  Let's Encrypt free SSL certificate renewal

    By default a Let's Encrypt certificate is valid for only 90 days. When the expiry date gets close (the reminder emails start roughly 20 days before it), Let's Encrypt mails the address registered with the account asking you to renew; certbot's own renew command treats a certificate as due once fewer than 30 days remain.

    1. Check the remaining validity of the certificate:

    The remaining validity of every certificate certbot manages can be listed with the following command:

    # /usr/local/letsencrypt/certbot-auto certificates
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Found the following certs:
      Certificate Name: test.com
        Serial Number: 43767e5d8b5768b451f49dc6d2898caf9c4
        Domains: *.test.com test.com
        Expiry Date: 2020-09-09 08:06:12+00:00 (VALID: 6 days)
        Certificate Path: /etc/letsencrypt/live/test.com/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/test.com/privkey.pem
      Certificate Name: image.test.net
        Serial Number: 309acc59b6d1526c6f219b3708b92f10c9a
        Domains: *.image.test.net
        Expiry Date: 2020-01-22 10:08:05+00:00 (INVALID: EXPIRED)
        Certificate Path: /etc/letsencrypt/live/image.test.net/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/image.test.net/privkey.pem
    

     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    2. Renewing the certificate:

    1) Direct renewal:
    Let's Encrypt supports several validation methods; the common ones are http-01 and dns-01. If the web server runs on this machine, http-01 validation works and you can simply run the renew command. Two caveats: a wildcard name such as *.test.com can only be validated with dns-01, and --force-renewal ignores the 30-day threshold and issues immediately, with each forced issuance counting toward the duplicate-certificate rate limit (5 per week for the same set of names), so leave it out of routine renewals.

    # /usr/local/letsencrypt/certbot-auto renew --force-renewal
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/test.com.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
    The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
    Attempting to renew cert (test.com) from /etc/letsencrypt/renewal/test.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
    The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    

    2) Renewal with an authentication script:
    The error above is not a failed ownership check. The renewal config /etc/letsencrypt/renewal/test.com.conf records that the certificate was issued with the manual authenticator, renew runs non-interactively, and certbot refuses to use the manual plugin that way unless a --manual-auth-hook script is supplied to create the TXT record for it.
    This certificate was requested from a machine other than the web server, so http-01 validation was not possible (and the wildcard name requires dns-01 anyway); the original issuance therefore used dns-01, i.e. creating a TXT record.

    If the zone is hosted at DNSPod, a third-party script can automate the dns-01 validation; other providers have equivalent scripts. Review any such script before using it: certbot runs it as root and it holds your DNS API token, which is enough to take over the zone. (certbot-auto has since been deprecated by the Certbot project; the same options apply to the certbot package.)
    https://github.com/al-one/certbot-auth-dnspod

    # /usr/local/letsencrypt/certbot-auto certonly -d *.test.com -d test.com --manual --preferred-challenges dns-01 --email admin@test.net --server https://acme-v02.api.letsencrypt.org/directory --manual-auth-hook /path/to/certbot-auth-dnspod.sh
    or:
    /usr/local/letsencrypt/certbot-auto renew --manual-auth-hook /path/to/certbot-auth-dnspod.sh
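
    As an added example (not from the original post and not the DNSPod script linked above), here is a hook that serves as both --manual-auth-hook and, with --cleanup, --manual-cleanup-hook. Instead of a provider-specific API it publishes the records with RFC 2136 dynamic updates through nsupdate. It reads the CERTBOT_DOMAIN, CERTBOT_VALIDATION and CERTBOT_REMAINING_CHALLENGES variables certbot sets, accumulates the validation values per owner name so that the wildcard and apex challenges (both _acme-challenge.test.com) end up as two TXT records rather than one overwriting the other, and returns only once every authoritative nameserver of the zone serves them. The zone test.com, the primary ns1.test.com, the TSIG key file /etc/letsencrypt/tsig.key and the state file path are assumptions.

```python
#!/usr/bin/env python3
"""dns-01 auth/cleanup hook for certbot (added example, not the post's code).

certbot calls the auth hook once per challenge with CERTBOT_DOMAIN,
CERTBOT_VALIDATION and CERTBOT_REMAINING_CHALLENGES set, and the cleanup hook
the same way. Assumed (not in the post): zone test.com, primary ns1.test.com
accepting TSIG-signed RFC 2136 updates via nsupdate -k /etc/letsencrypt/tsig.key,
dig and nsupdate installed, state kept in /var/lib/letsencrypt/dns01.json.
"""
import json
import os
import subprocess
import sys
import time

ZONE = "test.com"                               # assumed
PRIMARY_NS = "ns1.test.com"                     # assumed
TSIG_KEYFILE = "/etc/letsencrypt/tsig.key"      # assumed
STATE_FILE = "/var/lib/letsencrypt/dns01.json"  # assumed
TTL = 60

def challenge_name(domain):
    """Owner name of the dns-01 TXT record: '*.test.com' and 'test.com'
    both give '_acme-challenge.test.com'."""
    bare = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + bare

def add_pending(state, name, value):
    """Accumulate validation values per owner name; never replace the
    earlier one, since both records must exist at validation time."""
    values = state.setdefault(name, [])
    if value not in values:
        values.append(value)
    return state

def nsupdate_script(name, values, action):
    """Build nsupdate stdin that adds or deletes the given TXT records."""
    lines = ["server " + PRIMARY_NS, "zone " + ZONE + "."]
    for v in values:
        if action == "add":
            lines.append('update add %s. %d IN TXT "%s"' % (name, TTL, v))
        else:
            lines.append('update delete %s. IN TXT "%s"' % (name, v))
    lines.append("send")
    return "\n".join(lines) + "\n"

def parse_dig_short_txt(output):
    """dig +short prints one double-quoted string per TXT record."""
    return {ln.strip().strip('"') for ln in output.splitlines() if ln.strip()}

def load_state():
    try:
        with open(STATE_FILE) as fh:
            return json.load(fh)
    except (FileNotFoundError, ValueError):
        return {}

def save_state(state):
    with open(STATE_FILE, "w") as fh:
        json.dump(state, fh)

def run(cmd, stdin=None):
    return subprocess.run(cmd, input=stdin, capture_output=True, text=True,
                          check=True).stdout

def wait_until_served(name, expected, timeout=300):
    """Poll every authoritative server of the zone (a public recursive resolver
    may keep serving a cached negative answer) until all return all values."""
    servers = [ns.rstrip(".") for ns in run(["dig", "+short", "NS", ZONE]).split()]
    deadline = time.time() + timeout
    while servers and time.time() < deadline:
        answers = [parse_dig_short_txt(run(["dig", "+short", "TXT", name, "@" + ns]))
                   for ns in servers]
        if all(expected <= seen for seen in answers):
            return True
        time.sleep(10)
    return False

def main(argv):
    name = challenge_name(os.environ["CERTBOT_DOMAIN"])
    state = load_state()
    if "--cleanup" in argv:                      # run as --manual-cleanup-hook
        values = state.pop(name, [])
        if values:
            run(["nsupdate", "-k", TSIG_KEYFILE], nsupdate_script(name, values, "delete"))
        save_state(state)
        return 0
    add_pending(state, name, os.environ["CERTBOT_VALIDATION"])
    save_state(state)
    run(["nsupdate", "-k", TSIG_KEYFILE], nsupdate_script(name, state[name], "add"))
    # Block for propagation only once the last challenge of this run is placed.
    if os.environ.get("CERTBOT_REMAINING_CHALLENGES", "0") == "0":
        if not wait_until_served(name, set(state[name])):
            print("TXT records not visible on all authoritative servers", file=sys.stderr)
            return 1
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

    Used as --manual-auth-hook /path/to/dns01_hook.py together with --manual-cleanup-hook "/path/to/dns01_hook.py --cleanup", either with certonly or with renew; the missing auth hook is exactly what made the renew command in 1) fail. Waiting on the authoritative servers rather than a fixed sleep matters because Let's Encrypt validates as soon as the hook returns.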
    


    3) Manual renewal:
    Creating the DNS provider API token such a script needs is not always practical, so the remaining option is to renew manually: run certonly in manual mode again, which issues a new certificate (and, by default, a new private key) and overwrites the files under /etc/letsencrypt/live/test.com/.

    # /usr/local/letsencrypt/certbot-auto certonly -d *.test.com -d test.com --manual --preferred-challenges dns --email admin@test.net --server https://acme-v02.api.letsencrypt.org/directory
    
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Cert is due for renewal, auto-renewing...
    Renewing an existing certificate
    Performing the following challenges:
    dns-01 challenge for test.com
    dns-01 challenge for test.com
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: Y
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.test.com with the following value:
    
    t-75JK_JaXlaZ5IC5b7kWsDJ9weqUo2aL-qlXAdq_Zc
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue                           
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.test.com with the following value:
    
    ovibUqBSGf3ayBgYZAzS99ugUAHetyl2fC-bodaEJ2Y
    
    Before continuing, verify the record is deployed.
    (This must be set up in addition to the previous challenges; do not remove,
    replace, or undo the previous challenge tasks yet. Note that you might be
    asked to create multiple distinct TXT records with the same name. This is
    permitted by DNS standards.)
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    

    Two dns-01 challenges are issued here, one for *.test.com and one for test.com, and both use the owner name _acme-challenge.test.com, so two TXT records with the same name are needed. Add them at your DNS provider as the prompts appear: a TXT record with host record _acme-challenge.test.com and value t-75JK_JaXlaZ5IC5b7kWsDJ9weqUo2aL-qlXAdq_Zc, then a second one with the same name and value ovibUqBSGf3ayBgYZAzS99ugUAHetyl2fC-bodaEJ2Y, leaving the first in place.

    After adding the records, check that both values resolve. Bear in mind that a public recursive resolver such as 8.8.8.8 answers from its cache: if it looked the name up before the records existed, it can keep returning a negative answer until the TTL expires. Querying the zone's authoritative nameservers directly (dig -t txt _acme-challenge.test.com @<authoritative nameserver>) shows the current state, which is what Let's Encrypt checks:

    # dig -t txt _acme-challenge.test.com @8.8.8.8
    
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t txt _acme-challenge.test.com @8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53987
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;_acme-challenge.test.com. IN  TXT
    
    ;; ANSWER SECTION:
    _acme-challenge.test.com. 599 IN TXT "t-75JK_JaXlaZ5IC5b7kWsDJ9weqUo2aL-qlXAdq_Zc"
    _acme-challenge.test.com. 599 IN TXT "ovibUqBSGf3ayBgYZAzS99ugUAHetyl2fC-bodaEJ2Y"
    
    ;; Query time: 1190 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Fri Sep 04 14:14:39 CST 2020
    ;; MSG SIZE  rcvd: 168
    

    or:

    λ nslookup -qt=txt
    Default Server:  public1.alidns.com
    Address:  223.5.5.5
    
    > _acme-challenge.test.com
    Server:  public1.alidns.com
    Address:  223.5.5.5
    
    Non-authoritative answer:
    _acme-challenge.test.com     text =
    
            "t-75JK_JaXlaZ5IC5b7kWsDJ9weqUo2aL-qlXAdq_Zc"
    _acme-challenge.test.com     text =
    
            "ovibUqBSGf3ayBgYZAzS99ugUAHetyl2fC-bodaEJ2Y"
    

    Once both TXT records resolve, press Enter to continue.

    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/test.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/test.com/privkey.pem
       Your cert will expire on 2020-09-09. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot-auto
       again. To non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    

    At this point the new certificate and key have been generated.

    3. Reload nginx so the new certificate takes effect:
    Copy fullchain.pem and privkey.pem to /usr/local/nginx/conf/ssl/test.com, keeping privkey.pem readable by root only. (Alternatively point nginx at /etc/letsencrypt/live/test.com/ directly; those paths are symlinks that certbot repoints on every renewal, so no copy step is needed.)

    Check the configuration with nginx -t first, then reload nginx to apply it:

    # /usr/local/nginx/sbin/nginx -s reload
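
    As an added example (not from the original post), here is a certbot deploy hook that performs the copy and reload above with the checks a renewal pipeline should have: the new fullchain.pem and privkey.pem must belong together, the certificate must not already be expired, the files are installed by atomic rename with the private key kept at mode 0600, and nginx is reloaded only after nginx -t passes. It assumes the nginx location /usr/local/nginx and the certificate directory /usr/local/nginx/conf/ssl/test.com used in this post, plus the openssl CLI; certbot sets RENEWED_LINEAGE in the environment when it runs the hook.

```python
#!/usr/bin/env python3
"""certbot --deploy-hook for nginx (added example, not the post's code).

certbot runs the deploy hook after each successful renewal with
RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/test.com) in the environment.
Assumed (not in the post): nginx at /usr/local/nginx, certificate directory
/usr/local/nginx/conf/ssl/test.com, openssl CLI installed.
"""
import datetime as dt
import os
import shutil
import subprocess
import sys

NGINX = "/usr/local/nginx/sbin/nginx"            # assumed nginx binary
SSL_DIR = "/usr/local/nginx/conf/ssl/test.com"   # assumed certificate directory

def openssl(*args):
    return subprocess.run(["openssl", *args], capture_output=True, check=True).stdout

def cert_matches_key(cert_path, key_path):
    """Both commands print the SubjectPublicKeyInfo in PEM; equal output
    means the private key really belongs to the certificate."""
    cert_pub = openssl("x509", "-in", cert_path, "-noout", "-pubkey")
    key_pub = openssl("pkey", "-in", key_path, "-pubout")
    return cert_pub == key_pub

def parse_not_after(enddate_line):
    """Parse 'notAfter=Sep  9 08:06:12 2020 GMT' as printed by openssl -enddate."""
    value = enddate_line.split("=", 1)[1].strip()
    naive = dt.datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=dt.timezone.utc)

def days_remaining(not_after, now):
    return (not_after - now).days

def install_atomically(src, dst):
    """Write beside the target, fix the mode, then rename: nginx never
    reads a half-written file, and the key is never world-readable."""
    tmp = dst + ".tmp"
    shutil.copyfile(src, tmp)
    os.chmod(tmp, 0o600 if dst.endswith("privkey.pem") else 0o644)
    os.replace(tmp, dst)

def main():
    lineage = os.environ["RENEWED_LINEAGE"]
    cert = os.path.join(lineage, "fullchain.pem")
    key = os.path.join(lineage, "privkey.pem")
    if not cert_matches_key(cert, key):
        print("fullchain.pem and privkey.pem do not match; not deploying", file=sys.stderr)
        return 1
    enddate = openssl("x509", "-in", cert, "-noout", "-enddate").decode()
    left = days_remaining(parse_not_after(enddate), dt.datetime.now(dt.timezone.utc))
    if left < 0:
        print("renewed certificate is already expired; not deploying", file=sys.stderr)
        return 1
    os.makedirs(SSL_DIR, mode=0o700, exist_ok=True)
    for name in ("fullchain.pem", "privkey.pem"):
        install_atomically(os.path.join(lineage, name), os.path.join(SSL_DIR, name))
    subprocess.run([NGINX, "-t"], check=True)        # never reload a broken config
    subprocess.run([NGINX, "-s", "reload"], check=True)
    print("deployed certificate valid for %d more days" % left)
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

    Register it with certbot renew --deploy-hook /path/to/deploy_nginx.py, or save it under /etc/letsencrypt/renewal-hooks/deploy/ so certbot runs it after every successful renewal without extra flags. A failing check leaves the previous certificate in place and returns non-zero, which certbot reports.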
    

    The certificate renewal is now complete.

    [THE END]

  Original article: https://www.cnblogs.com/configure/p/13607873.html