免费SSL申请和自动更新

当前是在mac下操作

安装certbot

# mac下brew安装即可
brew install certbot

  • centos 安装
    centos安装文档

申请泛解析证书

sudo certbot certonly --manual --preferred-challenges=dns -d  '*.yourdomain.com'

## 输出
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.yourdomain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_asdfase.yourdomain.com.

with the following value:
## TXT解析值
有朋自远发来 不亦乐乎

## 此处提示注意验证是否已经在域名服务商配置了TXT解析
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/txt.yourdomain.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Press Enter to Continue

## 如果多次验证失败 可能有技能冷却时间 文档说是1小时

An unexpected error occurred:
Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/youdomain.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/yourdomain.com/privkey.pem
This certificate expires on 2024-04-22.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


验证证书是否有效

免费SSL申请和自动更新_第1张图片

查看证书

sudo certbot certificates

## 输出

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: yourdomain.como
    Serial Number: asdfasfasfasdfas
    Key Type: ECDSA
    Domains: *.yourdomain.com
    Expiry Date: 2024-04-22 09:45:32+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/yourdomain.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

默认3个月有效期

设置自动续期脚本

echo "0 0,12 * * * root $(command -v python3) -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo $(command -v certbot) renew - q”| sudo tee -a /etc/crontab > /dev/null

  • 命令比较简单 用chatgpt做下命令拆解注释

      这是一个shell命令,用于在Linux系统中将Certbot自动续订证书的命令添加到crontab中。
    
      具体分析如下:
      
      echo命令用于输出内容到标准输出。
      0 0,12 * * *部分是cron时间格式,指定了脚本运行的频率。这里表示在每天的0点和12点运行。
      
      root表示以root用户身份运行脚本。
      
      $(command -v python3)是用于获取Python3可执行文件的路径,并将其插入命令中。
      
      -c 'import random; import time; time.sleep(random.random() * 3600)'是通过Python代码实现延迟执行。这段代码会通过import random导入random模块,然后使用import time; time.sleep(random.random() * 3600)来随机延时一定时间,以避免多个服务器同时请求续订证书。
      
      sudo $(command -v certbot) renew -q是用于以root用户身份运行certbot的续订命令。-q参数表示以静默模式运行,输出更少的信息。
      
      sudo tee -a /etc/crontab > /dev/null用于将前面的命令的输出追加到/etc/crontab文件中,并将标准输出重定向到/dev/null来忽略输出。这样,命令的输出信息将不会显示在终端上。
      
      整个命令使用管道符(|)将输出传递给sudo tee命令,并将其添加到/etc/crontab文件中。
      
      
      通过执行这个命令,会将自动续订Certbot证书的任务添加到cron作业中,以在每天的0点和12点执行。这样就能够自动续订证书,确保证书在到期前得到更新。
    
  • 参考博客

https://ganzhixiong.com/p/95b00866/
letsencrypt官网

你可能感兴趣的:(ssl,网络协议,网络)