我有一个 Web 服务器,我在其上应用不同的重写规则以重定向所有 http(s)://*.website.com
对同一 URL 的请求:https://website.com
.一切都按预期正常工作。
现在,我想以自动方式更新证书(由 letsencrypt
构建)。
不幸的是,目前,我必须手动完成,理想的做法是通过从 crontab 调用的简单脚本来完成(我想每 2 个月更新一次证书)。
目前,我正在使用以下脚本 certbot-auto (来自 https://github.com/certbot/certbot/blob/master/certbot-auto
)这样:
./certbot-auto certonly --no-bootstrap --no-self-upgrade --renew-by-default -d website.com -d *.website.com --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096
这是我从此命令获得的输出:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/website.com.conf with version 0.31.0 of Certbot. This might not work.
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for website.com
dns-01 challenge for website.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.website.com with the following value:
j-iC2Fywptdjn_MX4UQCTzDJ5FiuyyZiosVaZYTZxNA
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.website.com with the following value:
eO1eVTi4cPTpZYcuAkrqqYpRcPIobayhPawvtLNqBpU
Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/website.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/website.com/privkey.pem
Your cert will expire on 2020-06-29. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
(23) Failed writing body
如您所见,我必须手动输入我的 VPS DNS 帐户 2
TXT
名为 _acme-challenge.website.com
的字段并包含:j-iC2Fywptdjn_MX4UQCTzDJ5FiuyyZiosVaZYTZxNA
和
eO1eVTi4cPTpZYcuAkrqqYpRcPIobayhPawvtLNqBpU
我想知道是否有办法自动注册
TXT
字段或者是否有另一种方法可以在 crontab 中启动一个简单的命令或脚本(每 2 个月执行一次)以避免所有这些手动操作?每次我想更新这些证书(以下 4 个文件)时,所有这些似乎都比较繁重:
$ ls /etc/letsencrypt/live/website.com/
privkey.pem@ fullchain.pem@ chain.pem@ cert.pem@
最佳答案
DNS的注册TXT
- 如果您访问以编程方式修改记录,则记录可以自动化 - 因此您拥有 DNS 服务器或您的提供商为您提供 API。
这里有一些:
关于ssl - 自动更新 website.com 和 *.website.com 证书的方式,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60960144/