Let's Encrypt free SSL certificate renewal


By default, Let's Encrypt issues certificates that are valid for only three months. When about half a month of validity remains, Let's Encrypt sends you an e-mail reminding you to renew the certificate.

1. Check the remaining validity of the domain's certificate:

You can view the remaining validity period of the certificates with the following command:

# /usr/local/letsencrypt/certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: test.com
    Serial Number: 43767e5d8b5768b451f49dc6d2898caf9c4
    Domains: *.test.com test.com
    Expiry Date: 2020-09-09 08:06:12+00:00 (VALID: 6 days)
    Certificate Path: /etc/letsencrypt/live/test.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/test.com/privkey.pem
  Certificate Name: image.test.net
    Serial Number: 309acc59b6d1526c6f219b3708b92f10c9a
    Domains: *.image.test.net
    Expiry Date: 2020-01-22 10:08:05+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/image.test.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/image.test.net/privkey.pem

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2. Renewing the domain certificate:

1) Direct renewal:
Let's Encrypt supports several validation methods; the common ones are http and dns. If the web server is running on the same machine, you can use http validation and simply run the renew command:

# /usr/local/letsencrypt/certbot-auto renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (test.com) from /etc/letsencrypt/renewal/test.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2) Renewal with an authentication script:
The error above occurred because domain-ownership validation failed: no --manual-auth-hook parameter was given.
Because the certificate was originally requested from a different machine, http validation cannot be used, so the certificate was issued using dns validation, i.e. by creating a TXT record.

If your domain is resolved by DNSpod, a third-party script can automate the dns validation; other providers have corresponding scripts as well.
https://github.com/al-one/certbot-auth-dnspod

# /usr/local/letsencrypt/certbot-auto certonly -d *.test.com -d test.com --manual --preferred-challenges dns-01 --email admin@test.net --server https://acme-v02.api.letsencrypt.org/directory --manual-auth-hook /path/to/certbot-auth-dnspod.sh
or:
/usr/local/letsencrypt/certbot-auto renew --manual-auth-hook /path/to/certbot-auth-dnspod.sh


3) Manual renewal:
The third-party script requires an API token from the DNS provider, which is not always easy to set up, so the only option left is manual renewal (that is, generating a new key file to overwrite the old one).

# /usr/local/letsencrypt/certbot-auto certonly -d *.test.com -d test.com --manual --preferred-challenges dns --email admin@test.net --server https://acme-v02.api.letsencrypt.org/directory

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for test.com
dns-01 challenge for test.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.test.com with the following value:

t-75JK_JaXlaZ5IC5b7kWsDJ9weqUo2aL-qlXAdq_Zc

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue                           

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.test.com with the following value:

ovibUqBSGf3ayBgYZAzS99ugUAHetyl2fC-bodaEJ2Y

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Two DNS validations take place during the process; add the TXT records for the domain as prompted.
Open your domain provider's console and add a record of type TXT.
The host record is the _acme-challenge.test.com printed above, with the value t-75JK_JaXlaZ5IC5b7kWsDJ9weqUo2aL-qlXAdq_Zc; the second prompt's value (ovibUqBSGf3ayBgYZAzS99ugUAHetyl2fC-bodaEJ2Y) is added as a second TXT record under the same name, and both must be present at the same time.

After filling them in, verify that the TXT records have taken effect:

# dig -t txt _acme-challenge.test.com @8.8.8.8

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t txt _acme-challenge.test.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53987
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.test.com. IN  TXT

;; ANSWER SECTION:
_acme-challenge.test.com. 599 IN TXT "t-75JK_JaXlaZ5IC5b7kWsDJ9weqUo2aL-qlXAdq_Zc"
_acme-challenge.test.com. 599 IN TXT "ovibUqBSGf3ayBgYZAzS99ugUAHetyl2fC-bodaEJ2Y"

;; Query time: 1190 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Sep 04 14:14:39 CST 2020
;; MSG SIZE  rcvd: 168

or:

λ nslookup -qt=txt
默認服務器:  public1.alidns.com
Address:  223.5.5.5

> _acme-challenge.test.com
服務器:  public1.alidns.com
Address:  223.5.5.5

非權威應答:
_acme-challenge.test.com     text =

        "t-75JK_JaXlaZ5IC5b7kWsDJ9weqUo2aL-qlXAdq_Zc"
_acme-challenge.test.com     text =

        "ovibUqBSGf3ayBgYZAzS99ugUAHetyl2fC-bodaEJ2Y"


Once the TXT records are confirmed to be live, press Enter to continue.

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/test.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/test.com/privkey.pem
   Your cert will expire on 2020-09-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

At this point, generation of the domain's validated certificate and key is complete.

3. Restart the nginx service so the configuration takes effect:
Copy the key files to /usr/local/nginx/conf/ssl/test.com

Reload the nginx configuration for the change to take effect:

# /usr/local/nginx/sbin/nginx -s reload

At this point the certificate renewal is complete.
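As an added example (not part of the original post, and not the DNSpod project's code), the following POSIX shell helpers tie sections 1 to 3 together: parsing the `certbot-auto certificates` listing for certificates that are expired or close to expiry, checking that a challenge TXT value is actually visible in `dig +short` output before pressing Enter in the manual flow, and reloading nginx only after `nginx -t` passes. The certbot-auto, nginx and hook paths are taken from the post as assumptions; the sample certificate listing is constructed.

```shell
#!/bin/sh
# Added helper script for the renewal workflow above (not from the original post).
# Assumed paths: /usr/local/letsencrypt/certbot-auto, /usr/local/nginx/sbin/nginx,
# and the DNSpod hook at /path/to/certbot-auth-dnspod.sh.

# Constructed sample of `certbot-auto certificates` output, so the parser can be
# exercised without a live certbot install.
SAMPLE_CERTS='Found the following certs:
  Certificate Name: test.com
    Domains: *.test.com test.com
    Expiry Date: 2020-09-09 08:06:12+00:00 (VALID: 6 days)
  Certificate Name: image.test.net
    Domains: *.image.test.net
    Expiry Date: 2020-01-22 10:08:05+00:00 (INVALID: EXPIRED)
  Certificate Name: long.test.org
    Domains: long.test.org
    Expiry Date: 2021-01-01 00:00:00+00:00 (VALID: 89 days)'

# certs_due_for_renewal THRESHOLD_DAYS
# Reads `certbot-auto certificates` output on stdin and prints, one per line,
# every certificate that is already expired or has fewer than THRESHOLD_DAYS left.
certs_due_for_renewal() {
    awk -v thr="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /INVALID/) { print name; next }
            d = $0; sub(/.*VALID: /, "", d); sub(/ day.*/, "", d)
            if (d + 0 < thr) print name
        }'
}

# txt_value_present EXPECTED
# Reads `dig +short -t txt NAME` output on stdin (quoted strings) and succeeds
# only if EXPECTED is one of the published values. Run this before pressing Enter
# in the manual flow, so certbot does not query a record that has not propagated.
txt_value_present() {
    tr -d '"' | grep -qxF -- "$1"
}

# Renew with the DNS hook, then reload nginx only after the config test passes,
# so a wrong certificate path never takes down the running server.
renew_and_reload() {
    /usr/local/letsencrypt/certbot-auto renew --manual-auth-hook /path/to/certbot-auth-dnspod.sh || return 1
    /usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload
}

# Demonstration against the constructed sample (30-day threshold):
printf '%s\n' "$SAMPLE_CERTS" | certs_due_for_renewal 30
```

The real check is `dig +short -t txt _acme-challenge.test.com @8.8.8.8 | txt_value_present "<value from the prompt>"`.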

[THE END]
