主页 / server / 问题 / 908952
Accepted
lofidevops
Asked: 2018-04-23 22:50:12 +0800 CST

certbot renew --dry-run 会导致误报吗?

  • 772

如果我运行certbot renew --dry-run并且不对我的 Nginx 配置做进一步的更改,我能保证certbot renew90 天后会成功吗?换句话说,结果可能是误报吗?

如果是这样,我是否应该certbot renew --force-renewal进行彻底的测试?

nginx

1 个回答

  1. Best Answer

    --force-renewal如果您满意,您当然可以使用 a 。但是你不能每天都运行它。该--dry-run选项正是出于在那里进行测试的原因。

    见这里:https ://certbot.eff.org/docs/using.html#certbot-command-line-options :

    --dry-run             Perform a test run of the client, obtaining test
                   (invalid) certificates but not saving them to disk.
                    This can currently only be used with the 'certonly'
                    and 'renew' subcommands. Note: Although --dry-run
                    tries to avoid making any persistent changes on a
                    system, it is not completely side-effect free: if used
                    with webserver authenticator plugins like apache and
                    nginx, it makes and then reverts temporary config
                    changes in order to obtain test certificates, and
                    reloads webservers to deploy and then roll back those
                    changes. It also calls --pre-hook and --post-hook
                    commands if they are defined because they may be
                    necessary to accurately simulate renewal. --deploy-
                    hook commands are not called. (default: False)

    这个选项是为了测试你的配置并确保一切都正确配置,但它有一些副作用

    对于续订,您可以renew通过 cron 定期安全地使用该选项:

    renew:
                The 'renew' subcommand will attempt to renew all certificates (or more
                precisely, certificate lineages) you have previously obtained if they are
                close to expiry, and print a summary of the results. By default, 'renew'
                will reuse the options used to create obtain or most recently successfully
                renew each certificate lineage. You can try it with `--dry-run` first. For
                more fine-grained control, you can renew individual lineages with the
               `certonly` subcommand. Hooks are available to run commands before and
                after renewal; see https://certbot.eff.org/docs/using.html#renewal for
                more information on these.

    这将定期运行更新过程,但只会在必要或即将到期时更新证书。

    --force-renewal不是自动更新证书的正确选项,而是手动更新:

    如果您手动更新所有证书, --force-renewal 标志可能会有所帮助;它会导致在考虑更新时忽略证书的到期时间,并尝试更新每个已安装的证书,而不管其年龄。(此表单不适合每天运行,因为每个证书都会每天更新,这将很快遇到证书颁发机构的速率限制。)

    至于保证,它是一个免费和开源的软件,我想没有人会向你保证任何事情。因此,使用它需要您自担风险。

    • 1

相关问题