赞
踩
webroot方式配置https证书,定时执行续期
参数 | 解释 |
---|---|
certonly | 创建时使用, 表示采用验证模式,只会获取证书 |
renew | 更新时使用 |
–manual | 配置插件,http验证/dns验证 |
–webroot | http验证 |
–force-renewal | 强制续签 |
–preferred-challenges | dnsdns验证, 表示采用DNS验证申请者合法性 |
–dry-run | 测试执行,不会真正去申请 |
–manual-auth-hook | 动态验证DNS的脚本服务 |
–deploy-hook | 后面的参数是证书更新成功之后,要指定执行的命令,这里是重启 nginx, 因为nginx不会自动重新加载证书,reload也不会 |
-d *.xxx.com | 域名(可以是通配符) |
-m xxx@xxx.com | 通知邮箱 |
location ~/.well-known/acme-challenge/ {
root /mnt/cert/webroot_acme-challenge;
}
docker run -it --rm --name certbot \ -v "/mnt/cert/www.example.com/letsencrypt:/etc/letsencrypt" \ -v "/mnt/cert/www.example.com/letsencrypt1:/var/lib/letsencrypt" \ -v "/mnt/cert/log/:/var/log/letsencrypt/" \ -v /mnt/cert/webroot_acme-challenge:/data/letsencrypt \ certbot/certbot certonly \ --webroot --agree-tos \ --webroot-path=/data/letsencrypt \ -m xxx@xxx.cn -d www.example.com Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: y Account registered. Requesting a certificate for www.example.com Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/www.example.com/fullchain.pem Key is saved at: /etc/letsencrypt/live/www.example.com/privkey.pem This certificate expires on 2022-09-10. These files will be updated when the certificate renews. NEXT STEPS: - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - If you like Certbot, please consider supporting our work by: * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate * Donating to EFF: https://eff.org/donate-le - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
18.188.144.19 - - [13/Jun/2022:01:15:33 +0800] "GET /.well-known/acme-challenge/jg_HRFtupEdbwKXJbYU-SLPRgehDk8T8oyAhxoiPDHI HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.237.56.27 - - [13/Jun/2022:01:15:33 +0800] "GET /.well-known/acme-challenge/jg_HRFtupEdbwKXJbYU-SLPRgehDk8T8oyAhxoiPDHI HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
64.78.149.164 - - [13/Jun/2022:01:15:34 +0800] "GET /.well-known/acme-challenge/jg_HRFtupEdbwKXJbYU-SLPRgehDk8T8oyAhxoiPDHI HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
176.107.176.83 - - [13/Jun/2022:01:16:37 +0800] "GET /.git/config HTTP/1.1" 404 134 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3"
95.211.187.223 - - [13/Jun/2022:01:17:00 +0800] "GET / HTTP/1.1" 200 1843 "-" "Go-http-client/1.1”
docker run -it --rm --name certbot \ -v "/mnt/cert/www.example.com/letsencrypt:/etc/letsencrypt" \ -v "/mnt/cert/www.example.com/letsencrypt1:/var/lib/letsencrypt" \ certbot/certbot certificates Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Found the following certs: Certificate Name: www.example.com Serial Number: 42667b9821f5721a9733aa071ebf6b3ddfb Key Type: RSA Domains: www.example.com Expiry Date: 2022-09-10 16:15:42+00:00 (VALID: 89 days) Certificate Path: /etc/letsencrypt/live/www.example.com/fullchain.pem Private Key Path: /etc/letsencrypt/live/www.example.com/privkey.pem - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker run -it --rm certbot/certbot —help
docker run -it --rm --name certbot \ -v "/mnt/cert/www.example.com/letsencrypt:/etc/letsencrypt" \ -v "/mnt/cert/www.example.com/letsencrypt1:/var/lib/letsencrypt" \ -v "/mnt/cert/log/:/var/log/letsencrypt/" \ -v /mnt/cert/webroot_acme-challenge:/data/letsencrypt \ certbot/certbot renew Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/www.example.com.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Certificate not yet due for renewal - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The following certificates are not due for renewal yet: /etc/letsencrypt/live/www.example.com/fullchain.pem expires on 2022-09-10 (skipped) No renewals were attempted. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 3 * * 1 cd /mnt/cert/ && renew.sh && nginx -s reload
# 尝试更新 $ docker run -it --rm --name certbot \ -v "/mnt/cert/www.example.com/letsencrypt:/etc/letsencrypt" \ -v "/mnt/cert/www.example.com/letsencrypt1:/var/lib/letsencrypt" \ -v "/mnt/cert/log/:/var/log/letsencrypt/" \ -v /mnt/cert/webroot_acme-challenge:/data/letsencrypt \ certbot/certbot renew --dry-run Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/www.example.com.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Simulating renewal of an existing certificate for m.me56.cn - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations, all simulated renewals succeeded: /etc/letsencrypt/live/m.me56.cn/fullchain.pem (success) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # 更新 $ docker run -it --rm --name certbot \ > -v "/mnt/cert/www.example.com/letsencrypt:/etc/letsencrypt" \ > -v "/mnt/cert/www.example.com/letsencrypt1:/var/lib/letsencrypt" \ > -v "/mnt/cert/log/:/var/log/letsencrypt/" \ > -v /mnt/cert/webroot_acme-challenge:/data/letsencrypt \ > certbot/certbot renew Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/m.me56.cn.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Renewing an existing certificate for m.me56.cn - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations, all renewals succeeded: /etc/letsencrypt/live/www.example.com/fullchain.pem (success) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # 重复更新 $ docker run -it --rm --name certbot \ -v "/mnt/cert/www.example.com/letsencrypt:/etc/letsencrypt" \ -v "/mnt/cert/www.example.com/letsencrypt1:/var/lib/letsencrypt" \ -v "/mnt/cert/log/:/var/log/letsencrypt/" \ -v /mnt/cert/webroot_acme-challenge:/data/letsencrypt \ certbot/certbot renew Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/www.example.com.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Certificate not yet due for renewal - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The following certificates are not due for renewal yet: /etc/letsencrypt/live/www.example.com/fullchain.pem expires on 2022-12-05 (skipped) No renewals were attempted. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
问题:
docker run -it --rm --name certbot \
-v "/mnt/cert/m.xxx.cn/letsencrypt:/etc/letsencrypt" \
-v "/mnt/cert/m.xxx.cn/letsencrypt1:/var/lib/letsencrypt" \
-v "/mnt/cert/log/:/var/log/letsencrypt/" \
-v /mnt/cert/webroot_acme-challenge:/data/letsencrypt \
certbot/certbot renew
报了以下错误:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for m.xxx.cn
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: m.xxx.cn
Type: unauthorized
Detail: 121.xx.161.xx: Invalid response from https://m.xxx.cn/.well-known/acme-challenge/FCyKJVpjk_6c9ogLkIPzrCLWpWzo_nDmzgMZFZof0ss: "<!DOCTYPE html><html lang=\"\"><head><meta charset=\"utf-8\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"><meta http-equiv=\""
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
解决: 需要把.well-known配置加以443端口里
server {
listen 443 ssl http2;
server_name m.xxx.cn;
ssl_certificate xxx.pem;
ssl_certificate_key xxx.pem;
location ^~ /.well-known/acme-challenge/ {
root /mnt/cert/webroot_acme-challenge;
}
Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。