
获取lets encrypt ssl免费证书 脚本



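# DNSPod dynamic-DNS update, every 15 minutes.
#
# The original entry passed login_email/login_password on the curl command line
# and used `curl -k`.  -k disables certificate verification, so the credentials
# would be handed to anyone able to intercept the connection, and anything on
# the command line is visible to other local users via `ps`/`/proc` and in the
# crontab itself.  Keep the POST body in a 0600 file with the same content as
# before:
#   login_email=...&login_password=...&format=json&domain_id=...&record_id=...&record_line=默认&sub_domain=...
# and let curl read it with `-d @file`.  Verification stays on; if the host's
# CA bundle is what made -k necessary, fix the bundle (or pass --cacert) rather
# than turning verification off.
*/15 * * * * curl -sS -X POST https://dnsapi.cn/Record.Ddns -d @/path/to/dnspod.params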


1.Cloudflare DNS
https://blog.lilydjwg.me/2018/11/24/apply-certificates-with-let-s-encrypt-verified-with-cloudflare-dns.213810.html


2.namesilo.com DNS
https://github.com/ethauvin/namesilo-letsencrypt
~/proj/shell/letsencrypt0.30/authenticator.py
#!/home/lixing/bin/python

#!/usr/bin/env python2

# authenticator.py
#
# Copyright (c) 2019, Erik C. Thauvin (erik@thauvin.net)
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# Neither the name of this project nor the names of its contributors may be
# used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# AREDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVERCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USEOF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

import os
import sys
import tempfile
import time
import urllib

import urllib2
import untangle

from config import apikey


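# Domain the _acme-challenge TXT record is created for.  cleanup.py must use
# the exact same value: both scripts derive their scratch directory from it.
domain = 'yourdomain.com'

# Placeholder challenge token; certbot passes the real one in
# CERTBOT_VALIDATION when this script runs as --manual-auth-hook.
validation = 'nNTwWjXg4_Hr3papyY3YxrmZUDq4x-X9D6a8JN7oazs'
if "CERTBOT_VALIDATION" in os.environ:
    validation = os.environ['CERTBOT_VALIDATION']

# Scratch directory through which the NameSilo record id is handed over to
# cleanup.py.
tmpdir = os.path.join(tempfile.gettempdir(), "CERTBOT_" + domain)
print(tmpdir)

# The API key is imported from config.py above; NAMESILO_API in the
# environment overrides it.  (The original unconditionally reassigned a
# placeholder string here, which silently discarded the config.py value.)
if "NAMESILO_API" in os.environ:
    apikey = os.environ['NAMESILO_API']
if not apikey:
    sys.stderr.write("no NameSilo API key: set NAMESILO_API or config.apikey\n")
    sys.exit(1)

# NameSilo's API takes the key as a query parameter, so it appears in any
# proxy/access log of this URL -- keep that in mind when debugging.  Every
# value is URL-encoded: the token certbot supplies looks base64url-safe (see
# the placeholder above), but quoting costs nothing and keeps a stray '&'
# from corrupting the query.
url = (
    "https://www.namesilo.com/api/dnsAddRecord?version=1&type=xml"
    "&key=" + urllib.quote(apikey, safe='')
    + "&domain=" + urllib.quote(domain, safe='')
    + "&rrtype=TXT&rrhost=_acme-challenge"
    + "&rrvalue=" + urllib.quote(validation, safe='')
    + "&rrttl=3600"
)
print(validation)

# The directory lives in a shared temp dir: refuse a symlink planted there and
# create it 0700, tolerating only the already-exists case (EAFP instead of the
# original exists-then-mkdir race).
if os.path.islink(tmpdir):
    sys.stderr.write("refusing to use symlinked scratch dir {}\n".format(tmpdir))
    sys.exit(1)
try:
    os.mkdir(tmpdir, 0o700)
except OSError:
    if not os.path.isdir(tmpdir):
        raise

req = urllib2.Request(
    url,
    data=None,
    headers={
        'User-Agent': ('Mozilla/5.0 (X11; CrOS x86_64 11647.154.0) '
                       'AppleWebKit/537.36 (KHTML, like Gecko) '
                       'Chrome/73.0.3683.114 Safari/537.36')
    }
)

# A timeout keeps a stalled API call from hanging the certbot run forever.
response = urllib2.urlopen(req, timeout=60)
try:
    html = response.read()
finally:
    response.close()
reply = untangle.parse(str(html)).namesilo.reply

# Reply code 300 is treated as success, as in the original.  Errors go to
# stderr (the original's `print "...", sys.stderr` printed the file object to
# stdout instead of writing to stderr).
if reply.code.cdata != '300':
    sys.stderr.write("{}: {} ({})\n".format(domain, reply.detail.cdata, reply.code.cdata))
    sys.exit(1)

record_id = reply.record_id.cdata
print(record_id)
with open(os.path.join(tmpdir, "RECORD_ID"), "w") as f:
    f.write(record_id)

# Wait for the new TXT record to become visible to Let's Encrypt's resolvers.
# The author's experience is that at least 16 minutes is needed, with a second
# 16-minute wait added "just in case"; the total (32 minutes) is unchanged from
# the original.  Don't shorten it on a whim: a failed validation wastes the
# whole run.
PROPAGATION_WAIT_SECONDS = 960
time.sleep(PROPAGATION_WAIT_SECONDS)
time.sleep(PROPAGATION_WAIT_SECONDS)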


接下来的是
~/proj/shell/letsencrypt0.30/cleanup.py
#!/home/lixing/bin/python

#!/usr/bin/env python2

# cleanup.py
#
# Copyright (c) 2019, Erik C. Thauvin (erik@thauvin.net)
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# Neither the name of this project nor the names of its contributors may be
# used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# AREDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVERCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USEOF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

import os
import sys
import tempfile
import urllib
import urllib2
#import urllib.request
print sys.path
import untangle

from config import apikey

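# Must be identical to `domain` in authenticator.py: both scripts derive the
# scratch directory from it.  The original had 'yourdamain.com' here, so the
# RECORD_ID file written by authenticator.py was never found and the
# _acme-challenge TXT record was never deleted.
domain = 'yourdomain.com'
tmpdir = os.path.join(tempfile.gettempdir(), "CERTBOT_" + domain)

# API key from config.py (imported above), overridable via NAMESILO_API; the
# original overwrote the imported value with a placeholder unconditionally.
if "NAMESILO_API" in os.environ:
    apikey = os.environ['NAMESILO_API']
if not apikey:
    sys.stderr.write("no NameSilo API key: set NAMESILO_API or config.apikey\n")
    sys.exit(1)

# Base URL; the record id is appended per request.  The key travels in the
# query string (NameSilo's API design), so it shows up in any URL logging.
url = (
    "https://www.namesilo.com/api/dnsDeleteRecord?version=1&type=xml"
    "&key=" + urllib.quote(apikey, safe='')
    + "&domain=" + urllib.quote(domain, safe='')
    + "&rrid="
)

USER_AGENT = ('Mozilla/5.0 (X11; CrOS x86_64 11647.154.0) '
              'AppleWebKit/537.36 (KHTML, like Gecko) '
              'Chrome/73.0.3683.114 Safari/537.36')


def getrequest(record_id):
    """Return the GET request that deletes NameSilo DNS record `record_id`.

    The id is read from a file on disk, so it is URL-encoded rather than
    pasted into the query string verbatim.
    """
    return urllib2.Request(
        url + urllib.quote(record_id, safe=''),
        data=None,
        headers={'User-Agent': USER_AGENT},
    )


idFile = os.path.join(tmpdir, "RECORD_ID")
if os.path.isfile(idFile):
    # Read all ids up front so the file is closed even when we exit early;
    # blank lines are skipped instead of being sent as an empty rrid.
    with open(idFile, "r") as f:
        record_ids = [line.strip() for line in f if line.strip()]
    for record_id in record_ids:
        response = urllib2.urlopen(getrequest(record_id), timeout=60)
        try:
            html = response.read()
        finally:
            response.close()
        reply = untangle.parse(str(html)).namesilo.reply
        if reply.code.cdata != '300':
            # Errors go to stderr (the original's `print "...", sys.stderr`
            # printed the file object to stdout instead).
            sys.stderr.write("{}: {} ({})\n".format(
                domain, reply.detail.cdata, reply.code.cdata))
            # The original tolerates reply code 280 and keeps going --
            # presumably "record not found"; TODO confirm against NameSilo's
            # API docs.  Any other failure leaves RECORD_ID in place so the
            # deletion can be retried.
            if reply.code.cdata != '280':
                sys.exit(1)
    os.remove(idFile)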


最后是:
~/proj/shell/letsencrypt0.30/renew_certificate.sh
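#!/usr/bin/bash
# Request/renew the certificate for one domain with the DNS-01 challenge,
# using the NameSilo hook scripts (authenticator.py / cleanup.py) that live
# next to this file.
set -euo pipefail

script_path=~/proj/shell/letsencrypt0.30

# The hooks read the NameSilo API key from NAMESILO_API and fall back to
# config.py; export it before running (e.g. `export NAMESILO_API=...`) rather
# than pasting the key into this script.
echo "${script_path}"

# NOTE(review): certbot-auto is the wrapper the original used; if it is no
# longer available on your system, a distro or pip `certbot` takes the same
# flags.  Paths are quoted so a space in $HOME does not split them.
"${script_path}/certbot-auto" certonly --no-self-upgrade --manual \
    --email youremail@google.com \
    --agree-tos --manual-public-ip-logging-ok \
    --preferred-challenges=dns \
    --manual-auth-hook "${script_path}/authenticator.py" \
    --manual-cleanup-hook "${script_path}/cleanup.py" \
    -d yourdomain.com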

最后执行如下脚本,将生成好的.pem文件复制到指定位置(脚本用的是 cp,原文件仍保留在 /etc/letsencrypt/live 下),并设置好相应的属主和权限:
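#!/usr/bin/bash
# Copy the issued certificate chain and private key out of
# /etc/letsencrypt/live/<host> into this script's directory and lock them
# down.  The result is owned by root with mode 0400, so only root can read
# it: that suits a daemon that starts as root (or loads its key before
# dropping privileges).  If the service runs as a dedicated user, chown to
# that user instead of root.
set -euo pipefail

currpath=$(cd "$(dirname "$0")" && pwd)
yourhost=otherhill.com

# Create the copies 0600 from the start instead of relying on the chmod
# below: cp without -p applies the umask to the new files, so the private key
# is never group/world-readable even briefly.  (sudo normally combines its own
# umask with the caller's, so the copy is at least this restrictive -- verify
# against your sudoers settings.)
umask 077

# -L follows the live/ symlinks so real files are copied, not dangling links.
sudo cp -r -L "/etc/letsencrypt/live/$yourhost" "$currpath"

echo "$currpath"
# Apply the proper file ownership and permissions for
# the daemon to read its certificate and key.
sudo chown root "$currpath/$yourhost/fullchain.pem" "$currpath/$yourhost/privkey.pem"

sudo chmod 400 "$currpath/$yourhost/fullchain.pem" "$currpath/$yourhost/privkey.pem"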

