当前位置:   article > 正文

docker certbot颁发letsencrypt证书_certbot docker

certbot docker

webroot方式配置https证书,定时执行续期

参数解释
certonly创建时使用, 表示采用验证模式,只会获取证书
renew更新时使用
–manual配置插件,http验证/dns验证
–webroothttp验证
–force-renewal强制续签
–preferred-challengesdnsdns验证, 表示采用DNS验证申请者合法性
–dry-run测试执行,不会真正去申请
–manual-auth-hook动态验证DNS的脚本服务
–deploy-hook后面的参数是证书更新成功之后,要指定执行的命令,这里是重启 nginx, 因为nginx不会自动重新加载证书,reload也不会
-d *.xxx.com域名(可以是通配符)
-m xxx@xxx.com通知邮箱
  1. nginx配置访问地址

        location ~/.well-known/acme-challenge/ {
            root /mnt/cert/webroot_acme-challenge;
        }
  • 1
  • 2
  • 3
  1. 执行certbot certonly webroot方式

docker run -it --rm --name certbot \
            -v "/mnt/cert/www.example.com/letsencrypt:/etc/letsencrypt" \
            -v "/mnt/cert/www.example.com/letsencrypt1:/var/lib/letsencrypt" \
            -v "/mnt/cert/log/:/var/log/letsencrypt/" \
            -v /mnt/cert/webroot_acme-challenge:/data/letsencrypt \
            certbot/certbot certonly  \
            --webroot --agree-tos \
            --webroot-path=/data/letsencrypt \
            -m xxx@xxx.cn -d www.example.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for www.example.com




Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/www.example.com/privkey.pem
This certificate expires on 2022-09-10.
These files will be updated when the certificate renews.


NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  1. nginx被访问

18.188.144.19 - - [13/Jun/2022:01:15:33 +0800] "GET /.well-known/acme-challenge/jg_HRFtupEdbwKXJbYU-SLPRgehDk8T8oyAhxoiPDHI HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.237.56.27 - - [13/Jun/2022:01:15:33 +0800] "GET /.well-known/acme-challenge/jg_HRFtupEdbwKXJbYU-SLPRgehDk8T8oyAhxoiPDHI HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
64.78.149.164 - - [13/Jun/2022:01:15:34 +0800] "GET /.well-known/acme-challenge/jg_HRFtupEdbwKXJbYU-SLPRgehDk8T8oyAhxoiPDHI HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
176.107.176.83 - - [13/Jun/2022:01:16:37 +0800] "GET /.git/config HTTP/1.1" 404 134 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3"
95.211.187.223 - - [13/Jun/2022:01:17:00 +0800] "GET / HTTP/1.1" 200 1843 "-" "Go-http-client/1.1”
  • 1
  • 2
  • 3
  • 4
  • 5
  1. 查询结果

docker run -it --rm --name certbot \
            -v "/mnt/cert/www.example.com/letsencrypt:/etc/letsencrypt" \
            -v "/mnt/cert/www.example.com/letsencrypt1:/var/lib/letsencrypt" \
            certbot/certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.example.com
    Serial Number: 42667b9821f5721a9733aa071ebf6b3ddfb
    Key Type: RSA
    Domains: www.example.com
    Expiry Date: 2022-09-10 16:15:42+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  1. 查询帮助信息

docker run -it --rm certbot/certbot —help
  • 1
  1. 执行续期证书命令

docker run -it --rm --name certbot \
            -v "/mnt/cert/www.example.com/letsencrypt:/etc/letsencrypt" \
            -v "/mnt/cert/www.example.com/letsencrypt1:/var/lib/letsencrypt" \
            -v "/mnt/cert/log/:/var/log/letsencrypt/" \
            -v /mnt/cert/webroot_acme-challenge:/data/letsencrypt \
            certbot/certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/www.example.com/fullchain.pem expires on 2022-09-10 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  1. 定时任务自动续期

0 3 * * 1 cd /mnt/cert/ && renew.sh &&  nginx -s reload
  • 1
  1. 手动更新证书-日志
# 尝试更新
$ docker run -it --rm --name certbot \
    -v "/mnt/cert/www.example.com/letsencrypt:/etc/letsencrypt" \
    -v "/mnt/cert/www.example.com/letsencrypt1:/var/lib/letsencrypt" \
    -v "/mnt/cert/log/:/var/log/letsencrypt/" \
    -v /mnt/cert/webroot_acme-challenge:/data/letsencrypt \
    certbot/certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for m.me56.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/m.me56.cn/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


# 更新
$ docker run -it --rm --name certbot \
>     -v "/mnt/cert/www.example.com/letsencrypt:/etc/letsencrypt" \
>     -v "/mnt/cert/www.example.com/letsencrypt1:/var/lib/letsencrypt" \
>     -v "/mnt/cert/log/:/var/log/letsencrypt/" \
>     -v /mnt/cert/webroot_acme-challenge:/data/letsencrypt \
>     certbot/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/m.me56.cn.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for m.me56.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/www.example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# 重复更新
$ docker run -it --rm --name certbot    \
		 -v "/mnt/cert/www.example.com/letsencrypt:/etc/letsencrypt"    \
		 -v "/mnt/cert/www.example.com/letsencrypt1:/var/lib/letsencrypt"     \
		 -v "/mnt/cert/log/:/var/log/letsencrypt/"     \
		 -v /mnt/cert/webroot_acme-challenge:/data/letsencrypt     \
		 certbot/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/www.example.com/fullchain.pem expires on 2022-12-05 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58

问题:

docker run -it --rm --name certbot \
            -v "/mnt/cert/m.xxx.cn/letsencrypt:/etc/letsencrypt" \
            -v "/mnt/cert/m.xxx.cn/letsencrypt1:/var/lib/letsencrypt" \
            -v "/mnt/cert/log/:/var/log/letsencrypt/" \
            -v /mnt/cert/webroot_acme-challenge:/data/letsencrypt \
            certbot/certbot renew
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6

报了以下错误:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for m.xxx.cn

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: m.xxx.cn
  Type:   unauthorized
  Detail: 121.xx.161.xx: Invalid response from https://m.xxx.cn/.well-known/acme-challenge/FCyKJVpjk_6c9ogLkIPzrCLWpWzo_nDmzgMZFZof0ss: "<!DOCTYPE html><html lang=\"\"><head><meta charset=\"utf-8\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"><meta http-equiv=\""

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12

解决: 需要把.well-known配置加以443端口里

server {
        listen 443 ssl http2;
        server_name  m.xxx.cn;
        ssl_certificate     xxx.pem;
        ssl_certificate_key xxx.pem;

        location ^~ /.well-known/acme-challenge/ {
                root /mnt/cert/webroot_acme-challenge;
        }
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/Gausst松鼠会/article/detail/640025
推荐阅读
相关标签
  

闽ICP备14008679号