While I was having dinner this evening, I received an email with the following content:
Hello,
Action may be required to prevent your Let's Encrypt certificate renewals from
breaking.
If you already received a similar e-mail, this one contains updated information.
Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue a
certificate in the past 7 days. Below is a list of names and IP addresses
validated (max of one per account):
[www.xxx.edu.cn](http://www.xxx.edu.cn/) (114.xx.xxx.xx) on 2019-02-11
TLS-SNI-01 validation is reaching end-of-life. It will stop working
temporarily on February 13th, 2019, and permanently on March 13th,
2019. Any certificates issued before then will continue to work for 90
days after their issuance date.
You need to update your ACME client to use an alternative validation method
(HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals
will break and existing certificates will start to expire.
Our staging environment already has TLS-SNI-01 disabled, so if you'd like to
test whether your system will work after February 13, you can run against
staging: [https://letsencrypt.org/docs/staging-environment/](https://letsencrypt.org/docs/staging-environment/)
I thought, uh-oh, the automatic HTTPS renewal is broken.
So, following the hint, I found this article on the official site:
https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210
I went through the steps it describes and found that my certbot version was lower than 0.28:
certbot --version || /path/to/certbot-auto --version
- Remove any explicit references to tls-sni-01 in the renewal configuration:
sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"
- Do a full renewal dry run:
sudo certbot renew --dry-run
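If the dry run succeeds and your Certbot version is 0.28 or higher, you're all set! No further action is needed to deal with the end of TLS-SNI-01 support. If it fails, fix the validation problems you see and try again.
Upgrade certbot: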
sudo yum install python2-certbot-nginx
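Done, although I'm still a little uneasy, so I'll check again after a while. The way those foreigners put it made it sound rather alarming.
Finally, a friendly reminder: do not add --dry-run when doing the actual renewal.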
certbot renew --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx" --dry-run
I hadn't even noticed that my earlier renewals were not succeeding. Ugh.
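The two problems above (a leftover tls-sni-01 entry in pref_challs, and a scheduled renew command that still carries --dry-run) can be checked with a short script. This is an added example, not part of the original post or of certbot; the function names and the sample config files are constructed for illustration, and it runs against a temporary directory rather than /etc/letsencrypt/renewal.

```shell
#!/bin/sh
# Added example (not from the original post): audit a certbot host for the two
# problems described above. Function names are hypothetical.

# Print renewal configs whose pref_challs line still names tls-sni-01.
# $1: renewal directory (/etc/letsencrypt/renewal on a real host)
find_tls_sni() {
    grep -l '^pref_challs.*tls-sni-01' "$1"/*.conf 2>/dev/null
}

# Apply the post's sed substitution to a directory (run as root on a real host).
fix_tls_sni() {
    sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' "$1"/*.conf &&
        rm -f "$1"/*.bak
}

# Return 0 if a scheduled command is a certbot renew that only simulates renewal.
# $1: command line as written in cron or a systemd unit
is_dry_run_only() {
    case "$1" in
        *certbot*renew*--dry-run*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build a constructed renewal directory: one stale config, one clean one.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '[renewalparams]\nauthenticator = nginx\npref_challs = tls-sni-01,\n' \
        > "$d/stale.example.test.conf"
    printf '[renewalparams]\nauthenticator = nginx\npref_challs = http-01,\n' \
        > "$d/clean.example.test.conf"
    echo "$d"
}

dir=$(make_sample_dir)
echo "before fix:"; find_tls_sni "$dir"
fix_tls_sni "$dir"
echo "after fix: $(find_tls_sni "$dir" | wc -l) stale file(s)"
for cmd in 'certbot renew --pre-hook "/bin/systemctl stop nginx" --dry-run' \
           'certbot renew --post-hook "/bin/systemctl start nginx"'; do
    if is_dry_run_only "$cmd"; then echo "SIMULATION ONLY: $cmd"
    else echo "real renewal: $cmd"; fi
done
rm -rf "$dir"
```

On a real host, pass /etc/letsencrypt/renewal to find_tls_sni and feed is_dry_run_only the renew line from your crontab or timer unit.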