Certbot automatic renewal vulnerabilities
Question
I have certbot, including automatic renewal, in use in several installations with clients.
Now I have been reading here:
https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983
here:
https://github.com/certbot/certbot/issues/5405
and:
https://community.letsencrypt.org/t/important-what-you-need-to-know-about-tls-sni-validation-issues/50811
Everyone seems to be saying something slightly different, and no clear explanation is given.
I've been reading the standard description of the certbot installation; the renewal documentation points to:
https://certbot.eff.org/docs/using.html#renewal
but the old, vulnerable tls-sni-01 method is still listed there.
Let me try to summarize:
In the guides for mitigating the existing issues on existing servers, they recommend stopping and starting the server on renewal. But... this is not good. What if some config breaks and the server gets stopped and started while I am asleep? The server would be unavailable. Or something worse. I am not a devops expert, but having the server more or less randomly start and stop doesn't seem like a good solution. Am I wrong about this?
As an alternative, I see only the webroot plugin, which does not use tls-sni-01: https://certbot.eff.org/docs/using.html#webroot
That seems to me to be the only way that looks reliable.
Am I missing something? Are we basically being told to use the webroot plugin? All the others either use tls-sni-01, are not automated (you can do it manually, but ehrm, I actually don't want to), or require you not to have a running server already (standalone).
That is for future servers. I guess existing domain renewals will continue to work with the old tls-sni-01; that is what they seem to be saying.
Recommended answer
So, as I got no answers, I will have to assume that's what it is, i.e. use the webroot plugin when possible.
What I actually found is:
The command certbot renew goes to the folder /etc/letsencrypt/renewal and checks the config files there. Those config files were created the last time you triggered the certification process from the command line. So if the last thing you did was use standalone, you will find a standalone config there (and you want to migrate away from that).
OK, so now you run the webroot plugin for the first time:
certbot certonly --webroot -w /var/www/html/www.mypage.com/public -d www.mypage.com -d mypage.com
This can, eventually, create a new entry in /etc/letsencrypt/renewal or overwrite the old existing one. Just be sure to delete the standalone one in case it did not overwrite but created a new file; you only want to have the webroot one there.
Now run crontab -e (you may eventually have to be the root user) and add:
53 14 * * * certbot renew --post-hook "service nginx reload"
This will run each day at 14:53, try to renew the certificates and reload the config.
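The answer's advice is to look at what is in /etc/letsencrypt/renewal before trusting a cron job to renew. The following shell script is an added example, not code from the original question or answer: it audits every renewal conf in a directory and flags the ones that still rely on the standalone authenticator or on a tls-sni-01 challenge preference. Certbot writes the options of the last successful run into <name>.conf under a [renewalparams] section (the "authenticator = ..." key is what certbot renew reuses); the conf files the script creates are constructed samples so it runs offline, and the path /var/www/html/www.mypage.com/public is taken from the answer's own command.

```shell
#!/bin/sh
# Added example (not part of the original post): report which authenticator
# "certbot renew" will reuse for each certificate under a renewal directory.
# Constructed sample confs are generated below so the script runs offline;
# on a real host run: audit_renewal_dir /etc/letsencrypt/renewal (as root).

# Print the value of "authenticator = ..." from one renewal conf, or "unknown".
renewal_authenticator() {
    value=$(sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    echo "${value:-unknown}"
}

# Exit 0 when the conf still relies on standalone, or pins tls-sni-01 in pref_challs.
needs_migration() {
    [ "$(renewal_authenticator "$1")" = standalone ] && return 0
    grep -q '^[[:space:]]*pref_challs[[:space:]]*=.*tls-sni-01' "$1"
}

# One report line per conf: "<name>: <authenticator> MIGRATE|ok". Always exits 0.
audit_renewal_dir() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        if needs_migration "$conf"; then
            echo "$name: $(renewal_authenticator "$conf") MIGRATE"
        else
            echo "$name: $(renewal_authenticator "$conf") ok"
        fi
    done
    return 0
}

# Create a temporary directory with three constructed renewal confs; print its path.
make_sample_dir() {
    dir=$(mktemp -d)
    # Left over from a "certbot certonly --standalone" run: renewal needs port 80/443 free.
    cat > "$dir/www.mypage.com.conf" <<'EOF'
version = 0.28.0
cert = /etc/letsencrypt/live/www.mypage.com/cert.pem
[renewalparams]
authenticator = standalone
EOF
    # Webroot, but with a tls-sni-01 challenge preference pinned by an earlier run.
    cat > "$dir/old.mypage.com.conf" <<'EOF'
version = 0.28.0
[renewalparams]
authenticator = webroot
pref_challs = tls-sni-01,
webroot_path = /var/www/html/old.mypage.com/public,
EOF
    # What the conf looks like after the webroot command from the answer.
    cat > "$dir/mypage.com.conf" <<'EOF'
version = 0.28.0
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html/www.mypage.com/public,
[[webroot_map]]
www.mypage.com = /var/www/html/www.mypage.com/public
mypage.com = /var/www/html/www.mypage.com/public
EOF
    echo "$dir"
}

# Demonstration against the constructed confs.
sample_dir=$(make_sample_dir)
audit_renewal_dir "$sample_dir"
rm -rf "$sample_dir"
```

After migrating a MIGRATE entry with the webroot command from the answer, certbot renew --dry-run exercises the stored renewal parameters against the staging environment without issuing a real certificate, which is a safer check than waiting for the cron job to fire. Note also that the --post-hook argument must be quoted so the shell passes "service nginx reload" as a single value.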