【https】Let’s Encrypt 通配符证书如何续期

Let’s Encrypt 通配符证书如何续期

• 查看证书
  certbot-auto certificates

• 更新证书
  certbot-auto renew更新，单域名的证书更新完成了，但通配符就蛋疼了，出现错误如下：

[root@iZbp1hiskkdk1gdsxz4yogZ letsencrypt]# certbot-auto renew --cert-name e-shigong.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/e-shigong.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (e-shigong.com) from /etc/letsencrypt/renewal/e-shigong.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/e-shigong.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/e-shigong.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

--manual-auth-hook，意思就是当我们自动使用插件的时候必须提供一个身份验证脚本，我们可以使用cerbot提供的--manual-auth-hook来进行证书的更新，因为要录入DNS记录，所以会失败

• 可以使用 certbot 插件，比如 certbot-dns-cloudflare 插件（还有其他的），就是自动更新 cloudflare 等 DNS 的记录。
• 手动编写脚本，cerbot 官方提供了 cloudflare 的样例。

参考github样例：
https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
替换掉py文件中的ACCESS_KEY_ID和ACCESS_TOKEN（阿里云的key和token）

然后在/etc/letsencrypt/目录下执行命令：

certbot-auto renew --cert-name e-shigong.com --manual-auth-hook "./certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python aly add" --manual-cleanup-hook "./certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python aly clean"

更新成功：

[root@iZbp1hiskkdk1gdsxz4yogZ letsencrypt]# certbot-auto renew --cert-name e-shigong.com --manual-auth-hook "./certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python aly add" --manual-cleanup-hook "./certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python aly clean"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/e-shigong.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for e-shigong.com
Running manual-auth-hook command: ./certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python aly add
Waiting for verification...
Cleaning up challenges
Running manual-cleanup-hook command: ./certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python aly clean

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/e-shigong.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/e-shigong.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

• 配置crond自动更新

[root@iZbp1hiskkdk1gdsxz4yogZ letsencrypt]# vi /etc/crontab 
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
1 1 */1 * * root /etc/letsencrypt/auto.sh

auto.sh内容：

#!/bin/bash

cd /etc/letsencrypt

certbot-auto renew --cert-name e-shigong.com --manual-auth-hook "./certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python aly add" --manual-cleanup-hook "./certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python aly clean"

nginx_container_id=`docker ps -a |grep sgb_production_nginx |awk '{print $ 1}'`

docker restart ${nginx_container_id}