Let's Encrypt configuration with multiple domains fails to obtain an ECC certificate

How do I trigger the certificate renewal, just by deleting the old certificate from /shared/ssl?

I think that happens on every rebuild, so there is no need to delete anything.

1 Like

The certificate was issued yesterday, so normally --force would be needed in the LE script. I have now renamed the old certificate and am testing a rebuild.

Apparently this does not work, I do not get the second domain entered: https://ssl-tools.net/webservers/rpg-foren.com

It also doesn’t look like everything is replaced correctly, the ecc file is missing the subdomain:

cat /etc/runit/1.d/letsencrypt
#!/bin/bash
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf

issue_cert() {
  LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue $2 -d rpg-foren.com -d www.rpg-foren.com --keylength $1 -w /var/www/discourse/public
}

cert_exists() {
  [[ "$(cd /shared/letsencrypt/rpg-foren.com$1 && openssl verify -CAfile <(openssl x509 -in ca.cer) fullchain.cer | grep "OK")" ]]
}

########################################################
# RSA cert
########################################################
issue_cert "4096"

if ! cert_exists ""; then
  # Try to issue the cert again if something goes wrong
  issue_cert "4096" "--force"
fi

LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh \
  --installcert \
  -d rpg-foren.com \
  -d www.rpg-foren.com --fullchainpath /shared/ssl/rpg-foren.com.cer \
  --keypath /shared/ssl/rpg-foren.com.key \
  --reloadcmd "sv reload nginx"

########################################################
# ECDSA cert
########################################################
issue_cert "ec-256"

if ! cert_exists "_ecc"; then
  # Try to issue the cert again if something goes wrong
  issue_cert "ec-256" "--force"
fi

LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh \
  --installcert --ecc \
  -d rpg-foren.com \
  --fullchainpath /shared/ssl/rpg-foren.com_ecc.cer \
  --keypath /shared/ssl/rpg-foren.com_ecc.key \
  --reloadcmd "sv reload nginx"

if cert_exists "" || cert_exists "_ecc"; then
  grep -q 'force_https' "/var/www/discourse/config/discourse.conf" || echo "force_https = 'true'" >> "/var/www/discourse/config/discourse.conf"
fi

/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop

I have just executed the following manually, now the certificates fit:

/shared/letsencrypt/acme.sh --issue --force -d rpg-foren.com -d www.rpg-foren.com --keylength 4096 -w /var/www/discourse/public --server letsencrypt
/shared/letsencrypt/acme.sh --issue --force -d rpg-foren.com -d www.rpg-foren.com --keylength ec-256 -w /var/www/discourse/public --server letsencrypt

/shared/letsencrypt/acme.sh --installcert -d rpg-foren.com -d www.rpg-foren.com --fullchainpath /shared/ssl/rpg-foren.com.cer --keypath /shared/ssl/rpg-foren.com.key --reloadcmd "sv reload nginx"
/shared/letsencrypt/acme.sh --installcert -d rpg-foren.com -d www.rpg-foren.com --fullchainpath /shared/ssl/rpg-foren.com_ecc.cer --keypath /shared/ssl/rpg-foren.com_ecc.key --reloadcmd "sv reload nginx"

This is my rewrite for forwarding:

    # tell letsencrypt what additional certs to get
    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /--keylength/
        to: "-d www.rpg-foren.com --keylength"
    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /--fullchainpath/
        to: "-d www.rpg-foren.com --fullchainpath"
    - file:
        path: /etc/nginx/conf.d/discourse_redirect.conf
        contents: |
          server {
            listen 80;
            listen 443 ssl;
            server_name www.rpg-foren.com;
            return 301 $scheme://rpg-foren.com$request_uri;

            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
            ssl_prefer_server_ciphers off;

            ssl_certificate /shared/ssl/rpg-foren.com.cer;
            ssl_certificate /shared/ssl/rpg-foren.com_ecc.cer;

            ssl_certificate_key /shared/ssl/rpg-foren.com.key;
            ssl_certificate_key /shared/ssl/rpg-foren.com_ecc.key;

            ssl_session_tickets off;
            ssl_session_timeout 1d;
            ssl_session_cache shared:SSL:1m;
          }

Is it possible that a replace command is only executed once?

Does the certificate look valid now?

I'm pretty sure the redirect is handled elsewhere in the chain and you don't need to do anything to make it work. I would probably remove that part from your yml file.

Now it seems to work as expected.

Yes, but I set it up manually, not via the hook, because the hook did not set it up correctly.

Do you mean from the www. subdomain to the main domain? At least not through nginx. No URL is defined there, so the web server responds to all incoming domains.

It works for me (see below).

I mean that anything resolving to the site gets redirected to the hostname. For any standard install you can enter the IP address and it will redirect to https://hostname. (See below.)

I just set this up: I created a new standard install with https://dashboard.literatecomputing.com/, additionally pasted extrahostname.myforum.us into the domain2 field above, and copy-pasted the generated after_ssl hook into web_only.yml right after hooks: (and did that while the script was building the data container, so it did not have to be rebuilt after the first build finished!).

All of the following works as expected:

1 Like

Does that mean the subdomain is stored in /etc/runit/1.d/letsencrypt for both the rsa and the ecc install step?
As shown above, the hook only stored the subdomain in the rsa section, not in the ecc section.

  --installcert \
  -d rpg-foren.com \
  -d www.rpg-foren.com
  --installcert --ecc \
  -d rpg-foren.com \
  --fullchainpath

This is /etc/runit/1.d/letsencrypt

#!/bin/bash
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf

issue_cert() {
  LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue $2 -d test.myforum.us -d extrahostname.myforum.us --keylength $1 -w /var/www/discourse/public
}

cert_exists() {
  [[ "$(cd /shared/letsencrypt/test.myforum.us$1 && openssl verify -CAfile <(openssl x509 -in ca.cer) fullchain.cer | grep "OK")" ]]
}

########################################################
# RSA cert
########################################################
issue_cert "4096"

if ! cert_exists ""; then
  # Try to issue the cert again if something goes wrong
  issue_cert "4096" "--force"
fi

LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh \
  --installcert \
  -d test.myforum.us \
  -d extrahostname.myforum.us  --fullchainpath /shared/ssl/test.myforum.us.cer \
  --keypath /shared/ssl/test.myforum.us.key \
  --reloadcmd "sv reload nginx"

########################################################
# ECDSA cert
########################################################
issue_cert "ec-256"

if ! cert_exists "_ecc"; then
  # Try to issue the cert again if something goes wrong
  issue_cert "ec-256" "--force"
fi

LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh \
  --installcert --ecc \
  -d test.myforum.us \
  --fullchainpath /shared/ssl/test.myforum.us_ecc.cer \
  --keypath /shared/ssl/test.myforum.us_ecc.key \
  --reloadcmd "sv reload nginx"

if cert_exists "" || cert_exists "_ecc"; then
  grep -q 'force_https' "/var/www/discourse/config/discourse.conf" || echo "force_https = 'true'" >> "/var/www/discourse/config/discourse.conf"
fi

/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop

Ah. I see it in the RSA (bad) certificate but not in the ECC (good) one.

OK. Now I get it. That --fullcert block needs global: true in it. I'm testing it.

2 Likes

OK. Here is the new /etc/runit/1.d/letsencrypt

#!/bin/bash
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf

issue_cert() {
  LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue $2 -d test.myforum.us -d extrahostname.myforum.us --keylength $1 -w /var/www/discourse/public
}

cert_exists() {
  [[ "$(cd /shared/letsencrypt/test.myforum.us$1 && openssl verify -CAfile <(openssl x509 -in ca.cer) fullchain.cer | grep "OK")" ]]
}

########################################################
# RSA cert
########################################################
issue_cert "4096"

if ! cert_exists ""; then
  # Try to issue the cert again if something goes wrong
  issue_cert "4096" "--force"
fi

LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh \
  --installcert \
  -d test.myforum.us \
  -d extrahostname.myforum.us  --fullchainpath /shared/ssl/test.myforum.us.cer \
  --keypath /shared/ssl/test.myforum.us.key \
  --reloadcmd "sv reload nginx"

########################################################
# ECDSA cert
########################################################
issue_cert "ec-256"

if ! cert_exists "_ecc"; then
  # Try to issue the cert again if something goes wrong
  issue_cert "ec-256" "--force"
fi

LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh \
  --installcert --ecc \
  -d test.myforum.us \
  -d extrahostname.myforum.us  --fullchainpath /shared/ssl/test.myforum.us_ecc.cer \
  --keypath /shared/ssl/test.myforum.us_ecc.key \
  --reloadcmd "sv reload nginx"

if cert_exists "" || cert_exists "_ecc"; then
  grep -q 'force_https' "/var/www/discourse/config/discourse.conf" || echo "force_https = 'true'" >> "/var/www/discourse/config/discourse.conf"
fi

/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop

Now I have this, which looks good? https://ssl-tools.net/webservers/extrahostname.myforum.us

Does that look right? If so, I'll edit the OP to include the global directive.

2 Likes

My idea:

    # tell letsencrypt what additional certs to get
    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /--keylength/
        to: "-d www.rpg-foren.com --keylength"
    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /--installcert \\/
        to:  |
          --installcert \
          -d www.rpg-foren.com
    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /--installcert --ecc \\/
        to:  |
          --installcert --ecc \
          -d www.rpg-foren.com

Doesn't mine work? It has a third fewer lines.

I don't see your rewrite? Or am I missing something?
I just want to make a good rewrite so that the file looks nice in the end ^^

I haven't done it yet. I'm waiting to see whether you think it works.

Here is the change, just add global: true at the end of the second replace:

    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /--fullchainpath/
        to: "-d =domain2= --fullchainpath"
        global: true

Here is the whole thing:

    after_ssl:
      # tell letsencrypt what additional certs to get
      - replace:
          filename: "/etc/runit/1.d/letsencrypt"
          from: /--keylength/
          to: "-d extrahostname.myforum.us --keylength"
      - replace:
          filename: "/etc/runit/1.d/letsencrypt"
          from: /--fullchainpath/
          to: "-d extrahostname.myforum.us --fullchainpath"
          global: true

1 Like

OK, the global parameter is what you need for multiple replacements.

Judging from the files you posted it looks good; I haven't tried it yet.

Yes. Sorry I didn't listen carefully enough earlier to understand what you were saying. According to my (bad) testing it "worked", but I didn't notice and didn't know how to check whether that ec-whatever certificate was really there. Thanks for persisting.

Does https://ssl-tools.net/webservers/extrahostname.myforum.us look like it has the "right stuff"?

I have now edited the OP, so you can try it and copy/paste from the form above.

If you want to test it yourself on a test site and can give me an SSH key, I'll give you access to the one I just set up. Then you can do a clean install there with your own test domain. Or you can just do it on your production site and pray. :person_shrugging:

You can find it here:

ls -la /var/discourse/shared/standalone/ssl/
total 24
drwxr-xr-x  2 root root 4096 Sep 24 13:02 .
drwxr-xr-x 15 root root 4096 Sep 23 18:31 ..
-rw-r--r--  1 root root 3941 Sep 25 07:43 rpg-foren.com.cer
-rw-r--r--  1 root root 3941 Sep 25 07:43 rpg-foren.com_ecc.cer
-rw-------  1 root root 3243 Sep 25 07:43 rpg-foren.com_ecc.key
-rw-------  1 root root 3243 Sep 25 07:43 rpg-foren.com.key

The problem is, I don't know how to test ecc and rsa separately.
Since the created files now match the requirements, no further testing is needed.

1 Like
root@test-web-only:/shared/ssl# ls -l
total 16
-rw-r--r-- 1 root root 3953 Sep 25 16:41 test.myforum.us.cer
-rw-r--r-- 1 root root 2877 Sep 25 16:41 test.myforum.us_ecc.cer
-rw------- 1 root root  227 Sep 25 16:41 test.myforum.us_ecc.key
-rw------- 1 root root 3247 Sep 25 16:41 test.myforum.us.key

OK. If you think this is fine, I'll move this discussion to a new topic and hope the problem is solved.

1 Like

You can test the certificate with:

openssl x509 -in /var/discourse/shared/standalone/ssl/test.myforum.us.cer -noout -text
The domains should then be listed under DNS:
DNS:rpg-foren.com, DNS:www.rpg-foren.com

1 Like
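For the question of how to test the RSA and ECC certificates separately, here is a check that goes a step beyond the openssl -text command above. It is an added example, not code from the thread or from Discourse: for each installed pair it confirms the public key algorithm, confirms the private key belongs to the certificate, and confirms every expected DNS name is in the SAN list. The directory, domain and certificates are constructed self-signed fixtures so it runs offline; point check_cert at the real /shared/ssl files instead.

```shell
#!/bin/sh
# Added example, not from the thread: verify the RSA and ECC pairs that
# acme.sh --installcert writes as DOMAIN.cer/.key and DOMAIN_ecc.cer/.key.
set -u

# DNS names from the certificate's Subject Alternative Name, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p'
}

# Public key algorithm as openssl names it: rsaEncryption or id-ecPublicKey.
cert_key_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p' | head -n 1
}

# True when the private key's public half equals the certificate's public key.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_cert CERT KEY ALG DOMAIN...  -> 0 only if algorithm, key and all SANs line up.
check_cert() {
  cert="$1"; key="$2"; alg="$3"; shift 3
  [ -f "$cert" ] && [ -f "$key" ] || { echo "$cert: certificate or key missing"; return 1; }
  [ "$(cert_key_alg "$cert")" = "$alg" ] || { echo "$cert: expected $alg"; return 1; }
  key_matches_cert "$cert" "$key" || { echo "$cert: private key does not match"; return 1; }
  found=$(cert_sans "$cert")
  for d in "$@"; do
    printf '%s\n' "$found" | grep -qx "$d" || { echo "$cert: SAN $d missing"; return 1; }
  done
  echo "$cert: $alg, key matches, SANs: $*"
}

# Constructed fixtures: self-signed stand-ins in a temp dir, since the real
# /shared/ssl files are not available here.  make_fixture DIR DOMAIN rsa|ec SAN...
make_fixture() {
  dir="$1"; domain="$2"; kind="$3"; shift 3
  if [ "$kind" = rsa ]; then
    out="$dir/$domain"
    openssl genrsa -out "$out.key" 2048 2>/dev/null
  else
    out="$dir/${domain}_ecc"
    openssl ecparam -name prime256v1 -genkey -noout -out "$out.key"
  fi
  openssl req -new -x509 -key "$out.key" -days 1 -subj "/CN=$domain" \
    -addext "subjectAltName=$(printf 'DNS:%s,' "$@" | sed 's/,$//')" -out "$out.cer" 2>/dev/null
}

SSL_DIR=$(mktemp -d); DOMAIN=example.test   # constructed stand-ins for /shared/ssl and the forum host
trap 'rm -rf "$SSL_DIR"' EXIT
make_fixture "$SSL_DIR" "$DOMAIN" rsa "$DOMAIN" "www.$DOMAIN"
make_fixture "$SSL_DIR" "$DOMAIN" ec "$DOMAIN"   # ECC cert without www: the broken state from the thread

check_cert "$SSL_DIR/$DOMAIN.cer" "$SSL_DIR/$DOMAIN.key" rsaEncryption "$DOMAIN" "www.$DOMAIN"
check_cert "$SSL_DIR/${DOMAIN}_ecc.cer" "$SSL_DIR/${DOMAIN}_ecc.key" id-ecPublicKey "$DOMAIN" "www.$DOMAIN" || true
```

The second call reports the missing www SAN, which is exactly the state the hook produced before global: true was added.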
root@test:/var/discourse# openssl x509 -in /var/discourse/shared/web-only/ssl/test.myforum.us.cer -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:f8:b5:6a:e0:97:53:7f:22:33:81:22:35:b4:3f:73:75:7f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R10
        Validity
            Not Before: Sep 25 14:57:13 2024 GMT
            Not After : Dec 24 14:57:12 2024 GMT
        Subject: CN = test.myforum.us
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:be:a3:9b:79:78:dd:8f:e2:8f:28:f0:d9:6c:74:
...                    b0:84:33
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                43:55:B7:D6:54:03:CE:B0:FB:C8:D1:2A:42:F5:B7:C5:60:C7:D8:48
            X509v3 Authority Key Identifier:
                BB:BC:C3:47:A5:E4:BC:A9:C6:C3:A4:72:0C:10:8D:A2:35:E1:C8:E8
            Authority Information Access:
                OCSP - URI:http://r10.o.lencr.org
                CA Issuers - URI:http://r10.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:extrahostname.myforum.us, DNS:test.myforum.us
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DF:E1:56:EB:AA:05:AF:B5:9C:0F:86:71:8D:A8:C0:32:
                                4E:AE:56:D9:6E:A7:F5:A5:6A:01:D1:C1:3B:BE:52:5C
                    Timestamp : Sep 25 15:55:44.143 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : A2:E3:0A:E4:45:EF:BD:AD:9B:7E:38:ED:47:67:77:53:
                                D7:82:5B:84:94:D7:2B:5E:1B:2C:C4:B9:50:A4:47:E7
                    Timestamp : Sep 25 15:55:45.945 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        cf:c6:59:d8

and it includes:

            X509v3 Subject Alternative Name:
                DNS:extrahostname.myforum.us, DNS:test.myforum.us

Ah. OK.

openssl x509 -in /var/discourse/shared/web-only/ssl/test.myforum.us_ecc.cer -noout -text

contains:

            X509v3 Subject Alternative Name:
                DNS:extrahostname.myforum.us, DNS:test.myforum.us

1 Like