I don't have a hostloc account, so I can't reply there; posting the script I wrote to automatically renew SSL certificates, in case it helps someone who needs it. ps:
```bash
#!/bin/bash
# Automatically update certs for Synology DSM6
# 1. Migrate your domain to Cloudflare, and create an A type record.
# 2. Generate a token with zone view authority and dns edit authority.
# 3. Install acme.sh on DSM6, no crontab needed: ./acme.sh --install --force -m [email protected]
# 4. Put this script into the user-defined task scheduler, executed once every month or two.
# 5. Make sure this script is executed once immediately by your scheduled task, or just execute it once manually.
# Modify these as your own.
# See https://github.com/acmesh-official/acme.sh/wiki/dnsapi#using-the-new-cloudflare-api-token-you-will-get-this-after-normal-login-and--scroll-down-on-dashboard-and-copy-credentials
export CF_Account_ID="xxx"
export CF_Zone_ID="xxx"
export CF_Token="xxx"
DOMAIN_RECORD='example.com'
ACME_HOME="$HOME/.acme.sh"
ACME_SH="$ACME_HOME/acme.sh"
if ! command -v "$ACME_SH" &>/dev/null; then
    echo "Please install acme.sh."
    exit 1
fi
DOMAIN_CERT_HOME="$ACME_HOME/$DOMAIN_RECORD"
# Every DSM location that holds a copy of the system certificate.
# The first entry is the archive folder DSM marks as DEFAULT.
TARGET_DIRS=(
    "/usr/syno/etc/certificate/_archive/$(head -n1 /usr/syno/etc/certificate/_archive/DEFAULT | xargs echo -n)"
    '/usr/syno/etc/certificate/system/default'
    '/usr/syno/etc/certificate/smbftpd/ftpd'
    '/usr/local/etc/certificate/CardDAVServer/carddav'
    '/usr/local/etc/certificate/SynologyDrive/SynologyDrive'
    '/usr/local/etc/certificate/WebDAVServer/webdav'
)
issue_or_renew() {
    cert_issued=0
    domains=()
    # First column of `acme.sh --list` is the main domain of each issued cert.
    while IFS='' read -r line; do domains+=("$line"); done < <("$ACME_SH" --list | awk '{print $1}')
    for domain in "${domains[@]}"; do
        if [ "$domain" = "$DOMAIN_RECORD" ]; then
            cert_issued=1
            break
        fi
    done
    if [ "$cert_issued" -eq 0 ]; then
        rm -rf "$DOMAIN_CERT_HOME"
        # Issue certs via zerossl; for letsencrypt you'd have to update ca-certificates on DSM6.
        # Since DSM6 does not support ecc, rsa (-k) must be specified, or the system default certs will be overridden by DSM6 on reboot.
        "$ACME_SH" --issue --server zerossl --dns dns_cf -d "$DOMAIN_RECORD" -k 2048
    else
        "$ACME_SH" --renew --force -d "$DOMAIN_RECORD"
    fi
}
copy_certs() {
    echo "Copying certs...."
    for dir in "${TARGET_DIRS[@]}"; do
        install -m 400 "$DOMAIN_CERT_HOME/$DOMAIN_RECORD.cer" "$dir/cert.pem"
        install -m 400 "$DOMAIN_CERT_HOME/$DOMAIN_RECORD.key" "$dir/privkey.pem"
        install -m 400 "$DOMAIN_CERT_HOME/fullchain.cer" "$dir/fullchain.pem"
    done
    echo "Certs copy completed."
}
restart_services() {
    echo "Restarting services...."
    nginx -s reload
    /var/packages/WebDAVServer/scripts/start-stop-status stop
    /var/packages/CardDAVServer/scripts/start-stop-status stop
    sleep 20
    /var/packages/WebDAVServer/scripts/start-stop-status start
    /var/packages/CardDAVServer/scripts/start-stop-status start
    /var/packages/SynologyDrive/scripts/start-stop-status restart
    echo "Services restart completed."
}
echo '--------------------------------------'
issue_or_renew
copy_certs
restart_services
```
1
Masoud2023 2023-08-30 09:16:29 +08:00
You didn't remove the secrets from your own code.
2
Masoud2023 2023-08-30 09:16:55 +08:00 1
The 10 minutes aren't up yet, edit it out quickly; if they are, go regenerate it in the dashboard.
3
yinaqu OP @Masoud2023 Removed. Deleted the cf token as well, thanks.
4
wander555 2023-08-30 09:44:34 +08:00
Use npm, it's more convenient and handles renewal by itself.
5
Junichi 2023-08-30 10:32:07 +08:00
6
skiy 2023-08-30 13:02:19 +08:00
Renew with acme.sh's alias mode; domains hosted on different DNS providers can all be centralized onto one.
https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode#1-first-set-domain-cname

Use acme.sh's built-in `--install-cert` command line, which can install straight into different directories.

Use acme.sh's built-in `--reloadcmd` command line, which runs a command or script after the certificate is renewed (you just need to wrap your `restart_services` in one).
https://github.com/acmesh-official/acme.sh/wiki/Using-pre-hook-post-hook-renew-hook-reloadcmd

```bash
# for example
acme.sh --install-cert --ecc -d a.com --key-file /usr/local/nginx/conf/ssl/a.com.key --fullchain-file /usr/local/nginx/conf/ssl/a.com.fullchain.cer --reloadcmd "systemctl reload nginx"
```

You can also add a renewal notification: https://github.com/acmesh-official/acme.sh/wiki/notify
7
emberzhang 2023-08-30 13:06:54 +08:00
https://github.com/certd/certd I've been using this lately; it feels pretty convenient.
8
yinaqu OP @Junichi This one is written fairly well. It only restarts nginx and apache; I'm not really sure whether restarting just apache is enough to restart webdav, sync and all the rest.
9
yinaqu OP @skiy This `install-cert` doesn't seem able to install into multiple directories, does it? reloadcmd is just a hook; I haven't stuffed that long stretch of restart commands of mine into its hook.
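An added example (written for this edit, not code from skiy, yinaqu or the acme.sh project) that ties comment 6 and the OP's reply in comment 9 together: acme.sh records only the most recent `--install-cert` paths and `--reloadcmd` in the domain's conf and replays them on every automatic renewal, so repeated `--install-cert` calls do not give you several destinations. The pattern that does work is to register one primary destination once and let the reload hook fan the files out to the remaining DSM6 directories and restart the services. The script below is both the hook and the one-time registration helper; the directory list, the `example.com` domain and the hook file name `dsm-cert-hook.sh` are assumptions taken from the OP's script.

```bash
#!/bin/bash
# dsm-cert-hook.sh (assumed name). Added example, not from the thread.
#   ./dsm-cert-hook.sh register   # prints the one-time acme.sh --install-cert line
#   ./dsm-cert-hook.sh reload     # what acme.sh runs after every renewal
# acme.sh keeps the latest --install-cert paths and --reloadcmd for the domain
# and reuses them on each renewal, so the multi-directory copy lives here.

DOMAIN_RECORD="${DOMAIN_RECORD:-example.com}"          # assumption: OP's domain placeholder
ACME_SH="${ACME_SH:-$HOME/.acme.sh/acme.sh}"
# Primary destination acme.sh writes into directly; the others are copied from it.
PRIMARY_DIR="${PRIMARY_DIR:-/usr/syno/etc/certificate/system/default}"
# Remaining DSM6 locations (assumed, taken from the OP's TARGET_DIRS).
TARGET_DIRS=(
    '/usr/syno/etc/certificate/smbftpd/ftpd'
    '/usr/local/etc/certificate/CardDAVServer/carddav'
    '/usr/local/etc/certificate/SynologyDrive/SynologyDrive'
    '/usr/local/etc/certificate/WebDAVServer/webdav'
)
HOOK_PATH="${HOOK_PATH:-$(readlink -f "${BASH_SOURCE[0]}")}"

# Print the one-time registration command. After it has run once as root,
# acme.sh re-installs into PRIMARY_DIR and calls "<hook> reload" on every renewal.
install_cert_cmd() {
    printf '%s --install-cert -d %s --cert-file %s/cert.pem --key-file %s/privkey.pem --fullchain-file %s/fullchain.pem --reloadcmd "%s reload"\n' \
        "$ACME_SH" "$DOMAIN_RECORD" "$PRIMARY_DIR" "$PRIMARY_DIR" "$PRIMARY_DIR" "$HOOK_PATH"
}

# Copy cert.pem/privkey.pem/fullchain.pem from $1 into every TARGET_DIRS entry
# with mode 400. Refuses to touch anything if the source set is incomplete,
# so a half-written renewal never leaves services with mismatched files.
fan_out_certs() {
    local src="$1" dir f
    for f in cert.pem privkey.pem fullchain.pem; do
        [ -s "$src/$f" ] || { echo "missing $src/$f, not copying" >&2; return 1; }
    done
    for dir in "${TARGET_DIRS[@]}"; do
        mkdir -p "$dir"
        for f in cert.pem privkey.pem fullchain.pem; do
            install -m 400 "$src/$f" "$dir/$f"
        done
    done
}

# Same restart sequence as the OP's script, now driven by acme.sh's reloadcmd.
restart_services() {
    nginx -s reload
    /var/packages/WebDAVServer/scripts/start-stop-status stop
    /var/packages/CardDAVServer/scripts/start-stop-status stop
    sleep 20
    /var/packages/WebDAVServer/scripts/start-stop-status start
    /var/packages/CardDAVServer/scripts/start-stop-status start
    /var/packages/SynologyDrive/scripts/start-stop-status restart
}

case "${1:-}" in
    register) install_cert_cmd; echo "Run the line above once as root." ;;
    reload)   fan_out_certs "$PRIMARY_DIR" && restart_services ;;
esac
```

The hook exits non-zero when the primary directory is incomplete, which acme.sh reports as a failed reloadcmd, so a broken renewal shows up in the task scheduler's output instead of silently leaving WebDAV or Drive on the old certificate.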
10
yinaqu OP @emberzhang Nice find. I never really explored these and just wrote my own. Does this support custom service restarts?
11
emberzhang 2023-08-31 08:48:24 +08:00
@yinaqu Just add an "execute remote host script command" step after each "upload certificate to host" task.