主页 / server / 问题 / 1062849
Accepted
Walf
Asked: 2021-05-07 20:31:09 +0800 CST

使用 Let's Encrypt certbot 时,如何仅在证书实际更新时才重新启动/重新加载网络服务?

  • 772

certbot命令提供了两个在自动续订后运行的挂钩,来自文档:

 --post-hook POST_HOOK
                       Command to be run in a shell after attempting to
                       obtain/renew certificates. Can be used to deploy
                       renewed certificates, or to restart any servers that
                       were stopped by --pre-hook. This is only run if an
                       attempt was made to obtain/renew a certificate. If
                       multiple renewed certificates have identical post-
                       hooks, only one will be run. (default: None)
 --deploy-hook DEPLOY_HOOK
                       Command to be run in a shell once for each
                       successfully issued certificate. For this command, the
                       shell variable $RENEWED_LINEAGE will point to the
                       config live subdirectory (for example,
                       "/etc/letsencrypt/live/example.com") containing the
                       new certificates and keys; the shell variable
                       $RENEWED_DOMAINS will contain a space-delimited list
                       of renewed certificate domains (for example,
                       "example.com www.example.com" (default: None)

这个问题在这个(现已关闭的)LE 线程中进行了概述,基本上是关于最大限度地减少对服务的中断。POST_HOOK每次尝试更新时都会执行,即使没有颁发证书,但只有一次。这使得不必要地重新启动服务成为可能。DEPLOY_HOOK为每个成功的证书续订运行。如果一个人使用DEPLOY_HOOK, 并且有多个证书,则每个服务可能会在一次足够的情况下重新启动多次。有关更新挂钩的更多信息,请点击此处。

我使用一种完全不会中断我的服务的发行方法,例如:

certbot certonly --webroot ...

或者

certbot certonly --dns-PROVIDER ...

我只想重新启动/重新加载每个依赖服务一次,并且只有在其证书实际更改的情况下。

certbot lets-encrypt ssl-certificate-renewal

1 个回答

  1. Best Answer

    通过使用两个钩子和一个简单的脚本来保存状态,我能够克服这个限制。例如,要重新加载 nginx,并在他们都使用的证书被更新时重新启动 vsftpd:

    certbot certonly ... \
    --deploy-hook '/usr/local/sbin/read-new-certs-services nginx --restart vsftpd' \
    --post-hook /usr/local/sbin/read-new-certs-services

    脚本/usr/local/sbin/read-new-certs-services是这样的:

    #!/bin/sh

run_base=/run
dir_reloads="$run_base/new-cert-reloads"
dir_restarts="$run_base/new-cert-restarts"

if [ $# -gt 0 ]; then
    some=0
    dir="$dir_reloads"
    while [ $# -gt 0 ]; do
        case $1 in
            -h|--help)
                >&2 cat <<-'EOHELP'
                    Usage:

                      read-new-certs-services [-l|-s] service1 [[-l|-s] service2]
                      or
                      read-new-certs-services

                      When called without arguments, marked services will be reloaded or restarted.

                    Arguments:

                      -h, --help
                        This help.

                      -l, --reload
                        Mark all subsequently listed services for reloading. This is the default.

                      -s, --restart
                        Mark all subsequently listed services for restarting.
                    EOHELP
                exit
                ;;
            -l|--reload)
                dir="$dir_reloads"
                ;;
            -s|--restart)
                dir="$dir_restarts"
                ;;
            *)
                if [ -n "$1" ]; then
                    some=1
                    run_file="$dir/$1"
                    if [ ! -f "$run_file" ] && ! install -D /dev/null "$run_file"; then
                        >&2 echo "Service could not be marked: $run_file"
                        exit 1
                    fi
                fi
                ;;
        esac
        shift
    done
    if [ $some -eq 0 ]; then
        >&2 echo 'No service(s) specified.'
        exit 1
    fi
    exit
fi

if [ -d "$dir_restarts" ]; then
    find "$dir_restarts" -mindepth 1 -printf '%P\t%p\n' | while IFS="$(printf '\t')" read -r svc run_file; do
        systemctl restart "$svc" && rm "$run_file"
        # no need to reload as well if restarting
        run_file="$dir_reloads/$svc"
        if [ -f "$run_file" ]; then
            rm "$run_file"
        fi
    done
fi

if [ -d "$dir_reloads" ]; then
    find "$dir_reloads" -mindepth 1 -printf '%P\t%p\n' | while IFS="$(printf '\t')" read -r svc run_file; do
        systemctl reload "$svc" && rm "$run_file"
    done
fi

    这必须用于每个证书问题,以便他们不会使用冲突的重新启动服务的方法。

    您可以更改现有证书续订以使用此方法,方法是编辑其/etc/letsencrypt/renewal/*.conf文件以包含如下[renewalparams]部分中的钩子:

    renew_hook = /usr/local/sbin/read-new-certs-services nginx -s vsftpd
post_hook = /usr/local/sbin/read-new-certs-services
    • 1

相关问题