Using Docker to request and auto-renew Aliyun-based Let's Enc

1. Install and configure Docker

yum install docker

# Disable SELinux
setenforce 0
usermod -G root dockerroot

# Configure the registry mirror
vi /etc/docker/daemon.json
{
    "registry-mirrors": ["镜像源地址"],
    "log-driver": "json-file",
    "log-opts": {"max-size": "100m", "max-file": "2"}
}

systemctl daemon-reload
systemctl restart docker

Be sure to run the setenforce and usermod commands; otherwise a permission error will be reported later when requesting the certificate.

2. Write the Dockerfile

# VERSION 1.0
# Author: xxxx

# Base image
FROM certbot/certbot

# Author
MAINTAINER xxxx <xxxx@xxxx.com>

# Install the Apache and Aliyun DNS plugins and create the credentials directory
RUN pip install --upgrade pip \
    && pip install certbot-apache certbot-dns-aliyun \
    && mkdir -p /project/conf/aliyun

3. Build the Docker image

In the directory containing the Dockerfile, run docker build -t aliyun-certbot:v1.0 . Red error messages appear during the build; they can be ignored and do not affect normal use. When Successfully built is printed at the end, the image was built successfully; run docker images to check it.

4. Request and configure an Aliyun DNS access key

Go to ram.console.aliyun.com, create a RAM sub-account and grant it the AliyunDNSFullAccess permission. Then create an AccessKey for the sub-account and record it.

5. Create the certbot-dns-aliyun configuration file credentials.ini

cat > /opt/aliyun-dns/credentials.ini <<EOF
certbot_dns_aliyun:dns_aliyun_access_key = 上一步申请的AccessKey
certbot_dns_aliyun:dns_aliyun_access_key_secret = 上一步申请的AccessSecret
EOF

# The file holds a key with full DNS access: restrict it to the owner
chmod 600 /opt/aliyun-dns/credentials.ini

6. Request the certificate

docker run -it --rm -v /opt/testdomain:/etc/letsencrypt \
    -v /opt/testdomain:/var/log/letsencrypt \
    -v /opt/aliyun-dns:/project/conf/aliyun \
    aliyun-certbot:v1.0 certonly \
    -v \
    -a certbot-dns-aliyun:dns-aliyun \
    --certbot-dns-aliyun:dns-aliyun-credentials /project/conf/aliyun/credentials.ini \
    --register-unsafely-without-email \
    -d *.tomcat.test.abc.com

/opt/testdomain is where the certificate and logs are stored; /opt/aliyun-dns is where the Aliyun DNS configuration file is stored.

Note that the wildcard certificate you request must sit directly above the host name, because the wildcard covers only one label. For example, if your domain is 8100.tomcat.test.abc.com and you request a certificate for *.abc.com, the server will report a certificate problem once configured; the certificate to request is *.tomcat.test.abc.com.
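As an added check that is not part of the original post: a POSIX shell implementation of this one-label wildcard rule (RFC 6125), plus a helper that extracts the DNS names from an issued PEM with openssl (assumed installed) so you can confirm the host you will serve is covered before wiring the certificate into httpd. The host names and paths are the ones used on this page.

```shell
#!/bin/sh
# Added check (not from the original post): does a certificate name cover a host?
# RFC 6125 wildcard rule: "*" matches exactly one DNS label, so
# *.tomcat.test.abc.com covers 8100.tomcat.test.abc.com, but *.abc.com does not.

# cert_covers_host PATTERN HOST -> returns 0 if PATTERN covers HOST
cert_covers_host() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        '*.'*)
            suffix=${pattern#\*.}                  # text after the "*."
            case "$host" in
                *".$suffix")
                    leading=${host%".$suffix"}     # what the "*" would stand for
                    case "$leading" in
                        ''|*.*) return 1 ;;        # empty, or more than one label
                        *)      return 0 ;;
                    esac ;;
                *) return 1 ;;
            esac ;;
        *) [ "$pattern" = "$host" ] ;;             # no wildcard: exact match only
    esac
}

# host_in_cert PEM HOST -> 0 if any DNS SAN in the certificate covers HOST.
# Reads the SAN extension with openssl; PEM is e.g. the live fullchain.pem.
host_in_cert() {
    found=1
    while IFS= read -r san; do
        if cert_covers_host "$san" "$2"; then found=0; fi
    done <<EOF
$(openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^ *DNS://p')
EOF
    return "$found"
}

# Stand-alone usage: sh check.sh /opt/testdomain/live/tomcat.test.abc.com/fullchain.pem 8100.tomcat.test.abc.com
if [ "$#" -eq 2 ]; then
    if host_in_cert "$1" "$2"; then echo "covered"; else echo "NOT covered"; fi
fi
```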

7. Configure Apache httpd

Create the file common_conf/ssl_common.conf under /etc/httpd with the following contents:

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

SSLCertificateFile "/etc/letsencrypt/live/tomcat.test.abc.com/fullchain.pem"

SSLCertificateKeyFile "/etc/letsencrypt/live/tomcat.test.abc.com/privkey.pem"

# Only needed on httpd older than 2.4.8; newer versions read the chain from fullchain.pem above
SSLCertificateChainFile "/etc/letsencrypt/live/tomcat.test.abc.com/chain.pem"

# Reverse proxy settings, enable as needed
SSLProxyEngine On
ProxyRequests off
ProxyPreserveHost on
<Proxy *>
    Order allow,deny
    Allow from all
</Proxy>

Configure the HTTPS virtual host

<VirtualHost *:443>
    ServerName 您的域名.tomcat.test.abc.com

    Include common_conf/ssl_common.conf

    ProxyPass / http://localhost:xxxx/
    ProxyPassReverse / http://localhost:xxxx/
    CustomLog logs/abcsss_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Restart the httpd service

systemctl restart httpd.service

8. Write the auto-renewal script

#!/bin/bash
# Runs from cron, so there is no TTY: do not pass -it to docker run.
# /opt/testdomain is mounted at /etc/letsencrypt (as in step 6), because
# certbot renew reads the renewal configs under /etc/letsencrypt/renewal.
if docker run --rm -v /opt/testdomain:/etc/letsencrypt \
    -v /opt/testdomain:/var/log/letsencrypt \
    -v /opt/aliyun-dns:/project/conf/aliyun \
    aliyun-certbot:v1.0 renew \
    -v \
    -a certbot-dns-aliyun:dns-aliyun \
    --certbot-dns-aliyun:dns-aliyun-credentials /project/conf/aliyun/credentials.ini \
    --register-unsafely-without-email; then
    # httpd only picks up a renewed certificate after a reload
    systemctl reload httpd.service
    echo "SSL续期成功" | mail -s "$(date +%Y%m%d)SSL续期" xxxx@qq.com
else
    echo "SSL续期失败" | mail -s "$(date +%Y%m%d)SSL续期失败" xxxx@qq.com
fi

Add a scheduled task that runs every day at 1 AM:

crontab -e

# Every day at 01:00
0 1 * * * /opt/certbot/renew.sh > /opt/certbot/renew.log 2>&1

This article is reposted from: Juejin
