用Certbot实现LetsEncrypt主域名证书以及通配符证书的自动更新

     0评论

本文介绍用certbot、certbot-auto自动更新主域名、通配符域名的SSL证书的方法以及原理。

一些概念的理清

以下几个概念要分清楚:

  • EFF 机构
  • ACME 协议
  • Certbot 工具
  • Let’s Encrypt 项目
  • HTTPS Everywhere 浏览器扩展
  • Challenge Types 认证域名所有权的标准

https://certbot.eff.org/

要解决的问题

certbot renew是根据证书之前获取的方式尝试更新,但不能自动更新通配符域名证书。

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/example.com-0001.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cert not yet due for renewal - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/example.com.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Attempting to parse the version 0.34.2 renewal configuration file found at /etc/letsencrypt/renewal/example.com.conf with version 0.31.0 of Certbot. This might not work. Cert not yet due for renewal

使用certbot-auto

certbot-auto是一个自动化脚本,其会自动安装certbot以及依赖包,并为执行certbot任务提供一层包装。certbot-auto运行在virtual env中,会自动安装、更新certbot,通过cerbot-auto运行的证书管理命令、参数等都会转发给certbot处理。

All arguments are accepted and forwarded to the Certbot client when run.

下载安装certbot-auto

wget https://dl.eff.org/certbot-auto chmod a+x ./certbot-auto cp certbot-auto /usr/local/bin ./certbot-auto --help

certbot-auto的用法

qiushan@topvps:~/app# ./certbot-auto --help Usage: certbot-auto [OPTIONS] A self-updating wrapper script for the Certbot ACME client. When run, updates to both this script and certbot will be downloaded and installed. After ensuring you have the latest versions installed, certbot will be invoked with all arguments you have provided. Help for certbot itself cannot be provided until it is installed. --debug attempt experimental installation -h, --help print this help -n, --non-interactive, --noninteractive run without asking for user input --no-bootstrap do not install OS dependencies --no-permissions-check do not warn about file system permissions --no-self-upgrade do not download updates --os-packages-only install OS dependencies and exit --install-only install certbot, upgrade if needed, and exit -v, --verbose provide more output -q, --quiet provide only update/error output; implies --non-interactive All arguments are accepted and forwarded to the Certbot client when run.

只安装

./certbot-auto --install-only

gcc is already the newest version (4:5.3.1-1ubuntu1). gcc set to manually installed. augeas-lenses is already the newest version (1.4.0-0ubuntu1.1). augeas-lenses set to manually installed. libaugeas0 is already the newest version (1.4.0-0ubuntu1.1). libaugeas0 set to manually installed. ca-certificates is already the newest version (20170717~16.04.2). python is already the newest version (2.7.12-1~16.04). python-dev is already the newest version (2.7.12-1~16.04). python-dev set to manually installed. openssl is already the newest version (1.1.1-1+ubuntu16.04.1+deb.sury.org+1). The following additional packages will be installed: python3-virtualenv Suggested packages: libssl-doc The following NEW packages will be installed: libffi-dev libssl-dev python-virtualenv python3-virtualenv virtualenv 0 upgraded, 5 newly installed, 0 to remove and 33 not upgraded. Need to get 2,044 kB of archives. After this operation, 8,823 kB of additional disk space will be used. Do you want to continue? [Y/n] y

webroot和certbot的插件机制

使用webroot插件时,可以同时服务放在单独路径或者分别路径的多个域名。

certbot certonly --webroot -w /var/www/html/example -d example.net -d example.com -w /var/www/html/other -d other.example.net -d another.other.example.net

插件主要提供认证(-a)和安装(-i)两项功能,认证当然就是验证你对域名的所有权或对web服务器的管理权,安装就是自动将证书配置到你使用的web服务器上,如apache、nginx等。有时你运行着web服务,有时则没有,standalone就是在你没有可用的web服务器用于验证时,由certbot临时开启一个web服务以完成验证,当然前提是你已经将域名解析指向当前服务器的IP。下面是这些插件在主要层面的比较:

Plugin Auth Inst Challenge types (and port) Notes
apache Y Y http-01(80) Automates obtaining and installing a certificate with Apache.
nginx Y Y http-01(80) Automates obtaining and installing a certificate with Nginx.
webroot Y N http-01(80) Obtains a certificate by writing to the webroot directory of an already running webserver.
standalone Y N http-01(80) Uses a “standalone” webserver to obtain a certificate. Requires port 80 to be available. This is useful on systems with no webserver, or when direct integration with the local webserver is not supported or not desired.
DNS plugins Y N dns-01(53) This category of plugins automates obtaining a certificate by modifying DNS records to prove you have control over a domain. Doing domain validation in this way is the only way to obtain wildcard certificates from Let’s Encrypt.
manual Y N http-01(80) ordns-01(53) Helps you obtain a certificate by giving you instructions to perform domain validation yourself. Additionally allows you to specify scripts to automate the validation task in a customized way.

