Part 10 - Configure Certificate Renewal

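  • Create the zenupdate service and timer units, adding a hook that restarts zend when the certificate is renewed
  • Stop and disable the default certbot.timer
  • Start zenupdate.service
  • Check the status of the service
  • Start and enable zenupdate.timer
  • Check the status of the timer and list the system timers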

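1. Create a zenupdate.service unit file that runs certbot renew with --deploy-hook, so that zend is restarted whenever the certificate is renewed.

A custom renewal service and timer are used because certbot updates installed during a system upgrade overwrite certbot's own default service and timer units. Copy and paste the entire text: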

echo \
"[Unit]
Description=zenupdate.service

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew --deploy-hook 'systemctl restart zend'
PrivateTmp=true" | sudo tee /lib/systemd/system/zenupdate.service

2. Create a zenupdate.timer unit scheduled to run daily at 06:00 UTC. Copy and paste the entire text:

echo \
"[Unit]
Description=Run zenupdate unit daily @ 06:00:00 (UTC)

[Timer]
OnCalendar=*-*-* 06:00:00
Unit=zenupdate.service
Persistent=true

[Install]
WantedBy=timers.target" | sudo tee /lib/systemd/system/zenupdate.timer

3. Stop and disable the standard certbot.timer:

sudo systemctl stop certbot.timer
sudo systemctl disable certbot.timer

4. Test zenupdate.service to make sure it works:

sudo systemctl start zenupdate.service

5. Check the service status and make sure no failures are listed in the log output. Press CTRL + c to exit the status view:

sudo systemctl status zenupdate.service


Example Output

zenops@node01:~$ sudo systemctl status zenupdate.service
● zenupdate.service
Loaded: loaded (/lib/systemd/system/zenupdate.service; static; vendor preset: enabled)
Active: inactive (dead) since Thu 2018-06-14 00:07:32 CEST; 19s ago

Jun 14 00:07:31 zsec01 systemd[1]: Starting zenupdate.service...
Jun 14 00:07:32 zsec01 systemd[1]: Started zenupdate.service.

6. If the status check from step 7 is OK, start zenupdate.timer and enable it:

sudo systemctl start zenupdate.timer
sudo systemctl enable zenupdate.timer

7. Check the timer status, in particular that it shows the active (waiting) state. Press CTRL + c to exit the status view:

sudo systemctl status zenupdate.timer
Example Output

zenops@node01:~$ sudo systemctl status zenupdate.timer
zenupdate.timer - Run zenupdate unit daily @ 06:00:00 (UTC)
Loaded: loaded (/lib/systemd/system/zenupdate.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Wed 2018-06-13 19:45:01 CEST; 4h 36min ago

Jun 13 19:45:01 node01 systemd[1]: Started Run zenupdate unit daily @ 06:00:00 (UTC).

8. Verify that the timer is enabled; you should see a line for zenupdate.timer. Use CTRL + c to exit the list:

sudo systemctl list-timers
Example Output

zenops@node01:~$ sudo systemctl list-timers
NEXT                          LEFT      LAST                          PASSED     UNIT                          ACTIVATES
Thu 2018-06-14 05:39:15 CEST  11h left  Wed 2018-06-13 08:12:43 CEST  9h ago     apt-daily.timer               apt-daily.service
Thu 2018-06-14 06:00:00 CEST  12h left  n/a                           n/a        zenupdate.timer               zenupdate.service
Thu 2018-06-14 06:18:28 CEST  12h left  Wed 2018-06-13 06:48:03 CEST  10h ago    apt-daily-upgrade.timer       apt-daily-upgrade.service
Thu 2018-06-14 17:32:10 CEST  23h left  Wed 2018-06-13 17:32:10 CEST  14min ago  systemd-tmpfiles-clean.timer  systemd-tmpfiles-clean.service

4 timers listed.
Pass --all to see loaded but inactive timers, too.
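
The checks below are an added example, not part of the original guide or Horizen's own tooling: a shell function that audits the two unit files written in steps 1 and 2 without needing systemd to be running. The function names, the UNIT_DIR variable and the failure messages are assumptions made for this example.

```shell
# Added example: offline audit of the zenupdate units written in steps 1 and 2.
# Usage: source this file, then run `audit_zenupdate` (or `audit_zenupdate /path/to/copy`).
UNIT_DIR="${UNIT_DIR:-/lib/systemd/system}"   # path used on this page

# Print the value of the first KEY= line found in FILE (empty if absent).
unit_value() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# Print one line per problem found; return 0 only when nothing was printed.
audit_zenupdate() {
    dir="${1:-$UNIT_DIR}"
    svc="$dir/zenupdate.service"
    tmr="$dir/zenupdate.timer"
    problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    for f in "$svc" "$tmr"; do
        if [ ! -f "$f" ]; then fail "$f is missing"; continue; fi
        # Units run as root: nobody but the owner may be able to rewrite them.
        if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
            fail "$f is group- or world-writable"
        fi
    done
    [ "$problems" -eq 0 ] || return 1

    exec_start=$(unit_value ExecStart "$svc")
    case "$exec_start" in
        *"certbot "*renew*) ;;
        *) fail "ExecStart does not run certbot renew" ;;
    esac
    case "$exec_start" in
        *"--deploy-hook 'systemctl restart zend'"*) ;;
        *) fail "deploy hook that restarts zend is missing or lost its quotes" ;;
    esac
    [ "$(unit_value Type "$svc")" = "oneshot" ] || fail "service Type is not oneshot"
    [ "$(unit_value Unit "$tmr")" = "zenupdate.service" ] || fail "timer does not activate zenupdate.service"
    [ -n "$(unit_value OnCalendar "$tmr")" ] || fail "timer has no OnCalendar schedule"
    [ "$(unit_value Persistent "$tmr")" = "true" ] || fail "Persistent=true is missing"
    [ "$(unit_value WantedBy "$tmr")" = "timers.target" ] || fail "timer has no WantedBy=timers.target"

    [ "$problems" -eq 0 ]
}
```

A non-zero return means at least one FAIL line was printed; the checks from steps 5, 7 and 8 are still needed to confirm that systemd has loaded and scheduled the units.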

Part 10 of 11 - Configure Certificate Renewal



© 2019 Horizen. All rights reserved.