春节期间收到了公司服务器上一个域名证书快要过期的提示邮件。 今天第一天开工,正好处理一下。
很奇怪,这个服务器上基于 letsencrypt 生成的免费证书,总是不自动续期。
日志地址
ls /var/log/letsencrypt
查看了一下,都是手动操作的日志,没有自动续期产生的日志。说明计划任务没有自动执行? 而我在另一台自动续期执行正常的服务器上看,自动续期是会产生日志的。 所以,问题的根源,还是命令没有定期执行。
手动续期
先手动解决,然后再排查问题
> certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
--------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.sunzhongwei.com.conf
--------------------------------------------------------------------------------
Renewing an existing certificate for www.sunzhongwei.com
Reloading nginx server after certificate renewal
--------------------------------------------------------------------------------
Congratulations, all renewals succeeded:
/etc/letsencrypt/live/www.sunzhongwei.com/fullchain.pem (success)
需要注意,手动续期时,不要加 dry run (排练,演习的意思)参数。 可以对比加了 dry run 之后的输出,并没有 renew 证书及 reload nginx 的操作。
> certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
--------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.sunzhongwei.com.conf
--------------------------------------------------------------------------------
Simulating renewal of an existing certificate for www.sunzhongwei.com
--------------------------------------------------------------------------------
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/www.sunzhongwei.com/fullchain.pem (success)
确认证书续期成功:
> ls -lah /etc/letsencrypt/live/www.sunzhongwei.com/fullchain.pem
lrwxrwxrwx 1 root root 44 Jan 29 12:19 /etc/letsencrypt/live/www.sunzhongwei.com/fullchain.pem -> ../../archive/www.sunzhongwei.com/fullchain4.pem
从浏览器打开网站,查看证书确实已经更新了。
自动续期是如何执行的
另一台正常的服务器上,也没有找到对应的 crontab 计划任务配置。网上查了一下,才知道 certbot 是基于 systemd 实现的定时任务,而不是 crontab。
例如,证书正常的服务器,可以看到一个 certbot.timer 的条目:
$ systemctl list-timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Mon 2023-01-30 00:00:00 CST 10h left Sun 2023-01-29 00:00:01 CST 13h ago logrotate.timer logrotate.service
Mon 2023-01-30 01:28:27 CST 12h left Sun 2023-01-29 12:49:53 CST 13min ago certbot.timer certbot.service
不正常的服务器,没有看到 certbot.timer 的踪影:
$ systemctl list-timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Sun 2023-01-29 13:10:00 CST 6min left Sun 2023-01-29 13:00:20 CST 2min 54s ago sysstat-collect.timer sysstat-collect.service
检查 systemd timer 配置
~ ls /lib/systemd/system/ | grep certbot
certbot-renew.service
certbot-renew.timer
> cd /lib/systemd/system
> cat certbot-renew.timer
[Unit]
Description=This is the timer to set the schedule for automated renewals
[Timer]
OnCalendar=--* 00/12:00:00
RandomizedDelaySec=12hours
Persistent=true
[Install]
WantedBy=timers.target
> cat certbot-renew.service
[Unit]
Description=This service automatically renews any certbot certificates found
[Service]
EnvironmentFile=/etc/sysconfig/certbot
Type=oneshot
ExecStart=/usr/bin/certbot renew --noninteractive --no-random-sleep-on-renew $PRE_HOOK $POST_HOOK $RENEW_HOOK $DEPLOY_HOOK $CERTBOT_ARGS
certbot-renew.timer 的配置我看不明白。。。 猜测是 certbot-renew.timer 会执行同名的 service。
没有执行的原因,难道是 timer 没有 enable ?
> systemctl start certbot-renew.timer
> systemctl enable certbot-renew.timer
Created symlink /etc/systemd/system/timers.target.wants/certbot-renew.timer → /usr/lib/systemd/system/certbot-renew.timer.
果然,enable 之后,就能看到 certbot timer 了
> systemctl list-timers --all
NEXT LEFT LAST PASSED UNIT ACTIVATES
Mon 2023-01-30 03:32:56 CST 12h left n/a n/a certbot-renew.timer certbot-renew.service
参考
- systemd timer 的基础操作
- https://stackoverflow.com/questions/48443791/certbot-where-is-packaged-automatic-renewal-cron-job
- https://stackoverflow.com/questions/41535546/how-do-i-schedule-the-lets-encrypt-certbot-to-automatically-renew-my-certificat