Batch script for automatic SSL certificate renewal of newly added domains

For installing certbot, see "Let's Encrypt certificate issuance and renewal limits (SSL certificates)": link

0- First create a port-80 test nginx configuration file:

Prepare the well-known directory:

mkdir -p /www/uat-dashu.baimei.com 

cat test.conf

server {
    listen 80;
    server_name uat-dashu.baimei.com;

    # Settings for the directory used to validate the SSL certificate request
    location ~ \.well-known{
        allow all;
        root /www/uat-dashu.baimei.com;
    }
}

Then run nginx -s reload to load test.conf.

The first time, the certificate files have to be generated manually:

certbot certonly --webroot -w /www/uat-tugele.dashu.com  -d uat-tugele.dashu.com

On success the output looks like this:

Check whether the certificate was generated:

List the domains we are renewing:

certbot certificates

You can also ls the certificate directory:

Once that is checked, we can prepare the automatic renewal command.

Remember to remove test.conf:

mv test.conf test.conf.bak
nginx -t
nginx -s reload

1- Prepare the cron script:

Cron schedule:

0 2 * * * root sh /app/scripts/ssl/renewssl.sh  >> /www/renew.log 2>&1

cat renewssl.sh

#!/bin/bash
# Run the deploy hook with bash: the hook uses [[ ... ]], which is not available
# when /bin/sh is dash (Debian/Ubuntu), so "sh script.sh" would silently do nothing.
certbot renew  --quiet --deploy-hook "bash /app/scripts/ssl/ssldeploy-uat-ai.baimei.com.sh"
#certbot renew --quiet --deploy-hook "bash /app/scripts/ssl/ssldeploy-ollama.baimei.com.sh"

echo "Script executed at $(date)" >> /www/renew.log

2- Prepare the deploy-hook script

Change the domain and the SSL path in the script:

cat /app/scripts/ssl/ssldeploy-uat-ai.baimei.com.sh

#!/bin/bash

# Certbot sets RENEWED_DOMAINS (space-separated) for deploy hooks.
renewed_domains=$RENEWED_DOMAINS
MYDOMAIN="uat-ai.baimei.com"
#SSLPATH=/opt/ssl_key/$MYDOMAIN
SSLPATH=/etc/nginx/ssl_key/oms/$MYDOMAIN
# Check whether this particular domain was renewed
if [[ $renewed_domains == *"$MYDOMAIN"* ]]; then
    # Domain-specific actions
    echo " 续约$MYDOMAIN" >> /www/renew.log

    # Copy the renewed certificate to the desired location
    mkdir -p "$SSLPATH"
    cp -f "/etc/letsencrypt/live/$MYDOMAIN/fullchain.pem" "$SSLPATH/"
    cp -f "/etc/letsencrypt/live/$MYDOMAIN/privkey.pem" "$SSLPATH/"

    # Reload the nginx inside the docker container
    /usr/sbin/nginx -s reload
fi

3- Prepare the nginx configuration file

Prepare the well-known directory:

mkdir -p /www/uat-dashu.baimei.com 


server {
    listen 443 ssl;
    #listen 80;
    server_name uat-dashu.baimei.com;

    ssl_certificate     /etc/nginx/ssl_key/uat/uat-dashu.baimei.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl_key/uat/uat-dashu.baimei.com/privkey.pem;

    gzip on;
    gzip_http_version 1.1;
    gzip_min_length 0;
    gzip_buffers 256 64k;
    gzip_comp_level 9;
    gzip_types text/plain application/x-javascript application/javascript text/javascript text/css application/xml application/json text/xml;

    client_header_buffer_size 16k;
    client_max_body_size      100m; # Required, otherwise uploading large files fails.
    proxy_ignore_client_abort  on;
    proxy_buffers 64 4k;

    location ^~ /.well-known {
        allow all;
        root /www/uat-dashu.baimei.com;
    }

    location / {
        proxy_pass http://192.168.1.209:31057;
        proxy_set_header Host $proxy_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /stage-api/ {
        proxy_pass http://192.168.1.209:31058/;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        # WebSocket proxy settings; $http_upgrade is the value of the HTTP Upgrade header.
        proxy_http_version 1.1;
        proxy_set_header   Upgrade          $http_upgrade;
        proxy_set_header   Connection       "upgrade";
    }

    access_log  /var/log/nginx/uat-dashu.baimei.com.log custom_format;
    error_log   /var/log/nginx/uat-dashu.baimei.com.error.log;

    error_page 502 503 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

server {
    listen 80;
    server_name uat-dashu.baimei.com;
    if ($host != 'uat-dashu.baimei.com') {
        return 403;
    }
    #return 302 https://$server_name$request_uri;

    rewrite ^/(.*)$ https://$server_name:443/$1 permanent;
}

4- Test:

Step 1: force a renewal first to see whether the script takes effect

certbot renew --force-renewal --quiet --deploy-hook "bash /app/scripts/ssl/ssldeploy-uat-tugele.baimei.com.sh"

Check:

cat /www/renew.log

and confirm it contains the "续约..." line written by the deploy hook.

Verify the certificate directory:

ll /etc/nginx/ssl_key/uat/uat-tugele.baimei.com/

Then verify the certificate validity dates:

openssl x509 -in /etc/nginx/ssl_key/uat/uat-tugele.baimei.com/fullchain.pem -noout -startdate -enddate

If the dates are correct, automatic renewal is working.

Tidy up the scripts and they are ready for production.
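The per-domain deploy hook from step 2 plus the manual checks from step 4, folded into one batch hook as an added example (not the post's own script): it handles every domain in certbot's RENEWED_DOMAINS, verifies each copy the way step 4 does by hand, and reloads nginx once. SSL_BASE, LOG, the 30-day threshold and the wildcard filtering are assumptions of this example; RENEWED_DOMAINS is the variable certbot really sets for deploy hooks.

```shell
#!/bin/bash
# Added example (not the post's own script): a single deploy hook that handles
# every domain certbot just renewed, copies each cert to SSL_BASE/<domain>,
# verifies the copy, and reloads nginx once at the end.
# Assumptions: SSL_BASE, LOG and the 30-day expiry threshold are this example's.
# RENEWED_DOMAINS is set by certbot for deploy hooks (space-separated list).
set -u
set -f   # no globbing: a wildcard name like *.baimei.com must never expand against the cwd

SSL_BASE="${SSL_BASE:-/etc/nginx/ssl_key/uat}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
LOG="${LOG:-/www/renew.log}"

# Print the domains in the space-separated list $1 one per line, skipping
# blanks and wildcard names (a wildcard is not usable as a directory name).
renewed_list() {
    local d
    for d in $1; do
        case "$d" in ""|\*.*) ;; *) printf '%s\n' "$d" ;; esac
    done
}

# Copy fullchain/privkey for domain $1 into directory $2 and verify the copy.
# Returns 1 if the copy failed, 2 if the deployed chain differs from certbot's,
# 3 if the deployed cert expires within 30 days (2592000 s).
deploy_cert() {
    local dst="$2" src="$LIVE_DIR/$1"
    mkdir -p "$dst" || return 1
    cp -f "$src/fullchain.pem" "$dst/" && cp -f "$src/privkey.pem" "$dst/" || return 1
    chmod 600 "$dst/privkey.pem"
    cmp -s "$src/fullchain.pem" "$dst/fullchain.pem" || return 2
    openssl x509 -in "$dst/fullchain.pem" -noout -checkend 2592000 >/dev/null || return 3
}

main() {
    local d rc changed=0
    for d in $(renewed_list "${RENEWED_DOMAINS:-}"); do
        deploy_cert "$d" "$SSL_BASE/$d"; rc=$?
        if [ "$rc" -eq 0 ]; then
            echo " 续约$d $(date)" >> "$LOG"; changed=1
        else
            echo "deploy failed for $d (rc=$rc)" >> "$LOG"
        fi
    done
    # Reload only when something was deployed and the config still parses.
    [ "$changed" -eq 1 ] && /usr/sbin/nginx -t && /usr/sbin/nginx -s reload
    return 0
}
main "$@"
```

Register it once in renewssl.sh as `--deploy-hook "bash /app/scripts/ssl/deploy.sh"` (path assumed); certbot renew accepts a single deploy hook, so one batch hook replaces the per-domain scripts and the commented-out second certbot renew line.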
