此方法的原理是:在一台公网服务器上用自动续期工具签发/续期证书,并把证书和私钥文件放到该服务器的 HTTPS 目录下;飞牛OS 上的脚本通过 crontab 定时下载这两个文件、写入系统证书目录并更新数据库记录,从而实现自动更新。安全提醒:私钥会放在公网可访问的 URL 上,任何猜到该地址的人都能下载私钥并冒充你的域名。务必给该目录加访问控制(如 HTTP 基本认证或 IP 白名单)、关闭目录列表,或改用 scp/rsync 等带认证的方式拉取;同时不要在脚本里关闭 wget 的证书校验。
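#!/bin/bash
#
# Rotate the TLS certificate that fnOS (trim_connect) serves for $CERT_NAME.
#
# Flow: locate the directory fnOS uses for the domain's certificate -> download
# the renewed certificate and private key from $CERT_SOURCE_URL -> verify them
# (parseable, key matches certificate, not expired, issued for $CERT_NAME) ->
# if they differ from the installed pair: stop the services that hold the files
# open, back up and overwrite the installed pair, update the trim_connect
# `cert` row so the UI shows the new validity, restart the services.
# Meant to run from root's crontab; everything is appended to $LOG_FILE.
#
# Requirements: bash, GNU coreutils (date -d, mktemp), GNU find (-printf),
# wget, openssl, psql with local access as postgres, systemctl.
#
# SECURITY NOTES
#  * The private key is fetched from an unauthenticated HTTPS URL. Anyone who
#    learns that URL can download the key and impersonate the host. Put the
#    directory behind authentication or an IP allow-list (or pull it with
#    scp/rsync and a dedicated key) and make sure directory listing is off.
#  * Integrity of the download rests on wget validating the source server's
#    TLS certificate (wget's default). Never add --no-check-certificate here.
#  * The downloaded key only ever exists in a mktemp directory created under
#    umask 077 and removed by the EXIT trap on every exit path (the original
#    used a predictable /tmp name and left the key behind on any failure).
#  * Certificate metadata is passed to psql as variables (:'var'), not spliced
#    into the SQL text, so an issuer CN containing a quote cannot inject.
set -euo pipefail
umask 077

# ---- configuration ----------------------------------------------------------
# Domain whose certificate is being rotated (also the file-name stem).
CERT_NAME="nas.123.cn"
# fnOS directory holding this domain's certificates, one numbered
# sub-directory per issued certificate; the highest number is used.
CERT_BASE_DIR="/usr/trim/var/trim_connect/ssls/nas.123.cn"
# HTTPS directory on the renewal server holding $CERT_NAME.crt and $CERT_NAME.key.
CERT_SOURCE_URL="https://2024dream.cn/nas-ssl"
LOG_FILE="/var/log/ssl_update.log"
# Services that keep the certificate files open; stopped before the overwrite
# and started again afterwards, in this order (same order as the original).
SERVICES=(webdav.service smbftpd.service trim_nginx.service)

# ---- runtime state (written by the steps below, read by cleanup) -------------
FNOS_CERT_PATH=""        # $CERT_BASE_DIR/<highest numeric id>
TMP_DIR=""               # mktemp dir holding the downloads and the backup
BACKUP_DIR=""            # $TMP_DIR/backup once the old pair has been saved
SERVICES_STOPPED=0       # 1 while the services are down
NEW_ISSUER=""            # issuer CN of the downloaded certificate
NEW_NOT_BEFORE=""        # notBefore as printed by openssl
NEW_EXPIRY_DATE=""       # notAfter as printed by openssl
NEW_VALID_FROM_TS=""     # notBefore, epoch milliseconds
NEW_EXPIRY_TIMESTAMP=""  # notAfter, epoch milliseconds

# Append one time-stamped line to the log. (The original captured the
# timestamp once at start-up, so every line carried the same time.)
log() {
  printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE"
}

# Log an error, echo it to stderr (cron mail) and exit non-zero; cleanup()
# then rolls back a half-finished install and restarts the services.
die() {
  log "错误: $*"
  printf '%s\n' "错误: $*" >&2
  exit 1
}

# Stop every service in $SERVICES. A failure to stop one is logged, not
# fatal: under set -e the original would have exited here and left the
# services stopped so far down.
stop_services() {
  local svc
  SERVICES_STOPPED=1
  for svc in "${SERVICES[@]}"; do
    systemctl stop "$svc" >> "$LOG_FILE" 2>&1 || log "警告: 无法停止 $svc"
  done
  sleep 3   # give the units a moment to release the files
}

# Start every service in $SERVICES; failures are logged, not fatal.
start_services() {
  local svc
  for svc in "${SERVICES[@]}"; do
    systemctl start "$svc" >> "$LOG_FILE" 2>&1 || log "警告: 无法启动 $svc"
  done
  SERVICES_STOPPED=0
}

# EXIT trap: on failure restore the saved pair and bring the services back;
# on every exit remove the temp dir (and with it the downloaded key).
cleanup() {
  local rc=$?
  set +e
  if (( rc != 0 )); then
    if [[ -n "$BACKUP_DIR" && -f "$BACKUP_DIR/$CERT_NAME.crt" && -f "$BACKUP_DIR/$CERT_NAME.key" ]]; then
      cp -- "$BACKUP_DIR/$CERT_NAME.crt" "$FNOS_CERT_PATH/$CERT_NAME.crt"
      cp -- "$BACKUP_DIR/$CERT_NAME.key" "$FNOS_CERT_PATH/$CERT_NAME.key"
      log "已回滚到旧证书"
    fi
    if (( SERVICES_STOPPED )); then
      start_services
    fi
    log "=== SSL证书更新失败 (exit $rc) ==="
  fi
  if [[ -n "$TMP_DIR" ]]; then
    log "步骤10: 清理临时文件"
    rm -rf -- "$TMP_DIR"
    log "临时目录已清理"
  fi
  printf -- '----------------------------------------\n' >> "$LOG_FILE"
}
trap cleanup EXIT

# Set FNOS_CERT_PATH to the numerically highest sub-directory of
# $CERT_BASE_DIR. Sorting the basenames with -n (not the full paths, as the
# original did) makes "1000" beat "999" regardless of digit count.
find_cert_dir() {
  local latest
  latest=$(find "$CERT_BASE_DIR" -mindepth 1 -maxdepth 1 -type d -name '[0-9]*' -printf '%f\n' 2>/dev/null \
             | sort -nr | head -n 1) || true
  [[ -n "$latest" && -d "$CERT_BASE_DIR/$latest" ]] || die "无法找到证书目录"
  FNOS_CERT_PATH="$CERT_BASE_DIR/$latest"
}

# Download $1 to $2; $3 is the human label used in log lines ("证书"/"密钥").
# wget output goes to the log instead of the cron mail; the server certificate
# is validated by wget's default settings.
fetch() {
  local url=$1 dest=$2 what=$3
  if ! wget -nv --timeout=30 -O "$dest" "$url" >> "$LOG_FILE" 2>&1; then
    die "${what}下载失败"
  fi
  [[ -s "$dest" ]] || die "${what}下载失败 (文件为空)"
  log "${what}下载成功, 大小: $(wc -c < "$dest") 字节"
}

# Reject anything that is not a usable pair for $CERT_NAME.
verify_material() {
  local crt=$1 key=$2 crt_pub key_pub
  openssl x509 -in "$crt" -noout >/dev/null 2>&1 || die "证书文件格式无效"
  # `openssl pkey` accepts RSA and EC keys; the original `openssl rsa` rejected
  # EC keys, which some ACME clients issue by default.
  openssl pkey -in "$key" -noout >/dev/null 2>&1 || die "密钥文件格式无效"
  # Compare public keys rather than RSA moduli so the check is key-type agnostic.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl md5)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl md5)
  [[ "$crt_pub" == "$key_pub" ]] || die "证书和密钥不匹配"
  # Do not install an already-expired certificate ...
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 || die "证书已过期"
  # ... or one issued for another host (wrong file on the source server).
  # -checkhost prints "... does match certificate" / "... does NOT match ...".
  openssl x509 -in "$crt" -noout -checkhost "$CERT_NAME" 2>/dev/null | grep -q ' does match ' \
    || die "证书不包含域名 $CERT_NAME"
}

# True when the downloaded pair is byte-identical to the installed one, so
# the service restart and DB write can be skipped (the cron job runs far more
# often than the certificate actually changes).
already_installed() {
  local crt=$1 key=$2
  [[ -f "$FNOS_CERT_PATH/$CERT_NAME.crt" && -f "$FNOS_CERT_PATH/$CERT_NAME.key" ]] || return 1
  cmp -s -- "$crt" "$FNOS_CERT_PATH/$CERT_NAME.crt" && cmp -s -- "$key" "$FNOS_CERT_PATH/$CERT_NAME.key"
}

# Fill the NEW_* globals from the downloaded certificate. Done before the
# services are stopped so a parse failure causes no downtime.
extract_cert_info() {
  local crt=$1
  NEW_EXPIRY_DATE=$(openssl x509 -in "$crt" -noout -enddate | sed 's/^[^=]*=//')
  NEW_NOT_BEFORE=$(openssl x509 -in "$crt" -noout -startdate | sed 's/^[^=]*=//')
  # Issuer CN only; accepts both "CN = R3" and "/CN=R3" print styles. Inner
  # spaces are kept (the original `tr -d ' '` removed every space in the CN).
  NEW_ISSUER=$(openssl x509 -in "$crt" -noout -issuer \
               | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//')
  NEW_VALID_FROM_TS=$(date -d "$NEW_NOT_BEFORE" +%s%3N)
  NEW_EXPIRY_TIMESTAMP=$(date -d "$NEW_EXPIRY_DATE" +%s%3N)
  # These go into the SQL unquoted (numeric columns), so insist on digits.
  [[ "$NEW_VALID_FROM_TS" =~ ^[0-9]+$ && "$NEW_EXPIRY_TIMESTAMP" =~ ^[0-9]+$ ]] \
    || die "无法解析证书有效期: $NEW_NOT_BEFORE / $NEW_EXPIRY_DATE"
  log "证书信息: 颁发者=$NEW_ISSUER, 有效期=$NEW_EXPIRY_DATE"
}

# Back up the installed pair, then overwrite it with the downloaded files.
install_material() {
  local crt=$1 key=$2
  local dest_crt="$FNOS_CERT_PATH/$CERT_NAME.crt" dest_key="$FNOS_CERT_PATH/$CERT_NAME.key"
  mkdir -p -- "$TMP_DIR/backup"
  if [[ -f "$dest_crt" ]]; then cp -p -- "$dest_crt" "$TMP_DIR/backup/"; fi
  if [[ -f "$dest_key" ]]; then cp -p -- "$dest_key" "$TMP_DIR/backup/"; fi
  BACKUP_DIR="$TMP_DIR/backup"   # only now is a rollback meaningful
  # cp onto the existing files (not install/mv): overwriting in place keeps
  # each file's inode and therefore its current owner, as the original did.
  cp -- "$crt" "$dest_crt"
  cp -- "$key" "$dest_key"
  chmod 644 "$dest_crt"
  chmod 600 "$dest_key"
  log "新证书已覆盖到目标目录"
}

# Update the trim_connect `cert` row for $CERT_NAME. All values are handed to
# psql as variables; :'var' interpolation quotes them server-side, the numeric
# ones were validated as digits in extract_cert_info. ON_ERROR_STOP turns a
# SQL error into a non-zero exit, which stdin-fed psql otherwise swallows.
update_db() {
  local now rows sql
  now=$(date +%s%3N)
  [[ "$now" =~ ^[0-9]+$ ]] || die "无法获取当前时间戳"
  sql="UPDATE cert SET
    issued_by    = :'issuer',
    valid_from   = :valid_from,
    valid_to     = :valid_to,
    status       = 'suc',
    certificate  = :'cert_path',
    private_key  = :'key_path',
    updated_time = :now
  WHERE domain = :'domain'
  RETURNING domain;"
  rows=$(psql -U postgres -d trim_connect -tAq -v ON_ERROR_STOP=1 \
           -v issuer="$NEW_ISSUER" \
           -v valid_from="$NEW_VALID_FROM_TS" \
           -v valid_to="$NEW_EXPIRY_TIMESTAMP" \
           -v cert_path="$FNOS_CERT_PATH/$CERT_NAME.crt" \
           -v key_path="$FNOS_CERT_PATH/$CERT_NAME.key" \
           -v now="$now" \
           -v domain="$CERT_NAME" \
           2>> "$LOG_FILE" <<<"$sql") || die "数据库更新失败"
  if [[ -z "$rows" ]]; then
    # UPDATE matched nothing: the files are installed but the UI metadata is
    # stale. Not fatal (the original reported success here too), but say so.
    log "警告: 数据库中没有 domain=$CERT_NAME 的记录, 证书信息未写入"
  else
    log "数据库更新成功"
  fi
}

main() {
  log "=== SSL证书更新开始 ==="

  log "步骤1: 查找证书目录"
  find_cert_dir
  log "使用证书目录: $FNOS_CERT_PATH"

  log "步骤2: 下载证书文件"
  TMP_DIR=$(mktemp -d /tmp/ssl_update.XXXXXX) || die "无法创建临时目录"
  log "临时目录: $TMP_DIR"
  local crt="$TMP_DIR/$CERT_NAME.crt" key="$TMP_DIR/$CERT_NAME.key"
  fetch "$CERT_SOURCE_URL/$CERT_NAME.crt" "$crt" "证书"
  fetch "$CERT_SOURCE_URL/$CERT_NAME.key" "$key" "密钥"

  log "步骤3: 验证证书文件"
  verify_material "$crt" "$key"
  log "证书验证通过"

  if already_installed "$crt" "$key"; then
    log "下载的证书与已安装证书相同, 无需更新"
    log "=== SSL证书更新完成 ==="
    return 0
  fi

  log "步骤4: 提取证书信息"
  extract_cert_info "$crt"

  log "步骤5: 停止相关服务"
  stop_services

  log "步骤6: 覆盖证书文件"
  install_material "$crt" "$key"

  log "步骤7: 更新数据库"
  update_db

  log "步骤8: 重启相关服务"
  start_services
  log "所有服务重启完成"

  log "步骤9: 验证更新结果"
  if [[ -f "$FNOS_CERT_PATH/$CERT_NAME.crt" && -f "$FNOS_CERT_PATH/$CERT_NAME.key" ]]; then
    log "证书文件确认存在"
    ls -la "$FNOS_CERT_PATH/$CERT_NAME.crt" "$FNOS_CERT_PATH/$CERT_NAME.key" >> "$LOG_FILE" 2>&1
  else
    log "警告: 证书文件不存在"
  fi

  log "=== SSL证书更新完成 ==="
}

main "$@"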