Requesting a certificate with certbot and renewing it automatically

To request an SSL certificate with certbot, the certificate can be issued using certbot's webroot method:

First, map your domain name to an IP address, for example 1h.ossrs.net to your own server x.x.x.x.

Create the directory /usr/local/letsencrypt/.well-known/acme-challenge/, so that the file certbot creates automatically can be reached over HTTP.

Then run the following command (see the reference here):

certbot certonly --webroot \
  -w /usr/local/letsencrypt/ -d 1h.ossrs.net \
  --register-unsafely-without-email \
  --agree-tos \
  --preferred-challenges http

Note: the -w path must not include the automatically created directory .well-known/acme-challenge/.

Note: --register-unsafely-without-email skips the email address and requests a certificate without one; not as safe, but good enough.

Note: --agree-tos agrees to the terms of service.

Note: -q or --quiet is quiet mode, with no interactive input.

Note: --preferred-challenges http uses HTTP validation instead of DNS validation.

This command does two things in order to prove that the domain is ours:

  • Write a temporary file into the webroot directory.
  • Request an SSL certificate from letsencrypt, which validates the temporary file under the webroot.

For example, the file written is:

[root@VM-0-7-centos mgmt]# tree -a letsencrypt/.well-known/acme-challenge/
letsencrypt/.well-known/acme-challenge/
├── .gitkeep
└── .well-known
    └── acme-challenge
        └── aqUI1_zmhXKaCmMhKKgyAvY-L_MjzZ7G98DK1e6fvFQ

It will validate this HTTP address:

   Domain: lh.ossrs.net
   http://lh.ossrs.net/.well-known/acme-challenge/aqUI1_zmhXKaCmMhKKgyAvY-L_MjzZ7G98DK1e6fvFQ

Note: the directory must not already exist, otherwise a nested subdirectory will be created:

2022-02-02 21:47:30,690:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /usr/local/lighthouse/softwares/srs-terraform/mgmt/letsencrypt/.well-known/acme-challenge/.well-known/acme-challenge/vZcxgngJ6q_vOslFiUkkd3lFPu6dlvQRaEJfIM9CUXs
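A pre-flight check for the webroot layout described above, as an added shell example (not from the original post): it flags a -w path that already ends in .well-known/acme-challenge (the nesting shown in the DEBUG line), prints the path and URL the http-01 challenge will use, and confirms the challenge directory is writable. The domain, token and directory values are placeholders.

```shell
#!/bin/sh
# Added example: sanity-check a certbot webroot before running
# "certbot certonly --webroot -w WEBROOT -d DOMAIN".

# Strip trailing slashes so "/a/b/" and "/a/b" compare equal.
norm_path() {
  printf '%s' "$1" | sed 's:/*$::'
}

# Return 0 when the -w path wrongly ends in .well-known/acme-challenge.
# certbot appends .well-known/acme-challenge itself, so such a path
# produces the nested directory seen in the DEBUG log line.
webroot_is_nested() {
  case "$(norm_path "$1")" in
    */.well-known/acme-challenge) return 0 ;;
    *) return 1 ;;
  esac
}

# Directory where certbot writes the token file for a given -w path.
challenge_dir() {
  printf '%s/.well-known/acme-challenge\n' "$(norm_path "$1")"
}

# URL the Let's Encrypt validator fetches for the http-01 challenge.
challenge_url() {
  printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Pre-flight: reject a nested webroot, then create the challenge
# directory and drop/remove a probe file to prove it is writable.
preflight() {
  webroot="$1"
  if webroot_is_nested "$webroot"; then
    echo "error: pass the webroot itself, not .well-known/acme-challenge" >&2
    return 1
  fi
  dir="$(challenge_dir "$webroot")"
  mkdir -p "$dir" || return 1
  probe="$dir/.certbot-probe-$$"
  : > "$probe" || return 1
  rm -f "$probe"
  echo "ok: challenge files will be written to $dir"
}

# Usage (placeholder values):
#   preflight /usr/local/letsencrypt && \
#     certbot certonly --webroot -w /usr/local/letsencrypt -d example.test
```

Serve the printed challenge directory at /.well-known/acme-challenge/ on the domain before running certbot; the validator fetches exactly the URL that challenge_url prints.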

On success, it prints:

[root@VM-0-7-centos mgmt]# certbot certonly --webroot -w /usr/local/letsencrypt/ -d cvm.ossrs.net --register-unsafely-without-email --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for cvm.ossrs.net
Performing the following challenges:
http-01 challenge for cvm.ossrs.net
Using the webroot path /usr/local/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cvm.ossrs.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cvm.ossrs.net/privkey.pem
   Your certificate will expire on 2022-05-03. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Certificate files:

  • Private key: /etc/letsencrypt/live/lh.ossrs.net/privkey.pem
  • Certificate: /etc/letsencrypt/live/cvm.ossrs.net/cert.pem

You only need to run the renewal command on a schedule; it checks the certificate's expiry time and renews it during the last 30 days:

certbot renew -q

After the certificate is renewed, nginx needs to be reloaded:

certbot renew --post-hook 'systemctl reload nginx.service'

Force renewal of the certificate:

certbot renew --post-hook 'systemctl reload nginx.service' --force-renewal

Delete the certificate:

certbot delete --cert-name lh.ossrs.net -q


References:

HTTPS: Support automatic HTTPS with let'sencrypt · Issue #2864 · ossrs/srs · GitHub

certbot official documentation

User Guide — Certbot 2.1.1 documentation
