CentOS7上安装Certbot配合cloudflare获取letsencrypt通配符证书并排程自动续期

2021-10-04 915点热度 0人点赞 0条评论

前言

LetsEncrypt的提供了免费的SSL证书,利用certbot来获取证书和安排自动续期。现在LetsEncrypt提供了通配符证书,如果有多个子域名就比较方便,只需要申请一个通配符证书就可以了。

如果要获取通配符证书,需要使用CertBot的DNS插件

我就是使用的Cloudflare的DNS插件来获取证书,并使用Linux的排程来定期检查是否需要续期,有需要的时候自动续期。

另外还可以使用acme获取通配符证书,请看:https://blog.terrynow.com/2021/02/14/acme-retrive-letsencrpt-https-ssl-cert-and-auto-renew/

如果你的DNS是aliyun上的,详见:https://blog.terrynow.com/2022/02/14/centos7-or-8-certbot-aliyun-letsencrypt-wildcard-ssl-cert-and-auto-renewal/

实现

首先,你的域名需要托管在Cloudflare

第1步,在你的CentOS上安装CertBot

现在安装也很简单,yum依赖都帮你处理好了,只要按照安装即可:

yum install -y epel-release
yum install -y certbot
yum install -y python2-cloudflare python2-certbot-dns-cloudflare

第2步,在你的Cloudflare上生成API密钥

https://dash.cloudflare.com/profile/api-tokens生成API 密钥

 

新建一个文件:/etc/letsencrypt/cloudflare.ini,内容如下:

dns_cloudflare_email就是你的cloudflare的邮箱账号,dns_cloudflare_api_key就是上面你生成的API密钥

dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = 1111122222333333

第3步,首次获取证书

使用certbot并添加floudfare插件的参数,来获取通配符证书,如下:

sudo certbot certonly --cert-name example.com --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini --server https://acme-v02.api.letsencrypt.org/directory -d "*.example.com" -d example.com

CertBot会要求提供邮件、是否统一条款等等,下一步后,就完成了!

Plugins selected: Authenticator dns-cloudflare, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

Output-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N

成功后,会在/etc/letsencrypt/live/example.com看看到pem的证书了

[[email protected] terrynow.com]# ll /etc/letsencrypt/live/terrynow.com/
total 4
lrwxrwxrwx 1 root root  37 Oct  1 22:57 cert.pem -> ../../archive/terrynow.com/cert.pem
lrwxrwxrwx 1 root root  38 Oct  1 22:57 chain.pem -> ../../archive/terrynow.com/chain.pem
lrwxrwxrwx 1 root root  42 Oct  1 22:57 fullchain.pem -> ../../archive/terrynow.com/fullchain.pem
lrwxrwxrwx 1 root root  40 Oct  1 22:58 privkey.pem -> ../../archive/terrynow.com/privkey.pem
-rw-r--r-- 1 root root 692 Oct  1 22:52 README

接下来,你可以在nginx或者其他应用中调用这些证书了。

第4步,证书续期

可以使用certbot如下命令来续期:

# 手动续期
certbot --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini renew

# 手动续期,测试,加上--dry-run参数,可以测试是否能续期成功,但不是真正续期!
certbot --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini renew --dry-run

测试信息如下,就说明测试续期成功:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/terrynow.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-cloudflare, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for *.terrynow.com
Performing the following challenges:
dns-01 challenge for terrynow.com
Unsafe permissions on credentials configuration file: /etc/letsencrypt/cloudflare.ini
Starting new HTTPS connection (1): api.cloudflare.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
Starting new HTTPS connection (1): api.cloudflare.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/terrynow.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/terrynow.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

LetEncrypt的证书,只有3个月的有效期,频繁手动去续期,显然比较麻烦,我们可以利用Linux的排程功能,定期来续期

首先新建定期续期的脚本:/opt/renew_cert.sh,

# 需要加certbot的全路径,cron里可能没有办法获取你的env,可以先用which certbot来看下cert的全路径
/usr/bin/certbot --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini renew

# 还可以根据renew后的结果,给你自己发送提醒,例如钉钉等

#if /usr/bin/certbot --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini renew | grep -q 'all renewals succeeded'; then
#    # 发送提醒,省略
#fi

给/opt/renew_cert.sh加上可执行权限

chmod +x /opt/renew_cert.sh

新建排程

crontab -e

增加如下一行:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /opt/renew_cert.sh

我们在排程里,增加了随机时间,给letsencrypt服务器减轻点压力

 

admin

这个人很懒,什么都没留下

文章评论

您需要 登录 之后才可以评论