ebaa7f3c50
- 移除未使用的YAML锚点定义 - 替换commands字段中的锚点引用为实际值 - 移除有问题的通知步骤 - 修复测试文件中的问题 - 添加新的测试用例和配置文件
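#!/bin/bash
# 方案A (option A): obtain a Let's Encrypt wildcard certificate for DOMAIN
# using the Tencent Cloud DNS-01 plugin, copy it into the nginx SSL directory
# and install a daily renewal cron job.
#
# Required environment:
#   TENCENTCLOUD_SECRET_ID, TENCENTCLOUD_SECRET_KEY - Tencent Cloud API key
#   (it must be allowed to edit DNS records for DOMAIN; the plugin writes the
#   _acme-challenge TXT records with it).
# Must run as root: installs packages, writes /root/.secrets and edits root's
# crontab.
set -euo pipefail

readonly DOMAIN="f.novalon.cn"
readonly EMAIL="ops@novalon.cn"
readonly SSL_BASE_DIR="/home/novalon/docker-app/novalon-nginx/ssl"
readonly CREDS_DIR="/root/.secrets"
readonly CREDS_FILE="${CREDS_DIR}/tencentcloud.ini"
readonly RENEW_LOG="/var/log/certbot-renew-wildcard.log"

#######################################
# Print the banner describing this option.
#######################################
print_banner() {
  echo "========================================="
  echo "方案A: 通配符SSL证书申请 (DNS验证)"
  echo "========================================="
  echo "说明: 使用Let's Encrypt申请通配符证书"
  echo "优点: 一个证书覆盖所有二级域名"
  echo "缺点: 需要腾讯云API密钥和DNS插件"
  echo ""
}

#######################################
# Abort with setup instructions unless both Tencent Cloud API secrets are set.
# Uses ${VAR:-} so the check itself does not trip `set -u`.
# Outputs: instructions on stderr
# Returns: exits 1 when a secret is missing
#######################################
require_credentials() {
  if [ -z "${TENCENTCLOUD_SECRET_ID:-}" ] || [ -z "${TENCENTCLOUD_SECRET_KEY:-}" ]; then
    {
      echo "错误: 需要腾讯云API密钥"
      echo ""
      echo "请设置环境变量:"
      echo "export TENCENTCLOUD_SECRET_ID=your-secret-id"
      echo "export TENCENTCLOUD_SECRET_KEY=your-secret-key"
      echo ""
      echo "获取密钥:"
      echo "1. 登录腾讯云控制台: https://console.cloud.tencent.com"
      echo "2. 访问管理 > API密钥管理"
      echo "3. 创建或查看密钥"
    } >&2
    exit 1
  fi
}

#######################################
# Install certbot and the Tencent Cloud DNS plugin if they are missing.
#######################################
install_deps() {
  if ! command -v certbot &> /dev/null; then
    yum install -y certbot
  fi
  if ! python3 -c "import certbot_dns_tencentcloud" 2>/dev/null; then
    # NOTE(review): this pulls an unpinned package from PyPI onto a host that
    # handles the private key and API secrets; consider pinning a reviewed
    # release, e.g. `pip3 install 'certbot-dns-tencentcloud==<pinned-version>'`.
    pip3 install certbot-dns-tencentcloud
  fi
}

#######################################
# Write the DNS plugin credentials file.
# The file is (re)created under umask 077, so the secrets are never on disk
# with a permissive mode; `cat > file` followed by chmod left a window in
# which the file carried the default umask permissions.
# Globals: CREDS_DIR, CREDS_FILE, TENCENTCLOUD_SECRET_ID, TENCENTCLOUD_SECRET_KEY
#######################################
write_credentials() {
  mkdir -p "${CREDS_DIR}"
  chmod 700 "${CREDS_DIR}"
  rm -f -- "${CREDS_FILE}"
  (
    umask 077
    cat > "${CREDS_FILE}" <<EOF
dns_tencentcloud_secret_id = ${TENCENTCLOUD_SECRET_ID}
dns_tencentcloud_secret_key = ${TENCENTCLOUD_SECRET_KEY}
EOF
  )
  chmod 600 "${CREDS_FILE}"
}

#######################################
# Request the wildcard certificate (covers *.DOMAIN and DOMAIN) via DNS-01.
# Globals: DOMAIN, EMAIL, CREDS_FILE
# Returns: certbot's exit status (non-zero aborts the script under set -e)
#######################################
request_cert() {
  certbot certonly \
    --authenticator dns-tencentcloud \
    --dns-tencentcloud-credentials "${CREDS_FILE}" \
    --dns-tencentcloud-cleanup-interval 120 \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --email "${EMAIL}" \
    --agree-tos \
    --no-eff-email \
    -d "*.${DOMAIN}" \
    -d "${DOMAIN}"
}

#######################################
# Copy the issued certificate into the nginx SSL directory.
# install(1) copies and sets the mode in one step, so privkey.pem never sits
# in the destination with a looser mode than 600.
# Globals: DOMAIN, SSL_BASE_DIR
#######################################
install_cert() {
  local live_dir="/etc/letsencrypt/live/${DOMAIN}"
  local dest="${SSL_BASE_DIR}/wildcard"
  mkdir -p "${dest}"
  install -m 644 "${live_dir}/fullchain.pem" "${dest}/fullchain.pem"
  install -m 600 "${live_dir}/privkey.pem" "${dest}/privkey.pem"
}

#######################################
# Install (or replace) the daily renewal job in root's crontab.
# `crontab -l` fails when no crontab exists yet and `grep -v` exits 1 when it
# prints nothing; with set -e either one aborted the old subshell before the
# job line was echoed, so an EMPTY crontab was installed and the script still
# reported success. The filter is therefore made best-effort with `|| true`.
# Globals: DOMAIN, RENEW_LOG
#######################################
install_cron() {
  local job
  job="0 3 * * * certbot renew --quiet --cert-name ${DOMAIN} --post-hook 'docker restart novalon-nginx' >> ${RENEW_LOG} 2>&1"
  {
    crontab -l 2>/dev/null | grep -v "certbot.*${DOMAIN}" || true
    printf '%s\n' "${job}"
  } | crontab -
}

#######################################
# Print the paths and coverage of the installed certificate.
# Globals: DOMAIN, SSL_BASE_DIR
#######################################
print_summary() {
  echo "========================================="
  echo "通配符证书申请成功!"
  echo "========================================="
  echo "证书路径:"
  echo " - ${SSL_BASE_DIR}/wildcard/fullchain.pem"
  echo " - ${SSL_BASE_DIR}/wildcard/privkey.pem"
  echo ""
  echo "容器内路径: /etc/nginx/ssl/wildcard/"
  echo ""
  echo "覆盖域名:"
  echo " - *.${DOMAIN}"
  echo " - ${DOMAIN}"
  echo ""
  echo "有效期: 90天"
  echo "自动续期: 每天凌晨3点检查"
  echo "========================================="
}

main() {
  print_banner
  require_credentials

  echo "步骤1: 安装certbot和腾讯云DNS插件..."
  install_deps

  echo ""
  echo "步骤2: 创建腾讯云DNS配置文件..."
  write_credentials

  echo ""
  echo "步骤3: 申请通配符证书..."
  request_cert

  echo ""
  echo "步骤4: 复制证书到nginx SSL目录..."
  install_cert

  echo ""
  echo "步骤5: 设置自动续期..."
  install_cron

  echo ""
  print_summary
}

main "$@"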