用Certbot实现LetsEncrypt主域名证书以及通配符证书的自动更新

本文介绍用certbot、certbot-auto自动更新主域名、通配符域名的SSL证书的方法以及原理。

一些概念的理清

以下几个概念要分清楚：

• EFF 机构
• ACME 协议
• Certbot 工具
• Let’s Encrypt 项目
• HTTPS Everywhere 浏览器扩展
• Challenge Types 认证域名所有权的标准

https://certbot.eff.org/

要解决的问题

certbot renew是根据证书之前获取的方式尝试更新，但不能自动更新通配符域名证书。

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Attempting to parse the version 0.34.2 renewal configuration file found at /etc/letsencrypt/renewal/example.com.conf with version 0.31.0 of Certbot. This might not work.
Cert not yet due for renewal

使用certbot-auto

certbot-auto是一个自动化脚本，其会自动安装certbot以及依赖包，并为执行certbot任务提供一层包装。certbot-auto运行在virtual env中，会自动安装、更新certbot，通过cerbot-auto运行的证书管理命令、参数等都会转发给certbot处理。

All arguments are accepted and forwarded to the Certbot client when run.

下载安装certbot-auto

wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
cp certbot-auto /usr/local/bin
./certbot-auto --help

certbot-auto的用法

qiushan@topvps:~/app# ./certbot-auto --help
Usage: certbot-auto [OPTIONS]
A self-updating wrapper script for the Certbot ACME client. When run, updates
to both this script and certbot will be downloaded and installed. After
ensuring you have the latest versions installed, certbot will be invoked with
all arguments you have provided.

Help for certbot itself cannot be provided until it is installed.

  --debug                                   attempt experimental installation
  -h, --help                                print this help
  -n, --non-interactive, --noninteractive   run without asking for user input
  --no-bootstrap                            do not install OS dependencies
  --no-permissions-check                    do not warn about file system permissions
  --no-self-upgrade                         do not download updates
  --os-packages-only                        install OS dependencies and exit
  --install-only                            install certbot, upgrade if needed, and exit
  -v, --verbose                             provide more output
  -q, --quiet                               provide only update/error output;
                                            implies --non-interactive

All arguments are accepted and forwarded to the Certbot client when run.

只安装

./certbot-auto --install-only

gcc is already the newest version (4:5.3.1-1ubuntu1).
gcc set to manually installed.
augeas-lenses is already the newest version (1.4.0-0ubuntu1.1).
augeas-lenses set to manually installed.
libaugeas0 is already the newest version (1.4.0-0ubuntu1.1).
libaugeas0 set to manually installed.
ca-certificates is already the newest version (20170717~16.04.2).
python is already the newest version (2.7.12-1~16.04).
python-dev is already the newest version (2.7.12-1~16.04).
python-dev set to manually installed.
openssl is already the newest version (1.1.1-1+ubuntu16.04.1+deb.sury.org+1).
The following additional packages will be installed:
 python3-virtualenv
Suggested packages:
 libssl-doc
The following NEW packages will be installed:
 libffi-dev libssl-dev python-virtualenv python3-virtualenv virtualenv
0 upgraded, 5 newly installed, 0 to remove and 33 not upgraded.
Need to get 2,044 kB of archives.
After this operation, 8,823 kB of additional disk space will be used.
Do you want to continue? [Y/n] y

webroot和certbot的插件机制

使用webroot插件时，可以同时服务放在单独路径或者分别路径的多个域名。

certbot certonly --webroot -w /var/www/html/example -d example.net -d example.com -w /var/www/html/other -d other.example.net -d another.other.example.net

插件主要提供认证（-a）和安装（-i）两项功能，认证当然就是验证你对域名的所有权或对web服务器的管理权，安装就是自动将证书配置到你使用的web服务器上，如apache、nginx等。有时你运行着web服务，有时则没有，standalone就是在你没有可用的web服务器用于验证时，由certbot临时开启一个web服务以完成验证，当然前提是你已经将域名解析指向当前服务器的IP。下面是这些插件在主要层面的比较：

