Requesting an SSL certificate (Let's Encrypt) with apply_ssl_certificate.py

The core program that apply_ssl_certificate.py invokes is certbot. certbot automatically detects the Nginx configuration, then requests the SSL certificate and configures it.

[root@dev-rocky9-shanghai-area0 python]# certbot --nginx -d test.ponfey.com # During the run, Certbot prompts for an email address used for notifications, asks whether you agree to the terms of service, and finally verifies ownership of the domain.

Install nginx

[root@dev-rocky9-shanghai-area0 ~]# dnf install nginx -y 

Install certbot

[root@dev-rocky9-shanghai-area0 ~]# dnf install certbot python3-certbot-nginx -y 

Sample nginx.conf configuration

[root@dev-rocky9-shanghai-area0 ~]# getvalue /etc/nginx/nginx.conf.bak_for_apply_ssl_certificate_240613:server # The key points are the listen on nginx port 80 and the server_name for the domain: certbot uses them to request the certificate and validate the server. If all goes well, certbot automatically modifies the Nginx configuration to enable HTTPS and restarts the Nginx service. My /etc/nginx/nginx.conf serves other purposes and holds other configuration, so it is not used directly; after the run it is backed up as /etc/nginx/nginx.conf.bak_for_apply_ssl_certificate_240613
    ...
        listen       80;
        listen       [::]:80;
        server_name  test.ponfey.com;
        ...

Run apply_ssl_certificate.py to request and create the Let's Encrypt certificate

[root@dev-rocky9-shanghai-area0 python]# python3 apply_ssl_certificate.py 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): richard@ponfey.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for test.ponfey.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/test.ponfey.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/test.ponfey.com/privkey.pem
This certificate expires on 2024-09-11.
These files will be updated when the certificate renews.

Deploying certificate
Successfully deployed certificate for test.ponfey.com to /etc/nginx/nginx.conf
Congratulations! You have successfully enabled HTTPS on https://test.ponfey.com

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SSL certificate for test.ponfey.com applied successfully.

Generated directory structure

[root@dev-rocky9-shanghai-area0 python]# ll /data/richard/test.ponfey.com/
总用量 16
-rw-r--r-- 1 root root 1285  6月 13 15:01 cert1.pem # renamed to test.ponfey.com.pem
-rw-r--r-- 1 root root 1566  6月 13 15:01 chain1.pem
-rw-r--r-- 1 root root 2851  6月 13 15:01 fullchain1.pem
-rw-r--r-- 1 root root  241  6月 13 15:01 privkey1.pem  # renamed to test.ponfey.com.key
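The listing above shows the private key copied as privkey1.pem with mode -rw-r--r--, i.e. readable by every local user, and the page then renames the files by hand. The following is an added example, not code from the original post: it performs the same rename (cert1.pem to test.ponfey.com.pem, privkey1.pem to test.ponfey.com.key) while checking that each file really is a PEM certificate or key and writing the key with mode 0600. The source directory is assumed to use certbot's archive naming exactly as in the listing; the make_demo_dir helper builds a constructed stand-in directory with dummy PEM bodies (not real key material) so the example runs offline.

```python
#!/usr/bin/python3
# Added example (not the original apply_ssl_certificate.py): install the
# files certbot produced under the names used on the page, and make sure the
# private key does not stay world-readable as it is in the listing above.
import os
import stat
import tempfile
from pathlib import Path

CERT_HEADER = "-----BEGIN CERTIFICATE-----"
KEY_HEADERS = ("-----BEGIN PRIVATE KEY-----",
               "-----BEGIN EC PRIVATE KEY-----",
               "-----BEGIN RSA PRIVATE KEY-----")

# (role, certbot archive name, installed name, expected PEM kind, file mode)
FILES = [
    ("cert", "cert1.pem", "{domain}.pem", "cert", 0o644),
    ("fullchain", "fullchain1.pem", "{domain}.fullchain.pem", "cert", 0o644),
    ("key", "privkey1.pem", "{domain}.key", "key", 0o600),
]


def pem_kind(path: Path) -> str:
    """Classify a PEM file by its first armour line: 'cert', 'key' or 'unknown'."""
    lines = path.read_text(encoding="ascii", errors="replace").lstrip().splitlines()
    head = lines[0] if lines else ""
    if head == CERT_HEADER:
        return "cert"
    if head in KEY_HEADERS:
        return "key"
    return "unknown"


def file_mode(path: Path) -> int:
    """Permission bits only (e.g. 0o644), without the file-type bits."""
    return stat.S_IMODE(path.stat().st_mode)


def world_readable(path: Path) -> bool:
    """True if group or other can read the file; a private key must never be."""
    return bool(path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH))


def install_cert_files(src_dir: Path, dst_dir: Path, domain: str) -> dict:
    """Copy certbot's files into dst_dir under <domain>.pem / .fullchain.pem / .key.

    fullchain1.pem (leaf plus intermediate) is what nginx's ssl_certificate
    directive needs, so it is installed alongside the bare leaf certificate.
    The key is created with mode 0600 from the start, whatever the source mode.
    """
    dst_dir.mkdir(parents=True, exist_ok=True)
    installed = {}
    for role, src_name, dst_tmpl, kind, mode in FILES:
        src = src_dir / src_name
        if pem_kind(src) != kind:
            raise ValueError(f"{src} does not look like a PEM {kind}")
        dst = dst_dir / dst_tmpl.format(domain=domain)
        # Open with the final mode so the key never exists on disk with a
        # looser mode, even briefly; chmod afterwards covers pre-existing files.
        fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "wb") as out:
            out.write(src.read_bytes())
        os.chmod(dst, mode)
        installed[role] = dst
    return installed


def make_demo_dir() -> Path:
    """Constructed stand-in for /data/richard/test.ponfey.com/ (dummy PEM bodies)."""
    d = Path(tempfile.mkdtemp(prefix="certdemo-"))
    fake_cert = CERT_HEADER + "\nMIIB-constructed-not-a-real-cert\n-----END CERTIFICATE-----\n"
    fake_key = "-----BEGIN PRIVATE KEY-----\nMIGH-constructed-not-a-real-key\n-----END PRIVATE KEY-----\n"
    for name, body in (("cert1.pem", fake_cert), ("chain1.pem", fake_cert),
                       ("fullchain1.pem", fake_cert + fake_cert), ("privkey1.pem", fake_key)):
        p = d / name
        p.write_text(body)
        p.chmod(0o644)  # reproduce the world-readable key from the listing
    return d


if __name__ == "__main__":
    src = make_demo_dir()
    result = install_cert_files(src, src / "installed", "test.ponfey.com")
    for role, path in result.items():
        print(f"{role:9} {path.name:32} mode={file_mode(path):o}")
```

Note that certbot keeps the numbered files in its archive directory and the /etc/letsencrypt/live/test.ponfey.com/ paths printed in the run above always point at the current version; a renamed copy like this one goes stale after each renewal unless it is refreshed, for example from a certbot --deploy-hook.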

apply_ssl_certificate.py source code

#!/usr/bin/python3
# certbot writes its log to /var/log/letsencrypt/letsencrypt.log

import subprocess

def apply_ssl_certificate(domain):
    try:
        # Build the certbot command as an argument list (no shell is involved)
        command = ["certbot", "--nginx", "-d", domain]

        # Run it with subprocess.run; check=True raises on a non-zero exit status
        subprocess.run(command, check=True)
        print(f"SSL certificate for {domain} applied successfully.")
    except FileNotFoundError:
        print("Error: certbot is not installed or not on PATH")
    except subprocess.CalledProcessError as e:
        print(f"Error applying SSL certificate: {e}")

if __name__ == "__main__":
    domain = "test.ponfey.com"
    apply_ssl_certificate(domain)
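The script above takes the domain from a hard-coded string, but a wrapper like this usually ends up driven by an inventory or a web form, and the run shown earlier still stops at three interactive prompts. As an added example (not the original apply_ssl_certificate.py), the variant below validates the domain as a DNS hostname before it reaches certbot, so a value containing whitespace can never be split into extra certbot arguments, and answers the prompts with certbot's own flags (--non-interactive, --agree-tos, -m, --no-eff-email) so it can run unattended; --dry-run exercises the whole flow against the staging endpoint without issuing anything. The contact address admin@example.com is a placeholder.

```python
#!/usr/bin/python3
# Added example (not the original apply_ssl_certificate.py): validate input
# and run certbot non-interactively. certbot's log: /var/log/letsencrypt/letsencrypt.log
import re
import subprocess

# DNS hostname: dotted labels of letters/digits/hyphens, no label starting or
# ending with a hyphen, 63 chars per label, 253 overall. No whitespace is
# allowed, so "test.ponfey.com --webroot" is rejected rather than becoming
# two argv entries.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def is_valid_domain(domain: str) -> bool:
    """True only for a plain hostname that is safe to hand to certbot -d."""
    return len(domain) <= 253 and _DOMAIN_RE.fullmatch(domain) is not None


def build_certbot_command(domain: str, email: str, dry_run: bool = False) -> list:
    """Return the argv list for an unattended certbot --nginx run.

    --non-interactive  fail instead of prompting
    --agree-tos        accept the subscriber agreement shown in the interactive run
    -m <email>         account contact for expiry and security notices
    --no-eff-email     decline the EFF mailing-list question
    --dry-run          use the staging ACME endpoint and issue nothing
    """
    if not is_valid_domain(domain):
        raise ValueError(f"refusing to pass unexpected domain to certbot: {domain!r}")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+", email):
        raise ValueError(f"invalid contact email: {email!r}")
    cmd = ["certbot", "--nginx", "--non-interactive", "--agree-tos",
           "-m", email, "--no-eff-email", "-d", domain]
    if dry_run:
        cmd.append("--dry-run")
    return cmd


def apply_ssl_certificate(domain: str, email: str, dry_run: bool = False) -> bool:
    """Run certbot for the domain; return True on success. Never invokes a shell."""
    cmd = build_certbot_command(domain, email, dry_run)
    try:
        subprocess.run(cmd, check=True)
    except FileNotFoundError:
        print("certbot is not installed (dnf install certbot python3-certbot-nginx)")
        return False
    except subprocess.CalledProcessError as e:
        print(f"certbot exited with status {e.returncode}; "
              "see /var/log/letsencrypt/letsencrypt.log")
        return False
    print(f"SSL certificate for {domain} applied successfully.")
    return True


if __name__ == "__main__":
    # Placeholder contact address; a dry run issues no certificate.
    apply_ssl_certificate("test.ponfey.com", "admin@example.com", dry_run=True)
```

Running it with dry_run=True first is the cheap way to confirm that the port 80 server block is reachable and that certbot can edit the nginx configuration, before spending one of the real issuance attempts on the production endpoint.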