#!/bin/bash
# Option A: obtain a wildcard Let's Encrypt certificate for ${DOMAIN} via
# DNS-01 validation with the Tencent Cloud DNS plugin, then register a daily
# renewal cron job. Runs as root: it writes under /root/.secrets, installs
# packages with yum/pip3 and rewrites root's crontab.
#
# Required environment:
#   TENCENTCLOUD_SECRET_ID, TENCENTCLOUD_SECRET_KEY - Tencent Cloud API
#   credentials; read from the environment (not argv) so they do not appear
#   in `ps` output.
#
# NOTE(review): `set -e` alone does not fail a pipeline whose non-final stage
# fails; `set -euo pipefail` would also catch a failing `crontab -l`/`pip3`.
set -e
echo "========================================="
echo "方案A: 通配符SSL证书申请 (DNS验证)"
echo "========================================="
echo "说明: 使用Let's Encrypt申请通配符证书"
echo "优点: 一个证书覆盖所有二级域名"
echo "缺点: 需要腾讯云API密钥和DNS插件"
echo ""
# Certificate subject (the summary at the end also lists *.f.novalon.cn),
# contact address, and the host directory that the nginx container sees as
# /etc/nginx/ssl. EMAIL is not referenced in the part of the script that
# survived on this page; presumably it goes to certbot — confirm.
DOMAIN="f.novalon.cn"
EMAIL="ops@novalon.cn"
SSL_BASE_DIR="/home/novalon/docker-app/novalon-nginx/ssl"
# Fail fast unless both API credentials are present; print how to obtain them.
if [ -z "$TENCENTCLOUD_SECRET_ID" ] || [ -z "$TENCENTCLOUD_SECRET_KEY" ]; then
  echo "错误: 需要腾讯云API密钥"
  echo ""
  echo "请设置环境变量:"
  echo "export TENCENTCLOUD_SECRET_ID=your-secret-id"
  echo "export TENCENTCLOUD_SECRET_KEY=your-secret-key"
  echo ""
  echo "获取密钥:"
  echo "1. 登录腾讯云控制台: https://console.cloud.tencent.com"
  echo "2. 访问管理 > API密钥管理"
  echo "3. 创建或查看密钥"
  exit 1
fi
echo "步骤1: 安装certbot和腾讯云DNS插件..."
# Install certbot (yum) and the DNS plugin (pip3) only when not already present.
# NOTE(review): the plugin is pulled from PyPI unpinned and runs with root
# privileges and the DNS API key; pin a version (ideally with --require-hashes)
# so the supply chain is reviewable and reproducible.
if ! command -v certbot &> /dev/null; then
  yum install -y certbot
fi
if ! python3 -c "import certbot_dns_tencentcloud" 2>/dev/null; then
  pip3 install certbot-dns-tencentcloud
fi
echo ""
echo "步骤2: 创建腾讯云DNS配置文件..."
# The API secret is written to /root/.secrets/tencentcloud.ini for certbot.
# NOTE(review): nothing visible here restricts permissions; set `umask 077`
# (or chmod 700 on the directory and chmod 600 on the ini) before the secret
# is written, not after, so it is never world-readable even briefly.
mkdir -p /root/.secrets
# NOTE(review): the middle of this command was lost when the page was
# extracted — the heredoc body for the ini file, any chmod, the
# `certbot certonly` invocation, the copy into ${SSL_BASE_DIR}/wildcard and the
# opening of the crontab subshell are all missing. What remains is not valid
# bash (unbalanced `)`) and must be restored from the original script; the
# credentials file, the certbot flags and the cert copy could not be reviewed.
#
# Surviving tail: root's crontab is rebuilt by filtering out any existing
# `certbot … ${DOMAIN}` line and appending a 03:00 daily `certbot renew` whose
# --post-hook restarts the nginx container, logging to
# /var/log/certbot-renew-wildcard.log.
# NOTE(review): `grep -v` exits 1 when nothing is left after filtering (e.g.
# an empty crontab); inside a `set -e` subshell that can end the list before
# the echo runs, so `crontab -` may be fed empty input and replace root's
# crontab with nothing. Guard it: `grep -v "certbot.*${DOMAIN}" || true`.
# NOTE(review): if the cert is copied into ${SSL_BASE_DIR}/wildcard rather than
# bind-mounted from /etc/letsencrypt, a renewal also needs a deploy step to
# refresh that copy before the restart — confirm against the lost section.
cat > /root/.secrets/tencentcloud.ini </dev/null | grep -v "certbot.*${DOMAIN}"; echo "0 3 * * * certbot renew --quiet --cert-name ${DOMAIN} --post-hook 'docker restart novalon-nginx' >> /var/log/certbot-renew-wildcard.log 2>&1") | crontab -
echo ""
echo "========================================="
echo "通配符证书申请成功!"
echo "========================================="
echo "证书路径:"
echo " - ${SSL_BASE_DIR}/wildcard/fullchain.pem"
echo " - ${SSL_BASE_DIR}/wildcard/privkey.pem"
echo ""
echo "容器内路径: /etc/nginx/ssl/wildcard/"
echo ""
echo "覆盖域名:"
echo " - *.f.novalon.cn"
echo " - f.novalon.cn"
echo ""
echo "有效期: 90天"
echo "自动续期: 每天凌晨3点检查"
echo "========================================="