How to make Let's Encrypt SSL certificates auto-renew on Ubuntu


How can I get my site's certificate to renew automatically every time, so I don't have to renew it by hand, or does it already renew automatically?

ssl_certificate /etc/letsencrypt/live/www.site.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.site.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot

ssl_trusted_certificate /etc/letsencrypt/live/www.site.com/chain.pem; # managed by Certbot
ssl_stapling on; # managed by Certbot
ssl_stapling_verify on; # managed by Certbot

I have Ubuntu and nginx, and I am using Let's Encrypt.

Edit: as Gerald Schneider suggested, certbot installed on Ubuntu auto-renews by default. How can I check that?

root@ubuntu-s-1vcpu-1gb-amd-sfo3-01:~# certbot -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: site.com
2: www.site.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

Answer 1

If you install certbot as a regular package on Ubuntu, there is nothing to do: a systemd timer is installed automatically.

$ sudo apt install certbot python3-certbot-nginx
$ dpkg -L certbot |grep systemd
/lib/systemd/system/certbot.service
/lib/systemd/system/certbot.timer
$ cat /lib/systemd/system/certbot.timer
[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target

When you obtain the certificate with the --nginx argument, certbot knows that nginx has to be reloaded after a renewal and does that automatically.
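To answer the "how can I check?" part without guessing, here is an added example (not from the answer above) that verifies the three things the answer relies on: the timer's schedule, that the timer is enabled and running, and that each certificate's renewal config records the nginx installer, which is what makes `certbot renew` reload nginx. It assumes the Ubuntu/Debian package layout shown above (the timer under /lib/systemd/system and per-certificate configs under /etc/letsencrypt/renewal/); the `--live` flag and function names are this example's own.

```shell
#!/bin/sh
# Added example: verify that packaged certbot auto-renewal is actually wired up.
# Assumes the Ubuntu/Debian layout: /lib/systemd/system/certbot.timer and
# /etc/letsencrypt/renewal/<name>.conf.

# Print the schedule lines from a systemd timer unit file.
# Usage: timer_schedule /lib/systemd/system/certbot.timer
timer_schedule() {
    grep -E '^(OnCalendar|RandomizedDelaySec|Persistent)=' "$1"
}

# Print the installer plugin recorded in one certificate's renewal config.
# certbot only reloads nginx on renewal when this says "nginx" (the cert was
# obtained with --nginx). A cert obtained with --webroot or --standalone has
# no installer line, prints nothing here, and needs a --deploy-hook instead.
# Usage: renewal_installer /etc/letsencrypt/renewal/www.site.com.conf
renewal_installer() {
    sed -n 's/^installer *= *\([A-Za-z0-9_-]*\).*/\1/p' "$1"
}

# Live check: is the timer enabled, active and scheduled to fire?
check_timer() {
    systemctl is-enabled --quiet certbot.timer || { echo "certbot.timer is not enabled"; return 1; }
    systemctl is-active  --quiet certbot.timer || { echo "certbot.timer is not active";  return 1; }
    systemctl list-timers certbot.timer --no-pager
}

# Live check: run the renewal exactly as the timer would, but against the
# staging environment, so a broken webroot, DNS name or nginx config shows up
# now rather than at expiry time. Does not consume production rate limits.
dry_run_renewal() {
    certbot renew --dry-run
}

# Run all checks when invoked as a script with --live (hypothetical flag).
if [ "${1:-}" = "--live" ]; then
    timer_schedule /lib/systemd/system/certbot.timer
    for conf in /etc/letsencrypt/renewal/*.conf; do
        [ -f "$conf" ] || continue
        printf '%s: installer=%s\n' "$conf" "$(renewal_installer "$conf")"
    done
    check_timer && dry_run_renewal
fi
```

The dry run is the check worth running right after installing: it exercises the same authenticator and installer the timer will use, so a certificate that was originally issued with `--webroot` and never had a deploy hook added is caught before it silently stops being reloaded into nginx.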

Answer 2

/etc/cron.daily/certbot

#!/bin/sh
# Daily renewal attempt; certbot only actually renews certificates that are
# close to expiry. --renew-hook is the older name for --deploy-hook: the
# reload command runs only when a certificate was actually renewed.
/usr/local/bin/certbot renew --renew-hook "systemctl reload nginx"

(or apache2 instead of nginx)

But I would still recommend keeping an eye on the certificates, since renewal can sometimes fail (because cron fails, or someone changes the site's document root, adds a rewrite rule, or some DNS name stops working). I'd suggest showcert for this:

sudo showcert -q :le -w20 || echo panic

(send yourself mail or raise any other alert when some certificate is about to expire)

Disclaimer: showcert is my hobby project.
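As an added example that is not part of the answer above, here is a dependency-free version of the same alert that needs only openssl: it walks the certificates certbot manages and exits non-zero when any of them expires within a window (default 20 days, matching the `-w20` above). It assumes the standard /etc/letsencrypt/live/<name>/cert.pem layout; the function names are this example's own.

```shell
#!/bin/sh
# Added example: alert on Let's Encrypt certificates that are about to expire,
# independent of whether the renewal job itself is working.
# Assumes certbot's /etc/letsencrypt/live/<name>/cert.pem layout.

# Succeed (exit 0) if the certificate in $1 expires within $2 days.
# openssl -checkend takes seconds and exits 0 when the cert is still valid
# past that point, so the result is inverted here. An unreadable or malformed
# file also counts as "expiring", so a broken deployment fails closed.
cert_expires_within() {
    pem=$1
    days=$2
    if openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1   # still valid beyond the window
    fi
    return 0       # expires within the window, already expired, or unreadable
}

# Report every live certificate expiring within $1 days (default 20) and
# return non-zero if any does, so this can run from cron and feed mail or
# any other alerting.
check_live_certs() {
    window=${1:-20}
    failed=0
    for pem in /etc/letsencrypt/live/*/cert.pem; do
        [ -f "$pem" ] || continue
        if cert_expires_within "$pem" "$window"; then
            printf 'EXPIRING within %s days: %s (%s)\n' "$window" "$pem" \
                "$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null)"
            failed=1
        fi
    done
    return $failed
}

# Script usage, e.g. from /etc/cron.daily:
#   check_live_certs 20 || mail -s "certificate expiring on $(hostname)" root
```

Because certbot renews 30 days before expiry, a 20-day window fires only after at least one renewal attempt has already failed, which is exactly the condition the answer warns about.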
