Issuing Let's Encrypt certificates with docker certbot

郁鸿博
2023-12-01

Configure an HTTPS certificate with the webroot validation method and renew it on a schedule.

Parameter explanation
certonly: used when first creating the certificate; runs only the validation and obtains the certificate (no installation)
renew: used when renewing
--manual: configure the plugin by hand, HTTP validation or DNS validation
--webroot: HTTP validation (certbot writes the challenge file into a directory served by the web server)
--force-renewal: force a renewal even if the certificate is not yet due
--preferred-challenges dns: DNS validation, i.e. prove control of the domain via a DNS record
--dry-run: test run against the staging environment, no real certificate is requested
--manual-auth-hook: script that creates the DNS validation record dynamically
--deploy-hook: the argument that follows is the command to run after the certificate has been renewed successfully; here it restarts nginx, because nginx does not pick up the new certificate on its own (a plain reload will not do it either)
-d *.xxx.com: domain (a wildcard is allowed)
-m xxx@xxx.com: notification email address

nginx location that serves the ACME challenge directory (prefix match with ^~ so that no regex location elsewhere in the server block can capture the path):
        location ^~ /.well-known/acme-challenge/ {
            root /mnt/cert/webroot_acme-challenge;
        }
  1. Run certbot certonly in webroot mode

docker run -it --rm --name certbot \
            -v "/mnt/cert/www.example.com/letsencrypt:/etc/letsencrypt" \
            -v "/mnt/cert/www.example.com/letsencrypt1:/var/lib/letsencrypt" \
            -v "/mnt/cert/log/:/var/log/letsencrypt/" \
            -v /mnt/cert/webroot_acme-challenge:/data/letsencrypt \
            certbot/certbot certonly  \
            --webroot --agree-tos \
            --webroot-path=/data/letsencrypt \
            -m xxx@xxx.cn -d www.example.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for www.example.com




Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/www.example.com/privkey.pem
This certificate expires on 2022-09-10.
These files will be updated when the certificate renews.


NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  2. nginx access log: the Let's Encrypt validation servers fetch the challenge file

18.188.144.19 - - [13/Jun/2022:01:15:33 +0800] "GET /.well-known/acme-challenge/jg_HRFtupEdbwKXJbYU-SLPRgehDk8T8oyAhxoiPDHI HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.237.56.27 - - [13/Jun/2022:01:15:33 +0800] "GET /.well-known/acme-challenge/jg_HRFtupEdbwKXJbYU-SLPRgehDk8T8oyAhxoiPDHI HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
64.78.149.164 - - [13/Jun/2022:01:15:34 +0800] "GET /.well-known/acme-challenge/jg_HRFtupEdbwKXJbYU-SLPRgehDk8T8oyAhxoiPDHI HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
176.107.176.83 - - [13/Jun/2022:01:16:37 +0800] "GET /.git/config HTTP/1.1" 404 134 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3"
95.211.187.223 - - [13/Jun/2022:01:17:00 +0800] "GET / HTTP/1.1" 200 1843 "-" "Go-http-client/1.1"
  3. Check the result (list the certificates certbot manages)

docker run -it --rm --name certbot \
            -v "/mnt/cert/www.example.com/letsencrypt:/etc/letsencrypt" \
            -v "/mnt/cert/www.example.com/letsencrypt1:/var/lib/letsencrypt" \
            certbot/certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.example.com
    Serial Number: 42667b9821f5721a9733aa071ebf6b3ddfb
    Key Type: RSA
    Domains: www.example.com
    Expiry Date: 2022-09-10 16:15:42+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  4. Show the help text

docker run -it --rm certbot/certbot --help
  5. Run the certificate renewal command

docker run -it --rm --name certbot \
            -v "/mnt/cert/www.example.com/letsencrypt:/etc/letsencrypt" \
            -v "/mnt/cert/www.example.com/letsencrypt1:/var/lib/letsencrypt" \
            -v "/mnt/cert/log/:/var/log/letsencrypt/" \
            -v /mnt/cert/webroot_acme-challenge:/data/letsencrypt \
            certbot/certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/www.example.com/fullchain.pem expires on 2022-09-10 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  6. Cron job for automatic renewal (every Monday at 03:00; the script must be referenced relative to the directory just entered)

0 3 * * 1 cd /mnt/cert/ && ./renew.sh && nginx -s reload
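The post's cron line calls a renew.sh that it never shows. The script below is an added example, not the original post's script: it runs the same containerised "certbot renew" as step 5 and reloads nginx only when fullchain.pem actually changed, which is the job the post assigns to --deploy-hook (a deploy hook inside the container cannot reach the host's nginx, so the reload has to happen on the host). It drops -it from the docker command because cron has no TTY. The variables CERT_BASE, WEBROOT, NGINX_RELOAD and CERTBOT_CMD are assumptions made for this example (CERTBOT_CMD lets a stub stand in for docker when testing); the paths default to the post's bind mounts.

```shell
#!/bin/sh
# renew.sh (added example, not the original post's script): renew the
# certificate through the certbot container and reload nginx only when
# fullchain.pem actually changed. Paths mirror the post's bind mounts;
# CERT_BASE, WEBROOT, NGINX_RELOAD and CERTBOT_CMD are assumed override
# variables for this example (CERTBOT_CMD lets a stub replace docker in tests).
set -eu

CERT_BASE="${CERT_BASE:-/mnt/cert/www.example.com}"
WEBROOT="${WEBROOT:-/mnt/cert/webroot_acme-challenge}"
FULLCHAIN="$CERT_BASE/letsencrypt/live/www.example.com/fullchain.pem"
NGINX_RELOAD="${NGINX_RELOAD:-nginx -s reload}"

# Checksum of a file; empty string when the file does not exist yet.
fingerprint() {
    if [ -f "$1" ]; then
        cksum < "$1" | cut -d' ' -f1
    else
        echo ""
    fi
}

# True when the two fingerprints differ, i.e. certbot wrote a new certificate.
cert_changed() {
    [ "$1" != "$2" ]
}

# Run "certbot renew" in the container with the same mounts as the post.
# No -it: cron has no TTY, and docker refuses -t without one.
run_certbot() {
    if [ -n "${CERTBOT_CMD:-}" ]; then
        $CERTBOT_CMD "$@"
        return
    fi
    docker run --rm --name certbot \
        -v "$CERT_BASE/letsencrypt:/etc/letsencrypt" \
        -v "$CERT_BASE/letsencrypt1:/var/lib/letsencrypt" \
        -v "/mnt/cert/log/:/var/log/letsencrypt/" \
        -v "$WEBROOT:/data/letsencrypt" \
        certbot/certbot renew "$@"
}

# Fingerprint, renew, then reload nginx only if the certificate was replaced.
# Prints "reloaded" or "unchanged"; extra arguments (e.g. --dry-run) go to certbot.
renew_and_reload() {
    before=$(fingerprint "$FULLCHAIN")
    run_certbot "$@"
    after=$(fingerprint "$FULLCHAIN")
    if cert_changed "$before" "$after"; then
        $NGINX_RELOAD
        echo reloaded
    else
        echo unchanged
    fi
}

# Only act when invoked as renew.sh, so the functions can also be sourced.
case "${0##*/}" in
    renew.sh) renew_and_reload "$@" ;;
esac
```

With this script the trailing "&& nginx -s reload" in the cron line becomes redundant but harmless: on the weeks where certbot prints "Certificate not yet due for renewal" the fingerprint is unchanged and nginx is left alone, and a failed renewal (non-zero exit from certbot) aborts the script under set -e before any reload.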
  7. Manual renewal: log
# Dry run first
$ docker run -it --rm --name certbot \
    -v "/mnt/cert/www.example.com/letsencrypt:/etc/letsencrypt" \
    -v "/mnt/cert/www.example.com/letsencrypt1:/var/lib/letsencrypt" \
    -v "/mnt/cert/log/:/var/log/letsencrypt/" \
    -v /mnt/cert/webroot_acme-challenge:/data/letsencrypt \
    certbot/certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for m.me56.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/m.me56.cn/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


# Real renewal
$ docker run -it --rm --name certbot \
>     -v "/mnt/cert/www.example.com/letsencrypt:/etc/letsencrypt" \
>     -v "/mnt/cert/www.example.com/letsencrypt1:/var/lib/letsencrypt" \
>     -v "/mnt/cert/log/:/var/log/letsencrypt/" \
>     -v /mnt/cert/webroot_acme-challenge:/data/letsencrypt \
>     certbot/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/m.me56.cn.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for m.me56.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/www.example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# Running renew again (nothing is due, so nothing happens)
$ docker run -it --rm --name certbot    \
		 -v "/mnt/cert/www.example.com/letsencrypt:/etc/letsencrypt"    \
		 -v "/mnt/cert/www.example.com/letsencrypt1:/var/lib/letsencrypt"     \
		 -v "/mnt/cert/log/:/var/log/letsencrypt/"     \
		 -v /mnt/cert/webroot_acme-challenge:/data/letsencrypt     \
		 certbot/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/www.example.com/fullchain.pem expires on 2022-12-05 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Problem:

docker run -it --rm --name certbot \
            -v "/mnt/cert/m.xxx.cn/letsencrypt:/etc/letsencrypt" \
            -v "/mnt/cert/m.xxx.cn/letsencrypt1:/var/lib/letsencrypt" \
            -v "/mnt/cert/log/:/var/log/letsencrypt/" \
            -v /mnt/cert/webroot_acme-challenge:/data/letsencrypt \
            certbot/certbot renew

It reported the following error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for m.xxx.cn

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: m.xxx.cn
  Type:   unauthorized
  Detail: 121.xx.161.xx: Invalid response from https://m.xxx.cn/.well-known/acme-challenge/FCyKJVpjk_6c9ogLkIPzrCLWpWzo_nDmzgMZFZof0ss: "<!DOCTYPE html><html lang=\"\"><head><meta charset=\"utf-8\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"><meta http-equiv=\""

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Fix: the .well-known location must also be present in the port 443 server block. The site redirects HTTP to HTTPS, the validator follows the redirect, and the 443 block then answered with the application's HTML page instead of the challenge file.

server {
        listen 443 ssl http2;
        server_name  m.xxx.cn;
        ssl_certificate     xxx.pem;
        ssl_certificate_key xxx.pem;

        location ^~ /.well-known/acme-challenge/ {
                root /mnt/cert/webroot_acme-challenge;
        }
}
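The failure above only surfaces when a renewal is attempted, which with the cron schedule may be weeks after a config change. The preflight check below is an added example, not part of the original post: it plants a probe file where certbot would write its challenge, fetches it over both http and https the way the validator does (following redirects), and classifies the answer so that "an HTML page came back instead of the token" is reported as the distinct failure the post ran into. WEBROOT defaults to the post's bind mount; the domain argument, the curl options and the classification labels are assumptions of this example.

```shell
#!/bin/sh
# acme_preflight.sh (added example, not from the original post): before a
# renewal, drop a probe file where certbot would write its challenge and fetch
# it over both http and https, classifying what the CA's validator would see.
# WEBROOT mirrors the post's bind mount; the domain argument is assumed.
set -eu

WEBROOT="${WEBROOT:-/mnt/cert/webroot_acme-challenge}"

# Classify a fetched body against the token we planted.
#   ok               the file was served verbatim
#   shadowed-by-app  an HTML page answered instead (a catch-all location or the
#                    application front-end handled the path, as in the post)
#   empty            nothing came back (connection error, 404 with -f, wrong port)
#   mismatch         something else was served
classify_response() {
    expected="$1"
    body="$2"
    if [ "$body" = "$expected" ]; then
        echo ok
        return
    fi
    case "$body" in
        "") echo empty ;;
        *"<!DOCTYPE html"*|*"<html"*|*"<HTML"*) echo shadowed-by-app ;;
        *) echo mismatch ;;
    esac
}

# Plant a probe token and fetch it like the validator does, on both ports.
# -L follows redirects: Let's Encrypt does too, which is why an http->https
# redirect makes the 443 server block the one that must serve the challenge.
# Prints one "scheme status" line per scheme; returns 1 if any is not ok.
probe_domain() {
    domain="$1"
    dir="$WEBROOT/.well-known/acme-challenge"
    token="preflight-$(date +%s)-$$"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    rc=0
    for scheme in http https; do
        url="$scheme://$domain/.well-known/acme-challenge/$token"
        body=$(curl -fsSL -m 10 "$url" 2>/dev/null || true)
        status=$(classify_response "$token" "$body")
        printf '%s %s\n' "$scheme" "$status"
        [ "$status" = ok ] || rc=1
    done
    rm -f "$dir/$token"
    return $rc
}

# Only act when invoked as acme_preflight.sh, so the functions can be sourced.
case "${0##*/}" in
    acme_preflight.sh) probe_domain "${1:-www.example.com}" ;;
esac
```

Run it on the host as "./acme_preflight.sh m.xxx.cn" after touching the nginx config; a line reading "https shadowed-by-app" is exactly the condition that produced the "Invalid response ... <!DOCTYPE html>" error, and the script's exit status makes it usable as a guard in front of renew.sh.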