Let's Encrypt certificate auto-renewal issues

王刚毅
2023-12-01

The official recommendation is to run it twice a day:

0 */12 * * * certbot renew --quiet --renew-hook "/etc/init.d/nginx reload"

The official wording:
Note:
if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.

Why not every 90 days, or every 5 days? Because if the server gets rebooted some day, this crontab would be pushed back another 90 days and the certificate would expire.
The --renew-hook option reloads the nginx configuration when a certificate is renewed successfully. Without it you have to reload or restart nginx by hand; otherwise the renewal succeeds but nginx never picks up the new certificate and still reports it as expired.
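As an added example (not code from the original post), the two pieces above put together: a function that renders the twice-daily cron entry with a random minute, as the Let's Encrypt note asks, and a renew hook that only reloads nginx after `nginx -t` has accepted the new configuration, so a broken reload cannot take the site down during renewal. The `/etc/init.d/nginx reload` command is the post's; the hook path, function names and the hook script itself are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the post or from certbot. Assumed hook location:
HOOK_PATH="${HOOK_PATH:-/usr/local/bin/certbot-reload-nginx.sh}"

# Print a crontab line for `certbot renew` at a given minute, or at a random
# minute (0-59) when none is given, as the Let's Encrypt note recommends.
# Usage: render_cron_entry [minute]
render_cron_entry() {
    minute="${1:-$(awk 'BEGIN { srand(); print int(rand() * 60) }')}"
    printf '%s */12 * * * certbot renew --quiet --renew-hook "%s"\n' \
        "$minute" "$HOOK_PATH"
}

# Write the renew hook script. It validates the config before reloading and
# exits non-zero on failure so certbot records the hook error in its log.
# Usage: write_reload_hook /path/to/hook.sh
write_reload_hook() {
    hook="$1"
    cat > "$hook" <<'EOF'
#!/bin/sh
# Runs after certbot has installed a renewed certificate (constructed example).
if nginx -t; then
    /etc/init.d/nginx reload
else
    echo "nginx config test failed; not reloading" >&2
    exit 1
fi
EOF
    chmod 0755 "$hook"
}

# Typical use (commented out so the file can be sourced without side effects):
#   write_reload_hook "$HOOK_PATH"
#   render_cron_entry | crontab -    # or paste the printed line into `crontab -e`
```

Keeping the reload behind `nginx -t` is the check that matters: the post's warning is that nginx serves the old certificate until it is reloaded, and an unconditional reload of a broken config would replace that problem with an outage.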


Latest finding: an interval of every 5 days works as well. Looking at the log files under /var/log/letsencrypt shows that the renew command requests a new certificate as soon as it detects less than 30 days left before expiry. Part of the log file:

2017-02-04 04:30:02,138:DEBUG:certbot.main:Root logging level set at 30
2017-02-04 04:30:02,138:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-02-04 04:30:02,138:DEBUG:certbot.main:certbot version: 0.9.3
2017-02-04 04:30:02,138:DEBUG:certbot.main:Arguments: ['--quiet', '--renew-hook', '/etc/init.d/nginx reload']
2017-02-04 04:30:02,138:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2017-02-04 04:30:02,150:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2017-03-06 04:03:00 UTC.
2017-02-04 04:30:02,150:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2017-02-04 04:30:02,153:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2017-02-04 04:30:02,154:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x1fe8c50>
Prep: True
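The decision in the log line "Should renew, less than 30 days before certificate expiry" is simple date arithmetic, and it is useful to be able to reproduce it outside certbot, for instance in a monitoring job that alerts when a certificate is inside the renewal window but no renewal has happened. The following is an added example, not code from the post or from certbot: the 30-day threshold is certbot's default, while the function names and the `openssl`/GNU `date` wrapper (assumed available, as on the post's CentOS 7 host) are this example's own.

```shell
#!/bin/sh
# Added example, not from the post or from certbot.
RENEW_THRESHOLD_DAYS=30   # certbot's default renewal window

# Whole days between now and expiry, both given as Unix epoch seconds.
# Usage: days_until_expiry <expiry_epoch> <now_epoch>
days_until_expiry() {
    echo $(( ($1 - $2) / 86400 ))
}

# Exit 0 when the certificate is inside the renewal window, 1 otherwise.
# An already-expired certificate yields 0 or negative days and is also "due".
# Usage: should_renew <expiry_epoch> <now_epoch>
should_renew() {
    days=$(days_until_expiry "$1" "$2")
    [ "$days" -lt "$RENEW_THRESHOLD_DAYS" ]
}

# Read the notAfter date of a PEM certificate as epoch seconds.
# Assumes openssl and GNU date (date -d); not exercised by the test below.
# Usage: cert_expiry_epoch /etc/letsencrypt/live/<domain>/cert.pem
cert_expiry_epoch() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    date -u -d "$not_after" +%s
}

# Report a certificate's status in the same words certbot logs.
# Usage: check_cert /etc/letsencrypt/live/<domain>/cert.pem
check_cert() {
    expiry=$(cert_expiry_epoch "$1")
    now=$(date -u +%s)
    left=$(days_until_expiry "$expiry" "$now")
    if should_renew "$expiry" "$now"; then
        echo "Should renew, less than $RENEW_THRESHOLD_DAYS days before certificate expiry ($left days left)"
    else
        echo "Cert not yet due for renewal ($left days left)"
    fi
}
```

Plugging in the timestamps from the excerpt above (run at 2017-02-04 04:30:02 UTC, expiry 2017-03-06 04:03:00 UTC) gives 29 whole days, which is why certbot renewed: the 5-day cron interval only determines how soon after crossing that line the renewal happens.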



A problem many people run into: is crontab actually executing at all?
I suggest putting a job in crontab that prints the time every minute; personally I feel this is the most effective way to check.
*/1 * * * * echo "$(date)" >>/var/log/datecron.txt

View it:
cat /var/log/datecron.txt


crontab-related commands
cat /var/log/cron #view the crontab log
crontab -l #list the crontab entries
crontab -e #edit the crontab entries
systemctl status crond.service #check the crond service status
systemctl restart crond.service #restart crond
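The every-minute heartbeat above is easiest to use if something also reads it. The following is an added example (not from the post): a variation that logs `date +%s` instead of the default `date` format so the file is trivial to parse, plus a check that fails when the newest heartbeat is older than a few minutes, which is the "cron is not running" case the post describes. The log path is the post's; the threshold and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the post. Heartbeat log path from the post:
HEARTBEAT_LOG="${HEARTBEAT_LOG:-/var/log/datecron.txt}"

# Crontab line to install (every minute, epoch seconds for easy parsing):
#   * * * * * date +%s >> /var/log/datecron.txt

# Age in seconds of the newest heartbeat in a log file; prints -1 and
# returns 1 when the file is empty or its last line is not an epoch.
# Usage: heartbeat_age <logfile> <now_epoch>
heartbeat_age() {
    last=$(tail -n 1 "$1" 2>/dev/null)
    case "$last" in
        ''|*[!0-9]*) printf '%s\n' -1; return 1 ;;
    esac
    echo $(( $2 - last ))
}

# Exit 0 if cron has written within max_age seconds, 1 otherwise.
# Usage: cron_alive <logfile> <now_epoch> [max_age_seconds]
cron_alive() {
    max_age="${3:-180}"   # three missed minutes: treat cron as down
    age=$(heartbeat_age "$1" "$2") || {
        echo "no valid heartbeat in $1" >&2
        return 1
    }
    if [ "$age" -gt "$max_age" ]; then
        echo "cron stale: last heartbeat ${age}s ago (limit ${max_age}s)" >&2
        return 1
    fi
    return 0
}

# Typical use: cron_alive "$HEARTBEAT_LOG" "$(date -u +%s)" || systemctl status crond.service
```

Running the check from a different host or a systemd timer, rather than from the same crontab, is what makes it useful: a dead cron daemon cannot report itself.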

Difference between certbot renew --quiet and certbot renew
The former writes nothing to the console and generates no log; the latter writes to the console and generates a log.
The log file is /var/log/letsencrypt/letsencrypt.log
If the certificate has not expired, it is not renewed.
Console output when running the renew command on a certificate that is not due:
[root@centos7 ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.vvvtimes.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal


The following certs are not due for renewal yet:
  /etc/letsencrypt/live/www.vvvtimes.com/fullchain.pem (skipped)
No renewals were attempted.

Log contents:
[root@centos7 ~]# cat /var/log/letsencrypt/letsencrypt.log
2016-12-06 00:18:48,448:DEBUG:certbot.main:Root logging level set at 20
2016-12-06 00:18:48,449:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-12-06 00:18:48,449:DEBUG:certbot.main:certbot version: 0.9.3
2016-12-06 00:18:48,449:DEBUG:certbot.main:Arguments: []
2016-12-06 00:18:48,449:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-12-06 00:18:48,461:INFO:certbot.renewal:Cert not yet due for renewal
2016-12-06 00:18:48,461:DEBUG:certbot.renewal:no renewal failures

This log is not appended to; each command generates a fresh one. The timestamps above are UTC.
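Because each run overwrites the log, a cron wrapper that wants to know what the last run did has to read the file right after `certbot renew` returns. As an added example (not from the post or from certbot), this classifies a letsencrypt.log by the message strings visible in the two excerpts above and pulls out the expiry date certbot reports; the labels, the function names and the assumption that any `:ERROR:` line means a failed run are this example's own.

```shell
#!/bin/sh
# Added example, not from the post or from certbot.

# Classify one letsencrypt.log (one run per file, as the post notes).
# Prints one of: failed, due, not-due, unknown
# Usage: renewal_outcome /var/log/letsencrypt/letsencrypt.log
renewal_outcome() {
    log="$1"
    if grep -q ':ERROR:' "$log"; then                          # assumed: ERROR level = failed run
        echo failed
    elif grep -q 'Cert is due for renewal, auto-renewing' "$log"; then
        echo due                                               # renewal was attempted
    elif grep -q 'Cert not yet due for renewal' "$log"; then
        echo not-due
    else
        echo unknown
    fi
}

# Expiry date certbot logged ("... before certificate expiry <date>."), or
# nothing when the run did not log one. Usage: expiry_from_log <logfile>
expiry_from_log() {
    sed -n 's/.*before certificate expiry \(.*\)\.$/\1/p' "$1" | head -n 1
}

# Example wrapper for cron: run certbot, then report what happened.
# Usage: renew_and_report [certbot args...]
renew_and_report() {
    certbot renew --quiet "$@"
    outcome=$(renewal_outcome /var/log/letsencrypt/letsencrypt.log)
    echo "certbot renew outcome: $outcome $(expiry_from_log /var/log/letsencrypt/letsencrypt.log)"
}
```

The timestamps in the file are UTC, so when the outcome is compared against the heartbeat or cron log, convert with `date -u` rather than local time.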


To see the effect sooner, try the revoke command (don't bother, it doesn't work)


Revoke and install (these two commands have very little documentation; I'm not sure the commands below work)
certbot revoke --cert-path cert.pem
certbot install --key-path privkey.pem --cert-path cert.pem

Note: revoke and install are a pair and have nothing to do with the renew command. renew only checks the validity period of the PEM and requests a new certificate when it is outside that range. The official docs say renew generates a certificate for both revoked and expired certificates, but in practice running renew after revoking does not generate a new certificate.


certbot renew --renew-hook "/etc/init.d/nginx reload"
Found that the original certificate still works after being revoked... what kind of revocation is that...


/etc/letsencrypt/live/www.vvvtimes.com/ contains 4 PEM files
cert.pem #public key (the server certificate)
privkey.pem #private key
chain.pem #intermediate certificate chain
fullchain.pem #full certificate chain

The PEM files in /etc/letsencrypt/live/www.vvvtimes.com/ actually point to the PEM files in /etc/letsencrypt/archive/www.vvvtimes.com/
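That live-to-archive pointer is a symlink per file, and it is the thing that gets broken when someone hand-edits the directory (replacing a link with a copied file, or deleting an archive version the link still points at), after which nginx keeps serving a stale certificate no matter how often renewal runs. As an added example (not from the post or from certbot), this walks the four PEM names from the post and reports each link's state; the label names and the function are this example's own, and the directories are passed in as parameters.

```shell
#!/bin/sh
# Added example, not from the post or from certbot.

# Check that every PEM under a live/ directory is a symlink resolving to an
# existing file inside the matching archive/ directory.
# Prints "<name> ok|not-a-symlink|dangling|outside-archive" per file and
# exits 1 if any file is wrong.
# Usage: check_live_dir /etc/letsencrypt/live/<domain> /etc/letsencrypt/archive/<domain>
check_live_dir() {
    live="$1"; archive="$2"; bad=0
    archive_real=$(cd "$archive" 2>/dev/null && pwd -P) || {
        echo "archive directory $archive missing" >&2
        return 1
    }
    for name in cert.pem privkey.pem chain.pem fullchain.pem; do
        f="$live/$name"
        if [ ! -L "$f" ]; then
            echo "$name not-a-symlink"; bad=1; continue
        fi
        target=$(readlink "$f")
        case "$target" in
            /*) ;;                       # absolute link
            *)  target="$live/$target" ;; # certbot uses relative links
        esac
        if [ ! -e "$target" ]; then
            echo "$name dangling"; bad=1
        elif [ "$(cd "$(dirname "$target")" && pwd -P)" != "$archive_real" ]; then
            echo "$name outside-archive"; bad=1
        else
            echo "$name ok"
        fi
    done
    return $bad
}

# Typical use:
#   check_live_dir /etc/letsencrypt/live/www.vvvtimes.com /etc/letsencrypt/archive/www.vvvtimes.com
```

A "not-a-symlink" result explains the post's observation that renewal can succeed yet nginx still shows the old certificate: certbot updates the links, not a file that was copied into live/ by hand.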


Revoked all 4 PEM files; after that neither install nor renew works, and it won't let me delete the PEM files either. This revocation is basically a defective product.
There also seems to be a rate limit on certificate requests; I'll stop fiddling with it for now.


Appendix: certificate request rate limits: https://letsencrypt.org/docs/rate-limits/


