Renewing a free Let's Encrypt SSL certificate
By default Let's Encrypt issues certificates valid for only three months. When about half a month of validity remains, Let's Encrypt sends you an email reminding you to renew the certificate.
I. Check the certificate's remaining validity:
The remaining validity can be checked with the following command:
# /usr/local/letsencrypt/certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name:
Serial Number: 43767e5d8b5768b451f49dc6d2898caf9c4
Domains: *.
Expiry Date: 2020-09-09 08:06:12+00:00 (VALID: 6 days)
Certificate Path: /etc/letsencrypt//fullchain.pem
Private Key Path: /etc/letsencrypt//privkey.pem
Certificate Name: st
Serial Number: 309acc59b6d1526c6f219b3708b92f10c9a
Domains: *.st
Expiry Date: 2020-01-22 10:08:05+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/st/fullchain.pem
Private Key Path: /etc/letsencrypt/st/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
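The check above is easier to automate than to read by eye. The helper below is an added example, not part of the original post: it reads `certbot-auto certificates` output on stdin and prints the names of certificates that are expired or have fewer than a given number of days left. The sample output embedded in it is constructed in the format shown above (names, serials and paths are made up).

```shell
#!/bin/sh
# certs_due THRESHOLD_DAYS
# Reads `certbot-auto certificates` output on stdin and prints the Certificate
# Name of every certificate that is already expired or has fewer than
# THRESHOLD_DAYS of validity left (default 30, certbot's own renewal threshold).
certs_due() {
  threshold="${1:-30}"
  awk -v th="$threshold" '
    /^ *Certificate Name:/ { name = $3 }
    /^ *Expiry Date:/ {
      if ($0 ~ /INVALID: EXPIRED/) { print name; next }
      # "... (VALID: 6 days)" -> "6 days)" so the day count becomes $1
      if (sub(/.*\(VALID: /, "")) {
        if ($1 + 0 < th) print name
      }
    }'
}

# Constructed sample in the format printed by `certbot-auto certificates`
# (names, serials and paths are made up, not real certificates).
SAMPLE_CERTS='Found the following certs:
  Certificate Name: shop.example.test
    Serial Number: 0123456789abcdef0123456789abcdef
    Domains: *.shop.example.test shop.example.test
    Expiry Date: 2020-09-09 08:06:12+00:00 (VALID: 6 days)
    Certificate Path: /etc/letsencrypt/live/shop.example.test/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/shop.example.test/privkey.pem
  Certificate Name: st.example.test
    Serial Number: fedcba9876543210fedcba9876543210
    Domains: *.st.example.test
    Expiry Date: 2020-01-22 10:08:05+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/st.example.test/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/st.example.test/privkey.pem
  Certificate Name: api.example.test
    Serial Number: 00112233445566778899aabbccddeeff
    Domains: api.example.test
    Expiry Date: 2020-12-01 00:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/api.example.test/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/api.example.test/privkey.pem'

# On the server the real output is piped in instead of the sample:
#   /usr/local/letsencrypt/certbot-auto certificates | certs_due 30
printf '%s\n' "$SAMPLE_CERTS" | certs_due 30
```

Gating renewal on a threshold like this, rather than running `renew --force-renewal` from cron, matters because a forced renewal issues a fresh certificate every run and counts against Let's Encrypt's duplicate-certificate rate limit.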
II. Renewing the domain certificate:
1. Direct renewal:
Let's Encrypt supports several validation methods; the common ones are http and dns. If the web server runs on this machine, http validation can be used and the renew command run directly:
# /usr/local/letsencrypt/certbot-auto renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/nf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert () from /etc/letsencrypt/nf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2. Renewal with an authentication script:
The error above is because domain ownership validation failed: no --manual-auth-hook parameter was specified.
Because the certificate was requested from a different machine, the http method cannot be used; the certificate was therefore originally requested with the dns method, i.e. by creating TXT records.
If the domain is resolved by DNSPod, a third-party script can automate the dns validation; other providers have corresponding scripts.
# /usr/local/letsencrypt/certbot-auto certonly -d *. - --manual --preferred-challenges dns-01 --email admin@test --server https://acme-v02.api.letsencrypt.org/directory --manual-auth-hook /path/to/certbot-auth-dnspod.sh
or:
# /usr/local/letsencrypt/certbot-auto renew --manual-auth-hook /path/to/certbot-auth-dnspod.sh
3. Manual renewal:
Setting up the DNS provider's API token that the third-party script needs is not that easy, so manual renewal is used instead (i.e. generating new key files and overwriting the old ones).
# /usr/local/letsencrypt/certbot-auto certonly -d *. - --manual --preferred-challenges dns --email admin@test --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal,
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge
dns-01 challenge
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_ with the following value:
t-75JK_JaXlaZ5IC5b7kWsDJ9weqUo2aL-qlXAdq_Zc
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_ with the following value:
ovibUqBSGf3ayBgYZAzS99ugUAHetyl2fC-bodaEJ2Y
Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Two rounds of DNS validation occur during the process; add the TXT records as prompted.
Open your domain provider's console and add a record of type TXT.
The host record is the _ name printed above and the record value is t-75JK_JaXlaZ5IC5b7kWsDJ9weqUo2aL-qlXAdq_Zc.
After adding it, verify that the TXT record has taken effect:
# dig -t txt _ @8.8.8.8
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t txt _ @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53987
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_ IN TXT
;; ANSWER SECTION:
_ 599 IN TXT "t-75JK_JaXlaZ5IC5b7kWsDJ9weqUo2aL-qlXAdq_Zc"
_ 599 IN TXT "ovibUqBSGf3ayBgYZAzS99ugUAHetyl2fC-bodaEJ2Y"
;; Query time: 1190 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Sep 04 14:14:39 CST 2020
;; MSG SIZE rcvd: 168
or:
λ nslookup -qt=txt
默认服务器:
Address: 223.5.5.5
> _
服务器:
Address: 223.5.5.5
⾮权威应答:
_ text =
"t-75JK_JaXlaZ5IC5b7kWsDJ9weqUo2aL-qlXAdq_Zc"
_ text =
"ovibUqBSGf3ayBgYZAzS99ugUAHetyl2fC-bodaEJ2Y"
Once the TXT record is confirmed to be live, press Enter to continue.
Waiting
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt//fullchain.pem
Your key file has been saved at:
/etc/letsencrypt//privkey.pem
Your cert will expire on 2020-09-09. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
At this point the domain validation and key generation are complete.
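The dig check above and the --manual-auth-hook that the renew command in section 2 asked for can be combined into one hook script; the one below is an added example, not the post's own or a DNSPod script. Used as `--manual-auth-hook`, it prints the `_acme-challenge` record built from the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables that certbot exports to hooks, then polls a public resolver until that value is visible, which replaces the "press Enter" step (creating the record at the DNS provider is still done by hand). The resolver 8.8.8.8, the attempt count and the interval are assumed defaults.

```shell
#!/bin/sh
# wait-for-txt.sh: a --manual-auth-hook for the dns-01 challenge.
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook. This
# script prints the record to deploy and blocks until a public resolver returns
# that value, so certbot only asks the CA to validate once the record is really
# visible. The record itself must still be created at the DNS provider.

# txt_has_value VALUE: read dig output on stdin and succeed if any TXT answer
# carries exactly VALUE. Matching the quoted string works for both `dig +short`
# and full dig output, and tolerates the extra TXT records certbot asks for when
# several challenges (e.g. wildcard plus apex) share one name.
txt_has_value() {
  grep -qF "\"$1\""
}

# wait_for_txt NAME VALUE [RESOLVER] [ATTEMPTS] [INTERVAL]
# Polls RESOLVER (assumed default 8.8.8.8) up to ATTEMPTS times, INTERVAL
# seconds apart; returns 0 once VALUE is visible, 1 on timeout.
wait_for_txt() {
  name="$1"; value="$2"; resolver="${3:-8.8.8.8}"
  attempts="${4:-60}"; interval="${5:-10}"
  i=0
  while [ "$i" -lt "$attempts" ]; do
    if dig +short TXT "$name" "@$resolver" | txt_has_value "$value"; then
      return 0
    fi
    i=$((i + 1))
    sleep "$interval"
  done
  return 1
}

# Only act when invoked by certbot; running or sourcing it otherwise is a no-op.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  record="_acme-challenge.${CERTBOT_DOMAIN}"
  echo "Deploy TXT record: ${record} = ${CERTBOT_VALIDATION}" >&2
  wait_for_txt "$record" "$CERTBOT_VALIDATION" || {
    echo "TXT record for ${record} not visible; aborting challenge" >&2
    exit 1
  }
fi
```

Exiting non-zero on timeout makes certbot fail the challenge locally instead of submitting a record the CA cannot see, which is the failure mode the manual "verify the record is deployed" prompt guards against.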
III. Restart the nginx service so the configuration takes effect:
Copy the key files to /usr/local/nginx/conf/
Reload the nginx configuration for it to take effect:
# /usr/local/nginx/sbin/nginx -s reload
The certificate renewal is now complete.
[THE END]