1. 配置自动更新脚本
- 因为和 80 端口冲突,需要先停止 80 端口的占用
- docker 无法挂载软链接,启动后的 nginx 无法找到 pem 文件,导致 docker 启动失败
bash
#!/bin/bash
set -e
# ===================== 配置 =====================
# 证书域名
DOMAIN="your domin"
# 容器名称(多个容器用空格)
CONTAINERS=("nginx_container")
# nginx 容器挂载证书的目标路径(你在 docker-compose 中使用了这个目录)
TARGET_CERT_DIR="./nginx-certs"
# ===================== 函数封装 =====================
log() {
echo -e "[`date '+%Y-%m-%d %H:%M:%S'`] $1"
}
# ===================== 停止容器释放端口 =====================
log "1️⃣ 停止容器,释放 80 端口..."
for container in "${CONTAINERS[@]}"; do
log "🛑 正在停止 $container ..."
docker stop "$container" || log "⚠️ 容器 $container 已停止或不存在"
done
# ===================== 等待端口释放 =====================
log "2️⃣ 等待端口释放..."
sleep 5
# ===================== 执行 Certbot 更新 =====================
log "3️⃣ 执行证书更新 certbot renew..."
sudo certbot renew
# ===================== 同步证书到挂载目录 =====================
log "4️⃣ 拷贝最新证书到挂载目录($TARGET_CERT_DIR)..."
# 创建目标目录(如不存在)
mkdir -p "$TARGET_CERT_DIR"
# 拷贝证书(使用 sudo 防止权限问题)
sudo cp "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" "$TARGET_CERT_DIR/"
sudo cp "/etc/letsencrypt/live/$DOMAIN/privkey.pem" "$TARGET_CERT_DIR/"
# 调整权限(可选)
sudo chmod 644 "$TARGET_CERT_DIR/fullchain.pem"
sudo chmod 600 "$TARGET_CERT_DIR/privkey.pem"
log "✅ 证书已同步至 $TARGET_CERT_DIR"
# ===================== 重启容器 =====================
log "5️⃣ 重启容器..."
for container in "${CONTAINERS[@]}"; do
log "🚀 启动 $container ..."
docker start "$container"
done
log "✅ 所有容器已重启,证书更新完成"
# ===================== 显示有效期检查 =====================
log "📅 当前证书有效期:"
sudo openssl x509 -in "$TARGET_CERT_DIR/fullchain.pem" -noout -dates2. 配置自动更新策略
设置自动定期任务
bash
sudo crontab -e添加一行
javascript
0 3 * * * /home/lighthouse/renew_cert.sh >> /home/lighthouse/cert_renew.log 2>&1每天凌晨 3 点自动检测并续签证书,如有更新则自动同步证书 + 重启 nginx。
3. 检测是否更新成功
bash
cat /home/lighthouse/cert_renew.log