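# Automatic renewal of HTTPS certificates for nginx
This article explains how to renew nginx HTTPS certificates automatically. There are many ways to do this; this article uses acme.sh.
# 1. Install the acme client
The acme client is really just a shell script. Run the following command to install it.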
```shell
curl https://get.acme.sh | sh
```
```
[root@iZ2ze7011et12xez70sp3dZ nginx]# curl https://get.acme.sh | sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 775 0 775 0 0 145 0 --:--:-- 0:00:05 --:--:-- 160
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 201k 100 201k 0 0 18804 0 0:00:10 0:00:10 --:--:-- 19012
[2020年 11月 02日 星期一 16:12:52 CST] Installing from online archive.
[2020年 11月 02日 星期一 16:12:52 CST] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[2020年 11月 02日 星期一 16:13:10 CST] Extracting master.tar.gz
[2020年 11月 02日 星期一 16:13:10 CST] It is recommended to install socat first.
[2020年 11月 02日 星期一 16:13:10 CST] We use socat for standalone server if you use standalone mode.
[2020年 11月 02日 星期一 16:13:10 CST] If you don't use standalone mode, just ignore this warning.
[2020年 11月 02日 星期一 16:13:10 CST] Installing to /root/.acme.sh
[2020年 11月 02日 星期一 16:13:10 CST] Installed to /root/.acme.sh/acme.sh
[2020年 11月 02日 星期一 16:13:10 CST] Installing alias to '/root/.bashrc'
[2020年 11月 02日 星期一 16:13:10 CST] OK, Close and reopen your terminal to start using acme.sh
[2020年 11月 02日 星期一 16:13:10 CST] Installing alias to '/root/.cshrc'
[2020年 11月 02日 星期一 16:13:10 CST] Installing alias to '/root/.tcshrc'
[2020年 11月 02日 星期一 16:13:10 CST] Installing cron job
[2020年 11月 02日 星期一 16:13:10 CST] Good, bash is found, so change the shebang to use bash as preferred.
[2020年 11月 02日 星期一 16:13:10 CST] OK
[2020年 11月 02日 星期一 16:13:10 CST] Install success!
[root@iZ2ze7011et12xez70sp3dZ nginx]#
```
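acme.sh depends on scheduled tasks, so if the system has no cron service installed, the installation fails and prompts you to install cron.
During the installation above, the script:
- Automatically creates the directory `~/.acme.sh/`.
  The final path of the acme client is `~/.acme.sh/acme.sh`.
  Run `~/.acme.sh/acme.sh -v` to check the client version.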
```
[root@iZ2ze7011et12xez70sp3dZ nginx]# ~/.acme.sh/acme.sh -v
https://github.com/acmesh-official/acme.sh
v2.8.8
[root@iZ2ze7011et12xez70sp3dZ nginx]#
```
- Automatically creates the alias `acme.sh`.
  With the alias in place you no longer need to type the full path `/root/.acme.sh/acme.sh`; typing `acme.sh` is enough.
```
[root@iZ2ze7011et12xez70sp3dZ nginx]# alias
alias acme.sh='/root/.acme.sh/acme.sh'
alias cp='cp -i'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
alias grep='grep --color=auto'
alias l.='ls -d .* --color=auto'
alias ll='ls -l --color=auto'
alias ls='ls --color=auto'
alias mv='mv -i'
alias rm='rm -i'
alias which='alias | /usr/bin/which --tty-only --read-alias --show-dot --show-tilde'
[root@iZ2ze7011et12xez70sp3dZ nginx]#
```
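- Automatically creates a cron job that checks all certificates every day and renews any certificate that is about to expire.
  Run `crontab -l` to list the current scheduled tasks; the acme script's cron job has been added automatically.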
```
[root@iZ2ze7011et12xez70sp3dZ nginx]# crontab -l
10 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[root@iZ2ze7011et12xez70sp3dZ nginx]#
```
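# 2. Generate the certificate
Run the following command:
```shell
~/.acme.sh/acme.sh --issue -d sofineday.com -d www.sofineday.com --webroot /static-file/blog/
```
Meaning of the parameters:
- `--issue` is the acme.sh command that issues a certificate.
- `-d` is short for `--domain`; it is followed by the domain to renew.
- `-w` is short for `--webroot`; it must be followed by the website's root directory.

The actual certificate generation process is as follows: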
```
root@ff939cf2d477:~# ~/.acme.sh/acme.sh --issue -d sofineday.com -d www.sofineday.com --webroot /static-file/blog/
[Mon Nov 2 09:34:37 UTC 2020] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon Nov 2 09:34:37 UTC 2020] Create account key ok.
[Mon Nov 2 09:34:37 UTC 2020] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Mon Nov 2 09:34:39 UTC 2020] Registered
[Mon Nov 2 09:34:39 UTC 2020] ACCOUNT_THUMBPRINT='J2XJiPj7rSQ4wODVXqtkbk5G3j3Jk6fVuw0j2EYNQr8'
[Mon Nov 2 09:34:39 UTC 2020] Creating domain key
[Mon Nov 2 09:34:39 UTC 2020] The domain key is here: /root/.acme.sh/sofineday.com/sofineday.com.key
[Mon Nov 2 09:34:39 UTC 2020] Multi domain='DNS:sofineday.com,DNS:www.sofineday.com'
[Mon Nov 2 09:34:40 UTC 2020] Getting domain auth token for each domain
[Mon Nov 2 09:34:42 UTC 2020] Getting webroot for domain='sofineday.com'
[Mon Nov 2 09:34:42 UTC 2020] Getting webroot for domain='www.sofineday.com'
[Mon Nov 2 09:34:42 UTC 2020] Verifying: sofineday.com
[Mon Nov 2 09:34:46 UTC 2020] Success
[Mon Nov 2 09:34:46 UTC 2020] Verifying: www.sofineday.com
[Mon Nov 2 09:34:50 UTC 2020] Pending
[Mon Nov 2 09:34:53 UTC 2020] Pending
[Mon Nov 2 09:34:57 UTC 2020] Pending
[Mon Nov 2 09:35:00 UTC 2020] Pending
[Mon Nov 2 09:35:03 UTC 2020] Pending
[Mon Nov 2 09:35:07 UTC 2020] Pending
[Mon Nov 2 09:35:10 UTC 2020] Pending
[Mon Nov 2 09:35:12 UTC 2020] Pending
[Mon Nov 2 09:35:15 UTC 2020] Pending
[Mon Nov 2 09:35:18 UTC 2020] Pending
[Mon Nov 2 09:35:21 UTC 2020] Pending
[Mon Nov 2 09:35:24 UTC 2020] Pending
[Mon Nov 2 09:35:27 UTC 2020] Pending
[Mon Nov 2 09:35:30 UTC 2020] Pending
[Mon Nov 2 09:35:32 UTC 2020] Pending
[Mon Nov 2 09:35:35 UTC 2020] Success
[Mon Nov 2 09:35:35 UTC 2020] Verify finished, start to sign.
[Mon Nov 2 09:35:35 UTC 2020] Lets finalize the order.
[Mon Nov 2 09:35:35 UTC 2020] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/101076451/5997675384'
[Mon Nov 2 09:35:36 UTC 2020] Downloading cert.
[Mon Nov 2 09:35:36 UTC 2020] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03a494dee4d14855d98ee65a117330602f7b'
[Mon Nov 2 09:35:37 UTC 2020] Cert success.
```
```
[Mon Nov 2 09:35:37 UTC 2020] Your cert is in /root/.acme.sh/sofineday.com/sofineday.com.cer
[Mon Nov 2 09:35:37 UTC 2020] Your cert key is in /root/.acme.sh/sofineday.com/sofineday.com.key
[Mon Nov 2 09:35:37 UTC 2020] The intermediate CA cert is in /root/.acme.sh/sofineday.com/ca.cer
[Mon Nov 2 09:35:37 UTC 2020] And the full chain certs is there: /root/.acme.sh/sofineday.com/fullchain.cer
root@ff939cf2d477:~#
```
As the output above shows, the certificate files are generated in the `/root/.acme.sh/sofineday.com/` directory.
```
root@ff939cf2d477:~# ls -l /root/.acme.sh/sofineday.com/
total 28
-rw-r--r-- 1 root root 1648 Nov 2 09:35 ca.cer
-rw-r--r-- 1 root root 3579 Nov 2 09:35 fullchain.cer
-rw-r--r-- 1 root root 1931 Nov 2 09:35 sofineday.com.cer
-rw-r--r-- 1 root root 639 Nov 2 09:35 sofineday.com.conf
-rw-r--r-- 1 root root 997 Nov 2 09:34 sofineday.com.csr
-rw-r--r-- 1 root root 230 Nov 2 09:34 sofineday.com.csr.conf
-rw-r--r-- 1 root root 1679 Nov 2 09:34 sofineday.com.key
root@ff939cf2d477:~#
```
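In the listing above, `sofineday.com.key` has mode `-rw-r--r--`, so every local user can read the private key. The following audit is an added example, not part of the original article or of acme.sh; the function names are hypothetical and `ACME_HOME` defaults to the path shown on this page.

```shell
#!/bin/sh
# Added example: find private keys under an acme.sh home that group or
# others can access, and optionally tighten them to owner-only (0600).
ACME_HOME="${ACME_HOME:-/root/.acme.sh}"   # path taken from the install log

# list_exposed_keys DIR: print every *.key file below DIR that has any
# group/other permission bit set. One -perm test per bit keeps it POSIX.
list_exposed_keys() {
    find "$1" -type f -name '*.key' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# count_exposed_keys DIR: number of exposed keys (0 means clean).
count_exposed_keys() {
    list_exposed_keys "$1" | wc -l | tr -d ' '
}

# harden_keys DIR: restrict each exposed key to owner read/write only.
# Fails (non-zero) as soon as one chmod fails.
harden_keys() {
    list_exposed_keys "$1" | while IFS= read -r key; do
        chmod 600 "$key" || exit 1
        printf 'tightened: %s\n' "$key"
    done
}

# Usage: sh audit_keys.sh --audit   (report only)
#        sh audit_keys.sh --fix     (chmod 600 on every exposed key)
case "${1:-}" in
    --audit) list_exposed_keys "$ACME_HOME" ;;
    --fix)   harden_keys "$ACME_HOME" ;;
esac
```

If nginx runs its master process as root, it can still read a key with mode 0600 owned by root.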
# 3. List certificates
Run the following command to list the certificates:
```shell
~/.acme.sh/acme.sh --list
```
```
root@ff939cf2d477:~# ~/.acme.sh/acme.sh --list
Main_Domain KeyLength SAN_Domains CA Created Renew
sofineday.com "" www.sofineday.com LetsEncrypt.org Mon Nov 2 09:35:37 UTC 2020 Fri Jan 1 09:35:37 UTC 2021
root@ff939cf2d477:~#
```
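The cron entry created in step 1 discards its output (`> /dev/null`), so a renewal that keeps failing past the `Renew` date is easy to miss. The check below is an added example, not part of the original article or of acme.sh: it uses `openssl x509` to confirm the issued certificate is not close to expiry and that the copy nginx loads is the same certificate. The function names, the 20-day threshold and the `DEPLOYED` path are assumptions.

```shell
#!/bin/sh
# Added example: verify renewal and deployment independently of acme.sh's cron job.
ISSUED="${ISSUED:-/root/.acme.sh/sofineday.com/fullchain.cer}"  # path from the issue log
DEPLOYED="${DEPLOYED:-/etc/nginx/ssl/fullchain.cer}"            # hypothetical nginx copy
MIN_DAYS="${MIN_DAYS:-20}"                                      # assumed alert threshold

# cert_status FILE DAYS: prints OK, EXPIRING or UNREADABLE; returns 0, 1 or 2.
cert_status() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo UNREADABLE; return 2
    fi
    # -checkend exits 0 only if the cert is still valid DAYS*86400 seconds from now.
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        echo OK; return 0
    fi
    echo EXPIRING; return 1
}

# fingerprint FILE: SHA-256 fingerprint of the first (leaf) certificate in FILE.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# deployed_matches ISSUED DEPLOYED: succeeds only if both files hold the same leaf cert.
deployed_matches() {
    issued_fp=$(fingerprint "$1")
    deployed_fp=$(fingerprint "$2")
    [ -n "$issued_fp" ] && [ "$issued_fp" = "$deployed_fp" ]
}

# Usage: sh check_cert.sh --check   (prints only when something is wrong)
if [ "${1:-}" = "--check" ]; then
    state=$(cert_status "$ISSUED" "$MIN_DAYS") \
        || echo "$ISSUED: $state (threshold $MIN_DAYS days)"
    deployed_matches "$ISSUED" "$DEPLOYED" \
        || echo "$DEPLOYED differs from $ISSUED: renewed cert not deployed"
fi
```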
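# 4. Remove a certificate
```shell
~/.acme.sh/acme.sh --remove -d sofineday.com
```
# 5. Install the certificate
Installation failed; this tutorial will be completed later.
# 6. Automatic renewal
# 7. References
Reference tutorial: HTTPS auto-renewal
Article source: the Internet:
nginx HTTPS certificate auto-renewal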