First, download the certbot-auto script:

```shell
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
```
Then install aliyun-python-sdk-alidns with pip and create the following script, replacing access_key_id and access_key_secret with your own values:

```python
#!/usr/bin/env python
# dns.py: certbot --manual-auth-hook that publishes the ACME DNS-01 challenge
# as a TXT record through the Aliyun (Alibaba Cloud) DNS API.
# Save it as dns.py next to certbot-auto and chmod +x it so certbot can run ./dns.py.
import os
import time

from aliyunsdkcore.client import AcsClient
from aliyunsdkalidns.request.v20150109 import AddDomainRecordRequest

# Replace with your own RAM access key pair.
access_key_id = 'access_key_id'
access_key_secret = 'access_key_secret'

# certbot exports the domain being validated (for *.huwenqiang.cn this is
# huwenqiang.cn, without the "*.") and the TXT value it expects to find.
domain = os.environ["CERTBOT_DOMAIN"]
value = os.environ["CERTBOT_VALIDATION"]

print("--------------->domain=" + domain)
print("--------------->value=" + value)

client = AcsClient(access_key_id, access_key_secret)
request = AddDomainRecordRequest.AddDomainRecordRequest()
request.set_DomainName(domain)
request.set_RR('_acme-challenge')  # record name relative to the domain
request.set_Type('TXT')
request.set_Value(value)
response = client.do_action_with_exception(request)

print(response)

# Give the new record time to propagate: certbot starts validation as soon as
# this hook exits, and a lookup that races the DNS update fails the challenge.
time.sleep(30)
```
Run the following command to create the certificate (the wildcard name is quoted so the shell does not expand `*`):

```shell
./certbot-auto certonly -d huwenqiang.cn -d '*.huwenqiang.cn' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-auth-hook ./dns.py
```
Run the following command to renew the certificate automatically:

```shell
./certbot-auto renew --manual --preferred-challenges dns --manual-auth-hook ./dns.py
```
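The auth script above adds a TXT record but nothing ever removes it, so the zone accumulates stale `_acme-challenge` records with every issuance and renewal. Below is an added example of a matching `--manual-cleanup-hook` script; it is my own code, not from the original post or from Aliyun. It assumes the DescribeDomainRecords and DeleteDomainRecord request classes and their setters as shipped in aliyun-python-sdk-alidns, reads the access key from the environment variable names ALIYUN_ACCESS_KEY_ID and ALIYUN_ACCESS_KEY_SECRET (names chosen here, not certbot's), and SAMPLE_RESPONSE is constructed test data in the shape of a DescribeDomainRecords reply. The edge case it handles: with huwenqiang.cn and *.huwenqiang.cn on one certificate, certbot calls the hooks once per name, so two `_acme-challenge` records with different values exist at the same time, and each cleanup call must delete only the record carrying its own CERTBOT_VALIDATION.

```python
#!/usr/bin/env python3
"""Added example: a certbot --manual-cleanup-hook for Aliyun DNS (not the
original post's code). Deletes only the _acme-challenge TXT record whose value
equals CERTBOT_VALIDATION, leaving sibling challenge records and unrelated TXT
records untouched."""
import json
import os

CHALLENGE_RR = "_acme-challenge"


def select_records_to_delete(describe_response, rr, value):
    """Return the RecordIds of TXT records named `rr` whose value equals `value`.

    `describe_response` is a DescribeDomainRecords body, as a dict or JSON string.
    """
    if isinstance(describe_response, (str, bytes)):
        describe_response = json.loads(describe_response)
    records = describe_response.get("DomainRecords", {}).get("Record", [])
    return [
        r["RecordId"]
        for r in records
        if r.get("Type") == "TXT" and r.get("RR") == rr and r.get("Value") == value
    ]


def cleanup(describe, delete, domain, value, rr=CHALLENGE_RR):
    """Delete the challenge record(s) for `value`; returns the deleted RecordIds.

    describe(domain, rr) -> DescribeDomainRecords response
    delete(record_id)    -> None
    Both are injected so the matching logic runs without the SDK or network.
    """
    ids = select_records_to_delete(describe(domain, rr), rr, value)
    for record_id in ids:
        delete(record_id)
    return ids


def aliyun_callables(access_key_id, access_key_secret):
    """Bind describe/delete to the real Aliyun SDK (import deferred so the
    rest of the module imports cleanly when the SDK is not installed)."""
    from aliyunsdkcore.client import AcsClient
    from aliyunsdkalidns.request.v20150109 import (
        DeleteDomainRecordRequest, DescribeDomainRecordsRequest)

    client = AcsClient(access_key_id, access_key_secret)

    def describe(domain, rr):
        req = DescribeDomainRecordsRequest.DescribeDomainRecordsRequest()
        req.set_DomainName(domain)
        req.set_RRKeyWord(rr)      # server-side filter on the record name
        req.set_TypeKeyWord("TXT")
        return json.loads(client.do_action_with_exception(req))

    def delete(record_id):
        req = DeleteDomainRecordRequest.DeleteDomainRecordRequest()
        req.set_RecordId(record_id)
        client.do_action_with_exception(req)

    return describe, delete


# Constructed sample reply: the two challenge records certbot creates for an
# apex + wildcard certificate, plus an unrelated TXT record that must survive.
SAMPLE_RESPONSE = {
    "TotalCount": 3,
    "DomainRecords": {"Record": [
        {"RecordId": "101", "RR": "_acme-challenge", "Type": "TXT", "Value": "tokenA"},
        {"RecordId": "102", "RR": "_acme-challenge", "Type": "TXT", "Value": "tokenB"},
        {"RecordId": "103", "RR": "@", "Type": "TXT", "Value": "v=spf1 -all"},
    ]},
}


if __name__ == "__main__":
    domain = os.environ["CERTBOT_DOMAIN"]
    value = os.environ["CERTBOT_VALIDATION"]
    # Credentials come from the environment instead of the script body.
    describe, delete = aliyun_callables(os.environ["ALIYUN_ACCESS_KEY_ID"],
                                        os.environ["ALIYUN_ACCESS_KEY_SECRET"])
    print("deleted record ids:", cleanup(describe, delete, domain, value))
```

Save it as cleanup.py beside dns.py, make it executable, and append `--manual-cleanup-hook ./cleanup.py` to the certonly and renew commands above; certbot then runs it after each validation, successful or not. Keeping the matching logic separate from the SDK calls is what lets the record-selection behaviour be exercised against a canned response before the script is trusted with a live zone.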
You can use crontab to schedule a task that renews the certificate automatically and reloads the nginx server:

```shell
# At 00:00 on the 15th of every third month. Note that certbot renew is a no-op
# unless a certificate is within 30 days of expiry, so a more frequent schedule
# costs nothing and survives a single failed attempt.
0 0 15 */3 * /certbot/certbot-auto renew && /usr/sbin/nginx -s reload
```
Appendix: nginx configuration file

```nginx
server {
    listen 443 ssl http2;
    server_name www.huwenqiang.cn;
    # fullchain.pem and privkey.pem are maintained by certbot; renew keeps them current.
    ssl_certificate /etc/letsencrypt/live/huwenqiang.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/huwenqiang.cn/privkey.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 is the minimum modern clients need.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!EXPORT56:!EXP;
    ssl_prefer_server_ciphers on;

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_comp_level 2;
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
    gzip_vary off;
    gzip_disable "MSIE [1-6]\.";

    location / {
        proxy_pass http://solo:8080;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

# Redirect plain HTTP to HTTPS.
server {
    listen 80;
    server_name www.huwenqiang.cn;
    return 301 https://www.huwenqiang.cn$request_uri;
}
```