CentOS7上安装Certbot配合阿里云aliyun获取letsencrypt通配符证书并排程自动续期

2022-02-14 1054点热度 0人点赞 0条评论

之前的文章介绍了在CentOS上使用certbot配合cloudflare获取通配符证书的文章,详见:

https://blog.terrynow.com/2021/10/04/centos7-or-8-certbot-cloudflare-letsencrypt-wildcard-ssl-cert-and-auto-renew/

环境配置

如果你的DNS是在aliyun上的,可以看如下:

首先检查你的系统环境是否安装了python3

[root@localhost ~]# python3
Python 3.6.8 (default, Nov 16 2020, 16:55:22)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

如果命令未找到(一般来说CentOS7上都默认有python3的),说明没有安装python3,可以使用yum install python3来安装。

接下来安装certbot和虚拟环境

# 假设certbot安装到/opt/certbot
mkdir -p /opt/certbot
cd /opt/certbot
python3 -m venv venv
source venv/bin/activate

# 升级一下pip
pip install --upgrade pip
# 安装certbot等
pip install certbot certbot-nginx certbot-dns-aliyun

到阿里云DNS后台申请访问access_key和access_secret

地址:https://ram.console.aliyun.com 创建账号,记录access_key和access_secret,并授予创建的账号的权限是:AliyunDNSFullAccess

新建配置文件/opt/certbot/aliyun.ini,内容如下(其中access_key和access_secret就替换成阿里云刚才记录下来的内容):

dns_aliyun_access_key = 12345678
dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef

修改文件权限:

chmod 600 /opt/certbot/aliyun.ini

申请证书

命令如下:

/opt/certbot/venv/bin/certbot certonly \
-a dns-aliyun \
--dns-aliyun-credentials /opt/certbot/aliyun.ini \
-d example.com.cn \
-d "*.example.com.cn"

会提示输出你的邮箱、同意条款(输入Y)、是否需要分享邮箱地址(不需要输入N)

(venv) [root@xundeng bin]# /opt/certbot/venv/bin/certbot certonly \
> -a dns-aliyun \
> --dns-aliyun-credentials /opt/certbot/aliyun.ini \
> -d example.com.cn \
> -d "*.example.com.cn"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugin legacy name certbot-dns-aliyun:dns-aliyun may be removed in a future version. Please use dns-aliyun instead.
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for xundeng-tech.com.cn and *.xundeng-tech.com.cn
Waiting 30 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/xundeng-tech.com.cn/fullchain.pem
Key is saved at: /etc/letsencrypt/live/xundeng-tech.com.cn/privkey.pem
This certificate expires on 2022-05-10.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

域名证书就申请成功了,会在/etc/letsencrypt/live/example.com. cn看看到pem的证书了,接下来,你可以在nginx或者其他应用中调用这些证书了。

证书续期

使用如下命令更新证书:

# --dry-run 的是模拟更新证书
/opt/certbot/venv/bin/certbot renew -a dns-aliyun --dns-aliyun-credentials /opt/certbot/aliyun.ini --dry-run

# 正式更新证书
/opt/certbot/venv/bin/certbot renew -a dns-aliyun --dns-aliyun-credentials /opt/certbot/aliyun.ini

Lets Encrypt的证书有效期只有3个月,显然 手动去更新证书是比较麻烦的,我们需要利用linux的crontab定期更新证书

首先新建定期续期的脚本:/opt/renew_cert.sh,

# 更新证书
/opt/certbot/venv/bin/certbot renew -a dns-aliyun --dns-aliyun-credentials /opt/certbot/aliyun.ini

# 还可以根据renew后的结果,给你自己发送提醒,例如钉钉等

#if /opt/certbot/venv/bin/certbot renew -a dns-aliyun --dns-aliyun-credentials /opt/certbot/aliyun.iniw | grep -q 'all renewals succeeded'; then
#    # 发送提醒,省略
#fi

给/opt/renew_cert.sh加上可执行权限

chmod +x /opt/renew_cert.sh

新建排程

crontab -e

增加如下一行:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /opt/renew_cert.sh

 

admin

这个人很懒,什么都没留下

文章评论

您需要 登录 之后才可以评论