Uninote

1. Background

The certificate currently used by the domain is a free certificate issued by Let's Encrypt, but it is valid for only 90 days. To make the next renewal of the free certificate easier, the renewal steps are recorded here.

2. Renewing the certificate with the webroot method

  • Download the certificate renewal tool and make it executable
 # Skip this step if it has already been downloaded
 wget https://dl.eff.org/certbot-auto
 # Skip this step if it has already been run
 chmod +x certbot-auto
  • View the domain's certificate information (usage example):
 # Show the certificate information for the given DOMAIN_NAME
 ./certbot-auto certificates --cert-name DOMAIN_NAME
  • Renew the certificate (applies when the certificate has 30 days or less of validity remaining):
 # --no-self-upgrade means certbot-auto does not update the letsencrypt program when it runs, which prevents a newer program from being incompatible with the system environment.
 ./certbot-auto renew --webroot --no-self-upgrade
 # After renewal, reload the nginx service so it loads the new SSL certificate
 nginx -s reload
  • Force-renew the certificate (forced renewal also works when more than 30 days of validity remain):
 ./certbot-auto renew --webroot --no-self-upgrade --force-renewal
 nginx -s reload

3. Reference blog for the initial certificate installation and how it works

https://blog.csdn.net/dancen/article/details/81311688

4. Additional reminders

  • As the figure below shows, renew does not yet support renewing the certificate for a single specified domain.
  • Renewal prints the following message: Tip: this is caused by the certificate rate limit; a subdomain can have its certificate renewed no more than 5 times per week.
  • Original reference

5. Errors and solutions

Certificate renewal error

# The full process of the error and its fix is as follows:
# Run the following command to renew the certificate:
certbot-auto renew --no-self-upgrade --force-renewal

# The error is as follows:
Processing /etc/letsencrypt/renewal/dev.api.dajxyl.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dev.api.dajxyl.com
Cleaning up challenges
Attempting to renew cert (dev.api.dajxyl.com) from /etc/letsencrypt/renewal/dev.api.dajxyl.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for dev.api.dajxyl.com:. Skipping.

# View the renewal configuration file
cat /etc/letsencrypt/renewal/dev.api.dajxyl.com.conf
# renew_before_expiry = 30 days
version = 1.5.0
archive_dir = /etc/letsencrypt/archive/dev.api.dajxyl.com
cert = /etc/letsencrypt/live/dev.api.dajxyl.com/cert.pem
privkey = /etc/letsencrypt/live/dev.api.dajxyl.com/privkey.pem
chain = /etc/letsencrypt/live/dev.api.dajxyl.com/chain.pem
fullchain = /etc/letsencrypt/live/dev.api.dajxyl.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 8eda3b714d1fefae2ade5ae13b8e002c
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory

# Modify the renewal configuration file
cat /etc/letsencrypt/renewal/dev.api.dajxyl.com.conf
# renew_before_expiry = 30 days
version = 1.7.0
archive_dir = /etc/letsencrypt/archive/dev.api.dajxyl.com
cert = /etc/letsencrypt/live/dev.api.dajxyl.com/cert.pem
privkey = /etc/letsencrypt/live/dev.api.dajxyl.com/privkey.pem
chain = /etc/letsencrypt/live/dev.api.dajxyl.com/chain.pem
fullchain = /etc/letsencrypt/live/dev.api.dajxyl.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 8eda3b714d1fefae2ade5ae13b8e002c
authenticator = webroot
webroot_path = /tmp
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
dev.api.dajxyl.com = /tmp

# Run the renewal again
certbot-auto renew --webroot --force-renewal

# The result is as follows:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs were successfully renewed:
  /etc/letsencrypt/live/dev.api.dajxyl.com/fullchain.pem (success)
  • Summary: after a certificate has been generated with the standalone method, renew it with the webroot method. Steps:
  • [Case 1] Check the web server configuration for the domain; if the domain has no HTTP service listening on port 80, the renewal steps are as follows:
    • Modify the certificate renewal configuration file:
[renewalparams]
# change to webroot
authenticator = webroot
# add webroot_path
webroot_path = /tmp
    • Add an nginx configuration file
# Taking nginx as the web server, add a default HTTP site.
# The goal is that a request to http://domain from a browser, which would otherwise reach a non-existent HTTP service, is served by the site configured below.
echo '
server {
server_name HOST_IP;
listen 80;
  location /{
      root /tmp;
  }
}
' > /usr/local/nginx/conf/vhost/cert.conf
nginx -t
  • [Case 2] Check the web server configuration for the domain; if an HTTP service is listening on port 80, the renewal steps are as follows:
    • Modify the certificate renewal configuration file:
[renewalparams]
# change to webroot
authenticator = webroot
# add webroot_path, replacing /tmp with the root path configured for the domain, e.g. /usr/local/nginx/html.
webroot_path = /tmp
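The following POSIX shell script is an added example, not part of this post or of certbot: it performs the pre-flight check the summary above implies before running "certbot-auto renew --webroot". It reads a renewal conf, confirms the authenticator is webroot, resolves the webroot for the domain from [[webroot_map]] or webroot_path, and proves that an HTTP-01 token file can be written and read back under .well-known/acme-challenge. The function names, the constructed sample conf writer and the throwaway directory are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check for a certbot renewal conf before "certbot-auto renew --webroot".
# Added example, not certbot's own code. The conf layout follows the page's
# /etc/letsencrypt/renewal/DOMAIN.conf (configobj style, [[webroot_map]] subsection).

# Print key $2 from the [renewalparams] section of conf $1 (empty if absent).
renewal_param() {
  sed -n '/^\[renewalparams\]/,/^\[\[/p' "$1" | sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}
# Print the webroot mapped to domain $2 in the [[webroot_map]] subsection of conf $1.
webroot_for() {
  sed -n '/^\[\[webroot_map\]\]/,$p' "$1" | sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Return 0 if conf $1 is ready for "renew --webroot", else print the reason and return 1.
# authenticator = standalone is exactly what made certbot ask for a webroot on this page.
check_renewal_conf() {
  auth=$(renewal_param "$1" authenticator)
  [ "$auth" = webroot ] || { echo "authenticator is '${auth:-unset}', not webroot"; return 1; }
  domain=$(basename "$1" .conf)
  root=$(webroot_for "$1" "$domain")
  [ -n "$root" ] || root=$(renewal_param "$1" webroot_path)
  [ -n "$root" ] || { echo "no webroot_path or [[webroot_map]] entry for $domain"; return 1; }
  [ -d "$root" ] || { echo "webroot $root does not exist"; return 1; }
  # HTTP-01 places a token under this path; prove it can be written and read back.
  # (A dedicated directory served by nginx is a safer webroot than the world-writable /tmp.)
  dir="$root/.well-known/acme-challenge"
  mkdir -p "$dir" || { echo "cannot create $dir"; return 1; }
  token="preflight-$$"
  printf 'ok' > "$dir/$token" && [ "$(cat "$dir/$token")" = ok ] || { echo "cannot write token in $dir"; rm -f "$dir/$token"; return 1; }
  rm -f "$dir/$token"
  echo "$domain: webroot $root ready for HTTP-01"
}

# Write a constructed renewal conf (same keys as the page's) to $1 with authenticator $2 and webroot $3.
write_sample_conf() {
  domain=$(basename "$1" .conf)
  {
    echo "version = 1.7.0"; echo "[renewalparams]"; echo "authenticator = $2"
    echo "server = https://acme-v02.api.letsencrypt.org/directory"
    if [ -n "$3" ]; then echo "webroot_path = $3"; echo "[[webroot_map]]"; echo "$domain = $3"; fi
  } > "$1"
}

# Demo on a throwaway directory: the page's broken conf (standalone), then the fixed one (webroot).
demo=$(mktemp -d); mkdir -p "$demo/www"
write_sample_conf "$demo/dev.api.dajxyl.com.conf" standalone ""
check_renewal_conf "$demo/dev.api.dajxyl.com.conf" || echo "  -> edit the conf as shown in case 1/2 before renewing"
write_sample_conf "$demo/dev.api.dajxyl.com.conf" webroot "$demo/www"
check_renewal_conf "$demo/dev.api.dajxyl.com.conf"; rm -rf "$demo"
```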

A record and IP address mismatch error

  • Error scenario:
Domain A is bound to B via a CNAME record; the certificate for domain A is renewed with the following command:
	/root/init/certbot-auto renew --webroot --no-self-upgrade
Error message:
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
  • Solution:

    • Log in to the domain management system, change A's CNAME record to an A record, then run the same command to renew the certificates that need renewing.

6. Learn more

nginx request-header-based routing

auto_cert
