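Received an alert:
Daily site status - anomalies found
xxx mini program
Certificate expiring soon: expires in 12 days
The certificate is about to expire.
Has the auto-renewal script stopped working?
Time to find out what is going on.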
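From
after logging in:
go find
's backend server,
then look into the certificate.
Regarding the certificate, the earlier notes said:
[If needed] Update the certificate
When the certificate has expired, update it: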
```
cd /root/xxx
source renew_cert.sh
```
So take a look at:
renew_cert.sh
and also: whether the cron jobs include this auto-renewal.
```
root@VM-158-80-ubuntu:~/xxx# cat renew_cert.sh
#!/bin/bash
cd /root/xxx/
python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /root/xxx/challenges/ > signed.crt || exit
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
nginx -s reload
```
renew_cert.sh is a bash script that performs the renewal.
Then check whether the scheduled tasks include it:
```
root@VM-158-80-ubuntu:~/xxx# cron
cron crontab
root@VM-158-80-ubuntu:~/xxx# crontab -e
*/20 * * * * /usr/sbin/ntpdate ntpupdate.tencentyun.com >/dev/null &
*/1 * * * * /usr/local/qcloud/stargate/admin/start.sh > /dev/null 2>&1 &
0 4 * * 0 /root/xxx/renew_cert.sh >/dev/null 2>&1
0 0 * * * /usr/local/qcloud/xxx/xxx > /dev/null 2>&1 &
~
```
Clearly, this entry is present:
```
0 4 * * 0 /root/xxx/renew_cert.sh >/dev/null 2>&1
```
Then see:
[Solved] Syntax and meaning of crontab in Linux
However, it turned out there was a typo:
```
root@VM-158-80-ubuntu:~/xxx# ll /root/xxx/renew_cert.sh
ls: cannot access '/root/xxx/renew_cert.sh': No such file or directory
root@VM-158-80-ubuntu:~/xxx# ll /root/xxx/renew_cert.sh
-rw-r--r-- 1 root root 304 Aug 21 2018 /root/xxx/renew_cert.sh
```
So it needs to be changed to:
```
0 4 * * 0 /root/xxx/renew_cert.sh >/dev/null 2>&1
```
Run
```
crontab -e
```
and edit it to:
```
# crontab -l
*/20 * * * * /usr/sbin/ntpdate ntpupdate.tencentyun.com >/dev/null &
*/1 * * * * /usr/local/qcloud/stargate/admin/start.sh > /dev/null 2>&1 &
0 4 * * 0 /root/xxx/renew_cert.sh >/dev/null 2>&1
0 0 * * * /usr/local/qcloud/xxx/xxx > /dev/null 2>&1 &
```
Then first run it manually to see the result:
```
# /root/xxx/renew_cert.sh
-bash: /root/xxx/renew_cert.sh: Permission denied
root@VM-158-80-ubuntu:~/xxx# sudo /root/xxx/renew_cert.sh
sudo: /root/xxx/renew_cert.sh: command not found
```
It only works with sudo sh:
```
# sudo sh /root/xxx/renew_cert.sh
Parsing account key...
Parsing CSR...
Found domains: xxx
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying xxx...
xxx verified!
Signing certificate...
Certificate signed!
--2019-08-23 19:43:42-- https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
Resolving letsencrypt.org (letsencrypt.org)... x.x.x.x, 2600:xxx::ce0
Connecting to letsencrypt.org (letsencrypt.org)|x.x.x.x|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1647 (1.6K) [application/x-x509-ca-cert]
Saving to: ‘STDOUT’
- 100%[======================================================================================>] 1.61K --.-KB/s in 0s
2019-08-23 19:43:43 (328 MB/s) - written to stdout [1647/1647]
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/xxx.conf:7
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/xxx.conf:7
```
Then there is also:
[Solved] How to check the expiry time of a Let’s Encrypt SSL certificate on CentOS
While at it, check the expiry time of every certificate file here:
```
root@VM-158-80-ubuntu:~/xxx# ll
total 64
drwxr-xr-x 3 root root 4096 Jun 7 11:07 ./
drwx------ 12 root root 4096 Aug 23 19:42 ../
-rw-r--r-- 1 root root 3247 Aug 21 2018 account.key
-rw-r--r-- 1 root root 11345 Aug 21 2018 acme_tiny.py
-rw-r--r-- 1 root root 5559 Aug 23 19:43 chained.pem
drwxr-xr-x 2 root root 4096 Aug 23 19:43 challenges/
-rw-r--r-- 1 root root 1622 Aug 21 2018 domain.csr
-rw-r--r-- 1 root root 3243 Aug 21 2018 domain.key
-rw-r--r-- 1 root root 3614 Aug 21 2018 full_chained.pem
-rw-r--r-- 1 root root 1647 Aug 23 19:43 intermediate.pem
-rw-r--r-- 1 root root 304 Aug 21 2018 renew_cert.sh
-rw-r--r-- 1 root root 1967 Aug 21 2018 root.pem
root@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/intermediate.pem
notBefore=Mar 17 16:40:46 2016 GMT
notAfter=Mar 17 16:40:46 2021 GMT
root@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/chained.pem
notBefore=Aug 23 10:43:39 2019 GMT
notAfter=Nov 21 10:43:39 2019 GMT
root@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/full_chained.pem
notBefore=Mar 17 16:40:46 2016 GMT
notAfter=Mar 17 16:40:46 2021 GMT
root@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/root.pem
notBefore=Jun 4 11:04:38 2015 GMT
notAfter=Jun 4 11:04:38 2035 GMT
root@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/signed.crt
notBefore=Aug 23 10:43:39 2019 GMT
notAfter=Nov 21 10:43:39 2019 GMT
```
It looks like the command above:
```
sudo sh /root/xxx/renew_cert.sh
```
updated these files:
- chained.pem
- signed.crt
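[Postscript 20191108]
Got the warning again that the certificate is about to expire:
Someone suggested: you could issue one with a one-year validity, which would save some trouble.
But it turns out that renewing with Let’s Encrypt here apparently only extends by 3 months at a time;
1 year is not supported.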
```
root@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/intermediate.pem
notBefore=Mar 17 16:40:46 2016 GMT
notAfter=Mar 17 16:40:46 2021 GMT
root@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/chained.pem
notBefore=Aug 23 10:43:39 2019 GMT
notAfter=Nov 21 10:43:39 2019 GMT
```
Although this is in place:
```
root@VM-158-80-ubuntu:~/xxx# crontab -l
*/20 * * * * /usr/sbin/ntpdate ntpupdate.tencentyun.com >/dev/null &
*/1 * * * * /usr/local/qcloud/stargate/admin/start.sh > /dev/null 2>&1 &
0 4 * * 0 /root/xxx/renew_cert.sh >/dev/null 2>&1
0 0 * * * /usr/local/qcloud/xxx/xxx.sh > /dev/null 2>&1 &
```
it seems it did not take effect?
So run it manually once more:
```
root@VM-158-80-ubuntu:~/xxx# sudo sh /root/xxx/renew_cert.sh
Parsing account key...
Parsing CSR...
Found domains: xxx
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying xxx...
xxx verified!
Signing certificate...
Certificate signed!
--2019-11-08 23:07:31-- https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
Resolving letsencrypt.org (letsencrypt.org)... x.x.x.x, 2604:a880:2:d0::21e9:c001
Connecting to letsencrypt.org (letsencrypt.org)|x.x.x.x|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1647 (1.6K) [application/x-x509-ca-cert]
Saving to: ‘STDOUT’
- 100%[======================================================================================>] 1.61K --.-KB/s in 0s
2019-11-08 23:07:35 (81.5 MB/s) - written to stdout [1647/1647]
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/xxx.conf:7
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/xxx.conf:7
```
Confirmed that the expiry time has been extended:
```
root@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/chained.pem
notBefore=Nov 8 14:06:43 2019 GMT
notAfter=Feb 6 14:06:43 2020 GMT
```
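While at it, also see:
[Solved] crontab script job not executed on Ubuntu
TODO:
Although it has been confirmed that the cron job has taken effect,
still, after the nearest run time of:
```
0 4 1 */2 *
```
which is:
2019-12-01 04:00:00
check whether the SSL certificate has been updated:
```
openssl x509 -dates -noout < /root/xxx/chained.pem
```
Only if it has indeed been updated does that show the crontab job really ran correctly.
Otherwise there is still a problem; look at the logs to find the cause and fix it.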
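Added example, not part of the original post: the listings above show renew_cert.sh with mode -rw-r--r-- and a direct invocation failing with Permission denied; a crontab entry that names the path directly fails the same way, and `>/dev/null 2>&1` hides the error. The sketch below audits crontab entries for that condition and checks remaining certificate validity with `openssl x509 -checkend`; the function names and the 30-day threshold are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Names and thresholds are assumptions.

# Print the command (6th field) of a five-field crontab job line; 2 if malformed.
cron_command() {
    read -r _m _h _dom _mon _dow cmd _rest <<EOF
$1
EOF
    [ -n "$cmd" ] || return 2
    printf '%s\n' "$cmd"
}

# 0 = cron can exec the command, 1 = not found, 2 = malformed, 3 = no execute bit.
check_cron_entry() {
    path=$(cron_command "$1") || return 2
    case $path in
        */*) ;;                                   # explicit path, use as given
        *) path=$(command -v "$path") || return 1 ;;  # bare name, resolve via PATH
    esac
    [ -e "$path" ] || return 1
    [ -x "$path" ] || return 3
}

# Read a crontab on stdin, print a verdict per job, return 1 if any job cannot run.
audit_crontab() {
    bad=0
    while IFS= read -r line; do
        case $line in ''|'#'*|@*) continue ;; esac   # blanks, comments, @reboot etc.
        rc=0; check_cron_entry "$line" || rc=$?
        case $rc in
            0) echo "OK      $line" ;;
            1) echo "MISSING $line"; bad=1 ;;
            3) echo "NOEXEC  $line"; bad=1 ;;
        esac                                         # rc=2 (e.g. MAILTO=...) is skipped
    done
    return "$bad"
}

# 0 if the first certificate in file $1 is still valid $2 days from now.
# A missing or unreadable file also returns non-zero, so the check fails closed.
cert_valid_for_days() {
    openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1
}

# Usage on the server (paths as on the page):
#   crontab -l | audit_crontab
#   cert_valid_for_days /root/xxx/chained.pem 30 || echo "renewal did not happen"
```

A NOEXEC verdict is cleared either by `chmod +x` on the script or by invoking it through an interpreter in the crontab entry, matching the `sh /root/xxx/renew_cert.sh` form that worked by hand.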
Please credit when reposting: 在路上 » [Solved] Mini program's SSL certificate is about to expire