Let's Encrypt: obtaining a free SSL certificate and renewing it automatically

Let's Encrypt is a free, open certificate authority that also issues wildcard certificates, but its certificates are valid for only 3 months. To avoid applying for a new certificate by hand every time, a script can handle the renewal automatically. I have tested three approaches, all of which renewed successfully, and record the process here.

Prerequisite: obtain the DNS provider API Key & Secret

Reference: https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md

1. Automatic renewal with acme.sh:

# Install acme.sh (either of the two commands works)
curl https://get.acme.sh | sh
wget -O - https://get.acme.sh | sh
# Check the acme.sh version
acme.sh --version
# Fill in your real Key & Secret (the Alibaba Cloud DNS API credentials used by the dns_ali hook)
export Ali_Key="4xvxbCThnjerg955"
export Ali_Secret="fwyhkkp0"
# Issue the certificate (quote the wildcard so the shell does not expand it as a glob)
acme.sh --issue --dns dns_ali -d '*.peakchao.com'
# Renew the certificate
acme.sh --renew -d '*.peakchao.com' --force
# List the certificates
acme.sh --list
# Remove a certificate
acme.sh --remove -d <domain>

# Upgrade acme.sh to the latest version:
acme.sh --upgrade
# Enable automatic upgrades:
acme.sh --upgrade --auto-upgrade
# Disable automatic upgrades:
acme.sh --upgrade --auto-upgrade 0

# The following does not need to be run: on inspection, acme.sh installs its own renewal cron job automatically
crontab -e
# Add a job like the following: runs once every three months
0 0 29 */3 * acme.sh --renew -d '*.peakchao.com' --force
# Finally, do not forget to update the nginx configuration and restart nginx

Output

[root@izf9t76wjp0zs8z ~]# wget -O -  https://get.acme.sh | sh
--2019-03-09 15:17:22--  https://get.acme.sh/
Resolving get.acme.sh (get.acme.sh)... 144.217.161.63, 2607:5300:201:3100::5663
Connecting to get.acme.sh (get.acme.sh)|144.217.161.63|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 705 [text/plain]
Saving to: ‘STDOUT’

100%[===========================================================================================================>] 705         --.-K/s   in 0s      

2019-03-09 15:17:24 (176 MB/s) - written to stdout [705/705]

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  171k  100  171k    0     0  10938      0  0:00:16  0:00:16 --:--:-- 45873
[Sat Mar  9 15:17:40 CST 2019] Installing from online archive.
[Sat Mar  9 15:17:40 CST 2019] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Sat Mar  9 15:17:46 CST 2019] Extracting master.tar.gz
[Sat Mar  9 15:17:46 CST 2019] It is recommended to install socat first.
[Sat Mar  9 15:17:46 CST 2019] We use socat for standalone server if you use standalone mode.
[Sat Mar  9 15:17:46 CST 2019] If you don't use standalone mode, just ignore this warning.
[Sat Mar  9 15:17:46 CST 2019] Installing to /usr/local/acme.sh
[Sat Mar  9 15:17:46 CST 2019] Installed to /usr/local/acme.sh/acme.sh
[Sat Mar  9 15:17:46 CST 2019] Installing alias to '/root/.bashrc'
[Sat Mar  9 15:17:46 CST 2019] OK, Close and reopen your terminal to start using acme.sh
[Sat Mar  9 15:17:46 CST 2019] Installing alias to '/root/.cshrc'
[Sat Mar  9 15:17:46 CST 2019] Installing alias to '/root/.tcshrc'
[Sat Mar  9 15:17:46 CST 2019] Installing cron job
57 0 * * * "/usr/local/acme.sh"/acme.sh --cron --home "/usr/local/acme.sh" > /dev/null
[Sat Mar  9 15:17:46 CST 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Mar  9 15:17:46 CST 2019] OK
[Sat Mar  9 15:17:46 CST 2019] Install success!

[root@izf9t76wjp0zs8z ~]# export Ali_Key="4xvxbCThnjerg955"
[root@izf9t76wjp0zs8z ~]# export Ali_Secret="fwyhkkp0"
[root@izf9t76wjp0zs8z ~]# acme.sh --issue --dns dns_ali -d *.peakchao.com
[Sat Mar 9 15:19:42 CST 2019] Creating domain key
[Sat Mar 9 15:19:43 CST 2019] The domain key is here: /usr/local/nginx/conf/ssl/*.peakchao.com/*.peakchao.com.key
[Sat Mar 9 15:19:43 CST 2019] Single domain='*.peakchao.com'
[Sat Mar 9 15:19:43 CST 2019] Getting domain auth token for each domain
[Sat Mar 9 15:19:46 CST 2019] Getting webroot for domain='*.peakchao.com'
[Sat Mar 9 15:19:46 CST 2019] Found domain api file: /usr/local/acme.sh/dnsapi/dns_ali.sh
[Sat Mar 9 15:19:49 CST 2019] Let's check each dns records now. Sleep 20 seconds first.
[Sat Mar 9 15:20:10 CST 2019] Checking peakchao.com for _acme-challenge.peakchao.com
[Sat Mar 9 15:20:11 CST 2019] Domain peakchao.com '_acme-challenge.peakchao.com' success.
[Sat Mar 9 15:20:11 CST 2019] All success, let's return
[Sat Mar 9 15:20:11 CST 2019] Verifying: *.peakchao.com
[Sat Mar 9 15:20:15 CST 2019] Success
[Sat Mar 9 15:20:15 CST 2019] Removing DNS records.
[Sat Mar 9 15:20:19 CST 2019] Verify finished, start to sign.
[Sat Mar 9 15:20:19 CST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/48893963/348010849
[Sat Mar 9 15:20:21 CST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/0325e2883ade3b454bcf95c37c112b884689
[Sat Mar 9 15:20:23 CST 2019] Cert success.
-----BEGIN CERTIFICATE-----
MIIFVTCCBD2gAwIBAgISAyXiiDreO0VLz5XDfBEriEaJMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTAzMDkwNjIwMjBaFw0x
OTA2MDcwNjIwMjBaMBkxFzAVBgNVBAMMDioucGVha2NoYW8uY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8A
-----END CERTIFICATE-----
[Sat Mar 9 15:20:23 CST 2019] Your cert is in /usr/local/nginx/conf/ssl/*.peakchao.com/*.peakchao.com.cer
[Sat Mar 9 15:20:23 CST 2019] Your cert key is in /usr/local/nginx/conf/ssl/*.peakchao.com/*.peakchao.com.key
[Sat Mar 9 15:20:23 CST 2019] The intermediate CA cert is in /usr/local/nginx/conf/ssl/*.peakchao.com/ca.cer
[Sat Mar 9 15:20:23 CST 2019] And the full chain certs is there: /usr/local/nginx/conf/ssl/*.peakchao.com/fullchain.cer
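The log above prints the start of the issued certificate. As an added monitoring check that is not part of the original post and not acme.sh's own code, the following Python (standard library only) reads the validity window of the first certificate in a .cer or fullchain.cer file with a minimal DER walk and classifies it the way a daily check after the cron job should; the 60-day renewal age and the 14-day alert threshold are assumed values. Run on the page's own truncated fragment it recovers notBefore 2019-03-09 06:20:20 UTC and notAfter 2019-06-07 06:20:20 UTC.

```python
import base64
from datetime import datetime, timedelta, timezone

# Leaf certificate exactly as the acme.sh log above prints it; the page truncates it, but
# the DER up to the Validity sequence survives, which is all this check needs to read.
PAGE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIFVTCCBD2gAwIBAgISAyXiiDreO0VLz5XDfBEriEaJMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTAzMDkwNjIwMjBaFw0x
OTA2MDcwNjIwMjBaMBkxFzAVBgNVBAMMDioucGVha2NoYW8uY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8A
-----END CERTIFICATE-----"""

def der_tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_validity(pem):
    """Return (notBefore, notAfter) as UTC datetimes for the first certificate in pem."""
    body = pem.split("-----BEGIN CERTIFICATE-----")[1].split("-----END CERTIFICATE-----")[0]
    der = base64.b64decode("".join(body.split()))
    _, pos, _ = der_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, pos, _ = der_tlv(der, pos)          # tbsCertificate ::= SEQUENCE
    # skip the optional [0] version, then serialNumber, signature and issuer
    for _ in range(4 if der[pos] == 0xA0 else 3):
        pos = der_tlv(der, pos)[2]
    _, pos, _ = der_tlv(der, pos)          # validity ::= SEQUENCE { notBefore, notAfter }
    times = []
    for _ in range(2):
        tag, start, end = der_tlv(der, pos)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
        times.append(datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc))
        pos = end
    return times[0], times[1]

def renewal_status(pem, now, renew_days=60, alert_days=14):
    """'ok'; 'renew-due' once the cert is renew_days old (60 is assumed to be acme.sh's default);
    'alert' when expiry is within alert_days, i.e. the daily cron renewal has been failing."""
    not_before, not_after = cert_validity(pem)
    days_left = (not_after - now).days
    if days_left < alert_days:
        return "alert", days_left
    if now >= not_before + timedelta(days=renew_days):
        return "renew-due", days_left
    return "ok", days_left
```

Run it from a cron entry scheduled after acme.sh's own and page someone on "alert": a certificate still in place well past its renewal age means the renewals are failing silently.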

2. Automatic renewal with lnmp:

# Fill in your real Key & Secret
export Ali_Key="4xvxbCThnjerg955"
export Ali_Secret="fwyhkkp0"
# Run this command, then configure it as shown in the screenshot below
lnmp dnsssl ali    # or: lnmp dns ali
# Finally, do not forget to update the nginx configuration and restart nginx
[Screenshot: lnmp-1.5-dnsssl.png]

3. Using certbot-auto

This is the officially recommended method; with a few shell commands it reaches the goal in the simplest and most convenient way. The steps are as follows:

Visit the certbot website at https://certbot.eff.org/

On the home page, select your web server and operating system, and the corresponding steps are displayed. Follow them one by one; barring surprises, that completes the setup.

Note: if the server already has HTTPS enabled, stop it first, because certbot-auto uses port 443 when performing validation.

# Download certbot-auto
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
# Run the automatic setup; this command tries to configure nginx for you. Alternatively, use the next command to only obtain a certificate suitable for nginx and then configure nginx by hand
./certbot-auto --nginx
# Only obtain a certificate suitable for nginx
./certbot-auto --nginx certonly
# After issuance succeeds, check the certificate status
./certbot-auto certificates
# Test automatic renewal
./certbot-auto renew --dry-run
# Perform the renewal
service nginx stop
./certbot-auto renew
service nginx start
# Check the certificate status
./certbot-auto certificates
