最新消息:20210917 已从crifan.com换到crifan.org

【已解决】小程序的ssl证书即将过期

证书 crifan 1117浏览 0评论
收到提醒:
站点每日情况-存在异常
[xxx小程序](
http://xxx/admin/login/?next=/admin/)
证书即将过期:12天后过期
证书快过期了哦
是不是自动续签的脚本没生效啊
去看看什么情况
http://xxx/admin/login/?next=/admin/
登录后:
站点管理 | Django 站点管理员
去找
xxx
的后台服务器
然后去看看证书的事情
关于证书,之前的说法是:
【如果需要】更新证书
当证书过期后,去更新
cd /root/xxx
source renew_cert.sh
那去看看:
renew_cert.sh
以及:cron的任务中,是否有这个自动续签
root@VM-158-80-ubuntu:~/xxx# cat renew_cert.sh 
#!/bin/bash

cd /root/xxx/
python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /root/xxx/challenges/ > signed.crt || exit
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
nginx -s reload
renew_cert.sh是个bash脚本,是去续签的
然后去看看定时任务中是否有这个
root@VM-158-80-ubuntu:~/xxx# cron
cron     crontab  
root@VM-158-80-ubuntu:~/xxx# crontab -e
*/20 * * * * /usr/sbin/ntpdate ntpupdate.tencentyun.com >/dev/null &
*/1 * * * * /usr/local/qcloud/stargate/admin/start.sh > /dev/null 2>&1 &
0 4 * * 0 /root/xxx/renew_cert.sh >/dev/null 2>&1
0 0 * * * /usr/local/qcloud/xxx/xxx > /dev/null 2>&1 &
~                                                                     
很明显,此处是有:
0 4 * * 0 /root/xxx/renew_cert.sh >/dev/null 2>&1
的,然后去:
【已解决】Linux中crontab的语法和含义
不过发现,是笔误:
root@VM-158-80-ubuntu:~/xxx# ll /root/xxx/renew_cert.sh
ls: cannot access '/root/xxx/renew_cert.sh': No such file or directory
root@VM-158-80-ubuntu:~/xxx# ll /root/xxx/renew_cert.sh 
-rw-r--r-- 1 root root 304 Aug 21  2018 /root/xxx/renew_cert.sh
所以需要去改为:
0 4 * * 0 /root/xxx/renew_cert.sh >/dev/null 2>&1
crontab -e
去编辑为:
# crontab -l
*/20 * * * * /usr/sbin/ntpdate ntpupdate.tencentyun.com >/dev/null &
*/1 * * * * /usr/local/qcloud/stargate/admin/start.sh > /dev/null 2>&1 &
0 4 * * 0 /root/xxx/renew_cert.sh >/dev/null 2>&1
0 0 * * * /usr/local/qcloud/xxx/xxx > /dev/null 2>&1 &
然后先去手动运行试试效果
# /root/xxx/renew_cert.sh
-bash: /root/xxx/renew_cert.sh: Permission denied
root@VM-158-80-ubuntu:~/xxx# sudo /root/xxx/renew_cert.sh
sudo: /root/xxx/renew_cert.sh: command not found
加上sudo sh才行:
# sudo sh /root/xxx/renew_cert.sh
Parsing account key...
Parsing CSR...
Found domains: xxx
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying xxx...
xxx verified!
Signing certificate...
Certificate signed!
--2019-08-23 19:43:42--  https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
Resolving letsencrypt.org (letsencrypt.org)... x.x.x.x, 2600:xxx::ce0
Connecting to letsencrypt.org (letsencrypt.org)|x.x.x.x|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1647 (1.6K) [application/x-x509-ca-cert]
Saving to: ‘STDOUT’


-                                          100%[======================================================================================>]   1.61K  --.-KB/s    in 0s      


2019-08-23 19:43:43 (328 MB/s) - written to stdout [1647/1647]


nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/xxx.conf:7
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/xxx.conf:7
然后此处还要去
【已解决】CentOS中如何查看Let’s Encrypt的ssl证书的过期时间
顺带把此处所有的证书文件都去看看对应过期时间是多少
root@VM-158-80-ubuntu:~/xxx# ll
total 64
drwxr-xr-x  3 root root  4096 Jun  7 11:07 ./
drwx------ 12 root root  4096 Aug 23 19:42 ../
-rw-r--r--  1 root root  3247 Aug 21  2018 account.key
-rw-r--r--  1 root root 11345 Aug 21  2018 acme_tiny.py
-rw-r--r--  1 root root  5559 Aug 23 19:43 chained.pem
drwxr-xr-x  2 root root  4096 Aug 23 19:43 challenges/
-rw-r--r--  1 root root  1622 Aug 21  2018 domain.csr
-rw-r--r--  1 root root  3243 Aug 21  2018 domain.key
-rw-r--r--  1 root root  3614 Aug 21  2018 full_chained.pem
-rw-r--r--  1 root root  1647 Aug 23 19:43 intermediate.pem
-rw-r--r--  1 root root   304 Aug 21  2018 renew_cert.sh
-rw-r--r--  1 root root  1967 Aug 21  2018 root.pem

root@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/intermediate.pem 
notBefore=Mar 17 16:40:46 2016 GMT
notAfter=Mar 17 16:40:46 2021 GMT
root@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/chained.pem 
notBefore=Aug 23 10:43:39 2019 GMT
notAfter=Nov 21 10:43:39 2019 GMT
root@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/full_chained.pem 
notBefore=Mar 17 16:40:46 2016 GMT
notAfter=Mar 17 16:40:46 2021 GMT
root@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/root.pem 
notBefore=Jun  4 11:04:38 2015 GMT
notAfter=Jun  4 11:04:38 2035 GMT
root@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/signed.crt 
notBefore=Aug 23 10:43:39 2019 GMT
notAfter=Nov 21 10:43:39 2019 GMT
看起来是:
上述命令:
sudo sh /root/xxx/renew_cert.sh
更新了这几个文件:
  • chained.pem
  • signed.crt
【后记 20191108】
又提示快要过期了:
别人建议:你可以签一个一年有效期的,会省事些
但是此处发现,貌似此处续签Let’s Encrypt只能一次续签3个月
不支持1年
root@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/intermediate.pem
notBefore=Mar 17 16:40:46 2016 GMT
notAfter=Mar 17 16:40:46 2021 GMT
root@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/chained.pem
notBefore=Aug 23 10:43:39 2019 GMT
notAfter=Nov 21 10:43:39 2019 GMT
此处虽然有:
root@VM-158-80-ubuntu:~/xxx# crontab -l
*/20 * * * * /usr/sbin/ntpdate ntpupdate.tencentyun.com >/dev/null &
*/1 * * * * /usr/local/qcloud/stargate/admin/start.sh > /dev/null 2>&1 &
0 4 * * 0 /root/xxx/renew_cert.sh >/dev/null 2>&1
0 0 * * * /usr/local/qcloud/xxx/xxx.sh > /dev/null 2>&1 &
但是貌似没生效?
所以还是手动执行一次
root@VM-158-80-ubuntu:~/xxx# sudo sh /root/xxx/renew_cert.sh
Parsing account key...
Parsing CSR...
Found domains: xxx
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying xxx...
xxx verified!
Signing certificate...
Certificate signed!
--2019-11-08 23:07:31--  https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
Resolving letsencrypt.org (letsencrypt.org)… x.x.x.x, 2604:a880:2:d0::21e9:c001
Connecting to letsencrypt.org (letsencrypt.org)|x.x.x.x|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1647 (1.6K) [application/x-x509-ca-cert]
Saving to: ‘STDOUT’


-                                          100%[======================================================================================>]   1.61K  --.-KB/s    in 0s      


2019-11-08 23:07:35 (81.5 MB/s) - written to stdout [1647/1647]


nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/xxx.conf:7
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/xxx.conf:7
确认已经更新延长过期时间了:
root@VM-158-80-ubuntu:~/xxx# openssl x509 -dates -noout < /root/xxx/chained.pem
notBefore=Nov  8 14:06:43 2019 GMT
notAfter=Feb  6 14:06:43 2020 GMT
顺带再去看看:
【已解决】Ubuntu中crontab的脚本任务没有执行
TODO:
虽然已确认cron中任务生效了。
但是也还是去在:
0 4 1 */2 *
的最近一次运行的时间:
2019-12-01 04:00:00
之后,去看看ssl证书是否已更新:
openssl x509 -dates -noout < /root/xxx/chained.pem
如果的确已更新,才说明此处crontab任务的确真的正常运行了。
否则就还是有问题,再去想办法看日志找原因,去解决。

转载请注明:在路上 » 【已解决】小程序的ssl证书即将过期

发表我的评论
取消评论

表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址
87 queries in 0.194 seconds, using 20.09MB memory