Let's Encrypt is a free, open certificate authority that also issues wildcard certificates, but its certificates are valid for only 3 months. To avoid re-applying by hand every time, renewal can be automated with a script. I have tested three approaches, all of which renewed successfully, and record the process here.
Prerequisite: obtain the DNS provider API key & secret (needed so the DNS-01 validation record can be created automatically).
Reference: https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md
1. Auto-renewal with acme.sh:
# Install acme.sh (either command works)
curl https://get.acme.sh | sh
wget -O - https://get.acme.sh | sh
# Check the acme.sh version
acme.sh --version
# Fill in your real key & secret. acme.sh saves them to its account.conf for later
# renewals, so keep that file readable by root only; exported secrets also end up in shell history
export Ali_Key="4xvxbCThnjerg955"
export Ali_Secret="fwyhkkp0"
# Issue the certificate via DNS-01 validation using the Alibaba Cloud DNS API
# (wildcard names can only be validated over DNS); quote the name so the shell does not glob it
acme.sh --issue --dns dns_ali -d '*.peakchao.com'
# Renew the certificate (--force renews even when it is not yet due; use it sparingly,
# Let's Encrypt limits duplicate certificates to 5 per week)
acme.sh --renew -d '*.peakchao.com' --force
# List certificates
acme.sh --list
# Remove a certificate from acme.sh's management
acme.sh --remove -d <SAN_Domains>
# Upgrade acme.sh to the latest version:
acme.sh --upgrade
# Enable automatic upgrades:
acme.sh --upgrade --auto-upgrade
# Disable automatic upgrades:
acme.sh --upgrade --auto-upgrade 0
# The following is NOT needed: as far as I can tell, acme.sh installs its own renewal cron job
crontab -e
# Add a task like this: run once every three months
0 0 29 */3 * acme.sh --renew -d '*.peakchao.com' --force
# Finally, do not forget to update the nginx configuration and restart it
Output:
[root@izf9t76wjp0zs8z ~]# wget -O - https://get.acme.sh | sh
--2019-03-09 15:17:22-- https://get.acme.sh/
Resolving get.acme.sh (get.acme.sh)... 144.217.161.63, 2607:5300:201:3100::5663
Connecting to get.acme.sh (get.acme.sh)|144.217.161.63|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 705 [text/plain]
Saving to: ‘STDOUT’
100%[===========================================================================================================>] 705 --.-K/s in 0s
2019-03-09 15:17:24 (176 MB/s) - written to stdout [705/705]
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 171k 100 171k 0 0 10938 0 0:00:16 0:00:16 --:--:-- 45873
[Sat Mar 9 15:17:40 CST 2019] Installing from online archive.
[Sat Mar 9 15:17:40 CST 2019] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Sat Mar 9 15:17:46 CST 2019] Extracting master.tar.gz
[Sat Mar 9 15:17:46 CST 2019] It is recommended to install socat first.
[Sat Mar 9 15:17:46 CST 2019] We use socat for standalone server if you use standalone mode.
[Sat Mar 9 15:17:46 CST 2019] If you don't use standalone mode, just ignore this warning.
[Sat Mar 9 15:17:46 CST 2019] Installing to /usr/local/acme.sh
[Sat Mar 9 15:17:46 CST 2019] Installed to /usr/local/acme.sh/acme.sh
[Sat Mar 9 15:17:46 CST 2019] Installing alias to '/root/.bashrc'
[Sat Mar 9 15:17:46 CST 2019] OK, Close and reopen your terminal to start using acme.sh
[Sat Mar 9 15:17:46 CST 2019] Installing alias to '/root/.cshrc'
[Sat Mar 9 15:17:46 CST 2019] Installing alias to '/root/.tcshrc'
[Sat Mar 9 15:17:46 CST 2019] Installing cron job
57 0 * * * "/usr/local/acme.sh"/acme.sh --cron --home "/usr/local/acme.sh" > /dev/null
[Sat Mar 9 15:17:46 CST 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Mar 9 15:17:46 CST 2019] OK
[Sat Mar 9 15:17:46 CST 2019] Install success!
[root@izf9t76wjp0zs8z ~]# export Ali_Key="4xvxbCThnjerg955"
[root@izf9t76wjp0zs8z ~]# export Ali_Secret="fwyhkkp0"
[root@izf9t76wjp0zs8z ~]# acme.sh --issue --dns dns_ali -d *.peakchao.com
[Sat Mar 9 15:19:42 CST 2019] Creating domain key
[Sat Mar 9 15:19:43 CST 2019] The domain key is here: /usr/local/nginx/conf/ssl/*.peakchao.com/*.peakchao.com.key
[Sat Mar 9 15:19:43 CST 2019] Single domain='*.peakchao.com'
[Sat Mar 9 15:19:43 CST 2019] Getting domain auth token for each domain
[Sat Mar 9 15:19:46 CST 2019] Getting webroot for domain='*.peakchao.com'
[Sat Mar 9 15:19:46 CST 2019] Found domain api file: /usr/local/acme.sh/dnsapi/dns_ali.sh
[Sat Mar 9 15:19:49 CST 2019] Let's check each dns records now. Sleep 20 seconds first.
[Sat Mar 9 15:20:10 CST 2019] Checking peakchao.com for _acme-challenge.peakchao.com
[Sat Mar 9 15:20:11 CST 2019] Domain peakchao.com '_acme-challenge.peakchao.com' success.
[Sat Mar 9 15:20:11 CST 2019] All success, let's return
[Sat Mar 9 15:20:11 CST 2019] Verifying: *.peakchao.com
[Sat Mar 9 15:20:15 CST 2019] Success
[Sat Mar 9 15:20:15 CST 2019] Removing DNS records.
[Sat Mar 9 15:20:19 CST 2019] Verify finished, start to sign.
[Sat Mar 9 15:20:19 CST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/48893963/348010849
[Sat Mar 9 15:20:21 CST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/0325e2883ade3b454bcf95c37c112b884689
[Sat Mar 9 15:20:23 CST 2019] Cert success.
-----BEGIN CERTIFICATE-----
MIIFVTCCBD2gAwIBAgISAyXiiDreO0VLz5XDfBEriEaJMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTAzMDkwNjIwMjBaFw0x
OTA2MDcwNjIwMjBaMBkxFzAVBgNVBAMMDioucGVha2NoYW8uY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8A
-----END CERTIFICATE-----
[Sat Mar 9 15:20:23 CST 2019] Your cert is in /usr/local/nginx/conf/ssl/*.peakchao.com/*.peakchao.com.cer
[Sat Mar 9 15:20:23 CST 2019] Your cert key is in /usr/local/nginx/conf/ssl/*.peakchao.com/*.peakchao.com.key
[Sat Mar 9 15:20:23 CST 2019] The intermediate CA cert is in /usr/local/nginx/conf/ssl/*.peakchao.com/ca.cer
[Sat Mar 9 15:20:23 CST 2019] And the full chain certs is there: /usr/local/nginx/conf/ssl/*.peakchao.com/fullchain.cer
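The post ends the acme.sh method with "do not forget to update the nginx configuration and restart it". The script below is an added example (not from the original post or the acme.sh project) that closes that gap: it only renews when the certificate is actually close to expiry, validates the nginx configuration before reloading, and shows acme.sh's own --install-cert/--reloadcmd mechanism so the cron job acme.sh installed reloads nginx by itself after every renewal. The domain and certificate paths are the ones acme.sh printed in the output above; the 30-day window and the nginx.key / nginx.fullchain.cer file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of acme.sh itself.
# Renew a wildcard cert only when it is close to expiry, then validate the
# nginx config before reloading so a bad renewal never takes the site down.
set -eu

DOMAIN='*.peakchao.com'                       # domain from the post
CERT_DIR="/usr/local/nginx/conf/ssl/$DOMAIN"  # directory acme.sh printed in the post
FULLCHAIN="$CERT_DIR/fullchain.cer"
RENEW_WITHIN_DAYS=30                          # assumption: renew when <30 days remain

# Convert a day count into the seconds value `openssl x509 -checkend` expects.
days_to_seconds() {
    echo $(( $1 * 86400 ))
}

# Pure decision helper (no openssl needed): given the seconds left until expiry
# and the renewal window in days, succeed when a renewal is due.
should_renew() {
    seconds_left="$1"; window_days="$2"
    [ "$seconds_left" -lt "$(days_to_seconds "$window_days")" ]
}

# Succeed when the certificate file expires within the given number of days.
# `openssl x509 -checkend N` exits non-zero if the cert will have expired in N
# seconds, so no GNU date arithmetic is required.
cert_expires_within() {
    cert="$1"; days="$2"
    if openssl x509 -noout -checkend "$(days_to_seconds "$days")" -in "$cert"; then
        return 1   # still valid beyond the window
    else
        return 0   # expiring soon
    fi
}

# Renew, then reload nginx only if its configuration still parses. Without
# --force, acme.sh itself skips the renewal when the cert is not yet due.
renew_and_reload() {
    acme.sh --renew -d "$DOMAIN"
    nginx -t             # set -e aborts here if the config is broken
    nginx -s reload      # reload rather than restart: no dropped connections
}

# One-time setup: tell acme.sh where to copy the files and how to reload nginx.
# From then on the cron job acme.sh installed runs this reload command after
# each successful renewal, so the manual "restart nginx" step disappears.
install_with_reload_hook() {
    acme.sh --install-cert -d "$DOMAIN" \
        --key-file "$CERT_DIR/nginx.key" \
        --fullchain-file "$CERT_DIR/nginx.fullchain.cer" \
        --reloadcmd "nginx -t && nginx -s reload"
}

# Only act when invoked as `./renew.sh run`, so sourcing the file is side-effect free.
if [ "${1:-}" = "run" ]; then
    if cert_expires_within "$FULLCHAIN" "$RENEW_WITHIN_DAYS"; then
        renew_and_reload
    else
        echo "certificate still has more than $RENEW_WITHIN_DAYS days left; nothing to do"
    fi
fi
```

Run install_with_reload_hook once after the first --issue; afterwards the script's `run` mode is only needed for an ad-hoc check, because acme.sh's daily cron entry (the `57 0 * * *` line in the install output above) handles renewal and, through --reloadcmd, the nginx reload. Pointing nginx's ssl_certificate at the files written by --install-cert, rather than at acme.sh's internal directory, is the layout acme.sh documents for exactly this reason.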
2. Auto-renewal with lnmp:
# Fill in your real key & secret
export Ali_Key="4xvxbCThnjerg955"
export Ali_Secret="fwyhkkp0"
# After running this command, configure it as shown in the figure
lnmp dnsssl ali   # or: lnmp dns ali
# Finally, do not forget to update the nginx configuration and restart it
3. Using certbot-auto
This is the officially recommended method; it works entirely through shell commands and is the simplest and most convenient way to get there. The steps are as follows:
Visit the certbot website at https://certbot.eff.org/
On the home page select your web server and operating system, and the matching steps are displayed. Follow them one by one; barring surprises, that completes the setup.
Note: if an HTTPS service is already running on the server, stop it first, because certbot-auto uses port 443 during validation.
# Download certbot-auto
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
# Run the automatic installer; this command tries to configure nginx for you. Alternatively, use
# the next command to only obtain a certificate suitable for nginx and then configure nginx by hand
./certbot-auto --nginx
# Only obtain a certificate suitable for nginx
./certbot-auto --nginx certonly
# Once issued, inspect the certificate status
./certbot-auto certificates
# Test automatic renewal without issuing anything
./certbot-auto renew --dry-run
# Perform the renewal (stop nginx first so the validation port is free, then start it again)
service nginx stop
./certbot-auto renew
service nginx start
# Check the certificate status
./certbot-auto certificates
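The renewal sequence above stops nginx by hand, runs `certbot-auto renew`, and starts nginx again, which leaves the site down even on the many runs where nothing is due. The script below is an added example (not from the original post or the certbot project): it hands the stop/start to certbot's --pre-hook/--post-hook options, which certbot runs only when a certificate is actually renewed, and then confirms that the certificate nginx serves on port 443 is the same one certbot wrote to disk, since a renewed file that nginx never reloaded is the classic way a site ends up expired anyway. The host name www.peakchao.com and the CERTBOT path are assumptions; /etc/letsencrypt/live/<host>/fullchain.pem is certbot's standard layout.

```shell
#!/bin/sh
# Added example, not part of the original post or of certbot itself.
# Renew with hooks instead of stopping nginx manually, then verify that the
# certificate actually served matches the one on disk.
set -eu

HOST="www.peakchao.com"                  # assumption: a host nginx serves
CERTBOT="${CERTBOT:-./certbot-auto}"     # assumption: path to certbot-auto (use an absolute path in cron)
LIVE_DIR="/etc/letsencrypt/live/$HOST"   # certbot's standard live directory
ON_DISK="$LIVE_DIR/fullchain.pem"        # first PEM block is the leaf certificate

# certbot runs the hooks only for certificates that are due, so this is safe to
# schedule daily: most runs are a no-op and nginx keeps serving.
renew_with_hooks() {
    "$CERTBOT" renew --quiet \
        --pre-hook  "service nginx stop" \
        --post-hook "service nginx start"
}

# Turn openssl's "SHA256 Fingerprint=AB:CD:..." line into bare lowercase hex so
# two fingerprints can be compared as plain strings.
normalize_fingerprint() {
    printf '%s\n' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'A-Z' 'a-z'
}

# SHA-256 fingerprint of the leaf certificate in a PEM file.
fingerprint_of_file() {
    normalize_fingerprint "$(openssl x509 -noout -fingerprint -sha256 -in "$1")"
}

# SHA-256 fingerprint of the leaf certificate a TLS server presents for a host
# (SNI is set so a multi-site nginx returns the right certificate).
fingerprint_served_by() {
    normalize_fingerprint "$(echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)"
}

# Fail loudly when disk and wire disagree: that means nginx was not restarted
# or its ssl_certificate directive points at an old file.
verify_deployed() {
    disk="$(fingerprint_of_file "$ON_DISK")"
    live="$(fingerprint_served_by "$HOST")"
    if [ "$disk" = "$live" ]; then
        echo "OK: nginx serves the certificate on disk ($disk)"
    else
        echo "MISMATCH: disk=$disk served=$live (restart nginx or check ssl_certificate)" >&2
        return 1
    fi
}

# Only act when invoked as `./renew.sh run`, so sourcing the file is side-effect free.
if [ "${1:-}" = "run" ]; then
    renew_with_hooks
    verify_deployed
fi
```

A daily cron entry calling this script in `run` mode (with CERTBOT set to an absolute path, because cron's working directory is not where certbot-auto was downloaded) replaces the manual stop/renew/start sequence; `./certbot-auto renew --dry-run` from the post remains the way to test the hooks without touching the real certificate.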