收到提醒:
站点每日情况-存在异常
[xxx小程序](
证书即将过期:12天后过期
证书快过期了哦
是不是自动续签的脚本没生效啊
去看看什么情况
从
登录后:
去找
的后台服务器
然后去看看证书的事情
关于证书,之前的说法是:
【如果需要】更新证书
当证书过期后,去更新
1 2 | cd /root/xxxsource renew_cert.sh |
那去看看:
renew_cert.sh
以及:cron的任务中,是否有这个自动续签
1 2 3 4 5 6 7 8 | root@VM-158-80-ubuntu:~/xxx# cat renew_cert.sh #!/bin/bashcd /root/xxx/python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /root/xxx/challenges/ > signed.crt || exitwget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pemcat signed.crt intermediate.pem > chained.pemnginx -s reload |
renew_cert.sh是个bash脚本,是去续签的
然后去看看定时任务中是否有这个
1 2 3 4 5 6 7 8 | root@VM-158-80-ubuntu:~/xxx# croncron crontab root@VM-158-80-ubuntu:~/xxx# crontab -e*/20 * * * * /usr/sbin/ntpdate ntpupdate.tencentyun.com >/dev/null &*/1 * * * * /usr/local/qcloud/stargate/admin/start.sh > /dev/null 2>&1 &0 4 * * 0 /root/xxx/renew_cert.sh >/dev/null 2>&10 0 * * * /usr/local/qcloud/xxx/xxx > /dev/null 2>&1 &~ |
很明显,此处是有:
1 | 0 4 * * 0 /root/xxx/renew_cert.sh >/dev/null 2>&1 |
的,然后去:
【已解决】Linux中crontab的语法和含义
不过发现,是笔误:
1 2 3 4 | root@VM-158-80-ubuntu:~/xxx# ll /root/xxx/renew_cert.shls: cannot access '/root/xxx/renew_cert.sh': No such file or directoryroot@VM-158-80-ubuntu:~/xxx# ll /root/xxx/renew_cert.sh -rw-r--r-- 1 root root 304 Aug 21 2018 /root/xxx/renew_cert.sh |
所以需要去改为:
1 | 0 4 * * 0 /root/xxx/renew_cert.sh >/dev/null 2>&1 |
去
crontab -e
去编辑为:
1 2 3 4 5 | # crontab -l*/20 * * * * /usr/sbin/ntpdate ntpupdate.tencentyun.com >/dev/null &*/1 * * * * /usr/local/qcloud/stargate/admin/start.sh > /dev/null 2>&1 &0 4 * * 0 /root/xxx/renew_cert.sh >/dev/null 2>&10 0 * * * /usr/local/qcloud/xxx/xxx > /dev/null 2>&1 & |
然后先去手动运行试试效果
1 2 3 4 | # /root/xxx/renew_cert.sh-bash: /root/xxx/renew_cert.sh: Permission deniedroot@VM-158-80-ubuntu:~/xxx# sudo /root/xxx/renew_cert.shsudo: /root/xxx/renew_cert.sh: command not found |
加上sudo sh才行:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | # sudo sh /root/xxx/renew_cert.shParsing account key...Parsing CSR...Found domains: xxxGetting directory...Directory found!Registering account...Already registered!Creating new order...Order created!Verifying xxx...xxx verified!Signing certificate...Certificate signed!--2019-08-23 19:43:42-- https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pemResolving letsencrypt.org (letsencrypt.org)... x.x.x.x, 2600:xxx::ce0Connecting to letsencrypt.org (letsencrypt.org)|x.x.x.x|:443... connected.HTTP request sent, awaiting response... 200 OKLength: 1647 (1.6K) [application/x-x509-ca-cert]Saving to: ‘STDOUT’- 100%[======================================================================================>] 1.61K --.-KB/s in 0s 2019-08-23 19:43:43 (328 MB/s) - written to stdout [1647/1647]nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/xxx.conf:7nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/xxx.conf:7 |
然后此处还要去
【已解决】CentOS中如何查看Let’s Encrypt的ssl证书的过期时间
顺带把此处所有的证书文件都去看看对应过期时间是多少
