如果我运行certbot renew --dry-run
并且不对 Nginx 配置进行进一步更改,是否可以保证certbot renew
90 天后成功?换句话说,结果可能是误报吗?
如果是这样,我是否应该去做certbot renew --force-renewal
一次彻底的检查?
答案1
当然,如果它能满足您的需求,您可以使用它--force-renewal
。但您不能每天都运行它。该--dry-run
选项正是出于测试的目的。
看这里:https://certbot.eff.org/docs/using.html#certbot-command-line-options:
--dry-run Perform a test run of the client, obtaining test
(invalid) certificates but not saving them to disk.
This can currently only be used with the 'certonly'
and 'renew' subcommands. Note: Although --dry-run
tries to avoid making any persistent changes on a
system, it is not completely side-effect free: if used
with webserver authenticator plugins like apache and
nginx, it makes and then reverts temporary config
changes in order to obtain test certificates, and
reloads webservers to deploy and then roll back those
changes. It also calls --pre-hook and --post-hook
commands if they are defined because they may be
necessary to accurately simulate renewal. --deploy-
hook commands are not called. (default: False)
此选项是测试您的配置并确保一切配置正确,但它有一些副作用。
对于更新,您可以安全地renew
通过 cron 定期使用该选项:
renew:
The 'renew' subcommand will attempt to renew all certificates (or more
precisely, certificate lineages) you have previously obtained if they are
close to expiry, and print a summary of the results. By default, 'renew'
will reuse the options used to create obtain or most recently successfully
renew each certificate lineage. You can try it with `--dry-run` first. For
more fine-grained control, you can renew individual lineages with the
`certonly` subcommand. Hooks are available to run commands before and
after renewal; see https://certbot.eff.org/docs/using.html#renewal for
more information on these.
这将定期运行更新过程,但只会更新证书即将到期或需要更换时,请更换证书。
自动更新证书并不是正确的选择--force-renewal
,而应该手动更新:
如果您手动更新所有证书,--force-renewal 标志可能会有所帮助;它会在考虑更新时忽略证书的到期时间,并尝试更新每个已安装的证书,而不管其年龄多大。(此形式不适合每天运行,因为每个证书每天都会更新,这很快就会达到证书颁发机构的速率限制。)
至于保证,它是一款免费开源软件,我想没人会为你提供任何保证。因此,使用它需要您自担风险。