七牛云证书自动续期

生成证书

Certbot Let's Encrypt 证书自动续期

安装七牛sdk

pip install qiniu

创建 certbot-qiniucdn.py

# -*- coding: utf-8 -*-
from qiniu import Auth
import os
import sys
import requests
import datetime

# Multi-domain configuration. 'cert_domain' is the Qiniu CDN domain whose
# https config gets updated; 'cert_domain_local' is the certbot lineage name
# (the directory under /etc/letsencrypt/live/) the key and chain are read from.
domains = [
    dict(cert_domain='a.example.com', cert_domain_local='example.com'),
    dict(cert_domain='b.example.com', cert_domain_local='example.com'),
    # add further domains here
]

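# Read the Qiniu key pair from the environment instead of hard-coding it:
# a key written into this file travels with every copy of the script and
# into version control. An empty key could never sign a request anyway, so
# failing fast with a clear message changes nothing for a working setup.
access_key = os.environ.get('QINIU_ACCESS_KEY', '')
secret_key = os.environ.get('QINIU_SECRET_KEY', '')

# Log only whether each key is present, never its value: this script runs as
# a certbot post_hook and its stdout is captured in the certbot log.
print('QINIU_ACCESS_KEY: ' + ('已设置' if access_key else '未设置'))
print('QINIU_SECRET_KEY: ' + ('已设置' if secret_key else '未设置'))

if not (access_key and secret_key):
    print('缺少 QINIU_ACCESS_KEY / QINIU_SECRET_KEY 环境变量，无法签名请求')
    sys.exit(1)

# Build the Qiniu request-signing object.
auth = Auth(access_key, secret_key)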

# 遍历处理每个域名
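def _response_body(response):
    """Return the decoded JSON body of *response*, or its raw text when it is not JSON.

    A proxy error page or an empty body makes ``response.json()`` raise;
    falling back to the text keeps the failure visible in the log instead
    of aborting the whole hook.
    """
    try:
        return response.json()
    except ValueError:
        return response.text


# Handle every configured domain in turn. One domain's failure must not abort
# the rest, because this runs unattended as a certbot post_hook, so each error
# path prints and `continue`s.
for domain in domains:
    cert_domain = domain['cert_domain']
    cert_domain_local = domain['cert_domain_local']

    print('处理域名: ' + cert_domain)

    # Upload the certificate. The request body carries the private key, so the
    # endpoint must be reached over TLS, never plain http://.
    sslcertUploadUrl = 'https://api.qiniu.com/sslcert'
    # The signed token is a credential: it goes into the header and is not logged.
    sslcert_accesstoken = auth.token_of_request(sslcertUploadUrl)

    sslcertFolder = '/etc/letsencrypt/live/' + cert_domain_local
    try:
        with open(sslcertFolder + '/privkey.pem') as sslcertPriFile:
            sslcertPriStr = sslcertPriFile.read()

        with open(sslcertFolder + '/fullchain.pem') as sslcertChainFile:
            sslcertChainStr = sslcertChainFile.read()
    except OSError as err:
        # Missing lineage, unreadable file, etc.: report it and move on.
        print('证书文件读取失败: {} ({})'.format(sslcertFolder, err))
        continue

    nowDate = datetime.date.today().strftime("%Y%m%d")
    sslcertData = {
        'name': cert_domain + '-letsencrypt-' + nowDate,
        'common_name': cert_domain,
        'pri': sslcertPriStr,
        'ca': sslcertChainStr
    }
    sslcertHeaders = {
        'Authorization': 'QBox ' + sslcert_accesstoken,
        'Content-Type': 'application/json'
    }
    # Print a redacted copy only: 'pri' is the private key, and the stdout of
    # a post_hook ends up in the certbot log.
    print('证书JSON数据如下(密钥与证书内容已隐去):')
    print(dict(sslcertData, pri='<redacted>', ca='<{} chars>'.format(len(sslcertChainStr))))

    try:
        # A hung request would block certbot indefinitely; the timeout surfaces here.
        sslcertUploadResponse = requests.post(
            sslcertUploadUrl, json=sslcertData, headers=sslcertHeaders, timeout=30)
    except requests.RequestException as err:
        print('证书上传请求失败: {}'.format(err))
        continue
    uploadResult = _response_body(sslcertUploadResponse)
    print(uploadResult)

    # Only a dict body can carry certID; anything else is treated as failure.
    certID = uploadResult.get('certID') if isinstance(uploadResult, dict) else None
    if certID is None:
        print('证书上传失败! HTTP {}'.format(sslcertUploadResponse.status_code))
        continue

    # Bind the uploaded certificate to the CDN domain's https config.
    cdnHttpsconfUrl = 'https://api.qiniu.com/domain/{}/httpsconf'.format(cert_domain)
    cdn_httpsconf_accesstoken = auth.token_of_request(cdnHttpsconfUrl)

    httpsconfData = {
        'certId': certID,
        'forceHttps': False,
        'http2Enable': True
    }
    httpsconfHeaders = {
        'Authorization': 'QBox ' + cdn_httpsconf_accesstoken,
        'Content-Type': 'application/json'
    }
    try:
        httpsconfResponse = requests.put(
            cdnHttpsconfUrl, json=httpsconfData, headers=httpsconfHeaders, timeout=30)
    except requests.RequestException as err:
        print('修改证书请求失败: {}'.format(err))
        continue
    print(_response_body(httpsconfResponse))
    # Report the HTTP status explicitly so a rejected update is not read as success.
    if not httpsconfResponse.ok:
        print('修改 {} 的七牛 CDN SSL 证书失败! HTTP {}'.format(cert_domain, httpsconfResponse.status_code))
        continue
    print('修改 {} 的七牛 CDN SSL 证书完成~'.format(cert_domain))

print('所有域名的 SSL 证书处理完成~')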

添加钩子

创建 certbot-qiniucdn.sh

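#!/bin/sh
# certbot post_hook: push the renewed certificate to Qiniu CDN.
# The file is invoked by path from the renewal config, so keep it executable (chmod +x).
# certbot-qiniucdn.py is Python 3 code (it catches FileNotFoundError); if `python`
# is Python 2 on this host, call python3 here instead.
exec python /usr/certbot-qiniucdn.py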

添加到/etc/letsencrypt/renewal/example.com.conf

...
post_hook = /path/certbot-qiniucdn.sh
...