To the group owner:
I am using the oneinstack package, and I have tried both the "webroot" and the "standalone" way of obtaining a certificate; both passed.
I. Obtaining a certificate with "webroot": the certificate is obtained by validating /.well-known/acme-challenge. With a stock oneinstack install this works as-is; I did not see any case where /.well-known/acme-challenge could not be accessed.
But some people say:
The default virtual host forbids hidden files and directories beginning with ".", so a request to http://abc.com/.well-known/acme-challenge/**** returns a 403 error, so you must delete or comment out this section in the corresponding virtual host configuration file:
    location ~ /\.
    {
        deny all;
    }
or add the following before that section:
    location ~ /.well-known {
        allow all;
    }
In my tests I did not run into this situation. I think the precondition for this method is that the virtual host has already been created and DNS for the domain already resolves, because certbot has to access /.well-known/acme-challenge; without DNS resolution the site should not be reachable at all.
webroot supports three cases:
1. One domain, one certificate:
    ./certbot-auto certonly --webroot --agree-tos --email admin@example.com -w /var/www/example/ -d www.example.com
2. Several domains, one directory, one certificate (i.e. one site with several domains sharing the same certificate):
    ./certbot-auto certonly --webroot --agree-tos --email admin@example.com -w /var/www/example/ -d www.example.com -d example.com -d other.example.net -d another.other.example.net
3. Several domains, several directories, several certificates (i.e. certificates for several domains obtained in one run):
    ./certbot-auto certonly --webroot --agree-tos --email admin@example.com -w /var/www/example/ -d www.example.com -d example.com -w /var/www/other -d other.example.net -d another.other.example.net
For oneinstack only cases 1 and 2 should apply, because in oneinstack one site corresponds to one site directory, and adding a virtual host supports adding more domains. Note: I have not yet tested case 2, so for now I am not sure whether those extra domains can obtain certificates and renew normally.
The official recommendation is to obtain certificates with webroot; presumably this is because temporarily stopping the web server makes other sites briefly unreachable.
II. Obtaining a certificate with "standalone":
Official description: To obtain a cert using a "standalone" webserver, you can use the standalone plugin by including certonly and --standalone on the command line.
This plugin needs to bind to port 80 or 443 in order to perform domain validation, so you may need to stop your existing webserver. To control
which port the plugin uses, include one of the options shown below on the command line.
So this method temporarily stops the web server. I also tested obtaining a certificate with standalone inside oneinstack, and it succeeded too. As for "so you may need to stop your existing webserver", I did not stop it by hand; I guess that when obtaining a certificate in standalone mode it stops and restarts the web server by itself, with no manual intervention needed.
Command to obtain a certificate with "standalone":
    ./certbot-auto certonly --standalone --agree-tos --email admin@example.com -d example.com -d www.example.com -d other.example.net
=> it supports obtaining a certificate for several domains.
III. Renewal
Official description:
    certbot-auto renew
This will attempt to renew any previously-obtained certificates that expire in less than 30 days. The same plugin and options that were used at the time the certificate was originally issued will be used for the renewal attempt, unless you specify other plugins or options.
So the method used to obtain the certificate earlier is what certbot-auto renew uses by default. I see that ./vhost.sh in the latest oneinstack has:
    certbot-auto certonly --standalone --agree-tos --email ${Admin_Email} -w ${vhostdir} -d ${domain} ${moredomainame_D} --pre-hook "service ${S} stop" --post-hook "service ${S} start"
    if [ -s "/etc/letsencrypt/live/${domain}/cert.pem" ]; then
        [ -e "${PATH_SSL}/${domain}.crt" ] && rm -rf ${PATH_SSL}/${domain}.{crt,key}
        ln -s /etc/letsencrypt/live/${domain}/fullchain.pem ${PATH_SSL}/${domain}.crt
        ln -s /etc/letsencrypt/live/${domain}/privkey.pem ${PATH_SSL}/${domain}.key
        if [ -e "${web_install_dir}/sbin/nginx" -a -e "${apache_install_dir}/conf/httpd.conf" ]; then
            Cron_Command="/etc/init.d/nginx reload;/etc/init.d/httpd graceful"
        elif [ -e "${web_install_dir}/sbin/nginx" -a ! -e "${apache_install_dir}/conf/httpd.conf" ]; then
            Cron_Command="/etc/init.d/nginx reload"
        elif [ ! -e "${web_install_dir}/sbin/nginx" -a -e "${apache_install_dir}/conf/httpd.conf" ]; then
            Cron_Command="/etc/init.d/httpd graceful"
        fi
        [ "${OS}" == "CentOS" ] && Cron_file=/var/spool/cron/root || Cron_file=/var/spool/cron/crontabs/root
        [ -z "$(grep 'certbot-auto renew' ${Cron_file})" ] && echo "0 0 1 * * /usr/local/bin/certbot-auto renew;${Cron_Command}" >> $Cron_file
Since the certificate above is obtained with certbot-auto certonly --standalone, certbot-auto renew should also try that method; and since the certbot-auto certonly --standalone above runs --pre-hook "service ${S} stop" --post-hook "service ${S} start", should the ./certbot-auto renew that is run now also add them, i.e. certbot-auto renew --pre-hook "service ${S} stop" --post-hook "service ${S} start"?
Note: I tested with standalone, and it could obtain the certificate even without --pre-hook "service ${S} stop" --post-hook "service ${S} start". When running certbot-auto renew I did not add them either, and it could still renew (note: I ran a forced renewal). So I suspect that when standalone is used it automatically does --pre-hook "service ${S} stop" --post-hook "service ${S} start", with no manual action needed. As for whether certbot-auto renew can do without --pre-hook "service ${S} stop" --post-hook "service ${S} start", I have not tested it. My own guess is that certbot-auto certonly --standalone and certbot-auto renew should either both have --pre-hook "service ${S} stop" --post-hook "service ${S} start" or both go without it; please look into this further, group owner!
The above are the conclusions I reached from my own tests and from the latest official guide; I hope they are useful to the group owner. The Let's Encrypt support in oneinstack still needs some improvement! Thanks, group owner, and thanks for the oneinstack one-click install package!!
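The post above reports that the webroot method worked out of the box, while others hit a 403 from a "location ~ /\." deny block. The quickest way to settle that on a given host is to place a throwaway file under the webroot's /.well-known/acme-challenge/ directory and fetch it over plain HTTP before running certbot, which is what the following script does. It is an added example written for this page, not code from the post or from oneinstack; the function name check_acme_path, the single-use token name and the assumption that the domain already resolves to the host and the vhost already exists are all mine.

```shell
#!/bin/sh
# Added example (not from the post or oneinstack): before running
# "certbot-auto certonly --webroot", confirm that a file placed under
# <webroot>/.well-known/acme-challenge/ is really served over HTTP, so a
# "location ~ /\. { deny all; }" block cannot make validation fail with 403.
# Assumptions: DOMAIN already resolves to this host, the vhost exists, and
# curl is installed.

# fetch_url URL -> prints the response body; non-zero exit on an HTTP error
# (curl -f turns 403/404 into exit status 22).
fetch_url() {
    curl -fsS --max-time 10 "$1"
}

# check_acme_path DOMAIN WEBROOT
# Returns 0 when the token file is reachable with the expected content,
# 1 otherwise. Always removes the temporary token file afterwards.
check_acme_path() {
    domain="$1"
    webroot="$2"
    dir="$webroot/.well-known/acme-challenge"
    # Constructed single-use file name; it is not a real ACME token.
    token="selftest-$$-$(date +%s)"
    mkdir -p "$dir" || return 1
    printf '%s\n' "ok-$token" > "$dir/$token"
    body=$(fetch_url "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)
    status=$?
    rm -f "$dir/$token"
    if [ "$status" -eq 0 ] && [ "$body" = "ok-$token" ]; then
        echo "OK: /.well-known/acme-challenge/ is served from $webroot"
        return 0
    fi
    echo "FAIL: http://$domain/.well-known/acme-challenge/$token not served (fetch exit $status)" >&2
    echo "      look for a 'location ~ /\\.' deny block that precedes any allow rule for /.well-known" >&2
    return 1
}

# Usage: sh check_acme_path.sh example.com /var/www/example
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    check_acme_path "$1" "$2"
fi
```

Run it once per vhost with the same webroot you intend to pass to certbot with -w; a FAIL with exit status 22 is the 403 case the post quotes, and is fixed by ordering the /.well-known allow rule before the dot-file deny rule, exactly as the post describes.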
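The renewal question in the post (does certbot-auto renew reuse the --pre-hook/--post-hook given at issue time, or must they be repeated?) can be answered on the host itself: certbot writes the plugin and the hook options it was given into /etc/letsencrypt/renewal/<domain>.conf under [renewalparams], and that file is what renew reads. The script below is an added example for this page, not code from the post or from oneinstack; the function names, the "none"/"unknown" placeholders and the suggested dry-run command are mine, and it assumes the standard renewal-config location (overridable through RENEWAL_DIR).

```shell
#!/bin/sh
# Added example (not from the post or oneinstack): show which authenticator
# and hooks "certbot-auto renew" will reuse for a domain by reading the
# renewal configuration certbot writes when the certificate is issued.
# Assumption: the file lives at $RENEWAL_DIR/<domain>.conf and stores
# "authenticator", "pre_hook" and "post_hook" as "key = value" lines.

RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"

# renewal_param FILE KEY -> prints the value of the first "KEY = value" line
renewal_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# renewal_summary DOMAIN -> prints "authenticator|pre_hook|post_hook",
# using "unknown"/"none" when a field is absent; returns 1 if no config exists
renewal_summary() {
    conf="$RENEWAL_DIR/$1.conf"
    [ -r "$conf" ] || { echo "no renewal config for $1 at $conf" >&2; return 1; }
    auth=$(renewal_param "$conf" authenticator)
    pre=$(renewal_param "$conf" pre_hook)
    post=$(renewal_param "$conf" post_hook)
    printf '%s|%s|%s\n' "${auth:-unknown}" "${pre:-none}" "${post:-none}"
}

# renew_needs_hooks DOMAIN -> 0 when the standalone plugin is recorded but no
# hooks are, i.e. the web server would still hold port 80 at renewal time
renew_needs_hooks() {
    summary=$(renewal_summary "$1") || return 1
    auth=${summary%%|*}
    rest=${summary#*|}
    pre=${rest%%|*}
    post=${rest#*|}
    [ "$auth" = "standalone" ] && [ "$pre" = "none" ] && [ "$post" = "none" ]
}

# Usage: sh renew_check.sh example.com nginx
if [ -n "${1:-}" ]; then
    renewal_summary "$1"
    if renew_needs_hooks "$1"; then
        svc="${2:-nginx}"   # service name is an assumption; pass your own
        echo "standalone without stored hooks; test the renewal with:" >&2
        echo "  certbot-auto renew --dry-run --cert-name $1 --pre-hook 'service $svc stop' --post-hook 'service $svc start'"
    fi
fi
```

If the summary already shows the stop/start hooks, the oneinstack cron line needs nothing extra, because renew picks them up from the stored parameters; if it shows standalone with no hooks, the --dry-run command printed above lets you confirm the port-80 conflict (or its absence) against the staging environment without touching the live certificate.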