Certbot: forcing certificate renewal on a schedule

My certificate expired earlier without being renewed automatically, so I set up a task myself to force the renewal.

The command to force a renewal (with no subcommand, certbot runs its default run command, which obtains the certificate and installs it; --force-renewal requests a new certificate even when the current one is nowhere near expiry):

certbot --force-renewal -d zuoridangnian.com

Then add a crontab entry:

0 6 1 * * /path/script.sh

That is: force a renewal at 06:00 on the 1st of every month. Keep in mind that certbot renew, the command the certbot packages normally schedule for you via a systemd timer or a cron entry, only renews certificates that have fewer than 30 days left, whereas --force-renewal issues a fresh certificate every time it runs, which counts against the Let's Encrypt duplicate-certificate limit described below.

In my testing I found that calling certbot directly from crontab fails; I'm not sure exactly why, so you must put it in a script and run the script on the schedule instead. Example script:

#!/bin/bash

# cron runs jobs with a minimal PATH; a snap-installed certbot lives in /snap/bin,
# so set PATH explicitly before calling it
PATH="/usr/local/bin:/usr/bin:/bin:/snap/bin"

certbot --force-renewal -d zuoridangnian.com

Let's Encrypt (not certbot itself) enforces a limit of at most 5 duplicate certificates per week for the same set of domain names, so a forced renewal must not run more often than that; see:

Rate Limits – Let's Encrypt – Free SSL/TLS Certificates (letsencrypt.org)
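As an added example that is not part of the original post, the script below replaces the blind monthly --force-renewal with a check of the live certificate's remaining validity and only renews when it drops under a threshold, so it stays well inside the duplicate-certificate limit even if cron runs it daily. It assumes certbot's default live path /etc/letsencrypt/live/<domain>/cert.pem, a log file under /var/log, and GNU date; the domain name is the one used in the post, and the cert_needs_renewal / cert_days_left / run_renewal function names are mine.

```bash
#!/bin/bash
# Added example: renew a Let's Encrypt certificate only when it is close to expiry.
# Assumptions: certbot's default live path, GNU date (for -d and -Is), a writable log file.
set -eu
PATH="/usr/local/bin:/usr/bin:/bin:/snap/bin"   # cron's PATH lacks /snap/bin

DOMAIN="${DOMAIN:-zuoridangnian.com}"                      # domain from the post
CERT="${CERT:-/etc/letsencrypt/live/$DOMAIN/cert.pem}"     # certbot's default location (assumed)
THRESHOLD_DAYS="${THRESHOLD_DAYS:-30}"                     # renew when fewer days than this remain
LOG="${LOG:-/var/log/cert-renew.log}"                      # assumed log path

# Returns 0 (true) if the certificate file $1 is missing, unreadable, or expires
# within $2 days; returns 1 otherwise. `openssl x509 -checkend N` exits 0 only
# when the certificate is still valid N seconds from now.
cert_needs_renewal() {
    local cert="$1" days="$2"
    [ -r "$cert" ] || return 0
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Prints the whole days left until notAfter (negative once expired).
cert_days_left() {
    local not_after end_epoch now_epoch
    not_after=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    end_epoch=$(date -d "$not_after" +%s)
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

run_renewal() {
    local why
    if cert_needs_renewal "$CERT" "$THRESHOLD_DAYS"; then
        if [ -r "$CERT" ]; then why="expires in $(cert_days_left "$CERT") days"; else why="no certificate found"; fi
        echo "$(date -Is) $DOMAIN: renewing ($why)" >> "$LOG"
        # --force-renewal: the script's threshold, not certbot's built-in 30-day rule, decides;
        # --non-interactive: fail instead of prompting when run from cron.
        certbot renew --cert-name "$DOMAIN" --force-renewal --non-interactive --quiet >> "$LOG" 2>&1
    else
        echo "$(date -Is) $DOMAIN: still valid for more than $THRESHOLD_DAYS days, nothing to do" >> "$LOG"
    fi
}

# Run the renewal only when called with "run" (cron line: 0 6 * * * /path/script.sh run),
# so the functions above can also be sourced or tested on their own.
if [ "${1:-}" = "run" ]; then
    run_renewal
fi
```

Because the decision is made from the certificate on disk, the same script also catches the original failure mode (a certificate that silently ran out) the next time cron fires, and the log records why each run did or did not renew. If no certificate exists yet under the live path, certbot renew --cert-name will fail and that failure lands in the log; the first issuance still has to be done by hand with certbot run or certonly.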

WordPress error: [] cURL error 60: SSL certificate problem: unable to get local issuer certificate

Cause: the certificate chain the server sends is incomplete. The CA (intermediate) certificates are missing, so curl cannot link the domain certificate to a root it trusts.

If you uploaded the certificate yourself, you most likely configured only the private key and the domain certificate.

A downloaded SSL certificate typically comes as three files:

ca_bundle.crt   the CA bundle (the intermediate certificates, sometimes with the root appended)

certificate.crt the domain (leaf) certificate

private.key     the private key

For Apache, configure it like this (SSLCertificateChainFile still works but has been deprecated since Apache 2.4.8; on newer versions you can instead append the CA bundle to the file given to SSLCertificateFile):

SSLEngine                on
SSLCertificateFile       /etc/ssl/certificate.crt
SSLCertificateKeyFile    /etc/ssl/private.key
SSLCertificateChainFile  /etc/ssl/ca_bundle.crt

For Nginx, merge certificate.crt and ca_bundle.crt into a single file, with the domain certificate first and the CA bundle after it (the order matters: nginx sends the file as-is, and clients expect the leaf first). Write the result to a new file; redirecting the output back into certificate.crt would truncate it before cat reads it:

cat certificate.crt ca_bundle.crt > fullchain.crt

Then configure (ssl on; was the old way and has been deprecated since nginx 1.15.0 in favour of the ssl parameter on listen):

listen               443 ssl;
ssl_certificate      /etc/ssl/fullchain.crt;
ssl_certificate_key  /etc/ssl/private.key;
    

Nginx SSL configuration: pitfall diary

This post just records the pitfalls I ran into while configuring HTTPS in Nginx.

All error messages below are taken from systemctl status nginx.

unknown directive "ssl"

This error is triggered by an ssl on directive in nginx.conf.

Cause: your nginx binary was built without the http_ssl_module. You can confirm this with nginx -V: the configure arguments it prints should include --with-http_ssl_module.

Fix: rebuild the same version with the SSL module enabled. Note that running ./configure with only --with-http_ssl_module drops every other option the previous build had, so reuse the configure arguments shown by nginx -V and add --with-http_ssl_module to them.

For example: in my previous post I generated the build configuration with a bare ./configure; you need to go back to the directory where you unpacked the nginx source, run it again, and add the HTTPS module:

cd nginx-1.13.8
./configure --with-http_ssl_module        # add any other options from nginx -V here as well
make
# if nginx is currently running, stop it first: cp over a running binary fails with "Text file busy"
cp objs/nginx /usr/local/nginx/sbin/nginx
/usr/local/nginx/sbin/nginx

Thanks to: Nginx如何安装https-ssl证书 – 简书
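As an added example that is not part of the original post, the helpers below take the text that nginx -V prints, add --with-http_ssl_module to the existing configure arguments only if it is not already there, and print the rebuild commands as a dry run, so a rebuild does not silently drop modules the current binary was compiled with. The nginx -V sample is constructed to match the situation in the post (a bare ./configure plus one extra module), and the function names are mine.

```bash
#!/bin/bash
# Added example: rebuild nginx with the SSL module without losing the options the
# current binary was built with. SAMPLE_NGINX_V is a constructed `nginx -V` output.
set -eu

# Given the text of `nginx -V` (it prints to stderr, hence 2>&1 when capturing),
# print the original configure arguments with --with-http_ssl_module appended if absent.
configure_args_with_ssl() {
    local args
    args=$(printf '%s\n' "$1" | sed -n 's/^configure arguments: *//p')
    case " $args " in
        *" --with-http_ssl_module "*) printf '%s\n' "$args" ;;
        *) printf '%s\n' "${args:+$args }--with-http_ssl_module" ;;
    esac
}

# Returns 0 if the binary described by the `nginx -V` text already has the SSL module.
has_ssl_module() {
    printf '%s\n' "$1" | grep -q -- '--with-http_ssl_module'
}

# Print the commands to run in the unpacked source directory (a dry run: nothing is
# executed here). nginx's generated Makefile has an `install` target that moves the old
# binary aside to nginx.old before copying the new one (avoiding "Text file busy"), and an
# `upgrade` target that hands the listening sockets to the new binary with USR2/QUIT.
plan_rebuild() {
    local args
    args=$(configure_args_with_ssl "$1")
    cat <<EOF
./configure $args
make
sudo make install     # keeps an existing nginx.conf; or stop nginx, cp objs/nginx into sbin, start it again
sudo make upgrade     # only needed if nginx is running; swaps binaries without dropping connections
/usr/local/nginx/sbin/nginx -V 2>&1 | grep -q -- --with-http_ssl_module && echo "ssl module present"
EOF
}

# Constructed sample of what `nginx -V 2>&1` prints for a binary built with a bare
# ./configure plus one extra module, i.e. the situation described in the post.
SAMPLE_NGINX_V='nginx version: nginx/1.13.8
built by gcc 7.2.0 (Ubuntu 7.2.0-8ubuntu3.2)
configure arguments: --prefix=/usr/local/nginx --with-http_gzip_static_module'

# Against the real binary: plan_rebuild "$(/usr/local/nginx/sbin/nginx -V 2>&1)"
if [ "${1:-}" = "demo" ]; then
    plan_rebuild "$SAMPLE_NGINX_V"
fi
```

Run it with the demo argument to see the planned commands for the sample, or pass the real nginx -V output as shown in the last comment; the first printed line is the ./configure invocation to use instead of a bare ./configure --with-http_ssl_module.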

checking for OpenSSL library ... not found

Next, if after running ./configure --with-http_ssl_module you get this error:

checking for OpenSSL library ... not found
./configure: error: SSL modules require the OpenSSL library. You can either do not enable the modules, or install the OpenSSL library into the system, or build the OpenSSL library statically from the source with nginx by using --with-openssl= option.

Fix: install the OpenSSL development headers. On Debian/Ubuntu that is the libssl-dev package (apt install libssl-dev); on RHEL/CentOS/Fedora it is openssl-devel. Install openssl itself too if it is missing.

Thanks to: ubuntu – Can't compile nginx with SSL support, OpenSSL not found – Server Fault

[emerg]: bind() to 0.0.0.0:80 failed (98: Address already in use)

Next, after debugging nginx for a while you restart it and it won't come up; the status output shows something like this:

Feb 11 02:45:44 ubuntu-s-1vcpu-1gb-sfo2-01 nginx[9635]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Feb 11 02:45:45 ubuntu-s-1vcpu-1gb-sfo2-01 nginx[9635]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Feb 11 02:45:45 ubuntu-s-1vcpu-1gb-sfo2-01 nginx[9635]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Feb 11 02:45:45 ubuntu-s-1vcpu-1gb-sfo2-01 nginx[9635]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Feb 11 02:45:45 ubuntu-s-1vcpu-1gb-sfo2-01 nginx[9635]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)

Cause: ports 80/443 are already in use, most often by an nginx instance that is still running (for example one started by hand from /usr/local/nginx/sbin/nginx while systemd tries to start another) or by another web server such as Apache.

Fix: find out what is holding the port before killing anything (ss -ltnp or lsof -i :80), stop that service cleanly (systemctl stop nginx, or nginx -s stop for a stray nginx), and only as a last resort kill whatever is holding the ports:

fuser -k 80/tcp
fuser -k 443/tcp

Thanks to: [emerg]: bind() to 0.0.0.0:80 failed (98: Address already in use) – EasyEngine

Summary

When in doubt, google it!

Thanks, Google!