Let's Encrypt: requesting a free SSL certificate and renewing it automatically

Let's Encrypt is a free, open certificate authority that also issues wildcard certificates. Its certificates are only valid for 3 months, so to avoid requesting a new one by hand every time we can automate the renewal with a script. I have tested three approaches so far, all of which renewed successfully, and I am recording the process here.

Prerequisite: obtain the DNS API key & secret

Reference: https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md

1. Automatic renewal with acme.sh:

#Install acme.sh (either command works)
curl https://get.acme.sh | sh
wget -O - https://get.acme.sh | sh
#Check the acme.sh version
acme.sh --version
#Fill in your real key & secret
export Ali_Key="4xvxbCThnjerg955"
export Ali_Secret="fwyhkkp0"
#Issue the certificate (quote the wildcard so the shell does not expand it)
acme.sh --issue --dns dns_ali -d '*.peakchao.com'
#Renew the certificate
acme.sh --renew -d '*.peakchao.com' --force
# List certificates
acme.sh --list
# Remove a certificate from the renewal list (the files on disk are kept)
acme.sh --remove -d '*.peakchao.com'

#Upgrade acme.sh to the latest version:
acme.sh --upgrade
#Enable automatic upgrades:
acme.sh --upgrade --auto-upgrade
#Disable automatic upgrades:
acme.sh --upgrade --auto-upgrade 0

#The following commands need not be run: from what I have seen, acme.sh adds the renewal cron job by itself
crontab -e
# Add a job like this one: run once every three months
0 0 29 */3 * acme.sh --renew -d '*.peakchao.com' --force
#Finally, do not forget to update the nginx configuration and restart nginx

Output

[root@izf9t76wjp0zs8z ~]# wget -O -  https://get.acme.sh | sh
--2019-03-09 15:17:22--  https://get.acme.sh/
Resolving get.acme.sh (get.acme.sh)... 144.217.161.63, 2607:5300:201:3100::5663
Connecting to get.acme.sh (get.acme.sh)|144.217.161.63|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 705 [text/plain]
Saving to: ‘STDOUT’

100%[===========================================================================================================>] 705         --.-K/s   in 0s      

2019-03-09 15:17:24 (176 MB/s) - written to stdout [705/705]

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  171k  100  171k    0     0  10938      0  0:00:16  0:00:16 --:--:-- 45873
[Sat Mar  9 15:17:40 CST 2019] Installing from online archive.
[Sat Mar  9 15:17:40 CST 2019] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Sat Mar  9 15:17:46 CST 2019] Extracting master.tar.gz
[Sat Mar  9 15:17:46 CST 2019] It is recommended to install socat first.
[Sat Mar  9 15:17:46 CST 2019] We use socat for standalone server if you use standalone mode.
[Sat Mar  9 15:17:46 CST 2019] If you don't use standalone mode, just ignore this warning.
[Sat Mar  9 15:17:46 CST 2019] Installing to /usr/local/acme.sh
[Sat Mar  9 15:17:46 CST 2019] Installed to /usr/local/acme.sh/acme.sh
[Sat Mar  9 15:17:46 CST 2019] Installing alias to '/root/.bashrc'
[Sat Mar  9 15:17:46 CST 2019] OK, Close and reopen your terminal to start using acme.sh
[Sat Mar  9 15:17:46 CST 2019] Installing alias to '/root/.cshrc'
[Sat Mar  9 15:17:46 CST 2019] Installing alias to '/root/.tcshrc'
[Sat Mar  9 15:17:46 CST 2019] Installing cron job
57 0 * * * "/usr/local/acme.sh"/acme.sh --cron --home "/usr/local/acme.sh" > /dev/null
[Sat Mar  9 15:17:46 CST 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Mar  9 15:17:46 CST 2019] OK
[Sat Mar  9 15:17:46 CST 2019] Install success!
[root@izf9t76wjp0zs8z ~]# export Ali_Key="4xvxbCThnjerg955"
[root@izf9t76wjp0zs8z ~]# export Ali_Secret="fwyhkkp0"
[root@izf9t76wjp0zs8z ~]# acme.sh --issue --dns dns_ali -d *.peakchao.com
[Sat Mar  9 15:19:42 CST 2019] Creating domain key
[Sat Mar  9 15:19:43 CST 2019] The domain key is here: /usr/local/nginx/conf/ssl/*.peakchao.com/*.peakchao.com.key
[Sat Mar  9 15:19:43 CST 2019] Single domain='*.peakchao.com'
[Sat Mar  9 15:19:43 CST 2019] Getting domain auth token for each domain
[Sat Mar  9 15:19:46 CST 2019] Getting webroot for domain='*.peakchao.com'
[Sat Mar  9 15:19:46 CST 2019] Found domain api file: /usr/local/acme.sh/dnsapi/dns_ali.sh
[Sat Mar  9 15:19:49 CST 2019] Let's check each dns records now. Sleep 20 seconds first.
[Sat Mar  9 15:20:10 CST 2019] Checking peakchao.com for _acme-challenge.peakchao.com
[Sat Mar  9 15:20:11 CST 2019] Domain peakchao.com '_acme-challenge.peakchao.com' success.
[Sat Mar  9 15:20:11 CST 2019] All success, let's return
[Sat Mar  9 15:20:11 CST 2019] Verifying: *.peakchao.com
[Sat Mar  9 15:20:15 CST 2019] Success
[Sat Mar  9 15:20:15 CST 2019] Removing DNS records.
[Sat Mar  9 15:20:19 CST 2019] Verify finished, start to sign.
[Sat Mar  9 15:20:19 CST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/48893963/348010849
[Sat Mar  9 15:20:21 CST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/0325e2883ade3b454bcf95c37c112b884689
[Sat Mar  9 15:20:23 CST 2019] Cert success.
[Sat Mar  9 15:20:23 CST 2019] Your cert is in  /usr/local/nginx/conf/ssl/*.peakchao.com/*.peakchao.com.cer 
[Sat Mar  9 15:20:23 CST 2019] Your cert key is in  /usr/local/nginx/conf/ssl/*.peakchao.com/*.peakchao.com.key 
[Sat Mar  9 15:20:23 CST 2019] The intermediate CA cert is in  /usr/local/nginx/conf/ssl/*.peakchao.com/ca.cer 
[Sat Mar  9 15:20:23 CST 2019] And the full chain certs is there:  /usr/local/nginx/conf/ssl/*.peakchao.com/fullchain.cer
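As an added example (not from the post, and not part of acme.sh), the wrapper below replaces the fixed every-three-months cron line with an expiry-driven check and reloads nginx only when the certificate file actually changed. It assumes openssl, GNU date and the certificate paths acme.sh printed above; the script name renew-check.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post or from acme.sh itself.
# Renew only when the certificate is within RENEW_DAYS of expiry, then
# reload nginx only if the deployed certificate really changed.
# Paths follow the post's acme.sh layout; openssl and GNU date are assumed.
CERT_DIR='/usr/local/nginx/conf/ssl/*.peakchao.com'
CERT="$CERT_DIR/fullchain.cer"
RENEW_DAYS=30   # Let's Encrypt certs live 90 days; renew with 30 days left

# days_left NOT_AFTER_EPOCH NOW_EPOCH: whole days until expiry (negative once expired)
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# should_renew DAYS_LEFT THRESHOLD: succeeds when renewal is due
should_renew() {
    [ "$1" -le "$2" ]
}

# cert_not_after CERT_FILE: the notAfter field as epoch seconds (needs GNU date -d)
cert_not_after() {
    end=$(openssl x509 -noout -enddate -in "$1") || return 1
    date -d "${end#notAfter=}" +%s
}

# fingerprint CERT_FILE: SHA-256 fingerprint, used to detect a changed certificate
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

main() {
    not_after=$(cert_not_after "$CERT") || { echo "cannot read $CERT" >&2; return 1; }
    left=$(days_left "$not_after" "$(date +%s)")
    if ! should_renew "$left" "$RENEW_DAYS"; then
        echo "certificate valid for $left more days, nothing to do"
        return 0
    fi
    before=$(fingerprint "$CERT")
    acme.sh --renew -d '*.peakchao.com' --force || return 1
    after=$(fingerprint "$CERT")
    if [ "$before" != "$after" ]; then
        # Test the config first so a bad nginx edit cannot take the site down.
        nginx -t && nginx -s reload
    fi
}

# Run main only when executed as renew-check.sh (placeholder name), not when sourced.
case "${0##*/}" in renew-check.sh) main "$@" ;; esac
```

Install it as a daily cron job in place of the forced three-monthly line; on most days it exits after the expiry check without touching acme.sh or nginx.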

2. Automatic renewal with lnmp:

#Fill in your real key & secret
export Ali_Key="4xvxbCThnjerg955"
export Ali_Secret="fwyhkkp0"
#After running this command, configure it as shown in the figure below
lnmp dnsssl ali
# or: lnmp dns ali
#Finally, do not forget to update the nginx configuration and restart nginx

3. Using certbot-auto

This is the officially recommended method: a few shell commands get the job done in the simplest and most convenient way. The steps are as follows:

Visit the certbot website at https://certbot.eff.org/

On the home page choose your web server and operating system, and the matching instructions will be displayed. Follow them step by step and, barring surprises, you will be done.

Note: if the server already has an HTTPS service running, stop it first. certbot-auto uses port 443 during validation.

#Download certbot-auto
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
#Run the automatic setup. This command tries to configure nginx for you; alternatively, use the next command to only obtain a certificate suitable for nginx and then configure nginx by hand
./certbot-auto --nginx
#Only obtain a certificate suitable for nginx
./certbot-auto --nginx certonly
#Once issued, check the certificate status
./certbot-auto certificates
#Test automatic renewal
./certbot-auto renew --dry-run
#Perform the renewal
service nginx stop
./certbot-auto renew
service nginx start
#Check the certificate status
./certbot-auto certificates