Lets-Encrypt

將我的 LetsEncrypt 證書從一台伺服器移動到另一台伺服器有哪些選擇?

  • March 27, 2019

我有一個通過 Digital Ocean 執行的 ubuntu 伺服器,它有一個通過 LetsEncrypt 獲得的 SSH 證書。

我正在嘗試切換到更便宜的服務,我需要將證書移動到我的新伺服器。我怎樣才能做到這一點?

看起來我可以撤銷目前 DO 伺服器上的證書。然後我可以在我的新伺服器上創建一個新伺服器而沒有任何問題嗎?

其中一些已經說過,但只是給出一個完整的答案。我已經開始在公共服務上使用一些 LE 證書。移動選項幾乎不受限制,更多地取決於您用於請求證書的項目。獲得證書後,您可以將密鑰和證書導出到文件中,以便移動到您喜歡的任何服務。您無需撤銷任何內容即可獲得新證書。由於 LE 證書的短壽命(3 個月)和免費成本,我發現它們被大多數人視為一次性的。

我已經使用 eBekker 項目的 ACMEsharp 建構了一個 powershell 腳本來自動獲取新證書。這就是我到目前為止所擁有的。它目前必須在 Web 伺服器上執行。

https://github.com/ebekker/ACMESharp

## This requires the ACMESharp module from EBekker
#Import-Module AcmeSharp

$dns = "www.example.com"
$webRoot = "C:\inetpub\wwwroot"

$idRef = "$($dns.Replace('.','-'))-$(Get-Date -Format "yyyy-MM-dd_HH-mm")"
$certRef = "cert-$($dns.Replace('.','-'))-$(Get-Date -Format "yyyy-MM-dd")"

Import-Module AcmeSharp
Write-Host "Getting a new challenge"
New-ACMEIdentifier -Dns $dns -Alias $idRef | Out-Null
$challanges = Complete-ACMEChallenge -IdentifierRef $idRef -ChallengeType http-01 -Handler manual
$httpChallenge = ($challanges.Challenges | Where-Object {$_.Type -like 'http-01'}).Challenge

Write-Host "Creating challenge folder path"
New-Item -ItemType Directory -Path "$webRoot\$($httpChallenge.FilePath)" | Out-Null

$challengeFilePath = "$webRoot\$($httpChallenge.FilePath)\Default.htm"

if (Test-Path -Path $challengeFilePath) {
   Remove-Item -Path $challengeFilePath -Force
}

Write-Host "Adding Challenge text to the reuqested path"
Add-Content -Path $challengeFilePath -Value $httpChallenge.FileContent -Force | Out-Null

Write-Host "Waitin 15 sec..."
Start-Sleep -Seconds 15

Write-Host "Submitting Challenge"
Submit-ACMEChallenge -IdentifierRef $idRef -ChallengeType http-01 -Force | Out-Null

Write-Host "Waiting 15 sec..."
Start-Sleep -Seconds 15

$id = Update-ACMEIdentifier -IdentifierRef $idRef

if ($id.Status -eq "pending") {
   Write-Host "Challenge still pending, waiting 30 sec and retrying"
   Start-Sleep -Seconds 30
   Update-ACMEIdentifier -IdentifierRef $idRef
}

if ($id.Status -ne "valid") {
   throw "Identifier could not be validated."
}
else {
   Write-Host "Challenge appears completed. Building cert"
   New-ACMECertificate -IdentifierRef $idRef -Alias $certRef -Generate | Out-Null
   Submit-ACMECertificate -CertificateRef $certRef | Out-Null
   Start-Sleep -Seconds 15
   Update-ACMECertificate -CertificateRef $certRef

   Get-ACMECertificate -CertificateRef $certRef -ExportKeyPEM C:\SSL\$dns.key.pem -ExportCertificatePEM C:\SSL\$dns.crt.pem -ExportPkcs12 C:\SSL\$dns.pfx 

   #Install Cert 
   #Install-ACMECertificateToIIS -Certificate $certRef
}

引用自:https://serverfault.com/questions/838007