gpt4 book ai didi

ssl - 自动更新 website.com 和 *.website.com 证书的方式

转载 作者:行者123 更新时间:2023-12-04 22:41:21 28 4
gpt4 key购买 nike

我有一个 Web 服务器,我在其上应用不同的重写规则以重定向所有 http(s)://*.website.com对同一 URL 的请求:https://website.com .一切都按预期正常工作。

现在,我想以自动方式更新证书(由 letsencrypt 构建)。

不幸的是,目前,我必须手动完成,理想的做法是通过从 crontab 调用的简单脚本来完成(我想每 2 个月更新一次证书)。

目前,我正在使用以下脚本 certbot-auto (来自 https://github.com/certbot/certbot/blob/master/certbot-auto )这样:

./certbot-auto certonly --no-bootstrap --no-self-upgrade --renew-by-default -d website.com -d *.website.com --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096

这是我从此命令获得的输出:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/website.com.conf with version 0.31.0 of Certbot. This might not work.
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for website.com
dns-01 challenge for website.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.website.com with the following value:

j-iC2Fywptdjn_MX4UQCTzDJ5FiuyyZiosVaZYTZxNA

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.website.com with the following value:

eO1eVTi4cPTpZYcuAkrqqYpRcPIobayhPawvtLNqBpU

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/website.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/website.com/privkey.pem
Your cert will expire on 2020-06-29. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

(23) Failed writing body

如您所见,我必须手动输入我的 VPS DNS 帐户 2 TXT名为 _acme-challenge.website.com 的字段并包含:
j-iC2Fywptdjn_MX4UQCTzDJ5FiuyyZiosVaZYTZxNA


eO1eVTi4cPTpZYcuAkrqqYpRcPIobayhPawvtLNqBpU

我想知道是否有办法自动注册 TXT字段或者是否有另一种方法可以在 crontab 中启动一个简单的命令或脚本(每 2 个月执行一次)以避免所有这些手动操作?

每次我想更新这些证书(以下 4 个文件)时,所有这些似乎都比较繁重:
$ ls /etc/letsencrypt/live/website.com/
privkey.pem@ fullchain.pem@ chain.pem@ cert.pem@

最佳答案

DNS的注册TXT - 如果您访问以编程方式修改记录,则记录可以自动化 - 因此您拥有 DNS 服务器或您的提供商为您提供 API。

这里有一些:

  • https://cloud.google.com/dns/docs/reference/v1/
  • https://docs.microsoft.com/en-us/rest/api/dns/
  • https://developer.rackspace.com/docs/cloud-dns/v1/
  • https://api.cloudflare.com/
  • 关于ssl - 自动更新 website.com 和 *.website.com 证书的方式,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60960144/

    28 4 0
    Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
    广告合作:1813099741@qq.com 6ren.com