计划给自己的所有域名和子域名配置一个通用 HTTPS证书,包含以下 DNS Name:
1 2 3 4 |
DNS Name=*.annhe.net DNS Name=*.tecbbs.com DNS Name=annhe.net DNS Name=tecbbs.com |
新申请证书
使用 certbot-auto 申请通配符证书的方法如下
1 |
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.tecbbs.com,tecbbs.com,*.annhe.net,annhe.net" --manual --preferred-challenges dns-01 certonly |
像这样通配符域名和根域名都申请证书的情况,需要添加两条 TXT 记录
1 2 3 |
# dig _acme-challenge.annhe.net TXT +short "KFUyjyiRzP80s6QCL_zrEeyzyhrXrtLicsmUpN9lifQ" "FGq8ljI24pHy173X3PCQrO3L_B17c9R1fqfTqzAfGvE" |
手工更新证书
使用如下命令,但是需要手工修改 TXT 记录。
1 |
certbot-auto renew |
自动更新证书
certbot-auto 支持 hook,可以在 auth hook 里验证 DNS 记录,调用脚本如下:
1 2 3 4 5 |
#!/bin/bash DIR=$(cd `dirname $0`;pwd) $DIR/certbot-auto renew --manual-auth-hook $DIR/dnspod.sh --post-hook "/etc/init.d/nginx reload" |
auth hook 脚本基于参考资料1 修改,期望支持多 TXT 记录的情况,暂未验证,稀里糊涂就更新成功了,只能等 3 个月后再看有没有 bug 了(2020.8.13已成功验证)。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 |
#!/bin/bash # # Create: certbot certonly --manual --preferred-challenges dns-01 --email mail@domain.com -d laravel.run -d *.laravel.run --server https://acme-v02.api.letsencrypt.org/directory --manual-auth-hook /path/to/certbot-auth-dnspod.sh # Renew: certbot renew --manual-auth-hook /path/to/certbot-auth-dnspod.sh # # https://www.dnspod.cn/console/user/security API_TOKEN="id,token" USER_AGENT="AnDNS/1.0.0 (admin@annhe.net)" DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)') [ -z "$DOMAIN" ] && DOMAIN="$CERTBOT_DOMAIN" if [ -z "$API_TOKEN" ]; then [ -f /etc/dnspod_token_$DOMAIN ] && API_TOKEN=$(cat /etc/dnspod_token_$DOMAIN) fi if [ -z "$API_TOKEN" ]; then [ -f /etc/dnspod_token ] && API_TOKEN=$(cat /etc/dnspod_token) fi if [ -z "$API_TOKEN" ]; then API_TOKEN="$DNSPOD_TOKEN" fi PARAMS="login_token=$API_TOKEN&format=json" echo "\ CERTBOT_DOMAIN: $CERTBOT_DOMAIN DOMAIN: $DOMAIN VALIDATION: $CERTBOT_VALIDATION" #echo "PARAMS: $PARAMS" if [ -f /tmp/CERTBOT_$CERTBOT_DOMAIN/VALIDATION ]; then VALIDATION_PRE=$(cat /tmp/CERTBOT_$CERTBOT_DOMAIN/VALIDATION) if [ "$CERTBOT_VALIDATION" = "$VALIDATION_PRE" ]; then echo "Same Validation: $CERTBOT_VALIDATION" exit fi fi RECORDS=$(curl -s -X POST "https://dnsapi.cn/Record.List" \ -H "User-Agent: $USER_AGENT" \ -d "$PARAMS&domain=$CERTBOT_DOMAIN&keyword=_acme-challenge" | jq .records[].id |tr -d '"' |tr '\n' ' ') echo "\ RECORDS: $RECORDS" sleep 3 function SelectRecord() { # param 1: records TMPFILE=/tmp/CERTBOT_WILDCARD_${CERTBOT_DOMAIN}_RECORD_ID IDS="$1" if [ -f $TMPFILE ];then PRE_ID=`cat $TMPFILE` fi SELECTED=`echo $IDS |awk '{print $1}'` if [ "$PRE_ID"x == "$SELECTED"x ];then SELECTED=`echo $IDS |awk '{print $NF}'` fi echo $SELECTED > $TMPFILE echo $SELECTED } if [ -n "$RECORDS" ]; then # 通配符域名,两个 TXT记录的情况(*.domain.com, domain.com) RECORD_ID=`SelectRecord "$RECORDS"` RECORD_ID=$(curl -s -X POST "https://dnsapi.cn/Record.Modify" \ -H "User-Agent: $USER_AGENT" \ -d "$PARAMS&domain=$CERTBOT_DOMAIN&sub_domain=_acme-challenge&record_type=TXT&value=$CERTBOT_VALIDATION&record_line=默认&record_id=$RECORD_ID" |jq .records[0].id |tr -d '"') else RECORD_ID=$(curl -s -X POST "https://dnsapi.cn/Record.Create" \ -H "User-Agent: $USER_AGENT" \ -d "$PARAMS&domain=$CERTBOT_DOMAIN&sub_domain=_acme-challenge&record_type=TXT&value=$CERTBOT_VALIDATION&record_line=默认" |jq .records[0].id |tr -d '"') fi echo "\ RECORD_ID: $RECORD_ID" # Save info for cleanup if [ ! -d /tmp/CERTBOT_$CERTBOT_DOMAIN ]; then mkdir -m 0700 /tmp/CERTBOT_$CERTBOT_DOMAIN fi echo $DOMAIN > /tmp/CERTBOT_$CERTBOT_DOMAIN/DOMAIN echo $RECORD_ID > /tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID echo $CERTBOT_VALIDATION > /tmp/CERTBOT_$CERTBOT_DOMAIN/VALIDATION # Sleep to make sure the change has time to propagate over to DNS sleep 25 |
参考资料
1 2 3 |
1. https://www.wzs.cc/blog/free-ssl 2. certbot-auto: https://github.com/certbot/certbot/blob/master/certbot-auto 3. certbot-auto: https://certbot.eff.org/docs/install.html#certbot-auto |
获取
ocsp.int-x3.letsencrypt.org
正确的解析地址,加到/etc/hosts
中dig @8.8.8.8 ocsp.int-x3.letsencrypt.org