website.com 和 *.website.com 证书的自动更新方式
Automatic way of renewing certificates for website.com and *.website.com
我有一个 Web 服务器,我在该服务器上应用了不同的重写规则,以便将所有 http(s)://*.website.com 请求重定向到相同的 URL:https://website.com。一切正常,如预期。
现在,我想以自动方式更新证书(由 letsencrypt 构建)。
不幸的是,目前我必须手动完成,理想情况是通过从 crontab 调用的简单脚本来完成(我想每 2 个月更新一次证书)。
目前,我正在使用以下脚本 certbot-auto(来自 https://github.com/certbot/certbot/blob/master/certbot-auto):
./certbot-auto certonly --no-bootstrap --no-self-upgrade --renew-by-default -d website.com -d *.website.com --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096
这是我从这个命令得到的输出:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/website.com.conf with version 0.31.0 of Certbot. This might not work.
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for website.com
dns-01 challenge for website.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.website.com with the following value:
j-iC2Fywptdjn_MX4UQCTzDJ5FiuyyZiosVaZYTZxNA
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.website.com with the following value:
eO1eVTi4cPTpZYcuAkrqqYpRcPIobayhPawvtLNqBpU
Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/website.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/website.com/privkey.pem
Your cert will expire on 2020-06-29. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
(23) Failed writing body
如您所见,我必须手动在我的 VPS DNS 帐户 2 TXT 字段上命名为 _acme-challenge.website.com 并包含:
j-iC2Fywptdjn_MX4UQCTzDJ5FiuyyZiosVaZYTZxNA
和
eO1eVTi4cPTpZYcuAkrqqYpRcPIobayhPawvtLNqBpU
我想知道是否有一种方法可以自动注册 TXT 字段,或者是否有另一种方法可以在 crontab 中启动一个简单的命令或脚本(每 2 个月执行一次)以避免所有这些手动操作?
每次我想更新这些证书(以下 4 个文件)时,所有这些似乎都比较繁重:
$ ls /etc/letsencrypt/live/website.com/
privkey.pem@ fullchain.pem@ chain.pem@ cert.pem@
DNS 注册 TXT- 如果您访问以编程方式修改记录,则记录可以自动进行 - 因此您拥有 DNS 服务器或您的提供商为您提供 API。
这里有一些:
我有一个 Web 服务器,我在该服务器上应用了不同的重写规则,以便将所有 http(s)://*.website.com 请求重定向到相同的 URL:https://website.com。一切正常,如预期。
现在,我想以自动方式更新证书(由 letsencrypt 构建)。
不幸的是,目前我必须手动完成,理想情况是通过从 crontab 调用的简单脚本来完成(我想每 2 个月更新一次证书)。
目前,我正在使用以下脚本 certbot-auto(来自 https://github.com/certbot/certbot/blob/master/certbot-auto):
./certbot-auto certonly --no-bootstrap --no-self-upgrade --renew-by-default -d website.com -d *.website.com --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096
这是我从这个命令得到的输出:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/website.com.conf with version 0.31.0 of Certbot. This might not work.
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for website.com
dns-01 challenge for website.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.website.com with the following value:
j-iC2Fywptdjn_MX4UQCTzDJ5FiuyyZiosVaZYTZxNA
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.website.com with the following value:
eO1eVTi4cPTpZYcuAkrqqYpRcPIobayhPawvtLNqBpU
Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/website.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/website.com/privkey.pem
Your cert will expire on 2020-06-29. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
(23) Failed writing body
如您所见,我必须手动在我的 VPS DNS 帐户 2 TXT 字段上命名为 _acme-challenge.website.com 并包含:
j-iC2Fywptdjn_MX4UQCTzDJ5FiuyyZiosVaZYTZxNA
和
eO1eVTi4cPTpZYcuAkrqqYpRcPIobayhPawvtLNqBpU
我想知道是否有一种方法可以自动注册 TXT 字段,或者是否有另一种方法可以在 crontab 中启动一个简单的命令或脚本(每 2 个月执行一次)以避免所有这些手动操作?
每次我想更新这些证书(以下 4 个文件)时,所有这些似乎都比较繁重:
$ ls /etc/letsencrypt/live/website.com/
privkey.pem@ fullchain.pem@ chain.pem@ cert.pem@
DNS 注册 TXT- 如果您访问以编程方式修改记录,则记录可以自动进行 - 因此您拥有 DNS 服务器或您的提供商为您提供 API。
这里有一些: