1. Background
The certificate currently used by the domain is a free certificate issued by Let's Encrypt, but it is valid for only 90 days. To make the next renewal easier, the renewal steps are recorded here.
2. Renewing the certificate with the webroot method
- Download the certificate renewal tool and make it executable
# Skip this step if the tool has already been downloaded
wget https://dl.eff.org/certbot-auto
# Skip this step if it has already been done
chmod +x certbot-auto
- View a domain's certificate information. Usage example:
# View the certificate information for the given DOMAIN_NAME
./certbot-auto certificates --cert-name DOMAIN_NAME
- Renew the certificate (applies when the certificate has 30 days or less of validity left)
# --no-self-upgrade means certbot-auto will not update the letsencrypt program when it runs, which prevents a newer program from being incompatible with the system environment.
./certbot-auto renew --webroot --no-self-upgrade
# After renewal, reload the nginx service so it loads the new SSL certificate
nginx -s reload
- Force renewal (can be run even when more than 30 days of validity remain)
./certbot-auto renew --webroot --no-self-upgrade --force-renewal
nginx -s reload
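Reloading nginx only loads the new certificate if the reload actually succeeds and the right server block terminates TLS for that name. The following script, added here as an example and not code from the original post or from certbot/nginx, fetches the leaf certificate the server presents and compares its SHA-256 fingerprint with the first certificate in the local fullchain.pem (the live-directory layout shown on this page is assumed; the host name, port and the PEM blobs in the self-check are constructed for illustration):

```python
"""Verify that nginx is serving the certificate certbot just renewed.

Added example, not from the original post. Assumes the certbot layout
/etc/letsencrypt/live/<cert-name>/fullchain.pem shown on the page; the
host/port and the PEM blobs built by constructed_pem() are illustrative.
"""
import base64
import hashlib
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def first_pem_block(bundle: str) -> str:
    """Return the first certificate block of a PEM bundle.

    fullchain.pem lists the leaf first, then the intermediates, so the first
    block is the certificate that was actually renewed.
    """
    start = bundle.index(PEM_BEGIN)
    stop = bundle.index(PEM_END, start) + len(PEM_END)
    return bundle[start:stop]


def leaf_fingerprint(bundle: str) -> str:
    """Hex SHA-256 fingerprint of the DER form of the bundle's first certificate.

    This is the same value `openssl x509 -fingerprint -sha256` prints, so it can
    be compared with what operators already have in their notes.
    """
    der = ssl.PEM_cert_to_DER_cert(first_pem_block(bundle))
    return hashlib.sha256(der).hexdigest()


def served_matches_local(host: str, port: int, fullchain_path: str) -> bool:
    """Fetch the leaf certificate host:port presents and compare it with the
    local fullchain.pem. False right after `nginx -s reload` usually means the
    reload did not take effect or another server block answers for that name.
    """
    with open(fullchain_path, encoding="ascii") as fh:
        local_fp = leaf_fingerprint(fh.read())
    # ssl.get_server_certificate returns the peer's leaf certificate as PEM text
    # and sends `host` as SNI, so the server block for that name is selected.
    served_pem = ssl.get_server_certificate((host, port))
    return leaf_fingerprint(served_pem) == local_fp


def constructed_pem(payload: bytes) -> str:
    """Build a PEM-shaped block from arbitrary bytes for the offline self-check.

    Constructed input, not a real certificate: PEM_cert_to_DER_cert only strips
    the armour and base64-decodes, which is all the fingerprint needs.
    """
    body = base64.b64encode(payload).decode("ascii")
    return f"{PEM_BEGIN}\n{body}\n{PEM_END}\n"


if __name__ == "__main__":
    # Usage with the certificate name used on this page (host and port assumed).
    name = "dev.api.dajxyl.com"
    ok = served_matches_local(name, 443, f"/etc/letsencrypt/live/{name}/fullchain.pem")
    print("served certificate matches fullchain.pem:", ok)
```

Run it after `nginx -s reload`; a `True` confirms the renewed leaf is what clients receive. The comparison deliberately ignores the intermediate certificates so that a changed chain does not mask an unchanged leaf.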
3. Reference blog for the first-time certificate installation and how it works
https://blog.csdn.net/dancen/article/details/81311688
4. Additional notes
- As the figure below shows, renew currently does not support renewing the certificate of a single specified domain.
- Renewal shows the following message. Tip: it is caused by certificate rate limiting; a single subdomain may renew its certificate at most 5 times per week.
- Original reference
5. Errors and solutions
Certificate renewal error
- Error keywords: Attempting to renew cert (dev.api.dajxyl.com) from /etc/letsencrypt/renewal/dev.api.dajxyl.com.conf produced an unexpected error: Missing command line flag or config entry for this setting: Input the webroot for dev.api.dajxyl.com:. Skipping.
- Reference link for resolving the error
# The full process of the error and its fix:
# Run the following command to renew the certificate:
certbot-auto renew --no-self-upgrade --force-renewal
# The error is as follows:
Processing /etc/letsencrypt/renewal/dev.api.dajxyl.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dev.api.dajxyl.com
Cleaning up challenges
Attempting to renew cert (dev.api.dajxyl.com) from /etc/letsencrypt/renewal/dev.api.dajxyl.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for dev.api.dajxyl.com:. Skipping.
# Check the renewal config file
cat /etc/letsencrypt/renewal/dev.api.dajxyl.com.conf
# renew_before_expiry = 30 days
version = 1.5.0
archive_dir = /etc/letsencrypt/archive/dev.api.dajxyl.com
cert = /etc/letsencrypt/live/dev.api.dajxyl.com/cert.pem
privkey = /etc/letsencrypt/live/dev.api.dajxyl.com/privkey.pem
chain = /etc/letsencrypt/live/dev.api.dajxyl.com/chain.pem
fullchain = /etc/letsencrypt/live/dev.api.dajxyl.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 8eda3b714d1fefae2ade5ae13b8e002c
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
# Edit the renewal config file (contents after the change)
cat /etc/letsencrypt/renewal/dev.api.dajxyl.com.conf
# renew_before_expiry = 30 days
version = 1.7.0
archive_dir = /etc/letsencrypt/archive/dev.api.dajxyl.com
cert = /etc/letsencrypt/live/dev.api.dajxyl.com/cert.pem
privkey = /etc/letsencrypt/live/dev.api.dajxyl.com/privkey.pem
chain = /etc/letsencrypt/live/dev.api.dajxyl.com/chain.pem
fullchain = /etc/letsencrypt/live/dev.api.dajxyl.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 8eda3b714d1fefae2ade5ae13b8e002c
authenticator = webroot
webroot_path = /tmp
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
dev.api.dajxyl.com = /tmp
# Run the renewal again
certbot-auto renew --webroot --force-renewal
# The result is as follows:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs were successfully renewed:
/etc/letsencrypt/live/dev.api.dajxyl.com/fullchain.pem (success)
- Summary: after a certificate has been issued with the standalone method, renew it with the webroot method. Steps:
- [Case 1] Check the web server configuration for the domain; if no HTTP service is listening on port 80 for that domain, renew as follows:
- Edit the certificate renewal config file:
[renewalparams]
# change to webroot
authenticator = webroot
# add webroot_path
webroot_path = /tmp
- Add an nginx config file
# Using nginx as the web server as an example, add a default HTTP site.
# The purpose is that entering http://domain in a browser, where no HTTP service exists for the domain, reaches the site configured below.
echo '
server {
    server_name HOST_IP;
    listen 80;
    location / {
        root /tmp;
    }
}
' > /usr/local/nginx/conf/vhost/cert.conf
nginx -t
- [Case 2] Check the web server configuration for the domain; if an HTTP service is already listening on port 80, renew as follows:
- Edit the certificate renewal config file:
[renewalparams]
# change to webroot
authenticator = webroot
# add webroot_path, replacing /tmp with the root path configured for the domain, e.g. /usr/local/nginx/html.
webroot_path = /tmp
A record and IP address mismatch error
- Error scenario:
Domain A is bound to B via a CNAME record, and the following command is used to renew the certificate for domain A:
/root/init/certbot-auto renew --webroot --no-self-upgrade
Error message:
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- Solution:
- Log in to the domain management system, change the CNAME record for A into an A record, then run the same command to renew the certificates that need renewing.