bot_ym
/
water-management-system
Прати 6
Волим 0
Креирај огранак 0
Код Дискусије 0 Захтеви за спајање 0 Издања 0 Вики Activity
智慧水务管理系统 - 精河县供水工程综合管理平台
88 Комити
2 Гране
Дрво: 81ca9d6e74
Гране Ознаке
${ item.name }
Create branch ${ searchTerm }
from '81ca9d6e74'
${ noResults }
water-management-system/deploy/production/nginx/certbot-renew.sh

certbot-renew.sh 4.1KB
Историја Датотека

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160 
  1. #!/bin/bash

  2. # ============================================================

  3. # Let's Encrypt 证书自动续期脚本

  4. # 

  5. # 首次申请证书:

  6. #   certbot certonly --webroot -w /var/www/certbot \

  7. #     -d your-domain.com -d www.your-domain.com \

  8. #     --email admin@your-domain.com --agree-tos --no-eff-email

  9. #

  10. # 配置 cron 自动续期 (每天凌晨 3 点检查):

  11. #   0 3 * * * /opt/water-management/deploy/production/nginx/certbot-renew.sh >> /var/log/certbot-renew.log 2>&1

  12. # ============================================================

  13. set -euo pipefail

  14. 

  15. # ==================== 配置 ====================

  16. DOMAIN="${DOMAIN:-water.example.com}"

  17. WEBROOT="/var/www/certbot"

  18. EMAIL="${CERTBOT_EMAIL:-admin@example.com}"

  19. NGINX_CONTAINER="${NGINX_CONTAINER:-wm-frontend}"

  20. RENEW_DAYS_BEFORE_EXPIRY=30

  21. 

  22. # ==================== 函数 ====================

  23. 

  24. log() {

  25.     echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"

  26. }

  27. 

  28. # 检查证书是否需要续期

  29. check_cert_expiry() {

  30.     local cert_path="/etc/letsencrypt/live/${DOMAIN}/fullchain.pem"

  31.     

  32.     if [ ! -f "$cert_path" ]; then

  33.         log "⚠️ 证书文件不存在: $cert_path"

  34.         return 1

  35.     fi

  36.     

  37.     local expiry_date

  38.     expiry_date=$(openssl x509 -enddate -noout -in "$cert_path" | cut -d= -f2)

  39.     local expiry_epoch

  40.     expiry_epoch=$(date -d "$expiry_date" +%s)

  41.     local now_epoch

  42.     now_epoch=$(date +%s)

  43.     local days_left=$(( (expiry_epoch - now_epoch) / 86400 ))

  44.     

  45.     log "📅 证书过期时间: $expiry_date (剩余 ${days_left} 天)"

  46.     

  47.     if [ $days_left -le $RENEW_DAYS_BEFORE_EXPIRY ]; then

  48.         log "⚠️ 证书将在 ${days_left} 天内过期,需要续期"

  49.         return 0

  50.     else

  51.         log "✅ 证书有效,无需续期"

  52.         return 1

  53.     fi

  54. }

  55. 

  56. # 首次申请证书

  57. init_cert() {

  58.     log "🔐 首次申请证书..."

  59.     

  60.     # 确保 webroot 目录存在

  61.     mkdir -p "$WEBROOT"

  62.     

  63.     # 使用 webroot 方式申请(不需要停止 Nginx)

  64.     certbot certonly --webroot \

  65.         -w "$WEBROOT" \

  66.         -d "$DOMAIN" \

  67.         --email "$EMAIL" \

  68.         --agree-tos \

  69.         --no-eff-email \

  70.         --non-interactive

  71.     

  72.     if [ $? -eq 0 ]; then

  73.         log "✅ 证书申请成功"

  74.         reload_nginx

  75.     else

  76.         log "❌ 证书申请失败"

  77.         exit 1

  78.     fi

  79. }

  80. 

  81. # 续期证书

  82. renew_cert() {

  83.     log "🔄 开始续期证书..."

  84.     

  85.     certbot renew \

  86.         --webroot \

  87.         -w "$WEBROOT" \

  88.         --non-interactive \

  89.         --quiet

  90.     

  91.     if [ $? -eq 0 ]; then

  92.         log "✅ 证书续期成功"

  93.         reload_nginx

  94.     else

  95.         log "❌ 证书续期失败"

  96.         send_alert "证书续期失败,请手动检查!"

  97.         exit 1

  98.     fi

  99. }

  100. 

  101. # 重载 Nginx

  102. reload_nginx() {

  103.     log "🔄 重载 Nginx 配置..."

  104.     

  105.     if docker exec "$NGINX_CONTAINER" nginx -s reload 2>/dev/null; then

  106.         log "✅ Nginx 重载成功"

  107.     else

  108.         log "⚠️ Docker 方式重载失败,尝试系统方式..."

  109.         systemctl reload nginx 2>/dev/null || nginx -s reload 2>/dev/null || true

  110.     fi

  111. }

  112. 

  113. # 发送告警(企业微信 Webhook)

  114. send_alert() {

  115.     local message="$1"

  116.     local webhook="${WECOM_WEBHOOK:-}"

  117.     

  118.     if [ -z "$webhook" ]; then

  119.         log "⚠️ 未配置企业微信 Webhook,跳过告警"

  120.         return 0

  121.     fi

  122.     

  123.     local payload

  124.     payload=$(cat <<EOF

  125. {

  126.     "msgtype": "text",

  127.     "text": {

  128.         "content": "🚨 证书告警 [${DOMAIN}]\n${message}\n时间: $(date '+%Y-%m-%d %H:%M:%S')"

  129.     }

  130. }

  131. EOF

  132. )

  133.     

  134.     curl -s -X POST "$webhook" \

  135.         -H "Content-Type: application/json" \

  136.         -d "$payload" > /dev/null 2>&1 || true

  137.     

  138.     log "📤 告警已发送"

  139. }

  140. 

  141. # ==================== 主逻辑 ====================

  142. 

  143. log "========================================="

  144. log "Let's Encrypt 证书管理 - ${DOMAIN}"

  145. log "========================================="

  146. 

  147. # 检查证书是否存在

  148. if [ ! -d "/etc/letsencrypt/live/${DOMAIN}" ]; then

  149.     log "📋 证书不存在,执行首次申请"

  150.     init_cert

  151. else

  152.     # 检查是否需要续期

  153.     if check_cert_expiry; then

  154.         renew_cert

  155.     fi

  156. fi

  157. 

  158. log "========================================="

  159. log "执行完毕"

  160. log "========================================="