ywdblog / certbot-letencrypt-wildcardcertificates-alydns-au
certbot'renewing letencrypt certificate plugin - automatic verification aliyun/tencentyun/godaddy dns
Hi ymdblog,
Thanks for contributing such a great tool for us to use!
While using and studying it I found a problem: when the Python script calls the getDomain method to extract the main domain and the subdomain, it extracts them wrongly in certain special cases.
For example, when AliDns.getDomain
handles example.com.cn
it returns ('example', 'com.cn')
. This is not what is expected.
I did not find this problem in the PHP script.
Jim Cheung
au.sh: line 18: sleep: command not found
After changing it to /bin/sleep it works.
Do I need to add extra parameters, or what? The command used and its output are as follows:
./certbot-auto certonly -d *.xx.com --manual --preferred-challenges dns --manual-auth-hook "/home/xx/certbot-auto/au.sh python txy add" --manual-cleanup-hook "/home/xx/certbot-auto/au.sh python txy clean"
./certbot-auto has insecure permissions!
To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for guanmaicfd.com
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
(Y)es/(N)o:
This cron job does not run once every three months; it runs once a day.
After renewal, cert.pem and privkey.pem changed, as if a brand-new certificate had been requested.
Could you help me see what is wrong?
./certbot-auto renew --manual --preferred-challenges dns --manual-auth-hook "/home/root/ops/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python txy add" --manual-cleanup-hook "/home/root/ops/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python txy clean"
For example, a third-level subdomain: ni.hao.me.com
.
Eventually it fails with: No TXT record found at
.
Then I looked in the Aliyun console and saw that you dropped a dot.
Host record
_acme-challenge.nihao
nihao
The dot in the middle is gone, so validation fails.
With --dry-run
added, you can see the DNS _acme-challenge record value being updated.
Remove --dry-run
and add --force-renewal
to force a renewal: it reports that the certificate was renewed successfully, but the DNS _acme-challenge record value was not updated, and the printed output contains no trace of the script being called (with --dry-run
it does).
Your instructions say "certbot-auto", which fails as soon as it is run; the correct form has a space between them, as follows:
certbot -auto
Thanks for this tool; it solved the problem of automatically renewing my VPS certificate.
One small issue, though: my wildcard domain sits under a third-level domain, e.g. *.abc.github.com
, and using the PHP script directly is a problem, because Tencent Cloud's API by default only recognizes a second-level domain as the domain. Some handling is needed at the script entry point to join the first two arguments passed in so they fit Tencent Cloud's API.
// Split the domain certbot passed in ($argv[1]) into the registrable domain
// (its last two labels) and fold the remaining labels into the host record ($argv[2]).
$global_domain = $argv[1];
$global_subdomain = $argv[2];
$list = explode(".", $argv[1]);
$n = count($list);
if ($n > 2) {
    $global_domain = $list[$n-2] . "." . $list[$n-1];
    $global_subdomain = $argv[2];
    for ($i = 0; $i < $n-2; $i++) {
        $global_subdomain = $global_subdomain . "." . $list[$i];
    }
}
The above is the modification I made myself; later references just use the two global variables. In my own testing it updates the DNS records normally, but I am unfamiliar with PHP and don't know whether there are flaws in how it is written. If there are no problems I will submit a PR.
The array I logged looks like this:
$argv[1]; // domain
$argv[2]; // CREATE_DOMAIN
$argv[3]; // CERTBOT_VALIDATION
I'm not sure whether I did something wrong somewhere.
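The three reports above (the example.com.cn split, the dot that disappears from _acme-challenge.ni.hao, and the Tencent Cloud three-level-domain workaround) are all the same computation: turn the domain certbot hands the hook into a registrable domain plus a host record. The Python below is an added example, not code from this repository; MULTI_LABEL_SUFFIXES is a hand-picked stand-in for the Public Suffix List, and the argv layout (domain, challenge prefix, validation token) follows what the comment above logged.

```python
"""Turn the domain certbot hands a hook into (registrable domain, host record).

Added example; not code from this repository.  MULTI_LABEL_SUFFIXES is a
hand-picked stand-in for the Public Suffix List and the argv layout matches
what the hook logs above: domain, challenge prefix, validation token.
"""
import sys

# Assumption: a few public suffixes that are themselves two labels long.  A
# production hook should load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"com.cn", "net.cn", "org.cn", "gov.cn", "co.uk", "org.uk", "co.jp"}

CHALLENGE_PREFIX = "_acme-challenge"


def split_domain(domain):
    """Return (registrable_domain, subdomain); a leading '*' label is dropped.

    'example.com.cn'   -> ('example.com.cn', '')
    'ni.hao.me.com'    -> ('me.com', 'ni.hao')
    '*.abc.github.com' -> ('github.com', 'abc')
    """
    labels = [l for l in domain.lower().strip(".").split(".") if l and l != "*"]
    if len(labels) < 2:
        raise ValueError(f"not a registrable domain: {domain!r}")
    # Registrable domain = public suffix + one more label.
    suffix_labels = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    root_labels = suffix_labels + 1
    if len(labels) < root_labels:
        raise ValueError(f"{domain!r} is a public suffix, not a registrable domain")
    root = ".".join(labels[-root_labels:])
    sub = ".".join(labels[:-root_labels])
    return root, sub


def host_record(prefix, sub):
    """Join prefix and subdomain with a dot, keeping every dot inside `sub`.

    The report above lost that dot: 'ni.hao' reached the API as 'nihao'.
    """
    return prefix if not sub else f"{prefix}.{sub}"


def challenge_target(certbot_domain, prefix=CHALLENGE_PREFIX):
    """(root domain to open with the DNS API, RR to write the TXT record at)."""
    root, sub = split_domain(certbot_domain)
    return root, host_record(prefix, sub)


def api_args(argv):
    """Map the hook's argv (script, domain, prefix, token) to DNS API call arguments."""
    if len(argv) != 4:
        raise SystemExit(f"usage: {argv[0]} DOMAIN CHALLENGE_PREFIX VALIDATION")
    root, rr = challenge_target(argv[1], argv[2])
    return {"domain": root, "rr": rr, "type": "TXT", "value": argv[3]}


if __name__ == "__main__":
    print(api_args(sys.argv))
```

Run it as `python3 split_domain.py ni.hao.me.com _acme-challenge <token>`; a real hook would pass the returned domain/rr/value to the provider's add-record call instead of printing them.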
The script currently has very little support for the DNSPod international edition; could you add support for it? Much appreciated!
Below is the official documentation for the international API: https://www.dnspod.com/docs/index.html
git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au.git
Cloning into 'certbot-letencrypt-wildcardcertificates-alydns-au'...
fatal: unable to access 'https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au.git/': Problem with the SSL CA cert (path? access rights?)
Please take a look.
PHP Parse error: syntax error, unexpected '[' in /root/software/certbot-letencrypt-wildcardcertificates-alydns-au/txydns.php on line 206
Is there a PHP version requirement?
I skimmed the docs and the code; it looks like deleting DNS records is not restricted to the TXT type. I'm worried it might accidentally delete a useful A record?
The variables don't correspond at all?
I won't trouble the author. Close it if you want...
tail -100 /var/log/letsencrypt/letsencrypt.log
2019-12-11 00:43:46,343:DEBUG:certbot._internal.main:certbot version: 1.0.0
2019-12-11 00:43:46,344:DEBUG:certbot._internal.main:Arguments: ['--cert-name', '808jie.cn', '--manual-auth-hook', '/root/certbot-letencrypt-wildcardcertificates-alydns-au-master/au.sh php txy add', '--manual-cleanup-hook', '/root/certbot-letencrypt-wildcardcertificates-alydns-au-master/au.sh php txy clean']
2019-12-11 00:43:46,344:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-12-11 00:43:46,372:DEBUG:certbot._internal.log:Root logging level set at 20
2019-12-11 00:43:46,372:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-12-11 00:43:46,445:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli._Default object at 0x7f3f33952d50> and installer <certbot._internal.cli._Default object at 0x7f3f33952d50>
2019-12-11 00:43:46,511:INFO:certbot._internal.renewal:Cert not yet due for renewal
2019-12-11 00:43:46,512:DEBUG:certbot._internal.plugins.selection:Requested authenticator manual and installer None
2019-12-11 00:43:46,512:DEBUG:certbot._internal.renewal:no renewal failures
At the end of the readme, the -deploy-hook
command is missing a -
; it should be --deploy-hook
.
I also found a problem: on CentOS 7, running service nginx restart
from the terminal succeeds, but placed after --deploy-hook
it errors, as follows:
Renewing an existing certificate
Running deploy-hook command: service nginx restart
Error output from deploy-hook command service:
Redirecting to /bin/systemctl restart nginx.service
I then changed service...
to systemctl restart nginx
, and it executed successfully:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Running deploy-hook command: systemctl restart nginx
- - - - - - - - - - - -- - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is.......
So I suggest a small reminder about this in the readme.
Finally, a thumbs up: the script works well! :+1:
When choosing the hook shell, alydns.py errors with ValueError: need more than 5 values to unpack
debug:
print(sys.argv)
Only five arguments are printed, but seven are unpacked; are the certbot_domain and certbot_validation arguments missing???
After running the sh, it printed this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
This means it cannot continue automatically.
Hello 虞大胆:
I am an amateur rule contributor. Having been hijacked by my ISP many times, I have put a lot of effort into writing rules for the HTTPS-Everywhere extension; although my skill is poor, more than 500 of my rules have been accepted over the years. The current structure of its Sina rules is what I built over the past two years.
Recently I was hijacked by the ISP again, so I started updating rules again. In the process I found that Tencent, Sohu and others have clearly improved, while Sina? How to put it... please come and have a look: EFForg/https-everywhere#16355
Our requirements really aren't high; not supporting it would be fine, but it is extremely unstable: every test randomly throws errors, and the results for domestic and overseas traffic are completely inconsistent. It's too mysterious, too scary.
I saw your public account post on August 6 complaining about i0.sinaimg.cn; I went back and checked, and I had stepped on this pit long ago: https://github.com/EFForg/https-everywhere/blob/master/src/chrome/content/rules/Sinaimg.cn.xml
I really don't want to keep fighting mysterious problems; could I trouble you to push this internally?
In any case, many thanks!
Some lines after line 213 use tab indentation.
Hello, my domain is hosted on Baidu AI Cloud; can it update DNS records there?
Could this be made into a Docker image? That way it could be built once and run many times.
I wrote the domain wrong myself: my two domains differ by only one letter and I typed the wrong one, which is why renewal kept failing. Sorry, I forgot to come back and reply.
2019-12-15 17:00:33,201:WARNING:certbot._internal.auth_handler:Challenge failed for domain b.xx.cn
2019-12-15 17:00:33,201:WARNING:certbot._internal.auth_handler:Challenge failed for domain c.xx.cn
2019-12-15 17:00:33,201:WARNING:certbot._internal.auth_handler:Challenge failed for domain p.xx.cn
2019-12-15 17:00:33,202:WARNING:certbot._internal.auth_handler:Challenge failed for domain xx.cn
2019-12-15 17:00:33,203:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
The "$CRETBOT_DOMAIN" in the au.sh script should be "$CERTBOT_DOMAIN".
It looks as if the Tencent Cloud configuration was entered wrongly, but I have confirmed it is correct. How should I resolve this?
Hook command "/directory/au.sh python aly add" returned error code 126
Error output from au.sh:
Running manual-cleanup-hook command: /root/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh php aly clean
Error output from manual-cleanup-hook command au.sh:
/root/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh: line 1: !/bin/bash: No such file or directory
/root/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh: line 87: /usr/bin/php: No such file or directory
Running manual-cleanup-hook command: /root/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh php aly clean
Error output from manual-cleanup-hook command au.sh:
/root/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh: line 1: !/bin/bash: No such file or directory
/root/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh: line 87: /usr/bin/php: No such file or directory
Some challenges have failed.
How do I deal with this error? Is some part of the environment missing?
au.sh calls alydns.php with the following code:
# Call the PHP script to set the DNS TXT record automatically.
/usr/bin/php $PATH"/alydns.php" $DOMAIN $CREATE_DOMAIN $CERTBOT_VALIDATION >/var/log/certdebug.log
The code in the alydns.php script that deletes and adds the TXT record has a bug.
Original code:
$obj = new AliDns(accessKeyId, accessSecrec, $argv[2]);
$data = $obj->DescribeDomainRecords();
$data = $data["DomainRecords"]["Record"];
if (is_array($data)) {
    foreach ($data as $v) {
        if ($v["RR"] == $argv[3]) {
            $obj->DeleteDomainRecord($v["RecordId"]);
        }
    }
}
print_r($obj->AddDomainRecord("TXT", $argv[3], $argv[4]));
The arguments received in $argv are:
array (
  0 => '/root/alydns.php',
  1 => 'xxx.cn',
  2 => '_acme-challenge',
  3 => 'OpYwr6QEsYjBr_kU45sWe7MHT73yR5-MOMZoUITgIPc',
)
So the delete/add TXT record code in alydns.php should use the following $argv indices instead:
// $argv[1] = domain, $argv[2] = host record (RR), $argv[3] = validation token
$obj = new AliDns(accessKeyId, accessSecrec, $argv[1]);
$data = $obj->DescribeDomainRecords();
$data = $data["DomainRecords"]["Record"];
if (is_array($data)) {
    foreach ($data as $v) {
        if ($v["RR"] == $argv[2]) {
            $obj->DeleteDomainRecord($v["RecordId"]);
        }
    }
}
print_r($obj->AddDomainRecord("TXT", $argv[2], $argv[3]));
When resolving several domains at different levels, e.g. example.com and *.example.com, the domain's TXT record gets rewritten several times and the final check fails. (Because the wildcard *.example.com does not actually include example.com itself, I wanted to bundle them together, but then found it doesn't work?) I don't know whether there is a solution. I also don't know which of the several values on the same name the official side checks?
1. I am sure I already ran it successfully once and got a correct certificate; the certificate contained roughly these three wildcard domains: example.com, *.example.com, *.example2.com. So it is not a problem with my other steps.
2. The problem appears when I try to renew the certificate with certbot-auto (with --dry-run added); it fails saying validation failed. During renewal it says three domain TXT records need updating, two of which are for the same domain.
My certificate is *.dev.xxx.com
My nginx site domain is: api.v3.dev.xxx.com
All configuration is correct, but the browser cannot match the domain api.v3.dev.xxx.com, so I also need to request a certificate for *.v3.dev.xxx.com: a wildcard only matches a single level of host name.
So is there any way for one certificate to cover all subdomains? For example, I have the following subdomains:
api.dev.xxx.com
api.v3.dev.xxx.com
api.v4.dev.xxx.com
open.devapi.xxx.com
(note: xxx.com is the same in all of them)
Hello, seeing this, letencrypt renewal finally has some hope!
Renewing wildcard domains took me ages; every time I had to redo everything from scratch.
Since I'm not familiar with PHP and have no PHP debugging environment, I hope there could be a Tencent Cloud version.
I looked at Tencent Cloud's requests and they are very similar. Being a freeloader this once, er...
In this situation:
Found the following certs:
Certificate Name: test.com
Domains: *.test.com test.com
.......
It seems that because both challenges are under the root domain, certbot calls the script twice, so the later TXT record overwrites the earlier one and it cannot succeed.
I have not found a corresponding DNS API.
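Two complaints in this thread share a root cause in the add/clean code quoted earlier: deletion matches only on the host record name (so an A record at _acme-challenge would go too), and the add step first deletes every record at that name (so the second of certbot's two challenges for example.com and *.example.com wipes the first). The Python below is an added example, not the project's alydns.php or alydns.py; the FakeZone class is an in-memory stand-in for the provider API, and SAMPLE_RECORDS is constructed to mirror the RecordId/RR/Type/Value shape quoted above.

```python
"""Add/clean logic for ACME dns-01 TXT records that touches only what it owns.

Added example; not the project's alydns.php or alydns.py.  FakeZone stands in
for the provider API and SAMPLE_RECORDS is constructed to mirror the
RecordId/RR/Type/Value shape that DescribeDomainRecords returns.
"""

# Constructed zone contents for example.com.  Record 2 is deliberately an A
# record at the challenge name to show why the type filter matters.
SAMPLE_RECORDS = [
    {"RecordId": "1", "RR": "@", "Type": "A", "Value": "203.0.113.10"},
    {"RecordId": "2", "RR": "_acme-challenge", "Type": "A", "Value": "203.0.113.11"},
    {"RecordId": "3", "RR": "_acme-challenge", "Type": "TXT", "Value": "stale-token-from-last-run"},
]


class FakeZone:
    """In-memory stand-in for the provider's record API (assumption, not the Aliyun SDK)."""

    def __init__(self, records):
        self.records = [dict(r) for r in records]
        self._next_id = 1 + max((int(r["RecordId"]) for r in self.records), default=0)

    def describe(self):
        return [dict(r) for r in self.records]

    def add(self, rr, rtype, value):
        rec = {"RecordId": str(self._next_id), "RR": rr, "Type": rtype, "Value": value}
        self._next_id += 1
        self.records.append(rec)
        return rec["RecordId"]

    def delete(self, record_id):
        self.records = [r for r in self.records if r["RecordId"] != record_id]


def matching_txt(records, rr, value=None):
    """TXT records at `rr`, optionally only those carrying `value`.

    Checking Type means an A/CNAME record that happens to share the host
    name is never selected for deletion.
    """
    return [
        r for r in records
        if r["Type"] == "TXT" and r["RR"] == rr and (value is None or r["Value"] == value)
    ]


def add_challenge(zone, rr, token):
    """Publish `token` without removing other tokens at the same name.

    certbot validates example.com and *.example.com at the same
    _acme-challenge.example.com name, so both TXT values must coexist.
    """
    if matching_txt(zone.describe(), rr, token):
        return None  # already published (hook re-run); nothing to do
    return zone.add(rr, "TXT", token)


def clean_challenge(zone, rr, token):
    """Delete only the TXT record(s) holding exactly this token; return how many."""
    victims = matching_txt(zone.describe(), rr, token)
    for r in victims:
        zone.delete(r["RecordId"])
    return len(victims)


def run_dual_challenge():
    """Simulate certbot's two auth hooks, then two cleanup hooks, for one order."""
    zone = FakeZone(SAMPLE_RECORDS)
    rr = "_acme-challenge"
    add_challenge(zone, rr, "token-for-apex")
    add_challenge(zone, rr, "token-for-wildcard")
    # Both tokens are visible while Let's Encrypt polls the authorizations.
    published = sorted(r["Value"] for r in matching_txt(zone.describe(), rr))
    clean_challenge(zone, rr, "token-for-apex")
    clean_challenge(zone, rr, "token-for-wildcard")
    return published, zone.describe()


if __name__ == "__main__":
    published, remaining = run_dual_challenge()
    print("published during validation:", published)
    print("records left after cleanup:", [r["RecordId"] for r in remaining])
```

This also answers the question of which value the CA checks: the ACME server looks up all TXT records at the challenge name and accepts the authorization if any one of them matches the expected digest, so publishing several tokens side by side is fine. The stale token from an earlier run is left alone on purpose; it belongs to whichever cleanup hook created it, and a sweep of old tokens is better done as a separate, explicit step than folded into the add path.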
I ran dry-run on a CentOS 7 Aliyun server and it errored; please take a look at what the problem is (the domain challenges succeeded):
Here is part of the /var/log/letsencrypt/letsencrypt.log log:
2019-12-19 14:16:22,820:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/cert/fa19e62fe52dfaf28e0520a261332d43e622 HTTP/1.1" 415 168
2019-12-19 14:16:22,821:DEBUG:acme.client:Received response:
HTTP 415
content-length: 168
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
cache-control: public, max-age=0, no-cache
date: Thu, 19 Dec 2019 06:16:22 GMT
content-type: application/problem+json
replay-nonce: 0001tiiCUTG3mNNunvy9qy2bCAOpQ_d-Ysz1iNbXExa6IE8
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Invalid Content-Type header on POST. Content-Type must be \"application/jose+json\"",
"status": 415
}
2019-12-19 14:16:22,821:DEBUG:acme.client:Error during a POST-as-GET request, your ACME CA may not support it:
urn:ietf:params:acme:error:malformed :: The request message was malformed :: Invalid Content-Type header on POST. Content-Type must be "application/jose+json"
2019-12-19 14:16:22,821:DEBUG:acme.client:Retrying request with GET.
2019-12-19 14:16:22,821:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa19e62fe52dfaf28e0520a261332d43e622.
2019-12-19 14:16:23,029:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/cert/fa19e62fe52dfaf28e0520a261332d43e622 HTTP/1.1" 405 103
2019-12-19 14:16:23,030:DEBUG:acme.client:Received response:
HTTP 405
content-length: 103
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
cache-control: public, max-age=0, no-cache
date: Thu, 19 Dec 2019 06:16:22 GMT
content-type: application/problem+json
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Method not allowed",
"status": 405
}
2019-12-19 14:16:23,030:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 9, in <module>
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1250, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 369, in obtain_certificate
cert, chain = self.obtain_certificate_from_csr(csr, orderr)
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 301, in obtain_certificate_from_csr
orderr = self.acme.finalize_order(orderr, deadline)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 908, in finalize_order
return self.client.finalize_order(orderr, deadline)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 743, in finalize_order
content_type=DER_CONTENT_TYPE).text
File "/usr/lib/python2.7/site-packages/acme/client.py", line 791, in _post_as_get
return self.net.get(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 1152, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 1054, in _check_response
raise messages.Error.from_json(jobj)
Error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed
2019-12-19 14:16:23,052:ERROR:certbot.log:An unexpected error occurred:
2019-12-19 14:16:23,052:ERROR:certbot.log:The request message was malformed :: Method not allowed
The file certbot-letencrypt-wildcardcertificates-alydns-au/python-version/au.sh hardcodes the file path as alydns27.py; when Python 3 is in use there is no check to run alydns36.py instead.
It's a small problem and can be fixed by editing the code by hand.
What should I do if one of my certificates contains several different wildcard domains?
Does it support dnspod???
[root@VM_0_15_centos certbot]# ./certbot-auto certonly -d *.qinweixian.com --manual --preferred-challenges dns --manual-auth-hook /data/www/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for qinweixian.com
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
(Y)es/(N)o: y
Output from au.sh:
/data/www/certbot-letencrypt-wildcardcertificates-alydns-au/alydns.php
qinweixian.com_acme-challengeRuxxvRN2ss0eOxZBfzgQbDw8xgB9EgZhkBbJdr46Uww
END
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
The cause was that the file format was DOS; changing it to Unix fixed it.
Specific steps:
To check the file format, open the failing file with vim, press ESC, then Shift+colon, type set ff and press Enter; you will see the file's format as fileformat=dos
Press Shift+colon and type set ff=unix
You can press Shift+colon and type set ff again to confirm fileformat=unix
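The errors reported earlier in this thread (!/bin/bash: No such file or directory, /usr/bin/php: No such file or directory, sleep: command not found, hook exit code 126) and the DOS-to-Unix fix above are all things a preflight check can catch before certbot runs the hook. The Python below is an added example, not part of the project; the two hook-script texts it checks are constructed, and the interpreter_exists callback is injected so it runs without touching the real filesystem.

```python
"""Preflight checks for a certbot manual-auth hook such as au.sh.

Added example; not part of the ywdblog project.  The two scripts below are
constructed, and `interpreter_exists` is injectable so the checks run offline.
"""
import os
import re
import stat

SHEBANG_RE = re.compile(rb"^#!\s*(\S+)")
PATH_ASSIGN_RE = re.compile(rb"(?m)^\s*(?:export\s+)?PATH=(.*)$")
# Absolute interpreter/tool paths at the start of a line, e.g. /usr/bin/php.
TOOL_RE = re.compile(rb"(?m)^\s*(/(?:[^\s/]+/)*(?:php|python[\d.]*|sleep))(?=\s|$)")

# Constructed: a hook showing the failure modes reported in this thread.
BROKEN_AU_SH = (
    b"!/bin/bash\r\n"                               # lost the '#', CRLF line endings
    b"PATH=$(cd `dirname $0`; pwd)\r\n"             # clobbers PATH -> 'sleep: command not found'
    b"sleep 30\r\n"
    b"/usr/bin/php $PATH\"/alydns.php\" $1 $2 $3\r\n"
)

# Constructed: the same hook written the way it should be.
GOOD_AU_SH = (
    b"#!/bin/bash\n"
    b"SCRIPT_DIR=$(cd \"$(dirname \"$0\")\" && pwd)\n"
    b"/bin/sleep 30\n"
    b"/usr/bin/php \"$SCRIPT_DIR/alydns.php\" \"$1\" \"$2\" \"$3\"\n"
)


def check_hook_script(content, interpreter_exists=os.path.exists, mode=None):
    """Return [(code, message), ...] for problems that make certbot's hook fail.

    `mode` is the file's st_mode if known; `interpreter_exists(path)` reports
    whether an absolute interpreter path is present on the host.
    """
    findings = []
    if mode is not None and not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append(("not-executable", "no execute bit: certbot reports 'returned error code 126' (chmod +x)"))
    if content.startswith(b"\xef\xbb\xbf"):
        findings.append(("bom", "UTF-8 BOM before '#!': the kernel will not see a shebang"))
        content = content[3:]
    if b"\r\n" in content:
        findings.append(("crlf", "DOS line endings: every command carries a trailing '\\r' (vim :set ff=unix)"))
        content = content.replace(b"\r\n", b"\n")  # check the intended text from here on
    first = content.split(b"\n", 1)[0]
    m = SHEBANG_RE.match(first)
    if m:
        interp = m.group(1).decode("utf-8", "replace")
        if not interpreter_exists(interp):
            findings.append(("interp-missing", f"shebang interpreter {interp} not found"))
    elif first.startswith(b"!"):
        findings.append(("bad-shebang", "line 1 starts with '!' not '#!': bash reports '!/bin/bash: No such file or directory'"))
    else:
        findings.append(("no-shebang", "no shebang line: the kernel cannot exec the file directly"))
    for pm in PATH_ASSIGN_RE.finditer(content):
        if b"$PATH" not in pm.group(1):
            findings.append(("path-clobbered", "PATH is overwritten, so bare commands such as 'sleep' stop resolving (rename the variable or use /bin/sleep)"))
            break
    for tool in sorted(set(TOOL_RE.findall(content))):
        path = tool.decode("utf-8", "replace")
        if not interpreter_exists(path):
            findings.append(("tool-missing", f"hard-coded {path} not found on this host"))
    return findings


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        with open(target, "rb") as fh:
            data = fh.read()
        for code, msg in check_hook_script(data, mode=os.stat(target).st_mode):
            print(f"{target}: {code}: {msg}")
```

Run `python3 hook_preflight.py /path/to/au.sh` before wiring the script into --manual-auth-hook; an empty result means the shebang, line endings, execute bit and hard-coded interpreters are all in order on that host.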