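Today my browser flagged my site as not secure. It turned out the domain's SSL certificate had expired. I have been using a free Let's Encrypt certificate (see the article "Configuring nginx on Linux to use Let's Encrypt's free SSL certificate"), which is valid for only 3 months and has to be renewed manually once it expires. I had been getting reminder e-mails but ignored them; now that the red warning is showing, the certificate has to be renewed right away. The steps are as follows:
SSH into the server and run the following command:
root@itkylin:~# /webdirectory/letsencrypt/certbot-auto renew --quiet --no-self-upgrade
If it reports the following error: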
Attempting to renew cert (www.itkylin.com) from /etc/letsencrypt/renewal/www.itkylin.com.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6.. Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/www.itkylin.com/fullchain.pem (failure) 1 renew failure(s), 0 parse failure(s)
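certbot could not bind to port 443 because nginx is already listening on it. Temporarily stop nginx so that it releases ports 80 and 443:
root@itkylin:~# service nginx stop
Run the renewal command again:
root@itkylin:~# /webdirectory/letsencrypt/certbot-auto renew --quiet --no-self-upgrade
Start the nginx service again:
root@itkylin:~# service nginx start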
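OK. Open the site in the browser and the green security icon is back; the certificate details show it expires in three months. By then I will have long forgotten about it, so to avoid missing the renewal again, write a small script and put it in crontab so the renewal runs automatically: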
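root@itkylin:~# chmod +x /webdirectory/letsencrypt/certbot-auto
root@itkylin:~# vi /webdirectory/letsencrypt/sslrenew.sh
#!/bin/sh
# nginx must release ports 80/443 first, otherwise the renewal fails with the bind error shown above
service nginx stop
/webdirectory/letsencrypt/certbot-auto renew --quiet --no-self-upgrade
service nginx start
:wq!
root@itkylin:~# chmod +x /webdirectory/letsencrypt/sslrenew.sh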
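Certbot only renews a certificate during the month before it expires; if the certificate is not yet close to expiry, it does nothing. So schedule the server to run the renewal automatically every Sunday at 01:05.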
root@itkylin:~# vi /etc/crontab
# entries in /etc/crontab need a user field (root here) before the command
05 1 * * 0 root /webdirectory/letsencrypt/sslrenew.sh
:wq!
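
A more defensive form of sslrenew.sh, as an added example that is not the author's script: it stops nginx only when the certificate is inside certbot's 30-day renewal window, and it restarts nginx even when the renewal fails, so a failed run does not leave the site down. The paths are the ones used in this article; the variable names, return codes and the "run" argument are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the article's script. Paths are the article's; the
# variable names, return codes and "run" argument are this example's own.
CERTBOT="${CERTBOT:-/webdirectory/letsencrypt/certbot-auto}"
CERT="${CERT:-/etc/letsencrypt/live/www.itkylin.com/fullchain.pem}"
OPENSSL="${OPENSSL:-openssl}"
SERVICE="${SERVICE:-service}"
WINDOW=$((30 * 24 * 3600))  # seconds; certbot renews in the last 30 days

# True when the certificate expires within WINDOW seconds. An unreadable
# certificate also counts as due, so a broken file triggers a renewal try.
cert_due() {
    ! "$OPENSSL" x509 -checkend "$WINDOW" -noout -in "$CERT" >/dev/null 2>&1
}

# Returns 0 = not due or renewed, 1 = renewal failed,
# 2 = nginx would not stop, 3 = nginx did not come back up.
renew_cert() {
    cert_due || return 0                 # leave nginx alone when not due
    "$SERVICE" nginx stop || return 2
    rc=0
    "$CERTBOT" renew --quiet --no-self-upgrade || rc=1
    "$SERVICE" nginx start || return 3   # restart even if renewal failed
    return "$rc"
}

# Only act when called as "sslrenew.sh run", so the file can be sourced.
if [ "${1:-}" = "run" ]; then
    renew_cert
    status=$?
    # A line on stderr ends up in cron's mail or log for the job.
    [ "$status" -eq 0 ] || echo "sslrenew: failed, status $status" >&2
    exit "$status"
fi
```

With this version the crontab entry calls /webdirectory/letsencrypt/sslrenew.sh run.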