用ACME自动续签证书实践

目录

官网:https://github.com/acmesh-official/acme.sh#7-automatic-dns-api-integration

1. 普通方式

1.1 申请证书

1.2 部署证书

2. Docker LEMP 方式

-- 定义docker-compose.yml节

-- 站点虚拟机conf

-- 命令行

-- 设置cron每月自动重启nginx

- 参考


官网:
https://github.com/acmesh-official/acme.sh#7-automatic-dns-api-integration

环境: LEMP

说明: 让域名证书自动续签, 普通方式与Docker方式

1. 普通方式

安装:

# Installs acme.sh. Note that `sudo` applies only to wget (the download); the
# installer piped into `sh` runs as the current user, and so does the cron job
# it registers (see `crontab -l` below). Piping a remote script straight into a
# shell runs it unreviewed — saving it to a file first lets you read it before
# executing it.
sudo wget -O -  https://get.acme.sh | sh

安装完成后, 用 crontab -l 可以看到安装脚本已自动添加了一个 cronjob, 用于定时检查证书过期情况并自动续签

1.1 申请证书

法一: HTTP文件认证方式

- 做好域名指向,设置好 www.xxx.com.conf 里面的路径

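server {
        listen       80;
        listen       [::]:80;
        # Do not add `listen 443 ssl;` at this stage: no certificate exists yet
        # (it is issued by the acme.sh command below), and nginx rejects a
        # `listen ... ssl` that has no ssl_certificate unless one is inherited
        # from the http{} block. The conf in 1.2 adds 443 once the cert is
        # installed.
        server_name  www.xxx.com;
        
        set $host_path "/data0/Projects/PP/www.xxx.com";

        access_log   /data0/Server/Logs/www.xxx.com.log main;
        error_log    /data0/Server/Logs/www.xxx.com.error.log;
        
        charset utf-8;
        
        root   $host_path;
        index  index.php index.html index.htm;
        
        # Let's Encrypt http-01 file verification: acme.sh writes the token
        # under <webroot>/.well-known/acme-challenge/, so this alias must point
        # at the same directory that is passed to `acme.sh --issue -w`.
        # `try_files $uri =404` returns 404 for anything that is not a token file.
        location /.well-known/acme-challenge/ {
            #alias       /usr/share/nginx/html/;
            alias       /data0/Projects/PP/www.xxx.com/.well-known/acme-challenge/;
            try_files   $uri =404;
        }
        
        location ~ \.php$ {
            # =404 avoids handing non-existent scripts to PHP-FPM.
            try_files $uri =404;
            #fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
     
        #include agent_deny.def;
}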

- 申请

# Issue via the webroot (http-01) method: acme.sh writes the challenge token
# under {website path}/.well-known/acme-challenge/, so {website path} must be
# the directory the vhost above serves for that location and must be writable
# by the user running acme.sh.
acme.sh --issue --server letsencrypt -d {domain} -w {website path}

法二: DNS验证方式:

- 申请 (namecheap 域名服务商)

  # Namecheap DNS API credentials for the dns-01 method. NAMECHEAP_SOURCEIP is
  # the public IP allow-listed in Namecheap's API settings. Type these into the
  # shell rather than keeping them in a script; acme.sh presumably saves them in
  # its own config after the first successful issue (check ~/.acme.sh/account.conf),
  # so they should not be needed again for renewals. Exported values are visible
  # to every child process of this shell and may land in shell history.
  export NAMECHEAP_USERNAME="name"
  export NAMECHEAP_API_KEY="key"
  export NAMECHEAP_SOURCEIP="white list ip"
  
  acme.sh --issue --dns dns_namecheap -d www.xxx.com

1.2 部署证书

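# Copy the issued certificate to the paths nginx reads (acme.sh keeps its own
# copy and repeats this install step on renewal). Adding
# `--reloadcmd "<your nginx reload command>"` here makes acme.sh reload nginx
# right after each renewal, instead of relying on a separate cron job.
acme.sh --install-cert -d {domain} \
  --key-file       /data0/Server/Auths/certs/{domain}/the.key  \
  --fullchain-file /data0/Server/Auths/certs/{domain}/fullchain.crt

# The chain is public, but the private key must not be world-readable: a
# recursive 644 would expose the.key to every local account. nginx loads the
# key in its master process (root on a typical install); if your master runs
# as another user, chown the key to that user rather than widening the mode.
chmod 644 /data0/Server/Auths/certs/{domain}/fullchain.crt
chmod 600 /data0/Server/Auths/certs/{domain}/the.key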

- 修改 www.xxx.com.conf

server {
        listen       80;
        listen       443 ssl;
        # IPv6 is bound for port 80 only; HTTPS over IPv6 would also need
        # `listen [::]:443 ssl;`.
        listen       [::]:80;
        server_name  www.xxx.com;

        # Same paths as --key-file / --fullchain-file in the --install-cert
        # step. nginx reads both only at start/reload, so a renewed certificate
        # is not used until nginx is reloaded.
        ssl_certificate /data0/Server/Auths/certs/{domain}/fullchain.crt;
        ssl_certificate_key /data0/Server/Auths/certs/{domain}/the.key;
        
        # NOTE(review): there is no explicit /.well-known/acme-challenge/
        # location any more, so renewal challenges are served from `root`.
        # Renewal presumably reuses the -w webroot recorded at issue time, which
        # must therefore equal $host_path — note this path differs from the 1.1
        # example (/data0/Projects/PP/www.xxx.com); confirm before relying on it.
        set $host_path "/data0/Projects/BD/xxx";

        access_log   /data0/Server/Logs/xxx.log main;
        error_log    /data0/Server/Logs/xxx.error.log;
        
        charset utf-8;
        
        root   $host_path;
        index  index.php index.html index.htm;
        
        location ~ \.php$ {
            # =404 avoids handing non-existent scripts to PHP-FPM.
            try_files $uri =404;
            #fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
     
        #include agent_deny.def;
}

- 重启nginx, OK

2. Docker LEMP 方式

-- 定义docker-compose.yml节

version: '3'
services:
    # acme.sh runs as a long-lived daemon that renews on its own schedule. The
    # certificates it installs are written under /data0 (mounted below), which
    # the nginx service sees as /var/server-auths.
    acme:
        image: neilpang/acme.sh
        # Container names derive from APP_NAME; the commands further down use
        # om-acme / om-nginx, i.e. they assume APP_NAME=om.
        container_name: ${APP_NAME:?err}-acme
        volumes:
            - "./acme.sh:/acme.sh:z"
            # The whole /data0 tree is mounted read-write; the container only
            # needs the webroot(s) it validates and the certs directory.
            - "/data0:/data0"
        environment:
            # Cloudflare DNS API credentials, used only with the dns_cf hook.
            # The commands below issue via webroot (-w), so these can be left
            # out entirely. If you do use them: CF_Key is the account-wide global
            # API key — keep it out of this file (pass it from the shell with a
            # valueless `- CF_Key` entry or via env_file) and prefer a scoped
            # API token where the hook supports one.
            - CF_Key=""
            - CF_Email=""
        command: daemon
    nginx:
        #image: nginx:latest
        container_name: ${APP_NAME:?err}-nginx
        restart: always
        build:
            dockerfile: nginx.Dockerfile
            context: ./docker
        ports:
            - '80:80'
            - '443:443'
        # `links` is a legacy option; depends_on already covers start order.
        links:
            - 'php'
        depends_on:
            - php
        volumes:
            - '/data0/Server/Settings/nginx:/etc/nginx'
            - '/data0/Server/Logs/nginx:/var/log/nginx'
            - '/data0/Server/Tools:/var/server-tools'
            # /var/www/html is /data0/Projects on the host — the -w path given
            # to acme.sh must be the host path of the vhost's root.
            - '/data0/Projects:/var/www/html'
            # Certificates installed by the acme container are read from here.
            - '/data0/Server/Auths:/var/server-auths'

-- 站点虚拟机conf

server {
        listen       80;
        listen       443 ssl;
        listen       [::]:80;
        # $server_name (used in the ssl_* paths below) expands to the first
        # name listed here, xxx.com.
        server_name  xxx.com www.xxx.com;
        
        # Redirects every request not arriving on 443 to HTTPS, including
        # /.well-known/acme-challenge/. Let's Encrypt follows redirects during
        # http-01 validation, so issuing still works, but a server-level `if`
        # with rewrite is fragile; the conventional form is a separate port-80
        # server with `return 301 https://$host$request_uri;` that leaves the
        # challenge location un-redirected.
        if ($server_port !~ 443){
            rewrite ^(/.*)$ https://$host$1 permanent;
        }
        
        # /var/server-auths is /data0/Server/Auths on the host (nginx volumes in
        # docker-compose.yml), so these resolve to
        # /data0/Server/Auths/certs/xxx.com/ — the {domain} used with --issue and
        # --install-cert below must be xxx.com for the paths to line up.
        # NOTE(review): on the very first issue these files do not exist yet and
        # nginx will refuse to start with them configured; issue first with a
        # port-80-only server block. Variables in ssl_certificate are supported
        # only by newer nginx releases — confirm the version nginx.Dockerfile builds.
        ssl_certificate /var/server-auths/certs/$server_name/fullchain.crt;
        ssl_certificate_key /var/server-auths/certs/$server_name/the.key;
        
        # Container path; on the host this is /data0/Projects/Eshops/xxx.com/src/web,
        # which is what -w must point at.
        set $host_path "/var/www/html/Eshops/xxx.com/src/web";

        access_log   /var/log/nginx/www.xxx.com.log main;
        error_log    /var/log/nginx/www.xxx.com.error.log;
        
        charset utf-8;
        
        root   $host_path;
        index  index.php index.html index.htm;
        
        # Let's Encrypt http-01 file verification; the alias follows $host_path,
        # so it stays in sync with root.
        location /.well-known/acme-challenge/ {
            alias       $host_path/.well-known/acme-challenge/;
            try_files   $uri =404;
        }
        
        #location / {
        #    
        #    try_files $uri $uri/ /index.php$is_args$args;
        #}
        
        # (remainder of the vhost omitted in the original)
        ...
}

-- 命令行

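# These commands assume APP_NAME=om, so the containers are om-acme and om-nginx.
# The image's entrypoint appears to be acme.sh itself, so the arguments after
# the container name go straight to it.

# First run only: register the ACME account with a contact e-mail.
docker exec om-acme --register-account -m {your mail}

# Directory where the deployed certificate is kept (inside the /data0 mount the
# nginx container sees as /var/server-auths).
mkdir /data0/Server/Auths/certs/{domain}

# Issue via webroot (http-01). The -w path is the HOST path of the directory
# nginx serves as root for this vhost; if it differs, the challenge file is
# not reachable. --set-default-ca is a separate acme.sh command; if it is not
# honoured when combined with --issue, run
# `docker exec om-acme --set-default-ca --server letsencrypt` once on its own.
docker exec om-acme --set-default-ca --server letsencrypt --issue -d {domain} -w /data0/Projects/BD/oym001/staging/src/mobile

# Deploy the certificate; the paths correspond to the volumes in
# docker-compose.yml (/data0/Server/Auths is /var/server-auths inside nginx).
docker exec om-acme --install-cert -d {domain} --key-file /data0/Server/Auths/certs/{domain}/the.key --fullchain-file /data0/Server/Auths/certs/{domain}/fullchain.crt

# Hand the files to the nginx user, then make sure the private key is readable
# by that user only (the chain is public and may stay readable by others).
chown www-data:www-data /data0/Server/Auths/certs/{domain} -Rf
chmod 600 /data0/Server/Auths/certs/{domain}/the.key

# Restart nginx so it loads the new certificate.
docker-compose restart nginx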

-- 设置cron每月自动重启nginx

# Certificates expire every three months; after acme.sh renews one, nginx only
# uses it after a restart/reload, hence a scheduled restart.
# Add with: crontab -e
# NOTE(review): `docker restart` drops live connections for a moment; a reload
# (`docker exec om-nginx nginx -s reload`) re-reads the certificate without
# downtime. acme.sh can also run the reload right after each renewal via
# --reloadcmd on --install-cert, avoiding the up-to-one-month lag of a monthly
# job. All output is discarded here, so a failed restart goes unnoticed.

0 3 1 * * /usr/bin/docker restart om-nginx > /dev/null 2>&1

- 参考

  • https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E
  • Docker Hub
