An earlier article described how to obtain a wildcard certificate on CentOS with certbot and Cloudflare; see:
Environment setup
If your DNS is hosted on Aliyun, proceed as follows.
First check whether python3 is installed on your system:
[root@localhost ~]# python3
Python 3.6.8 (default, Nov 16 2020, 16:55:22)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>
If the command is not found (CentOS 7 normally ships python3 by default), python3 is not installed; install it with yum install python3.
Next, install certbot inside a virtual environment:
# assume certbot will be installed under /opt/certbot
mkdir -p /opt/certbot
cd /opt/certbot
python3 -m venv venv
source venv/bin/activate
# upgrade pip first
pip install --upgrade pip
# install certbot and the plugins
pip install certbot certbot-nginx certbot-dns-aliyun
Request an access_key and access_secret in the Aliyun DNS console
Address: https://ram.console.aliyun.com. Create a RAM account, record its access_key and access_secret, and grant the account the AliyunDNSFullAccess permission.
Create the configuration file /opt/certbot/aliyun.ini with the following content (replace access_key and access_secret with the values you just recorded in Aliyun):
dns_aliyun_access_key = 12345678
dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef
Restrict the file permissions so only the owner can read it:
chmod 600 /opt/certbot/aliyun.ini
Requesting the certificate
The command is:
/opt/certbot/venv/bin/certbot certonly \
  -a dns-aliyun \
  --dns-aliyun-credentials /opt/certbot/aliyun.ini \
  -d example.com.cn \
  -d "*.example.com.cn"
You will be prompted for your email address, to accept the terms (enter Y), and whether you want to share your email address (enter N if not).
(venv) [root@xundeng bin]# /opt/certbot/venv/bin/certbot certonly \
> -a dns-aliyun \
> --dns-aliyun-credentials /opt/certbot/aliyun.ini \
> -d example.com.cn \
> -d "*.example.com.cn"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugin legacy name certbot-dns-aliyun:dns-aliyun may be removed in a future version. Please use dns-aliyun instead.
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for xundeng-tech.com.cn and *.xundeng-tech.com.cn
Waiting 30 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/xundeng-tech.com.cn/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/xundeng-tech.com.cn/privkey.pem
This certificate expires on 2022-05-10.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The certificate has now been issued. You will find the pem files under /etc/letsencrypt/live/example.com.cn, and you can reference them from nginx or any other application.
Certificate renewal
Renew the certificate with the following commands:
# --dry-run only simulates the renewal
/opt/certbot/venv/bin/certbot renew -a dns-aliyun --dns-aliyun-credentials /opt/certbot/aliyun.ini --dry-run
# real renewal
/opt/certbot/venv/bin/certbot renew -a dns-aliyun --dns-aliyun-credentials /opt/certbot/aliyun.ini
Let's Encrypt certificates are valid for only 3 months, so renewing them by hand is clearly tedious; we use the Linux crontab to renew them on a schedule.
First create the renewal script /opt/renew_cert.sh:
#!/bin/bash
# renew the certificates
/opt/certbot/venv/bin/certbot renew -a dns-aliyun --dns-aliyun-credentials /opt/certbot/aliyun.ini
# you can also send yourself a notification (e.g. via DingTalk) based on the renew result
#if /opt/certbot/venv/bin/certbot renew -a dns-aliyun --dns-aliyun-credentials /opt/certbot/aliyun.ini | grep -q 'all renewals succeeded'; then
#    # send the notification, omitted
#fi
Make /opt/renew_cert.sh executable:
chmod +x /opt/renew_cert.sh
Create the schedule:
crontab -e
Add the following line:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /opt/renew_cert.sh
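As an added example (not the original post's script), here is a stricter version of /opt/renew_cert.sh: it refuses to run when aliyun.ini has lost the 600 mode set above (the file carries an AliyunDNSFullAccess key), classifies certbot's output so the cron job can tell "nothing due yet" from a real failure, and reloads nginx only through --deploy-hook, i.e. only when a certificate was actually replaced. The CERTBOT, CREDS and LOG variables and the echo-based notification are placeholders assumed here, not part of the post.

```shell
#!/bin/bash
# Added example, not the original post's script: hardened /opt/renew_cert.sh.
# CERTBOT, CREDS, LOG and the notification echo are assumed placeholders.
CERTBOT="${CERTBOT:-/opt/certbot/venv/bin/certbot}"
CREDS="${CREDS:-/opt/certbot/aliyun.ini}"
LOG="${LOG:-/var/log/renew_cert.log}"

# Succeed only if the credential file is a regular file with no group/other
# bits, i.e. the chmod 600 from setup still holds (checks `ls -ld` columns 1-10).
creds_is_private() {
    perm=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perm" in
        -???------) return 0 ;;   # owner bits only
        *)          return 1 ;;   # missing, symlink, or readable by others
    esac
}

# Map the text certbot renew wrote to file $1 onto one status word, using the
# summary phrases certbot prints at the end of a renew run.
classify_renew_output() {
    if grep -q 'could not be renewed' "$1" || grep -q 'renewals failed' "$1"; then
        echo failed
    elif grep -q 'renewals succeeded' "$1"; then
        echo renewed             # real and --dry-run (simulated) success
    elif grep -q 'No renewals were attempted' "$1"; then
        echo skipped             # nothing due yet: the normal twice-daily case
    else
        echo failed              # unexpected output (plugin error, network, ...)
    fi
}

run_renewal() {
    if ! creds_is_private "$CREDS"; then
        echo "refusing to run: $CREDS is readable by group/other, chmod 600 it" >&2
        return 2
    fi
    out=$(mktemp)
    # --deploy-hook only fires for certificates that were actually renewed
    "$CERTBOT" renew -a dns-aliyun --dns-aliyun-credentials "$CREDS" \
        --deploy-hook "systemctl reload nginx" >"$out" 2>&1 || true
    status=$(classify_renew_output "$out")
    { date; echo "status=$status"; cat "$out"; } >>"$LOG"
    rm -f "$out"
    if [ "$status" = failed ]; then
        echo "certificate renewal failed, see $LOG" >&2   # replace with DingTalk/webhook call
        return 1
    fi
}

# Run only when invoked as the script itself (e.g. from the crontab line above).
case "${0##*/}" in renew_cert.sh) run_renewal ;; esac
```

With this script the crontab line stays as written above; a failed run leaves a non-zero exit status and a dated entry in the log, while the "skipped" case stays quiet.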