justjavac / certbot-dns-aliyun

A certbot plugin for Alibaba Cloud (Aliyun) DNS that solves the problem of Aliyun DNS not being able to renew wildcard certificates automatically

License: MIT License

Shell 100.00%
certbot certbot-dns certbot-plugin certbot-dns-authenticator

certbot-dns-aliyun's Introduction

certbot-dns-aliyun

Solves the problem that wildcard certificates on Aliyun DNS cannot be renewed automatically

How it works

When we use certbot to request a wildcard certificate, we have to add a TXT record by hand. Each certificate certbot issues is valid for 3 months. certbot does provide an automatic renewal command, but once that command is configured as a scheduled task, nobody is there to add the new TXT record that certbot needs for validation.

Fortunately certbot provides a hook for which we can write a shell script. During renewal the script calls the DNS provider's API to add the TXT record dynamically, and deletes the record again once validation has completed.
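As an added example (not the project's alidns.sh), this is the shape such a hook takes in POSIX sh: certbot runs the auth hook with CERTBOT_DOMAIN (for *.example.com that is example.com) and CERTBOT_VALIDATION in its environment, then runs the cleanup hook with the same variables. Assumed here: the DNS zone is the last two labels of the domain (not true for every domain), and the aliyun CLI argument names match the Alidns API (AddDomainRecord, DescribeDomainRecords, DeleteDomainRecord).

```sh
#!/bin/sh
# Added example, not the project's alidns.sh. Invoked by certbot as
# "hook" (auth) and "hook clean" (cleanup) with CERTBOT_DOMAIN and
# CERTBOT_VALIDATION in the environment.
# Assumptions: the zone is the last two labels of the domain, and the
# Alidns parameter names below match the Alibaba Cloud API docs.

# Map a domain to "<RR> <zone>", e.g.
#   example.com     -> "_acme-challenge example.com"
#   dns.example.com -> "_acme-challenge.dns example.com"
acme_record() {
    zone=$(printf '%s' "$1" | awk -F. '{ print $(NF-1) "." $NF }')
    host=${1%".$zone"}
    if [ "$host" = "$1" ]; then
        printf '_acme-challenge %s\n' "$zone"
    else
        printf '_acme-challenge.%s %s\n' "$host" "$zone"
    fi
}

# Pull every RecordId out of the JSON that DescribeDomainRecords prints,
# so cleanup deletes by the id the API returned instead of guessing one.
record_ids() {
    printf '%s' "$1" | grep -o '"RecordId": *"[0-9]*"' | sed 's/[^0-9]//g'
}

auth_hook() {
    set -- $(acme_record "$CERTBOT_DOMAIN")
    aliyun alidns AddDomainRecord --DomainName "$2" --RR "$1" \
        --Type TXT --Value "$CERTBOT_VALIDATION"
    sleep 30   # give the authoritative servers time before the CA queries
}

cleanup_hook() {
    set -- $(acme_record "$CERTBOT_DOMAIN")
    # Narrow to the exact validation value so only this record is removed.
    json=$(aliyun alidns DescribeDomainRecords --DomainName "$2" \
        --RRKeyWord "$1" --TypeKeyWord TXT --ValueKeyWord "$CERTBOT_VALIDATION")
    for id in $(record_ids "$json"); do
        aliyun alidns DeleteDomainRecord --RecordId "$id"
    done
}

# Only act when certbot actually supplied a domain.
if [ -n "$CERTBOT_DOMAIN" ]; then
    case "$1" in
        clean) cleanup_hook ;;
        *)     auth_hook ;;
    esac
fi
```

The script is wired up exactly like the certbot commands in the Installation section: the script path as --manual-auth-hook and "<script> clean" as --manual-cleanup-hook.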

Installation

  1. Install the aliyun CLI tool

    wget https://aliyuncli.alicdn.com/aliyun-cli-linux-latest-amd64.tgz
    tar xzvf aliyun-cli-linux-latest-amd64.tgz
    sudo cp aliyun /usr/local/bin
    rm aliyun

    After installation you need to configure your credentials (aliyun configure)

  2. Install the certbot-dns-aliyun plugin

    wget https://cdn.jsdelivr.net/gh/justjavac/certbot-dns-aliyun@main/alidns.sh
    sudo cp alidns.sh /usr/local/bin
    sudo chmod +x /usr/local/bin/alidns.sh
    sudo ln -s /usr/local/bin/alidns.sh /usr/local/bin/alidns
    rm alidns.sh
  3. Request a certificate

    Test whether the request succeeds:

    certbot certonly -d *.example.com --manual --preferred-challenges dns --manual-auth-hook "alidns" --manual-cleanup-hook "alidns clean" --dry-run

    For the real request, drop the --dry-run flag:

    certbot certonly -d *.example.com --manual --preferred-challenges dns --manual-auth-hook "alidns" --manual-cleanup-hook "alidns clean"
  4. Renew the certificate

    certbot renew --manual --preferred-challenges dns --manual-auth-hook "alidns" --manual-cleanup-hook "alidns clean" --dry-run

    If the command above reports no errors, remove the --dry-run flag.

  5. Automatic renewal

    Add a cron job with crontab.

    crontab -e

    and enter (a user crontab has no user field, so the command starts right after the schedule):

    1 1 */1 * * certbot renew --manual --preferred-challenges dns --manual-auth-hook "alidns" --manual-cleanup-hook "alidns clean" --deploy-hook "nginx -s reload"

    The --deploy-hook "nginx -s reload" above makes nginx reload its configuration automatically after a successful renewal.

certbot-dns-aliyun's People

Contributors

gyf9835, justjavac, reesewang, rushjun23, xvcoder


certbot-dns-aliyun's Issues

Support third-level domains

For third-level domains:

 ERROR: SDK.ServerError
 ErrorCode: InvalidParameter
 Recommend: https://error-center.aliyun.com/status/search?Keyword=InvalidParameter&source=PopGw
 RequestId: 570B8EF9-8C35-5FFB-927B-61C6CFBAB472
 Message: The parameter value RecordId is invalid.

When using it I get the error ERROR: region can't be empty

I configured the region ID with aliyun configure, but it still fails to run.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for *.xxxx.art
Hook '--manual-auth-hook' for xxx.art ran with error output:
ERROR: region can't be empty

Configuration failed, use aliyun configure to configure it

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: xxx.art
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.xxx.art - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Hook '--manual-cleanup-hook' for xxx.art reported error code 3
Hook '--manual-cleanup-hook' for xxx.art ran with error output:
ERROR: region can't be empty

Configuration failed, use aliyun configure to configure it
ERROR: region can't be empty

Configuration failed, use aliyun configure to configure it

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Can the script renew multiple domains under multiple accounts?

How can the script be used to renew several different domains that belong to several different Alibaba Cloud accounts?
Error log:
The domain name belongs to other users. Transfer the domain name to the current user and then try the binding and setting actions.

Error when requesting a certificate for a third-level domain

Hook '--manual-cleanup-hook' for dns.iikkalord.top reported error code 1
Hook '--manual-cleanup-hook' for dns.iikkalord.top ran with error output:
ERROR: SDK.ServerError
ErrorCode: InvalidDomainName.NoExist
Recommend: https://next.api.aliyun.com/troubleshoot?q=InvalidDomainName.NoExist&product=Alidns
RequestId: EDA5F57C-D98E-5EBA-BEDA-6792AAD98512
Message: The specified domain name does not exist. Refresh the page and try again.
RespHeaders: map[Access-Control-Allow-Origin:[] Connection:[keep-alive] Content-Length:[302] Content-Type:[application/json;charset=utf-8] Date:[Thu, 15 Dec 2022 09:41:17 GMT] X-Acs-Request-Id:[EDA5F57C-D98E-5EBA-BEDA-6792AAD98512] X-Acs-Trace-Id:[f26153bd9085bcc4b2d19a7aa257d4af]]
ERROR: SDK.ServerError
ErrorCode: InvalidParameter
Recommend: https://next.api.aliyun.com/troubleshoot?q=InvalidParameter&product=Alidns
RequestId: D2DE9F32-F13B-54BD-AD7C-5DBD8FA24019
Message: The parameter value RecordId is invalid.
RespHeaders: map[Access-Control-Allow-Origin:[
] Connection:[keep-alive] Content-Length:[251] Content-Type:[application/json;charset=utf-8] Date:[Thu, 15 Dec 2022 09:41:17 GMT] X-Acs-Request-Id:[D2DE9F32-F13B-54BD-AD7C-5DBD8FA24019] X-Acs-Trace-Id:[9574d2ffdb527e5931013c20daafec39]]

Some challenges have failed.
