19 CST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/48893963/348010849

[Sat Mar  9 15:20:21 CST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/0325e2883ade3b454bcf95c37c112b884689

[Sat Mar  9 15:20:23 CST 2019] Cert success.

-----BEGIN CERTIFICATE-----

MIIFVTCCBD2gAwIBAgISAyXiiDreO0VLz5XDfBEriEaJMA0GCSqGSIb3DQEBCwUA

MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD

ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTAzMDkwNjIwMjBaFw0x

OTA2MDcwNjIwMjBaMBkxFzAVBgNVBAMMDioucGVha2NoYW8uY29tMIIBIjANBgkq

hkiG9w0BAQEFAAOCAQ8A

-----END CERTIFICATE-----

[Sat Mar  9 15:20:23 CST 2019] Your cert is in  /usr/local/nginx/conf/ssl/*.peakchao.com/*.peakchao.com.cer 

[Sat Mar  9 15:20:23 CST 2019] Your cert key is in  /usr/local/nginx/conf/ssl/*.peakchao.com/*.peakchao.com.key 

[Sat Mar  9 15:20:23 CST 2019] The intermediate CA cert is in  /usr/local/nginx/conf/ssl/*.peakchao.com/ca.cer 

[Sat Mar  9 15:20:23 CST 2019] And the full chain certs is there:  /usr/local/nginx/conf/ssl/*.peakchao.com/fullchain.cer
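The lines "Found domain api file: .../dns_ali.sh", "Sleep 20 seconds first" and "Checking peakchao.com for _acme-challenge.peakchao.com" in the log above are the DNS-01 challenge: acme.sh writes a TXT record through the Aliyun API, waits for it to propagate, checks it itself, and only then asks Let's Encrypt to validate. The script below is an added example (not from the original post, and not acme.sh's own code) that computes that record the way RFC 8555 section 8.4 and RFC 7638 define it and checks it the way the CA does. The account key modulus, the token and the "published" records are constructed stand-ins; acme.sh takes the real ones from its account key and from the CA's challenge object.

```shell
#!/bin/sh
# Added example, not code from the original post or from acme.sh: derive the
# DNS-01 TXT record from the ACME account key thumbprint (RFC 7638) and the
# token the CA handed out (RFC 8555 section 8.4), then verify the published
# record the way the CA will. Needs: openssl, base64, grep.

# base64url without padding, the encoding ACME uses everywhere.
b64url() {
    base64 | tr -d '\n=' | tr '+/' '-_'
}

# RFC 7638 thumbprint of an RSA account key. The JSON must contain exactly
# the members e, kty, n, in lexicographic order, with no whitespace; any
# other serialisation hashes to a different value and validation fails.
#   $1 = modulus n (base64url), $2 = public exponent e (base64url)
jwk_thumbprint() {
    printf '{"e":"%s","kty":"RSA","n":"%s"}' "$2" "$1" \
        | openssl dgst -sha256 -binary | b64url
}

# Key authorization = token "." thumbprint (RFC 8555 section 8.1).
key_authorization() {
    printf '%s.%s' "$1" "$2"
}

# DNS-01 record value = base64url(SHA-256(key authorization)).
dns01_txt_value() {
    printf '%s' "$1" | openssl dgst -sha256 -binary | b64url
}

# Record name: "*.peakchao.com" and "peakchao.com" both map to
# _acme-challenge.peakchao.com, so an order covering both needs two TXT
# records under the same name at the same time.
dns01_record_name() {
    printf '_acme-challenge.%s' "$(printf '%s' "$1" | sed 's/^\*\.//')"
}

# Check like the CA does: the expected value must be among the TXT records
# currently published for the name.
#   $1 = expected value, $2 = observed records, one per line, as printed by
#        dig +short TXT <name> (surrounding quotes are stripped here)
dns01_verify() {
    printf '%s\n' "$2" | tr -d '"' | grep -qxF -- "$1"
}

# Constructed demo inputs: not a real account key and not a real token.
DEMO_N='constructed-modulus-not-a-real-key-AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA'
DEMO_E='AQAB'
DEMO_TOKEN='evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA'

main() {
    name=$(dns01_record_name '*.peakchao.com')
    thumb=$(jwk_thumbprint "$DEMO_N" "$DEMO_E")
    value=$(dns01_txt_value "$(key_authorization "$DEMO_TOKEN" "$thumb")")
    echo "publish: $name IN TXT \"$value\""

    # Constructed stand-in for: dig +short TXT "$name" @8.8.8.8
    # (a record from another pending order sits alongside ours).
    published=$(printf '"%s"\n"%s"\n' 'value-from-another-pending-order' "$value")

    if dns01_verify "$value" "$published"; then
        echo "ok: record visible, the CA's check would pass"
    else
        echo "not visible yet: wait for propagation and poll again (acme.sh sleeps 20 s, then retries)" >&2
        return 1
    fi
}

main "$@"
```

Run it as `sh dns01.sh`. The record-name function is the point most often missed: the wildcard and the apex share one challenge name, so an order for both must have two TXT records published at once, and a provider API that updates a record in place instead of adding a second one fails such orders.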


2. Automatic renewal with LNMP:

# Fill in your real key & secret

export Ali_Key="4xvxbCThnjerg955"

export Ali_Secret="fwyhkkp0"

# Run one of these, then follow the interactive prompts (the original post's screenshot of this step is not reproduced here)

lnmp dnsssl ali   or   lnmp dns ali

# Finally, do not forget to update the nginx configuration and reload nginx


3. Using certbot-auto

This is the officially recommended method; a few shell commands are the simplest way to get there. Note that certbot-auto has since been deprecated (the project retired it in 2020); on current systems install certbot from your distribution's packages or from snap and use `certbot` wherever `certbot-auto` appears below. The steps:


Visit the certbot website: https://certbot.eff.org/

On the home page choose your web server and operating system; the matching steps are displayed. Follow them one by one and, barring surprises, you are done.

Note: with the --nginx plugin the server keeps running; certbot answers the HTTP-01 challenge through a temporary change to the nginx configuration and reloads it. Only --standalone mode binds the challenge port itself (80 for HTTP-01), so anything already listening on that port must be stopped first.

# Download certbot-auto

wget https://dl.eff.org/certbot-auto

chmod a+x certbot-auto

# Run the automatic installation; this also tries to configure nginx for you. If you prefer to edit nginx yourself, use the next command instead, which only obtains the certificate

./certbot-auto --nginx

# Only obtain a certificate (validated through nginx), then configure nginx by hand

./certbot-auto --nginx certonly

# After a successful run, inspect the certificate status

./certbot-auto certificates

# Test the renewal without changing anything

./certbot-auto renew --dry-run

# Renew. Distribution packages and snap install a systemd timer or cron job that runs "certbot renew" twice a day; certbot-auto does not, so add a cron entry running the same command. With the nginx plugin nginx keeps running during renewal; stopping and starting it is only needed for certificates issued in --standalone mode, and then it belongs in hooks so the unattended job does the same thing

./certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"

# Inspect the certificate status again

./certbot-auto certificates
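Sections 1 and 2 end with "do not forget to update the nginx configuration and reload nginx", and the renew step above stops and starts nginx by hand. Both tools can run that step for you on every renewal: acme.sh through `--install-cert ... --reloadcmd`, certbot through `--deploy-hook`. The script below is an added example (not from the original post, acme.sh or certbot) of what such a hook should check before it reloads a running server: that the certificate matches the key beside it, that it really is fresh, and that it covers the name nginx serves. The paths /etc/nginx/ssl/... and /usr/local/bin/deploy-cert.sh in the comments are assumptions, and the self-test builds throwaway self-signed material rather than using a real certificate.

```shell
#!/bin/sh
# deploy-cert.sh: added example, not code from the original post, acme.sh
# or certbot. A deploy hook that checks a renewed certificate before nginx
# is reloaded with it. Hook it in once (paths are assumptions):
#   acme.sh --install-cert -d '*.peakchao.com' \
#     --key-file /etc/nginx/ssl/peakchao.key \
#     --fullchain-file /etc/nginx/ssl/peakchao.crt \
#     --reloadcmd "/usr/local/bin/deploy-cert.sh /etc/nginx/ssl/peakchao.crt /etc/nginx/ssl/peakchao.key '*.peakchao.com'"
#   certbot renew --deploy-hook \
#     '/usr/local/bin/deploy-cert.sh "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" "*.peakchao.com"'
# Needs: openssl; nginx only for the real reload.

# The leaf certificate must belong to the private key beside it. Comparing
# the public keys catches the classic outage of a renewed certificate
# installed next to a stale key.
#   $1 = certificate file (PEM, leaf first), $2 = private key file (PEM)
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# A freshly renewed Let's Encrypt certificate has 90 days left. If the file
# expires sooner, the renewal did not actually replace it.
#   $1 = certificate file, $2 = minimum days of validity required
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# The certificate must list the served name in its SAN extension.
# "*.peakchao.com" does not cover the apex, so check every name you serve.
#   $1 = certificate file, $2 = DNS name exactly as nginx serves it
cert_covers_name() {
    esc=$(printf '%s' "$2" | sed 's/[.*]/\\&/g')
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "DNS:${esc}(,|\$)"
}

# All checks, then the reload. Nothing touches the running server until
# the files have passed.
#   $1 = certificate, $2 = key, $3 = served name, $4 = reload command
deploy_cert() {
    [ "$#" -ge 3 ] || { echo "usage: deploy_cert CERT KEY NAME [RELOAD_CMD]" >&2; return 2; }
    cert=$1 key=$2 name=$3 reload=${4:-"nginx -t && nginx -s reload"}
    cert_matches_key "$cert" "$key" \
        || { echo "refusing reload: $cert does not match $key" >&2; return 1; }
    cert_valid_for_days "$cert" 30 \
        || { echo "refusing reload: $cert expires within 30 days, renewal did not replace it" >&2; return 1; }
    cert_covers_name "$cert" "$name" \
        || { echo "refusing reload: $cert has no SAN entry for $name" >&2; return 1; }
    sh -c "$reload"
}

# Self-test on throwaway material (constructed here, not a real certificate):
# a 90-day self-signed wildcard certificate must pass; a foreign key and a
# name outside the SAN must be refused. Needs OpenSSL 1.1.1+ for -addext.
selftest() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj '/CN=*.peakchao.com' \
        -addext 'subjectAltName=DNS:*.peakchao.com,DNS:peakchao.com' \
        -keyout "$d/good.key" -out "$d/good.crt" >/dev/null 2>&1 || { rm -rf "$d"; return 1; }
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1 || { rm -rf "$d"; return 1; }
    deploy_cert "$d/good.crt" "$d/good.key" '*.peakchao.com' true 2>/dev/null; ok=$?
    deploy_cert "$d/good.crt" "$d/other.key" '*.peakchao.com' true 2>/dev/null; badkey=$?
    deploy_cert "$d/good.crt" "$d/good.key" 'www.example.net' true 2>/dev/null; badname=$?
    rm -rf "$d"
    [ "$ok" -eq 0 ] && [ "$badkey" -ne 0 ] && [ "$badname" -ne 0 ]
}

case "${1:-}" in
    --selftest) selftest && echo "selftest passed" ;;
    "") ;;  # run without arguments (or sourced): only define the functions
    *) deploy_cert "$@" ;;
esac
```

`sh deploy-cert.sh --selftest` exercises the checks on throwaway keys. Two points for the nginx side that the hook cannot fix for you: `ssl_certificate` must point at the full chain file (fullchain.cer from acme.sh, fullchain.pem from certbot), not the bare leaf `.cer`, because nginx sends exactly what is in that file and clients that lack the intermediate will fail the handshake; and the key file should be owned by root with mode 0600, since acme.sh and certbot copy the key wherever you tell them to.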

Copyright: this is an original article by CSDN blogger "peakchao", released under the CC 4.0 BY-SA license; when reproducing it, include a link to the original and this notice.

Original: https://blog.csdn.net/c__chao/article/details/88368048

