Preface
Let's Encrypt provides free SSL certificates, and certbot is used to obtain them and to schedule automatic renewal. Let's Encrypt now also issues wildcard certificates, which is convenient when you have several subdomains: a single wildcard certificate covers them all.
To obtain a wildcard certificate you must use one of Certbot's DNS plugins (the wildcard validation is done through DNS).
I use the Cloudflare DNS plugin to obtain the certificate, and a Linux cron job to check periodically whether renewal is needed and to renew automatically when it is.
You can also obtain a wildcard certificate with acme, see: https://blog.terrynow.com/2021/02/14/acme-retrive-letsencrpt-https-ssl-cert-and-auto-renew/
If your DNS is hosted on Aliyun, see: https://blog.terrynow.com/2022/02/14/centos7-or-8-certbot-aliyun-letsencrypt-wildcard-ssl-cert-and-auto-renewal/
Implementation
First, your domain must be hosted on Cloudflare.
Step 1: install Certbot on your CentOS machine
Installation is simple these days; yum resolves the dependencies for you, so just install the packages:
yum install -y epel-release
yum install -y certbot
yum install -y python2-cloudflare python2-certbot-dns-cloudflare
Step 2: generate an API key in your Cloudflare account
Generate an API key at https://dash.cloudflare.com/profile/api-tokens
Create a new file /etc/letsencrypt/cloudflare.ini with the following content, where dns_cloudflare_email is your Cloudflare account email and dns_cloudflare_api_key is the API key you just generated:
dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = 1111122222333333
Step 3: obtain the certificate for the first time
Run certbot with the Cloudflare plugin options to obtain the wildcard certificate, as follows:
sudo certbot certonly --cert-name example.com \
  --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
  --server https://acme-v02.api.letsencrypt.org/directory \
  -d "*.example.com" -d example.com
Certbot will prompt for an email address, ask whether you agree to the terms of service, and so on; once you have answered, it is done!
Plugins selected: Authenticator dns-cloudflare, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): [email protected]

-------------------------------------------------------------------------------
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Once it succeeds, you will find the PEM certificates in /etc/letsencrypt/live/example.com:
[root@wulala terrynow.com]# ll /etc/letsencrypt/live/terrynow.com/
total 4
lrwxrwxrwx 1 root root 37 Oct  1 22:57 cert.pem -> ../../archive/terrynow.com/cert.pem
lrwxrwxrwx 1 root root 38 Oct  1 22:57 chain.pem -> ../../archive/terrynow.com/chain.pem
lrwxrwxrwx 1 root root 42 Oct  1 22:57 fullchain.pem -> ../../archive/terrynow.com/fullchain.pem
lrwxrwxrwx 1 root root 40 Oct  1 22:58 privkey.pem -> ../../archive/terrynow.com/privkey.pem
-rw-r--r-- 1 root root 692 Oct  1 22:52 README
You can now reference these certificates from nginx or any other application.
Step 4: certificate renewal
Renew with the following certbot commands:
# Manual renewal
certbot --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini renew
# Manual renewal, test mode: with --dry-run you can check whether renewal would succeed, but no real renewal is performed!
certbot --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini renew --dry-run
Output like the following means the test renewal succeeded:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/terrynow.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-cloudflare, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for *.terrynow.com
Performing the following challenges:
dns-01 challenge for terrynow.com
Unsafe permissions on credentials configuration file: /etc/letsencrypt/cloudflare.ini
Starting new HTTPS connection (1): api.cloudflare.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
Starting new HTTPS connection (1): api.cloudflare.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/terrynow.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/terrynow.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Let's Encrypt certificates are only valid for 3 months, and renewing them by hand that often is obviously a hassle, so we use Linux's cron scheduler to renew periodically.
First, create the renewal script /opt/renew_cert.sh:
#!/bin/sh
# Use certbot's full path: cron may not have your environment, so run `which certbot` first to find it
/usr/bin/certbot --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini renew
# You can also send yourself a notification (DingTalk, etc.) based on the renew result:
#if /usr/bin/certbot --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini renew | grep -q 'all renewals succeeded'; then
#    # send the notification, omitted here
#fi
Make /opt/renew_cert.sh executable:
chmod +x /opt/renew_cert.sh
Create the cron job:
crontab -e
Add the following line:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /opt/renew_cert.sh
The random delay in the cron entry spreads the renewal attempts out and eases the load on the Let's Encrypt servers a little.
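A hardened version of the renewal script above, as an added example that is not part of the original post: it refuses to run while the credentials file is readable by other users (the "Unsafe permissions on credentials configuration file" warning in the dry-run output above), reloads nginx only when a certificate was actually renewed, and classifies certbot's summary so a notification can hang off the result. The log path /var/log/renew_cert.log and the nginx reload are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a hardened /opt/renew_cert.sh.
# Assumes certbot + the Cloudflare DNS plugin installed as above, nginx serving the
# certificate, and the Cloudflare credentials in /etc/letsencrypt/cloudflare.ini.
set -u

CERTBOT=/usr/bin/certbot                 # full path: cron runs with a minimal PATH
CREDS=/etc/letsencrypt/cloudflare.ini
LOG=/var/log/renew_cert.log              # assumed log location

# Anyone who can read the credentials file holds an API key that can edit the zone's
# DNS, which is what the dry-run warning "Unsafe permissions on credentials
# configuration file" is about. Accept only owner-only modes (600 or 400).
creds_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Classify certbot's summary text: "renewed" when a certificate was issued (or a
# dry run simulated one), "skipped" when nothing was due yet, "failed" otherwise.
renew_status() {
    if   printf '%s\n' "$1" | grep -q 'renewals succeeded';  then echo renewed
    elif printf '%s\n' "$1" | grep -q 'not due for renewal'; then echo skipped
    else                                                          echo failed
    fi
}

main() {
    if ! creds_perms_ok "$CREDS"; then
        echo "$(date -Is) refusing to run: $CREDS must be mode 600 (chmod 600 $CREDS)" >>"$LOG"
        exit 1
    fi
    # --deploy-hook runs only for certificates that were actually renewed, so nginx
    # picks up the new key pair without being reloaded twice a day for nothing.
    out=$("$CERTBOT" --dns-cloudflare --dns-cloudflare-credentials "$CREDS" renew \
              --deploy-hook 'systemctl reload nginx' 2>&1)
    status=$(renew_status "$out")
    echo "$(date -Is) certbot renew: $status" >>"$LOG"
    [ "$status" = failed ] && printf '%s\n' "$out" >>"$LOG"   # keep the transcript for triage
    # hang your DingTalk (or other) notification off "$status" here
}

# Cron passes "renew" so that merely sourcing this file only defines the functions:
# 0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /opt/renew_cert.sh renew
if [ "${1:-}" = renew ]; then main; fi
```

Run `chmod 600 /etc/letsencrypt/cloudflare.ini` once; from then on the script refuses to start if the mode ever loosens again.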