
Blog host: automatic renewal of a free certificate

2020-12-13 12:36:19 hello886

Original title: Blog host _ Automatically apply for and renew a free certificate

 

I was careless and let the domain's certificate expire. It is a free Let's Encrypt certificate, which has to be renewed manually every 3 months, 4 times a year. That is still a bit of a hassle, so automating it would be nice.
The following steps were performed on the server (Ubuntu 16, Tencent Cloud).

Download the certbot-auto script

 
 
cd opt/
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Running certbot-auto may fail with:

 
 
An unexpected error occurred: UnicodeEncodeError: 'ascii' codec can't encode

The script tries to modify the nginx configuration file, and that file contains Chinese characters. I prefer to stay in control rather than rely on the script: let the script only generate or renew the certificate, and copy and configure the certificate by hand. On the one hand it is more controllable; on the other, I know how to deal with errors.

Generate the certificate and private key

Command

 
 
./certbot-auto certonly -d '*.example.cn' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
  1. certonly: only obtain the certificate, do not install it
  2. -d: the domain name of the certificate; for a wildcard certificate enter *.example.cn (quoted so the shell does not expand it)
  3. --manual: use the manual (interactive) authenticator plugin
  4. --preferred-challenges dns: prove domain ownership with the DNS method
  5. --server: the Let's Encrypt ACME v2 endpoint differs from v1 and has to be given explicitly

Output

 
 
Requesting to rerun ./certbot-auto with root privileges...
./certbot-auto has insecure permissions!
To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.cn with the following value:

v8somjB6jyjkZ9-fi_5l705CA_ERu0hRJcGFbLpHNaQ    # configure this value as the DNS TXT record

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: xxxxx(your email)@163.com).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.cn/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.cn/privkey.pem
   Your cert will expire on 2021-02-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Two points need attention with the command above:
1. It is best to run it on the machine where the service is deployed.
2. The second step requires adding a DNS record, but the change may not take effect immediately. Wait until it has propagated before pressing Enter; otherwise issuing the certificate may fail.

Sample DNS record configuration in Tencent Cloud

Verify that the DNS record has taken effect

 
 
# the name is the full _acme-challenge subdomain being resolved
nslookup -q=txt _acme-challenge.example.cn

If the TXT record is returned, the configuration has taken effect.
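Because the DNS change can take a while to propagate, the point above where you press Enter is easy to get wrong. The following script is an added example, not part of the original post: it polls DNS with the same nslookup query until the TXT record carries the value certbot printed, and only then tells you to continue. The record name and expected value are passed as arguments (assumptions, not values fixed by the post).

```shell
#!/bin/sh
# Added example (not from the original post): wait until the _acme-challenge TXT
# record is visible in DNS before pressing Enter in certbot. Record name and
# expected value are passed as arguments; nslookup is used because it is the
# tool the post already uses.

# Read nslookup output on stdin; succeed if a TXT record with the expected value is present.
txt_value_present() {
    expected="$1"
    grep -F "\"$expected\"" >/dev/null
}

# Poll DNS until the record shows up: wait_for_txt NAME VALUE [MAX_TRIES] [INTERVAL_SECONDS]
wait_for_txt() {
    name="$1"; expected="$2"; max_tries="${3:-30}"; interval="${4:-10}"
    i=0
    while [ "$i" -lt "$max_tries" ]; do
        if nslookup -q=txt "$name" 2>/dev/null | txt_value_present "$expected"; then
            echo "TXT record $name is live with the expected value"
            return 0
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    echo "TXT record $name not visible after $max_tries tries" >&2
    return 1
}

# Usage: ./wait_txt.sh _acme-challenge.example.cn <value printed by certbot>
if [ "$#" -ge 2 ]; then
    wait_for_txt "$@"
fi
```

nslookup asks the local resolver, whose negative cache can lag behind the authoritative zone; if the loop keeps failing long after the record was added, query the zone's nameserver directly (nslookup -q=txt NAME NAMESERVER) before concluding the record is wrong.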

The generated certificate and key

 
 
(base) john@VM-0-3-ubuntu:~$ sudo ls -lh /etc/letsencrypt/live/example.cn
total 4.0K
lrwxrwxrwx 1 root root  33 Nov 22 16:25 cert.pem -> ../../archive/example.cn/cert1.pem
lrwxrwxrwx 1 root root  34 Nov 22 16:25 chain.pem -> ../../archive/example.cn/chain1.pem
lrwxrwxrwx 1 root root  38 Nov 22 16:25 fullchain.pem -> ../../archive/example.cn/fullchain1.pem
lrwxrwxrwx 1 root root  36 Nov 22 16:25 privkey.pem -> ../../archive/example.cn/privkey1.pem
-rw-r--r-- 1 root root 692 Nov 22 16:25 README

Configure nginx

Example

 
 
server {
        listen       443 ssl;
        server_name  localhost;

        location / {
            root   html;
            index  index.html index.htm;
        }
        ssl on;   # redundant with "listen 443 ssl"; the directive was removed in nginx 1.25
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are obsolete; TLSv1.2 alone is enough
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;   # still admits RC4, LOW, export and SSLv2-era suites
        ssl_prefer_server_ciphers on;
        ssl_certificate      /etc/letsencrypt/live/example.cn/fullchain.pem;   # with cert.pem the certificate is valid, but the browser still reports the site as not secure
        ssl_certificate_key  /etc/letsencrypt/live/example.cn/privkey.pem;
}

After editing, test the nginx configuration: sudo nginx -t
If the test passes, restart nginx: sudo service nginx restart
Open your site and click the lock icon in the address bar; the certificate should now be in effect.
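The cert.pem/fullchain.pem mistake the post warns about, and the legacy protocol and cipher settings in the example block, are all visible in the config text, so they can be caught before nginx -t. The script below is an added example, not from the original post: it reads a server block on stdin and reports those settings. The directive names are real nginx directives; the checks themselves are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): a small lint for an nginx TLS server block.
# It reads the block on stdin, prints one line per finding and returns 1 if anything
# was found, 0 if the block is clean.

check_tls_config() {
    findings=0
    # Drop comments so a commented-out directive is not reported.
    conf=$(sed 's/#.*$//')

    # cert.pem lacks the intermediate certificate; clients then cannot build the chain.
    if printf '%s\n' "$conf" | grep -q -E 'ssl_certificate[[:space:]]+[^;]*/cert\.pem'; then
        echo "ssl_certificate points at cert.pem: use fullchain.pem so clients get the intermediate"
        findings=$((findings + 1))
    fi
    # "ssl on;" was deprecated in 1.15 and removed in 1.25; "listen 443 ssl;" already enables TLS.
    if printf '%s\n' "$conf" | grep -q -E '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo "'ssl on;' is deprecated: 'listen 443 ssl;' is enough"
        findings=$((findings + 1))
    fi
    # TLSv1 and TLSv1.1 are obsolete; match them as whole tokens so TLSv1.2/1.3 do not trigger.
    if printf '%s\n' "$conf" | grep 'ssl_protocols' | grep -q -E 'TLSv1(\.1)?([[:space:]]|;)'; then
        echo "ssl_protocols enables TLSv1/TLSv1.1: restrict to TLSv1.2 (and TLSv1.3 where supported)"
        findings=$((findings + 1))
    fi
    # Weak suites added positively (after ':' or '+'); excluded ones ('!RC4') are fine.
    if printf '%s\n' "$conf" | grep 'ssl_ciphers' | grep -q -E '(:|\+|[[:space:]])(RC4|EXP|LOW|SSLv2|NULL|MD5)'; then
        echo "ssl_ciphers admits weak suites (RC4/EXP/LOW/SSLv2/NULL/MD5): use a modern cipher list"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Usage: ./check_tls.sh /etc/nginx/sites-enabled/default
if [ "$#" -ge 1 ]; then
    check_tls_config < "$1"
fi
```

Run it on the block above and it reports the deprecated ssl directive, the TLSv1/TLSv1.1 protocols and the cipher list; a block that uses only fullchain.pem, TLSv1.2/1.3 and a list such as HIGH:!aNULL:!MD5 passes cleanly.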

Automatic renewal

A free certificate has to be renewed every 3 months, which is a hassle, so you can add a scheduled task that runs a renewal script.

 
 
touch sslrenew.sh
chmod +x sslrenew.sh

Contents of sslrenew.sh

 
 
<path to certbot>/certbot-auto renew

Configure the scheduled task

 
 
Edit scheduled tasks: crontab -e
0 0 1 * * /home/john/opt/sslrenew.sh # on the 1st of every month
List scheduled tasks: crontab -l
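The one-line sslrenew.sh above renews the certificate but never reloads nginx, and nginx only reads certificate files at start or reload, so the renewed certificate would not be served until the next restart. The script below is an added example that is not the post's own sslrenew.sh: it runs the renewal, and uses certbot's --deploy-hook (which certbot runs only for certificates that were actually renewed) to call itself back and reload nginx after nginx -t passes. CERTBOT, NGINX and LOG are assumed paths. Two caveats that follow from the post's own output: certbot-auto re-executes itself with root privileges, so the cron entry belongs in root's crontab (sudo crontab -e) or it will stall on a sudo prompt; and a certificate issued with --manual cannot be renewed non-interactively unless certbot is also given --manual-auth-hook with a script that publishes the TXT record via your DNS provider's API, which is provider-specific and not shown here.

```shell
#!/bin/sh
# Added example (not the post's own sslrenew.sh): renew with certbot, then reload
# nginx only when a certificate was actually renewed and the config still passes
# nginx -t. CERTBOT, NGINX and LOG are assumed paths; override them in the
# environment if yours differ.

CERTBOT="${CERTBOT:-/home/john/opt/certbot-auto}"   # assumed location of certbot-auto
NGINX="${NGINX:-nginx}"                              # nginx binary (overridable for testing)
LOG="${LOG:-/var/log/sslrenew.log}"                  # assumed log file

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"
}

# nginx reads certificate files only at start/reload, so a renewed certificate is not
# served until nginx is reloaded. Test the config first so a bad config never takes the site down.
reload_nginx() {
    if "$NGINX" -t >/dev/null 2>&1; then
        "$NGINX" -s reload && log "nginx reloaded"
    else
        log "nginx -t failed; not reloading"
        return 1
    fi
}

# certbot runs --deploy-hook only for certificates that were actually renewed,
# so nginx is not reloaded on the months where nothing was due.
renew() {
    if "$CERTBOT" renew --quiet --deploy-hook "$0 reload"; then
        log "certbot renew finished"
    else
        log "certbot renew failed"
        return 1
    fi
}

main() {
    case "${1:-renew}" in
        renew)  renew ;;
        reload) reload_nginx ;;
        *)      echo "usage: $0 [renew|reload]" >&2; return 2 ;;
    esac
}

# Run only when executed as sslrenew.sh (for example from cron), not when sourced.
case "$(basename "$0")" in
    sslrenew.sh) main "$@" ;;
esac
```

With this script the crontab line from the post stays the same (0 0 1 * * /home/john/opt/sslrenew.sh), and the log file shows whether each monthly run renewed anything and whether nginx was reloaded.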


Copyright notice
This article was written by hello886; please include the original link when reposting:
https://chowdera.com/2020/12/20201213123533682e.html