使用webroot插件自动换取单域名证书。

qiushan@topvps:~$ sudo certbot certonly --webroot -w /var/www/html/example -d example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
# certonly指令包含获取、更新证书两项功能，所以这里的意图是首次获取单域名的证书，它还是会检测是否有其它需要更新的证书，以及它能否更新。
Attempting to parse the version 0.34.2 renewal configuration file found at /etc/letsencrypt/renewal/example.net.conf with version 0.31.0 of Certbot. This might not work.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
Using the webroot path /var/www/html/example for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com-0001/privkey.pem
   Your cert will expire on 2019-08-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

使用hook插件实现通配符域名的自动获取、更新。

要完成dns-01验证，需要通过manual插件，手动去DNS服务商那里更新解析比较费事，manual插件的一些插件/钩子脚本可以自动帮我们更新域名记录并完成认证，所以我们使用此类钩子脚本完成这项工作。国内常用的阿里云、腾讯DNSPOD可以通过下面这个插件实现，cloudflare等国外常用的DNS服务则需要其它的插件。

插件地址：certbot-letencrypt-wildcardcertificates-alydns-au

$ git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
$ cd certbot-letencrypt-wildcardcertificates-alydns-au
# 根据其中的说明配置所需响应DNS服务的api token，支持阿里云、腾讯DNSPOD和GoDaddy
$ vim au.sh
$ chmod 0777 au.sh

此插件的默认路径比较长，我们配置个变量，以方便使用，尤其要运行多次时，还是很省事的：

toolpath=~/app/certbot-letencrypt-wildcardcertificates-alydns-au

# 使用manual-auth-hook 和 manual-cleanup-hook这两个钩子参数调用我们配置的插件

# 更新全部
./certbot-auto renew --manual --preferred-challenges dns --manual-public-ip-logging-ok --manual-auth-hook "/$toolpath/au.sh php aly add" --manual-cleanup-hook "/$toolpath/au.sh php aly clean"
# 更新一个
./certbot-auto renew --cert-name simplehttps.com --manual-auth-hook "/$toolpath/au.sh php aly add" --manual-cleanup-hook "/$toolpath/au.sh php aly clean"

配置cronjob：

#证书有效期<30天才会renew，所以crontab可以配置为1天或1周
1 1 */1 * * root certbot-auto renew --manual --preferred-challenges dns --manual-public-ip-logging-ok --manual-auth-hook "/$toolpath/au.sh php aly add" --manual-cleanup-hook "/$toolpath/au.sh php aly clean"

# 如果是certbot 机器和运行web服务（比如 nginx，apache）的机器是同一台，那么成功renew证书后，可以启动对应的web 服务器，运行下列crontab:
# 注意只有成功renew证书，才会重新启动nginx
1 1 */1 * * root certbot-auto renew --manual --preferred-challenges dns --manual-public-ip-logging-ok --deploy-hook "service nginx restart" --manual-auth-hook "/$toolpath/au.sh php aly add" --manual-cleanup-hook "/$toolpath/au.sh php aly clean"

定期更新多个域名证书

对于多个DNS服务商管理的域名，可以通过下面的脚本实现一次性更新：

#!/bin/bash
toolpath=/home/ubuntu/app/certbot-letencrypt-wildcardcertificates-alydns-au
ws=apache2
while read -r certname sp
do
    certbot-auto renew --cert-name $certname --manual --preferred-challenges dns --manual-public-ip-logging-ok --deploy-hook "service $ws restart" --manual-auth-hook "/$toolpath/au.sh php $sp add" --manual-cleanup-hook "/$toolpath/au.sh php $sp clean"
done < /home/ubuntu/app/wildchar_certs.txt

配置cron任务，定期执行主域名证书更新任务和通配符域名证书更新任务：

1 1 * * 6 certbot renew >/dev/null 2>&1
1 1 * * 7 /home/ubuntu/app/update_wildchar_certs.sh > /dev/null 2>&1

附certbot-auto帮助页

man page：

certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default, it will attempt to use a webserver both for obtaining and installing the certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script hooks

   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-path or --cert-name)
    delete          Delete a certificate

manage your account with Let's Encrypt:
    register        Create a Let's Encrypt ACME account
    unregister      Deactivate a Let's Encrypt ACME account
    update_account  Update a Let's Encrypt ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
  -h all                print a detailed help page including all topics
  --version             print the version number
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-- EOF --

本文最后修改于5年前 (2019-07-08)

(1 votes, average: 1.00 out of 5)

读取中...