I previously used Certbot to renew the Let's Encrypt certificate for this blog. It worked well enough, but the automatic cert renewal often failed (which I suspect was a problem with my own setup)...
Later, at work, DK mentioned dehydrated, a lightweight Let's Encrypt client. After a quick look through its repository, I found it really quite friendly to use on a typical Linux system (the tools it depends on are usually already present by default on Linux).
Having skimmed it, let's get straight to the relevant setup commands... (these follow the settings on DK's wiki directly)
Installing Dehydrated
# use a temporary directory to download dehydrated (create it if it does not exist yet)
mkdir -p ~/tmp && cd ~/tmp
wget "https://raw.githubusercontent.com/dehydrated-io/dehydrated/master/dehydrated"
chmod +x dehydrated
sudo mv dehydrated /usr/local/bin/
Configuring the Dehydrated environment
# create directories that dehydrated will need
sudo mkdir -p /etc/dehydrated /var/www/dehydrated
# change to the dehydrated dir
cd /etc/dehydrated
# setup the config
echo 'OCSP_MUST_STAPLE=yes' | sudo tee -a config
echo 'KEYSIZE=2048' | sudo tee -a config
echo 'WELLKNOWN=/var/www/dehydrated' | sudo tee -a config
# setup the domain file
echo 'blog.gechen.org' | sudo tee -a domains.txt
Configuring Nginx
In this example Nginx is used to answer the Let's Encrypt challenge when dehydrated runs later...
Below is the example Nginx config for the corresponding domain:
server {
    listen 80;
    server_name blog.gechen.org;
    rewrite ^(.*) https://$host$1 permanent;
}
server {
    listen 443 ssl;
    server_name blog.gechen.org;
    index index.php;
    ssl_certificate /etc/dehydrated/certs/blog.gechen.org/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/blog.gechen.org/privkey.pem;
    # ... skip some configs
    # (with OCSP_MUST_STAPLE=yes in the dehydrated config, the skipped part
    #  must also enable OCSP stapling: ssl_stapling / ssl_stapling_verify)
    # this part is for dehydrated: serve the HTTP-01 challenge files that
    # dehydrated writes into WELLKNOWN (/var/www/dehydrated).
    # The alias must end with "/" just like the location does; without it
    # nginx would look for /var/www/dehydrated<token> instead of
    # /var/www/dehydrated/<token>.
    location /.well-known/acme-challenge/ {
        alias /var/www/dehydrated/;
    }
}
Running Dehydrated to obtain/renew Let's Encrypt certs
If this is the first time you use dehydrated, you also need to run the following command first:
sudo dehydrated --register --accept-terms
Use the following commands to request/renew the Let's Encrypt certificate:
# the following command will request/renew certificates for the domains listed in /etc/dehydrated/domains.txt
sudo dehydrated -c
# or we can also directly use the command below to request a certificate for a specific domain
sudo dehydrated -c -d blog.gechen.org
Setting up a cron job to renew the certificate automatically
Here I use the example from DK's wiki directly to set up a weekly certificate renewal...
echo -e '#!/bin/bash\nexport PATH=/usr/sbin:/usr/bin:/bin:"${PATH}"\nsleep $(expr $(printf "%d" "0x$(hostname | md5sum | cut -c 1-8)") % 86400); dehydrated -c && ( service nginx reload )' | sudo tee /etc/cron.weekly/dehydrated; sudo chmod 755 /etc/cron.weekly/dehydrated
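Since the whole point of switching clients was that silent renewal failures went unnoticed, it helps to have a check that can run after the weekly job (or from monitoring) and fail loudly. The script below is an added example, not part of the original post or of dehydrated itself; it assumes the cert layout dehydrated produces (fullchain.pem and privkey.pem under /etc/dehydrated/certs/<domain>/), plus openssl and GNU date (for date -d).

```bash
#!/bin/bash
# Added example, not part of the original post or of dehydrated itself:
# a post-renewal sanity check for the certs dehydrated writes under
# /etc/dehydrated/certs/<domain>/. Assumes GNU date (date -d) and openssl.
set -u

# Print the number of whole days until the certificate in $1 expires.
# Negative means it has already expired.
cert_days_left() {
    local pem="$1" end end_epoch now_epoch
    end=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2) || return 2
    end_epoch=$(date -d "$end" +%s) || return 2
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Succeed only if the public key inside certificate $1 matches private key $2.
# Both commands print the key in SubjectPublicKeyInfo PEM form, so the two
# strings are directly comparable; a mismatch means nginx would refuse to
# reload with this cert/key pair.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# check_cert DIR MIN_DAYS: DIR is a dehydrated cert directory containing
# fullchain.pem and privkey.pem. Returns 0 when the pair is consistent and
# has at least MIN_DAYS of validity left, 1 otherwise (with a reason printed).
check_cert() {
    local dir="$1" min_days="$2" days
    local cert="$dir/fullchain.pem" key="$dir/privkey.pem"
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "missing fullchain.pem or privkey.pem in $dir"
        return 1
    fi
    if ! cert_matches_key "$cert" "$key"; then
        echo "fullchain.pem and privkey.pem in $dir do not match"
        return 1
    fi
    days=$(cert_days_left "$cert") || { echo "cannot read expiry of $cert"; return 1; }
    if [ "$days" -lt "$min_days" ]; then
        echo "certificate in $dir expires in $days days (< $min_days); renewal is not working"
        return 1
    fi
    echo "certificate in $dir ok: $days days left"
    return 0
}

# Usage on the live system, e.g. from cron after the weekly dehydrated run
# (the domain directory name is the one from domains.txt):
#   check_cert /etc/dehydrated/certs/blog.gechen.org 20
```

A threshold of around 20 days is a reasonable choice: dehydrated itself only renews certificates that are within its renewal window, so a cert that still has less validity left than that after the weekly run indicates the renewal (or the challenge path in nginx) is broken, well before the site actually goes down.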
References: