I currently have my Pi-hole set up to request an SSL certificate from ZeroSSL with acme.sh, and that part works fine.
I then have to merge the certificate and key files into one file and restart the lighttpd server from the CLI.
My crontab -l is listed below:
47 3 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
59 3 * * 6 /bin/bash cat pi-hole01.na.com.key pi-hole01.na.com.cer > pi-hole01.na.com.pem
15 4 * * 6 systemctl restart lighttpd
Is there a more reliable way to refresh the pem and restart the service?
Answer 1
After some research and discussion, and after dealing with a different but similar problem, I came across an explanation that needed a few tweaks to solve the problem I had.
My solution for this is simple: find a script that reads the certificate's hash, and then update it if the test returns 1 instead of 0.
Further notes: SSL validation is done through Cloudflare, originally using these instructions, which are for Unifi. The instructions can be used for the actual renewal. https://www.markuszehnle.com/2018/07/02/secure-ubiquiti-unifi-controller-cloudkey-with-an-lets-encrypt-certificate/
#!/bin/sh
HOST="sub.root.tld"
ACMEHOME=/root/.acme.sh
CERTDIR=${ACMEHOME}/${HOST}
CERTPASS="somepasswordifyouneedpkcs12" # For this use case I needed PKCS12
DESTDIR="/etc/sslcerts" # The location where your cert should reside after being encrypted.
PKFXFILE="plex-certificate.pkfx" # The name of the file as a packed cert
# Below is the logic as run under Debian, but I am sure regular distros should read it similarly.
TMPFILE=$(mktemp)
# Record the hash of the current certificate before asking acme.sh to renew.
md5sum "${CERTDIR}/${HOST}.cer" > "${TMPFILE}"
"${ACMEHOME}/acme.sh" --cron --home "${ACMEHOME}"
# md5sum -c exits 0 when the certificate still matches the recorded hash, 1 when it changed.
if md5sum -c --status "${TMPFILE}"
then
    # nothing has changed
    rm -f "${TMPFILE}"
    exit 0
else
    # something changed! Quick, update the cert!
    openssl pkcs12 -export -out "${DESTDIR}/${PKFXFILE}" -inkey "${CERTDIR}/${HOST}.key" -in "${CERTDIR}/${HOST}.cer" -certfile "${CERTDIR}/fullchain.cer" -passout "pass:${CERTPASS}"
    chmod 640 "${DESTDIR}/${PKFXFILE}" # contains the private key: owner and group only, no world read
    chown plex:plex "${DESTDIR}/${PKFXFILE}"
    rm -f "${TMPFILE}"
fi
# Uncomment to restart Plex as needed.
#systemctl restart plexmediaserver
Vincent Danen is the original author of the BSD script I copied. https://annvix.com/blog/using-letsencrypt-with-plex
With further digging and continued explanation, the script can be modified to add pem support, as follows:
#!/bin/sh
HOST="sub.root.tld"
ACMEHOME=/root/.acme.sh
CERTDIR=${ACMEHOME}/${HOST}
#DESTDIR="/etc/sslcerts" # The location where your cert should reside after being merged, if you so choose.
MRGFILE="merged-certificate.pem" # Name of your file including the extension: pem
# Below is the logic as run under Debian, but I am sure regular distros should read it similarly.
TMPFILE=$(mktemp)
# Record the hash of the current certificate before asking acme.sh to renew.
md5sum "${CERTDIR}/${HOST}.cer" > "${TMPFILE}"
"${ACMEHOME}/acme.sh" --cron --home "${ACMEHOME}"
# md5sum -c exits 0 when the certificate still matches the recorded hash, 1 when it changed,
# so a zero status means there is nothing to do.
if md5sum -c --status "${TMPFILE}"; then
    # nothing has changed
    rm -f "${TMPFILE}"
    exit 0
else
    # something changed! Quick, update the cert!
    cat "${CERTDIR}/${HOST}.cer" "${CERTDIR}/${HOST}.key" > "${CERTDIR}/${MRGFILE}"
    chmod 600 "${CERTDIR}/${MRGFILE}" # contains the private key; lighttpd reads it as root at startup
    rm -f "${TMPFILE}"
    # Restart the desired service; the service name is at the end.
    systemctl restart lighttpd
fi
In your root crontab it should be called like this:
47 3 * * * /root/namedscripthere.sh > /dev/null
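An added example (editor's code, not from the answer above or from acme.sh) that applies the same hash-then-rebuild idea to the asker's lighttpd setup, with three changes a practitioner would want: it keeps the last hash in a state file instead of a temp file, looks in acme.sh's `_ecc` directory (where recent acme.sh versions store ECC certificates by default), and writes key plus full chain atomically with private-key permissions. The state file path, the `--run` flag and the `example.test` sample domain are my own choices.

```shell
#!/bin/sh
# Added example: rebuild lighttpd's merged PEM only when acme.sh issued a new
# certificate, then restart the service. Assumes acme.sh lives in /root/.acme.sh
# and that HOST is the certificate's main domain; STATEFILE and DEST are our own
# (hypothetical) locations, not acme.sh artifacts.
HOST="${HOST:-pi-hole01.na.com}"
ACMEHOME="${ACMEHOME:-/root/.acme.sh}"
STATEFILE="${STATEFILE:-/var/lib/lighttpd-cert.sha256}"
DEST="${DEST:-/etc/lighttpd/${HOST}.pem}"

# acme.sh keeps RSA certs in <home>/<host> and ECC certs in <home>/<host>_ecc.
cert_dir() {
    if [ -d "$1/$2_ecc" ]; then printf '%s\n' "$1/$2_ecc"; else printf '%s\n' "$1/$2"; fi
}

# Returns 0 when a new PEM was written (caller should restart), 1 when unchanged.
# $1=cert dir  $2=host  $3=state file holding the last hash  $4=destination PEM
build_pem_if_changed() {
    dir=$1; host=$2; state=$3; dest=$4
    new=$(sha256sum "$dir/$host.cer" | cut -d' ' -f1)
    old=$(cat "$state" 2>/dev/null || true)
    if [ "$new" = "$old" ]; then
        return 1
    fi
    # Write key + full chain to a temp file created with private-key permissions,
    # then move it into place so lighttpd never sees a half-written file.
    tmp=$(mktemp "$dest.XXXXXX")
    chmod 600 "$tmp"
    cat "$dir/$host.key" "$dir/fullchain.cer" > "$tmp"
    mv "$tmp" "$dest"
    printf '%s\n' "$new" > "$state"
    return 0
}

# Cron entry: 47 3 * * * /root/lighttpd-cert-hook.sh --run > /dev/null
if [ "${1:-}" = "--run" ]; then
    "$ACMEHOME/acme.sh" --cron --home "$ACMEHOME" > /dev/null
    if build_pem_if_changed "$(cert_dir "$ACMEHOME" "$HOST")" "$HOST" "$STATEFILE" "$DEST"; then
        systemctl restart lighttpd
    fi
fi
```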