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | root@VM-158-80-ubuntu:~/xxx# lltotal 64drwxr-xr-x 3 root root 4096 Jun 7 11:07 ./drwx------ 12 root root 4096 Aug 23 19:42 ../-rw-r--r-- 1 root root 3247 Aug 21 2018 account.key-rw-r--r-- 1 root root 11345 Aug 21 2018 acme_tiny.py-rw-r--r-- 1 root root 5559 Aug 23 19:43 chained.pemdrwxr-xr-x 2 root root 4096 Aug 23 19:43 challenges/-rw-r--r-- 1 root root 1622 Aug 21 2018 domain.csr-rw-r--r-- 1 root root 3243 Aug 21 2018 domain.key-rw-r--r-- 1 root root 3614 Aug 21 2018 full_chained.pem-rw-r--r-- 1 root root 1647 Aug 23 19:43 intermediate.pem-rw-r--r-- 1 root root 304 Aug 21 2018 renew_cert.sh-rw-r--r-- 1 root root 1967 Aug 21 2018 root.pemroot@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/intermediate.pem notBefore=Mar 17 16:40:46 2016 GMTnotAfter=Mar 17 16:40:46 2021 GMTroot@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/chained.pem notBefore=Aug 23 10:43:39 2019 GMTnotAfter=Nov 21 10:43:39 2019 GMTroot@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/full_chained.pem notBefore=Mar 17 16:40:46 2016 GMTnotAfter=Mar 17 16:40:46 2021 GMTroot@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/root.pem notBefore=Jun 4 11:04:38 2015 GMTnotAfter=Jun 4 11:04:38 2035 GMTroot@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/signed.crt notBefore=Aug 23 10:43:39 2019 GMTnotAfter=Nov 21 10:43:39 2019 GMT |
看起来是:
上述命令:
1 | sudo sh /root/xxx/renew_cert.sh |
更新了这几个文件:
- chained.pem
- signed.crt
【后记 20191108】
又提示快要过期了:
别人建议:你可以签一个一年有效期的,会省事些
但是此处发现,貌似此处续签Let’s Encrypt只能一次续签3个月
不支持1年
1 2 3 4 5 6 | root@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/intermediate.pemnotBefore=Mar 17 16:40:46 2016 GMTnotAfter=Mar 17 16:40:46 2021 GMTroot@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/chained.pemnotBefore=Aug 23 10:43:39 2019 GMTnotAfter=Nov 21 10:43:39 2019 GMT |
此处虽然有:
1 2 3 4 5 | root@VM-158-80-ubuntu:~/xxx# crontab -l*/20 * * * * /usr/sbin/ntpdate ntpupdate.tencentyun.com >/dev/null &*/1 * * * * /usr/local/qcloud/stargate/admin/start.sh > /dev/null 2>&1 &0 4 * * 0 /root/xxx/renew_cert.sh >/dev/null 2>&10 0 * * * /usr/local/qcloud/xxx/xxx.sh > /dev/null 2>&1 & |
但是貌似没生效?
所以还是手动执行一次
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | root@VM-158-80-ubuntu:~/xxx# sudo sh /root/xxx/renew_cert.shParsing account key...Parsing CSR...Found domains: xxxGetting directory...Directory found!Registering account...Already registered!Creating new order...Order created!Verifying xxx...xxx verified!Signing certificate...Certificate signed!--2019-11-08 23:07:31-- https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pemResolving letsencrypt.org (letsencrypt.org)… x.x.x.x, 2604:a880:2:d0::21e9:c001Connecting to letsencrypt.org (letsencrypt.org)|x.x.x.x|:443... connected.HTTP request sent, awaiting response... 200 OKLength: 1647 (1.6K) [application/x-x509-ca-cert]Saving to: ‘STDOUT’- 100%[======================================================================================>] 1.61K --.-KB/s in 0s 2019-11-08 23:07:35 (81.5 MB/s) - written to stdout [1647/1647]nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/xxx.conf:7nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/xxx.conf:7 |
确认已经更新延长过期时间了:
1 2 3 | root@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/chained.pemnotBefore=Nov 8 14:06:43 2019 GMTnotAfter=Feb 6 14:06:43 2020 GMT |
顺带再去看看:
【已解决】Ubuntu中crontab的脚本任务没有执行
TODO:
虽然已确认cron中任务生效了。
但是也还是去在:
1 | 0 4 1 */2 * |
的最近一次运行的时间:
2019-12-01 04:00:00
之后,去看看ssl证书是否已更新:
1 | openssl x509 -dates -noout < /root/xxx/chained.pem |
如果的确已更新,才说明此处crontab任务的确真的正常运行了。
否则就还是有问题,再去想办法看日志找原因,去解决。
转载请注明:在路上 » 【已解决】小程序的ssl证书即将过期