Saw someone on hostloc asking how to auto-renew SSL certificates on an Xpenology box

source link: https://www.v2ex.com/t/969365


  yinaqu · 1 hour 1 minute ago · 337 views

I don't have a hostloc account, so I can't reply there. Posting the SSL certificate auto-renewal script I wrote, in case it helps anyone who needs it. PS:

  1. This script works on my DSM 6.2. On DSM 7 you may need to change the certificate storage path and the way services are restarted (look up the relevant information yourself; the idea is the same).
  2. Because my ISP blocks port 80, the HTTP challenge cannot be used, only the DNS challenge. This script uses acme.sh's Cloudflare API; to switch to another provider such as Aliyun, refer to the acme.sh documentation. Switching should be simple.
#!/bin/bash

# Automatically update certs for Synology DSM6
# 1. Migrate your domain to Cloudflare, and create an A type record.
# 2. Generate a token with zone view authority and dns edit authority.
# 3. Install acme.sh on DSM6, no cron job needed: ./acme.sh --install --force -m [email protected]
# 4. Put this script into user defined task scheduler, executes per one month or two.
# 5. Make sure this script will be executed once immediately by your schedule task, or just execute it once manually.

# Modify these as your own.
# See https://github.com/acmesh-official/acme.sh/wiki/dnsapi#using-the-new-cloudflare-api-token-you-will-get-this-after-normal-login-and--scroll-down-on-dashboard-and-copy-credentials
export CF_Account_ID="xxx"
export CF_Zone_ID="xxx"
export CF_Token="xxx"
DOMAIN_RECORD='example.com'

ACME_HOME=$HOME/.acme.sh
ACME_SH=$ACME_HOME/acme.sh

if ! command -v "$ACME_SH" &>/dev/null; then
    echo "Please install acme.sh."
    exit 1
fi

DOMAIN_CERT_HOME="$ACME_HOME/$DOMAIN_RECORD"

TARGET_DIRS=(
    "/usr/syno/etc/certificate/_archive/$(head -n1 /usr/syno/etc/certificate/_archive/DEFAULT | xargs echo -n)"
    '/usr/syno/etc/certificate/system/default'
    '/usr/syno/etc/certificate/smbftpd/ftpd'
    '/usr/local/etc/certificate/CardDAVServer/carddav'
    '/usr/local/etc/certificate/SynologyDrive/SynologyDrive'
    '/usr/local/etc/certificate/WebDAVServer/webdav'
)

issue_or_renew() {
    cert_issued=0
    domains=()
    while IFS='' read -r line; do domains+=("$line"); done < <($ACME_SH --list | awk '{print $1}')
    for domain in "${domains[@]}"; do
        if [ "$domain" = "$DOMAIN_RECORD" ]; then
            cert_issued=1
            break
        fi
    done
    if [ "$cert_issued" -eq 0 ]; then
        rm -rf "$DOMAIN_CERT_HOME"
        # Issue certs via ZeroSSL; to use Let's Encrypt you would have to update ca-certificates on DSM6.
        # Since DSM6 does not support ECC, RSA (-k 2048) must be specified, otherwise the system default certs will be overridden by DSM6 on reboot.
        $ACME_SH --issue --server zerossl --dns dns_cf -d "$DOMAIN_RECORD" -k 2048
    else
        $ACME_SH --renew --force -d "$DOMAIN_RECORD"
    fi
}
copy_certs() {
    echo "Copying certs...."
    for dir in "${TARGET_DIRS[@]}"; do
        install -m 400 "$DOMAIN_CERT_HOME/$DOMAIN_RECORD.cer" "$dir/cert.pem"
        install -m 400 "$DOMAIN_CERT_HOME/$DOMAIN_RECORD.key" "$dir/privkey.pem"
        install -m 400 "$DOMAIN_CERT_HOME/fullchain.cer" "$dir/fullchain.pem"
    done
    echo "Certs copy completed."
}

restart_services() {
    echo "Restarting services...."
    nginx -s reload
    /var/packages/WebDAVServer/scripts/start-stop-status stop
    /var/packages/CardDAVServer/scripts/start-stop-status stop
    sleep 20
    /var/packages/WebDAVServer/scripts/start-stop-status start
    /var/packages/CardDAVServer/scripts/start-stop-status start
    /var/packages/SynologyDrive/scripts/start-stop-status restart
    echo "Services restart completed."
}

echo '--------------------------------------'
issue_or_renew
copy_certs
restart_services
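
As an added example (not part of yinaqu's post and not acme.sh code), the bash functions below verify the outcome of a copy_certs-style deployment before services are restarted: every target directory must contain cert.pem, privkey.pem and fullchain.pem, each byte-identical to what acme.sh issued, the chain must begin with the leaf certificate, and the private key must be owner-only. The function names (verify_cert_dir, verify_all_targets, make_sample_deploy), the constructed PEM placeholders and the temporary directory layout are assumptions made for this demonstration.

```shell
#!/bin/bash
# Added example (not from the original post): verify the result of a copy_certs-style
# deployment. For each target directory it checks that cert.pem, privkey.pem and
# fullchain.pem exist, are byte-identical to the files acme.sh issued, that the chain
# starts with the leaf certificate, and that the private key is owner-only.
# Function names and the constructed sample layout are assumptions for the demo.

# verify_cert_dir TARGET_DIR ACME_CERT_DIR DOMAIN -> 0 if everything matches, 1 otherwise
verify_cert_dir() {
    local dir="$1" acme_dir="$2" domain="$3" failures=0 f mode leaf_size

    # 1. All three deployed files must exist and be non-empty.
    for f in cert.pem privkey.pem fullchain.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "MISSING  $dir/$f"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ] || return 1

    # 2. Deployed files must be byte-identical to what acme.sh issued. A mismatch
    #    means the copy failed or DSM regenerated its own certificate after a reboot.
    cmp -s "$acme_dir/$domain.cer" "$dir/cert.pem" \
        || { echo "DRIFT    $dir/cert.pem differs from issued certificate"; failures=$((failures + 1)); }
    cmp -s "$acme_dir/$domain.key" "$dir/privkey.pem" \
        || { echo "DRIFT    $dir/privkey.pem differs from issued key"; failures=$((failures + 1)); }
    cmp -s "$acme_dir/fullchain.cer" "$dir/fullchain.pem" \
        || { echo "DRIFT    $dir/fullchain.pem differs from issued chain"; failures=$((failures + 1)); }

    # 3. The chain file must begin with the leaf certificate (leaf first, then intermediates).
    leaf_size=$(stat -c '%s' "$dir/cert.pem")
    head -c "$leaf_size" "$dir/fullchain.pem" | cmp -s - "$dir/cert.pem" \
        || { echo "CHAIN    $dir/fullchain.pem does not start with cert.pem"; failures=$((failures + 1)); }

    # 4. The private key must be readable by its owner only (install -m 400 in the post).
    mode=$(stat -c '%a' "$dir/privkey.pem")
    case "$mode" in
        400|600) ;;
        *) echo "PERMS    $dir/privkey.pem has mode $mode, expected 400"; failures=$((failures + 1)) ;;
    esac

    [ "$failures" -eq 0 ]
}

# verify_all_targets ACME_CERT_DIR DOMAIN TARGET_DIR... -> exit status = number of failed dirs
verify_all_targets() {
    local acme_dir="$1" domain="$2" bad=0 dir
    shift 2
    for dir in "$@"; do
        if verify_cert_dir "$dir" "$acme_dir" "$domain"; then
            echo "OK       $dir"
        else
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# make_sample_deploy -> prints a temp root with a constructed acme dir and two deployed
# target dirs. The PEM bodies are constructed placeholders, not real certificates or keys.
make_sample_deploy() {
    local root acme dir domain='example.test'
    root=$(mktemp -d)
    acme="$root/acme/$domain"
    mkdir -p "$acme" "$root/target1" "$root/target2"
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED LEAF\n-----END CERTIFICATE-----\n' > "$acme/$domain.cer"
    printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED KEY\n-----END PRIVATE KEY-----\n' > "$acme/$domain.key"
    { cat "$acme/$domain.cer"
      printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED INTERMEDIATE\n-----END CERTIFICATE-----\n'; } > "$acme/fullchain.cer"
    for dir in "$root/target1" "$root/target2"; do
        install -m 400 "$acme/$domain.cer" "$dir/cert.pem"
        install -m 400 "$acme/$domain.key" "$dir/privkey.pem"
        install -m 400 "$acme/fullchain.cer" "$dir/fullchain.pem"
    done
    echo "$root"
}

# Stand-alone demo: build the constructed layout, verify it, then weaken one key's mode.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_deploy)
    verify_all_targets "$root/acme/example.test" example.test "$root/target1" "$root/target2"
    chmod 644 "$root/target2/privkey.pem"
    verify_all_targets "$root/acme/example.test" example.test "$root/target1" "$root/target2" \
        || echo "$? target(s) failed verification"
    rm -rf "$root"
fi
```

Run the file with `--demo` to see both a clean and a failing pass on the constructed layout. In a real deployment, call `verify_all_targets "$DOMAIN_CERT_HOME" "$DOMAIN_RECORD" "${TARGET_DIRS[@]}"` after copy_certs and before restart_services, so a failed copy or a DSM-regenerated default certificate is caught before nginx and the packages reload with the wrong material. The byte comparison says nothing about validity dates; on real files, `openssl x509 -noout -enddate -in cert.pem` adds the expiry check.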
