This article describes how to renew SSL certificates for a primary domain and for wildcard domains automatically with certbot and certbot-auto, and how the mechanism works.
Sorting out some concepts

The following concepts should be kept distinct:
- EFF, the organisation
- ACME, the protocol
- Certbot, the tool
- Let’s Encrypt, the project
- HTTPS Everywhere, the browser extension
- Challenge types, the standard for proving control of a domain
The problem to solve

`certbot renew` tries to renew each certificate with the method it was originally obtained by, but it cannot renew wildcard certificates automatically:

```text
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Attempting to parse the version 0.34.2 renewal configuration file found at /etc/letsencrypt/renewal/example.com.conf with version 0.31.0 of Certbot. This might not work.
Cert not yet due for renewal
```
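Both messages above come from the per-certificate renewal files under /etc/letsencrypt/renewal/: the "not yet due" check and the warning that the file was written by a newer certbot (0.34.2) than the one installed (0.31.0). Those files are also where certbot records how a certificate was obtained, which decides whether `certbot renew` can proceed unattended. The script below is an added example, not from the original post, that reads them and reports which lineages renew on their own and which were obtained with the manual authenticator over dns-01 without stored hooks (the wildcard case). The keys it reads (version, authenticator, pref_challs, manual_auth_hook) are the ones certbot writes under [renewalparams]; the sample files written by demo() are constructed.

```shell
#!/bin/sh
# Added example: audit certbot renewal configuration files and report, per
# lineage, whether "certbot renew" can run unattended.  The sample files in
# demo() are constructed; the key names are those certbot stores.

# Read one "key = value" setting; renewal files use each key at most once.
conf_get() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# True when dotted version $1 is lower than $2 (numeric, field by field).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0;
            if (x[i] + 0 > y[i] + 0) exit 1;
        }
        exit 1 }'
}

# Classify a lineage.  Output: "<name> <state>[ newer-conf(<file>><installed>)]"
#   auto    renew works with the stored parameters (webroot, nginx, apache, or
#           manual with a stored auth hook)
#   hooks   manual + dns-01 and no stored hook: renew needs
#           --manual-auth-hook/--manual-cleanup-hook on the command line
#   manual  manual with http-01 or no preferred challenge: interactive only
audit_lineage() {  # $1 = conf file, $2 = installed certbot version
    auth=$(conf_get "$1" authenticator)
    challs=$(conf_get "$1" pref_challs)
    hook=$(conf_get "$1" manual_auth_hook)
    ver=$(conf_get "$1" version)
    state=auto
    if [ "$auth" = "manual" ] && [ -z "$hook" ]; then
        case "$challs" in
            dns-01*) state=hooks ;;
            *)       state=manual ;;
        esac
    fi
    note=""
    # The "version X renewal configuration file ... with version Y of Certbot"
    # warning: the file was written by a newer client than the one running.
    if [ -n "$ver" ] && [ -n "$2" ] && version_lt "$2" "$ver"; then
        note=" newer-conf($ver>$2)"
    fi
    printf '%s %s%s\n' "$(basename "$1" .conf)" "$state" "$note"
}

# Run over every lineage with the installed certbot's version.
audit_all() {  # $1 = renewal directory, e.g. /etc/letsencrypt/renewal
    v=$(certbot --version 2>&1 | sed -n 's/^certbot \([0-9.]*\).*/\1/p')
    for f in "$1"/*.conf; do audit_lineage "$f" "$v"; done
}

# Demo on constructed files mirroring the two lineages in the renew output above.
demo() {
    d=$(mktemp -d)
    printf 'version = 0.31.0\n[renewalparams]\nauthenticator = webroot\n' > "$d/example.net.conf"
    printf 'version = 0.34.2\n[renewalparams]\nauthenticator = manual\npref_challs = dns-01,\n' > "$d/example.com.conf"
    for f in "$d"/*.conf; do audit_lineage "$f" 0.31.0; done
    rm -rf "$d"
}
```

Run `audit_all /etc/letsencrypt/renewal` on the certbot host; a lineage reported as `hooks` is one that the plain `certbot renew` cron job will skip or fail on, and the later sections cover how to supply the hooks.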
Using certbot-auto

certbot-auto is an automation script: it installs certbot and its dependencies and wraps the execution of certbot. It runs certbot inside a virtualenv, installs and updates certbot automatically, and forwards the certificate-management commands and arguments it receives to certbot.

All arguments are accepted and forwarded to the Certbot client when run.

Download and install certbot-auto:

```sh
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
cp certbot-auto /usr/local/bin
./certbot-auto --help
```
certbot-auto usage

```text
qiushan@topvps:~/app# ./certbot-auto --help
Usage: certbot-auto [OPTIONS]
A self-updating wrapper script for the Certbot ACME client. When run, updates
to both this script and certbot will be downloaded and installed. After
ensuring you have the latest versions installed, certbot will be invoked with
all arguments you have provided.
Help for certbot itself cannot be provided until it is installed.
  --debug                                   attempt experimental installation
  -h, --help                                print this help
  -n, --non-interactive, --noninteractive   run without asking for user input
  --no-bootstrap                            do not install OS dependencies
  --no-permissions-check                    do not warn about file system permissions
  --no-self-upgrade                         do not download updates
  --os-packages-only                        install OS dependencies and exit
  --install-only                            install certbot, upgrade if needed, and exit
  -v, --verbose                             provide more output
  -q, --quiet                               provide only update/error output;
                                            implies --non-interactive
All arguments are accepted and forwarded to the Certbot client when run.
```
Install only:

```text
./certbot-auto --install-only
gcc is already the newest version (4:5.3.1-1ubuntu1).
gcc set to manually installed.
augeas-lenses is already the newest version (1.4.0-0ubuntu1.1).
augeas-lenses set to manually installed.
libaugeas0 is already the newest version (1.4.0-0ubuntu1.1).
libaugeas0 set to manually installed.
ca-certificates is already the newest version (20170717~16.04.2).
python is already the newest version (2.7.12-1~16.04).
python-dev is already the newest version (2.7.12-1~16.04).
python-dev set to manually installed.
openssl is already the newest version (1.1.1-1+ubuntu16.04.1+deb.sury.org+1).
The following additional packages will be installed:
 python3-virtualenv
Suggested packages:
 libssl-doc
The following NEW packages will be installed:
 libffi-dev libssl-dev python-virtualenv python3-virtualenv virtualenv
0 upgraded, 5 newly installed, 0 to remove and 33 not upgraded.
Need to get 2,044 kB of archives.
After this operation, 8,823 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
```
The webroot plugin and Certbot's plugin mechanism

With the webroot plugin, several domains can be served in one run, whether they share a web root or each have their own; each `-w` applies to the `-d` domains that follow it:

```sh
certbot certonly --webroot -w /var/www/html/example -d example.net -d example.com -w /var/www/html/other -d other.example.net -d another.other.example.net
```

Plugins provide two functions, authentication (-a) and installation (-i). Authentication proves that you control the domain or administer the web server; installation configures the certificate into the web server you run, such as Apache or Nginx. Sometimes a web server is already running and sometimes not: standalone covers the case where no usable web server is available for validation by having certbot start a temporary one, provided the domain's DNS already points at this server's IP. The main properties of the plugins compare as follows:

| Plugin | Auth | Inst | Challenge types (and port) | Notes |
|---|---|---|---|---|
| apache | Y | Y | http-01 (80) | Automates obtaining and installing a certificate with Apache. |
| nginx | Y | Y | http-01 (80) | Automates obtaining and installing a certificate with Nginx. |
| webroot | Y | N | http-01 (80) | Obtains a certificate by writing to the webroot directory of an already running webserver. |
| standalone | Y | N | http-01 (80) | Uses a “standalone” webserver to obtain a certificate. Requires port 80 to be available. This is useful on systems with no webserver, or when direct integration with the local webserver is not supported or not desired. |
| DNS plugins | Y | N | dns-01 (53) | This category of plugins automates obtaining a certificate by modifying DNS records to prove you have control over a domain. Doing domain validation in this way is the only way to obtain wildcard certificates from Let’s Encrypt. |
| manual | Y | N | http-01 (80) or dns-01 (53) | Helps you obtain a certificate by giving you instructions to perform domain validation yourself. Additionally allows you to specify scripts to automate the validation task in a customized way. |
Obtaining a single-domain certificate automatically with the webroot plugin

```text
qiushan@topvps:~$ sudo certbot certonly --webroot -w /var/www/html/example -d example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
# certonly covers both obtaining and renewing certificates, so although the intent here is to obtain a
# single-domain certificate for the first time, it still checks whether other certificates need renewal
# and whether it is able to renew them.
Attempting to parse the version 0.34.2 renewal configuration file found at /etc/letsencrypt/renewal/example.net.conf with version 0.31.0 of Certbot. This might not work.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
Using the webroot path /var/www/html/example for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com-0001/privkey.pem
   Your cert will expire on 2019-08-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
Obtaining and renewing wildcard certificates automatically with hook scripts

The dns-01 challenge has to go through the manual plugin. Updating the records at the DNS provider by hand each time is tedious, but the manual plugin accepts hook scripts that update the domain's records and complete the validation for us, so we use one of those. For Aliyun and Tencent DNSPod, which are common in China, the plugin below does the job; DNS services common abroad, such as Cloudflare, need other plugins.

Plugin: certbot-letencrypt-wildcardcertificates-alydns-au

```sh
$ git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
$ cd certbot-letencrypt-wildcardcertificates-alydns-au
# Following the README, fill in the API token for your DNS service; Aliyun, Tencent DNSPod and GoDaddy are supported
$ vim au.sh
# The script now holds your DNS API token, so keep it readable and executable by its owner only;
# a world-writable (0777) hook run from root's crontab is also a privilege-escalation path
$ chmod 0700 au.sh
```
The plugin's default path is long, so set a variable for it; this saves effort, especially when running it several times:

```sh
toolpath=~/app/certbot-letencrypt-wildcardcertificates-alydns-au
# Call the configured plugin through the two hook parameters --manual-auth-hook and --manual-cleanup-hook
# Renew everything
./certbot-auto renew --manual --preferred-challenges dns --manual-public-ip-logging-ok --manual-auth-hook "$toolpath/au.sh php aly add" --manual-cleanup-hook "$toolpath/au.sh php aly clean"
# Renew one certificate
./certbot-auto renew --cert-name simplehttps.com --manual-auth-hook "$toolpath/au.sh php aly add" --manual-cleanup-hook "$toolpath/au.sh php aly clean"
```
Configure a cron job:

```text
# Define the plugin path in the crontab itself: cron does not see variables set in your shell
toolpath=/home/ubuntu/app/certbot-letencrypt-wildcardcertificates-alydns-au
# A certificate is only renewed once it has less than 30 days left, so the job can run daily or weekly
1 1 */1 * * root certbot-auto renew --manual --preferred-challenges dns --manual-public-ip-logging-ok --manual-auth-hook "$toolpath/au.sh php aly add" --manual-cleanup-hook "$toolpath/au.sh php aly clean"
# If certbot and the web server (nginx, apache, ...) run on the same machine, the web server can be
# restarted after a successful renewal by using this crontab line instead:
# Note that nginx is only restarted when a certificate was actually renewed
1 1 */1 * * root certbot-auto renew --manual --preferred-challenges dns --manual-public-ip-logging-ok --deploy-hook "service nginx restart" --manual-auth-hook "$toolpath/au.sh php aly add" --manual-cleanup-hook "$toolpath/au.sh php aly clean"
```
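The commands above pass three kinds of hook: the auth and cleanup hooks that publish and remove the dns-01 TXT record, and the deploy hook that restarts the web server. The script below is an added example, not the au.sh from the repository above and not code from the post, showing what certbot hands each hook and what a careful implementation checks. Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the auth hook, adds CERTBOT_AUTH_OUTPUT (whatever the auth hook printed) for the cleanup hook, and gives the deploy hook RENEWED_LINEAGE (the live/ directory of the renewed certificate) and RENEWED_DOMAINS. The DNS provider API call is replaced by a local record file so the script runs offline; that call is exactly the part au.sh supplies. The record file path, the propagation wait, the served-domain list and nginx are assumptions for the example.

```shell
#!/bin/sh
# Added example (not au.sh): one script serving all three hook flags,
# dispatched on its first argument:
#   --manual-auth-hook    "/path/acme-hooks.sh add"
#   --manual-cleanup-hook "/path/acme-hooks.sh clean"
#   --deploy-hook         "/path/acme-hooks.sh deploy"
# RECORD_STORE stands in for the DNS provider API (assumption for the example).

RECORD_STORE="${RECORD_STORE:-/tmp/acme-dns-records.txt}"
PROPAGATION_WAIT="${PROPAGATION_WAIT:-30}"                 # seconds, see acme_auth_hook
SERVED_DOMAINS="${SERVED_DOMAINS:-example.com *.example.com}" # assumed list for deploy

# TXT record name ACME queries for dns-01.  A wildcard (*.example.com) is
# validated on the base name, so a leading "*." is dropped.
acme_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Auth hook.  Records are appended, not replaced: a certificate covering both
# example.com and *.example.com triggers two validations on the same record
# name, and both TXT values must be present at the same time.
acme_auth_hook() {
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    printf '%s TXT "%s"\n' "$name" "$CERTBOT_VALIDATION" >> "$RECORD_STORE"
    # Certbot asks the CA to validate as soon as this hook returns, so wait for
    # propagation: poll with dig when available, otherwise a fixed delay.
    if [ "$PROPAGATION_WAIT" -gt 0 ] && command -v dig >/dev/null 2>&1; then
        i=0
        until dig +short TXT "$name" | grep -qF "\"$CERTBOT_VALIDATION\"" || [ "$i" -ge "$PROPAGATION_WAIT" ]; do
            i=$((i + 1)); sleep 1
        done
    else
        sleep "$PROPAGATION_WAIT"
    fi
    printf '%s\n' "$name"    # reaches the cleanup hook as CERTBOT_AUTH_OUTPUT
}

# Cleanup hook: remove only the record this validation created.
acme_cleanup_hook() {
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    [ -f "$RECORD_STORE" ] || return 0
    grep -vF "$name TXT \"$CERTBOT_VALIDATION\"" "$RECORD_STORE" > "$RECORD_STORE.tmp" || true
    mv "$RECORD_STORE.tmp" "$RECORD_STORE"
}

# Deploy-hook check: fullchain.pem and privkey.pem must carry the same public
# key.  Comparing the DER-encoded public keys works for RSA and ECDSA alike.
key_matches_cert() {  # $1 = lineage directory
    cert_pub=$(openssl x509 -in "$1/fullchain.pem" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when any renewed name is one this host serves.  set -f stops the shell
# from expanding "*.example.com" against files in the working directory.
served_domain_renewed() {  # $1 = RENEWED_DOMAINS, $2 = served domains
    set -f
    for d in $1; do
        for s in $2; do
            if [ "$d" = "$s" ]; then set +f; return 0; fi
        done
    done
    set +f
    return 1
}

# Deploy hook: certbot runs it only after a successful renewal.  Test the server
# configuration first and reload rather than restart so open connections survive.
acme_deploy_hook() {
    served_domain_renewed "$RENEWED_DOMAINS" "$SERVED_DOMAINS" || return 0
    key_matches_cert "$RENEWED_LINEAGE" || { echo "key/cert mismatch in $RENEWED_LINEAGE, not reloading" >&2; return 1; }
    nginx -t && systemctl reload nginx
}

case "${1:-}" in
    add)    acme_auth_hook ;;
    clean)  acme_cleanup_hook ;;
    deploy) acme_deploy_hook ;;
esac
```

The append-not-replace behaviour in the auth hook is the detail that matters for this section: a certificate for both example.com and *.example.com is validated with two TXT values under the same `_acme-challenge.example.com` name, so a hook that overwrites the record fails on exactly the wildcard case, while the cleanup hook removes only the value it published.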
Renewing certificates for several domains on a schedule

For domains managed by different DNS providers, the following script renews them all in one run. Each line of wildchar_certs.txt holds a certificate name and the provider argument au.sh expects (such as `aly`), separated by whitespace:

```sh
#!/bin/bash
toolpath=/home/ubuntu/app/certbot-letencrypt-wildcardcertificates-alydns-au
ws=apache2
# Each line: <cert-name> <provider>, e.g. "simplehttps.com aly"
while read -r certname sp
do
    # stdin is redirected from /dev/null so certbot-auto cannot consume the remaining lines of the list
    certbot-auto renew --cert-name "$certname" --manual --preferred-challenges dns --manual-public-ip-logging-ok --deploy-hook "service $ws restart" --manual-auth-hook "$toolpath/au.sh php $sp add" --manual-cleanup-hook "$toolpath/au.sh php $sp clean" < /dev/null
done < /home/ubuntu/app/wildchar_certs.txt
```
Add cron entries that run the primary-domain renewal and the wildcard renewal on a schedule:

```text
1 1 * * 6 certbot renew >/dev/null 2>&1
1 1 * * 7 /home/ubuntu/app/update_wildchar_certs.sh > /dev/null 2>&1
```
Appendix: the certbot-auto help page

man page:

```text
certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default, it will attempt to use a webserver both for obtaining and installing the certificate. The most common SUBCOMMANDS and flags are:
obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for
  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script hooks
   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates to disk
manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-path or --cert-name)
    delete          Delete a certificate
manage your account with Let's Encrypt:
    register        Create a Let's Encrypt ACME account
    unregister      Deactivate a Let's Encrypt ACME account
    update_account  Update a Let's Encrypt ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications
More detailed help:
  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:
   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
  -h all                print a detailed help page including all topics
  --version             print the version number
```
This article was last modified 6 years ago (2019-07-08).