使用webroot插件自动换取单域名证书。

qiushan@topvps:~$ sudo certbot certonly --webroot -w /var/www/html/example -d example.com Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None # certonly指令包含获取、更新证书两项功能,所以这里的意图是首次获取单域名的证书,它还是会检测是否有其它需要更新的证书,以及它能否更新。 Attempting to parse the version 0.34.2 renewal configuration file found at /etc/letsencrypt/renewal/example.net.conf with version 0.31.0 of Certbot. This might not work. Obtaining a new certificate Performing the following challenges: http-01 challenge for example.com Using the webroot path /var/www/html/example for all unmatched domains. Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/example.com-0001/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/example.com-0001/privkey.pem Your cert will expire on 2019-08-06. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le

使用hook插件实现通配符域名的自动获取、更新。

要完成dns-01验证,需要通过manual插件,手动去DNS服务商那里更新解析比较费事,manual插件的一些插件/钩子脚本可以自动帮我们更新域名记录并完成认证,所以我们使用此类钩子脚本完成这项工作。国内常用的阿里云、腾讯DNSPOD可以通过下面这个插件实现,cloudflare等国外常用的DNS服务则需要其它的插件。

插件地址:certbot-letencrypt-wildcardcertificates-alydns-au

$ git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au $ cd certbot-letencrypt-wildcardcertificates-alydns-au # 根据其中的说明配置所需响应DNS服务的api token,支持阿里云、腾讯DNSPOD和GoDaddy $ vim au.sh $ chmod 0777 au.sh

此插件的默认路径比较长,我们配置个变量,以方便使用,尤其要运行多次时,还是很省事的:

toolpath=~/app/certbot-letencrypt-wildcardcertificates-alydns-au # 使用manual-auth-hook 和 manual-cleanup-hook这两个钩子参数调用我们配置的插件 # 更新全部 ./certbot-auto renew --manual --preferred-challenges dns --manual-public-ip-logging-ok --manual-auth-hook "/$toolpath/au.sh php aly add" --manual-cleanup-hook "/$toolpath/au.sh php aly clean" # 更新一个 ./certbot-auto renew --cert-name simplehttps.com --manual-auth-hook "/$toolpath/au.sh php aly add" --manual-cleanup-hook "/$toolpath/au.sh php aly clean"

配置cronjob:

#证书有效期<30天才会renew,所以crontab可以配置为1天或1周 1 1 */1 * * root certbot-auto renew --manual --preferred-challenges dns --manual-public-ip-logging-ok --manual-auth-hook "/$toolpath/au.sh php aly add" --manual-cleanup-hook "/$toolpath/au.sh php aly clean" # 如果是certbot 机器和运行web服务(比如 nginx,apache)的机器是同一台,那么成功renew证书后,可以启动对应的web 服务器,运行下列crontab: # 注意只有成功renew证书,才会重新启动nginx 1 1 */1 * * root certbot-auto renew --manual --preferred-challenges dns --manual-public-ip-logging-ok --deploy-hook "service nginx restart" --manual-auth-hook "/$toolpath/au.sh php aly add" --manual-cleanup-hook "/$toolpath/au.sh php aly clean"

定期更新多个域名证书

对于多个DNS服务商管理的域名,可以通过下面的脚本实现一次性更新:

#!/bin/bash toolpath=/home/ubuntu/app/certbot-letencrypt-wildcardcertificates-alydns-au ws=apache2 while read -r certname sp do certbot-auto renew --cert-name $certname --manual --preferred-challenges dns --manual-public-ip-logging-ok --deploy-hook "service $ws restart" --manual-auth-hook "/$toolpath/au.sh php $sp add" --manual-cleanup-hook "/$toolpath/au.sh php $sp clean" done < /home/ubuntu/app/wildchar_certs.txt

配置cron任务,定期执行主域名证书更新任务和通配符域名证书更新任务:

1 1 * * 6 certbot renew >/dev/null 2>&1 1 1 * * 7 /home/ubuntu/app/update_wildchar_certs.sh > /dev/null 2>&1

附certbot-auto帮助页

man page:

certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ... Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the certificate. The most common SUBCOMMANDS and flags are: obtain, install, and renew certificates: (default) run Obtain & install a certificate in your current webserver certonly Obtain or renew a certificate, but do not install it renew Renew all previously obtained certificates that are near expiry enhance Add security enhancements to your existing configuration -d DOMAINS Comma-separated list of domains to obtain a certificate for --apache Use the Apache plugin for authentication & installation --standalone Run a standalone webserver for authentication --nginx Use the Nginx plugin for authentication & installation --webroot Place files in a server's webroot folder for authentication --manual Obtain certificates interactively, or using shell script hooks -n Run non-interactively --test-cert Obtain a test certificate from a staging server --dry-run Test "renew" or "certonly" without saving any certificates to disk manage certificates: certificates Display information about certificates you have from Certbot revoke Revoke a certificate (supply --cert-path or --cert-name) delete Delete a certificate manage your account with Let's Encrypt: register Create a Let's Encrypt ACME account unregister Deactivate a Let's Encrypt ACME account update_account Update a Let's Encrypt ACME account --agree-tos Agree to the ACME server's Subscriber Agreement -m EMAIL Email address for important account notifications More detailed help: -h, --help [TOPIC] print this message, or detailed help on a topic; the available TOPICS are: all, automation, commands, paths, security, testing, or any of the subcommands or plugins (certonly, renew, install, register, nginx, apache, standalone, webroot, etc.) -h all print a detailed help page including all topics --version print the version number - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-- EOF --

本文最后修改于5年前 (2019-07-08)

差评不太行一般挺好非常不错 (1 votes, average: 1.00 out of 5)
读取中...
发表我的评论
取消评论
表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址