
Root cause of the code:60 error when renewing the Let's Encrypt domain certificate on Synology, and the fix

Open iihong opened this issue 3 years ago • 4 comments

Recently, because the root certificate in the CA bundle built into the Synology system expired, an SSL connection could not be established when renewing the Let's Encrypt domain certificate, producing a code:60 error. The fix is simply to upgrade the CA root certificate bundle built into the Synology NAS.

Thanks to KennanChan, who in another issue pointed out the key to the problem: "the root certificate built into the Synology system has expired, no SSL connection can be established, upgrade the root certificate". The steps to upgrade the root certificate are organized below.

Method 1:

Update the CA bundle directly with a single SSH command

sudo mv /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak && sudo curl -Lko /etc/ssl/certs/ca-certificates.crt https://curl.se/ca/cacert.pem

If https://curl.se/ca/cacert.pem cannot be reached, use Method 2: download it manually through a proxy and update.

Method 2:

1. Download the CA root certificate bundle from https://curl.se/ca/cacert.pem (use a proxy if it cannot be downloaded)

2. Upload the cacert.pem file to a directory on the Synology NAS

3. Run the following 2 SSH commands to update the CA bundle; replace /volume1/nas/cacert.pem below with the path to your file

cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak
cp /volume1/nas/cacert.pem /etc/ssl/certs/ca-certificates.crt

The methods above can be run as SSH commands through PuTTY, or via "Task Scheduler > Create > Triggered Task > User-defined script", to back up and update the root certificate.

iihong avatar Dec 15 '21 03:12 iihong
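An added example (not code from the issue or from syno-acme): a small POSIX sh guard for the bundle replacement in Method 1 and Method 2, which currently copies whatever was downloaded (in Method 1 even with curl -k, so TLS verification is off) straight over /etc/ssl/certs/ca-certificates.crt. It checks that the new file is a balanced PEM bundle with at least a minimum number of certificates and, optionally, matches a published SHA-256 (curl.se publishes cacert.pem.sha256 next to the bundle), backs up the old bundle, and replaces it atomically. The file paths and the certificate-count threshold are assumptions.

```shell
#!/bin/sh
# Added example, not part of the issue or of syno-acme. Sanity-checks a
# downloaded CA bundle before it replaces the system bundle, and keeps a
# backup so the previous bundle can be restored. Paths are hypothetical.

# count_pem_certs FILE: prints the number of complete BEGIN/END CERTIFICATE
# pairs; returns 1 if the markers are unbalanced (truncated download).
count_pem_certs() {
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
  [ "$begins" -eq "$ends" ] || return 1
  echo "$begins"
}

# check_bundle FILE MIN_CERTS [SHA256_FILE]: 0 if FILE looks like a usable PEM
# bundle, 1 otherwise. SHA256_FILE has the "<hex>  name" format of sha256sum,
# which is also the format of curl.se/ca/cacert.pem.sha256.
check_bundle() {
  file=$1; min=$2; sumfile=$3
  [ -s "$file" ] || return 1
  # a captive portal or proxy error page is HTML, never PEM
  grep -qi '<html' "$file" && return 1
  n=$(count_pem_certs "$file") || return 1
  [ "$n" -ge "$min" ] || return 1
  if [ -n "$sumfile" ]; then
    expected=$(awk '{print $1}' "$sumfile")
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$expected" = "$actual" ] || return 1
  fi
  return 0
}

# install_bundle NEW TARGET MIN_CERTS [SHA256_FILE]: back up TARGET and replace
# it with NEW only when NEW passes check_bundle; returns 1 and leaves TARGET
# untouched otherwise.
install_bundle() {
  check_bundle "$1" "$3" "$4" || { echo "refusing to install $1" >&2; return 1; }
  [ -f "$2" ] && cp -p "$2" "$2.bak"
  # write next to the target and rename, so readers never see a half-written bundle
  cp "$1" "$2.tmp" && mv "$2.tmp" "$2"
}

# usage on the NAS after downloading the bundle and its .sha256 (run as root);
# 100 is an assumed lower bound, the Mozilla bundle carries well over that:
#   install_bundle /volume1/nas/cacert.pem /etc/ssl/certs/ca-certificates.crt 100 /volume1/nas/cacert.pem.sha256
```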

After some study I made a few optimizations to the syno-acme tool; the approach supports v0.2.1 and v0.3.0. The detailed changes are as follows:

1. In the config file, add settings for the certificate provider and the registration email. The new acme.sh v3.0.0+ defaults the certificate provider to ZeroSSL, so a config option is added to choose zerossl or letsencrypt

# Certificate provider: zerossl or letsencrypt
export CERT_SERVER=letsencrypt

# ZeroSSL account registration email
export ACCOUNT_EMAIL="[email protected]"

Setting CERT_SERVER to zerossl or letsencrypt decides the certificate provider. When set to zerossl: ACCOUNT_EMAIL must be set, and certificates are renewed via ZeroSSL. When set to letsencrypt: certificates are renewed via Let's Encrypt; if a code:60 error appears (SSL connection cannot be established), upgrade the CA root certificate bundle built into the Synology NAS.

2. In cert-up.sh, modify the installAcme () {} function and add a versionLt () {} function, to solve the problem of repeated download and installation, and add an automatic check for a new acme.sh version; if there is a newer version, acme.sh is upgraded automatically

# versionLt A B: exit 0 when version A is lower than version B
versionLt () { test "$(echo "$@" | tr " " "\n" | sort -rV | head -n 1)" != "$1"; }
installAcme () {
  ALLOW_INSTALL=false
  ACME_SH_FILE=${ACME_BIN_PATH}/acme.sh
  # latest release tag from the GitHub API (the bare version number); empty if the lookup fails
  ACME_SH_NEW_VERSION=$(wget -qO- -t1 -T2 "https://api.github.com/repos/acmesh-official/acme.sh/releases/latest" | grep "tag_name" | head -n 1 | awk -F ":" '{print $2}' | sed 's/\"//g;s/,//g;s/ //g')
  ACME_SH_ADDRESS=https://mirror.ghproxy.com/https://github.com/acmesh-official/acme.sh/archive/${ACME_SH_NEW_VERSION}.tar.gz
  if [ -z "${ACME_SH_NEW_VERSION}" ]; then
    echo 'unable to get new version number'
    return 0
  fi
  if [ ! -f "${ACME_SH_FILE}" ]; then
    ALLOW_INSTALL=true
    echo 'acme not installed, start install'
  else
    # installed version comes from the VER=... line at the top of acme.sh
    ACME_SH_VERSION=$(grep "^VER=" "${ACME_SH_FILE}" | head -n 1 | awk -F "=" '{print $2}' | sed 's/\"//g;s/,//g;s/ //g')
    if versionLt "${ACME_SH_VERSION}" "${ACME_SH_NEW_VERSION}"; then
      ALLOW_INSTALL=true
      echo 'acme has a new version, start updating'
    else
      echo 'skip acme installation'
    fi
  fi
  if [ "${ALLOW_INSTALL}" = true ]; then
    echo 'in progress...'
    mkdir -p "${TEMP_PATH}"
    cd "${TEMP_PATH}" || return 1
    echo 'begin downloading acme.sh tool...'
    # ACME_SH_ADDRESS=`curl -L https://cdn.jsdelivr.net/gh/andyzhshg/syno-acme@master/acme.sh.address`
    SRC_TAR_NAME=acme.sh.tar.gz
    curl -L -o "${SRC_TAR_NAME}" "${ACME_SH_ADDRESS}"
    # top-level directory inside the tarball
    SRC_NAME=$(tar -tzf "${SRC_TAR_NAME}" | head -1 | cut -f1 -d"/")
    tar zxvf "${SRC_TAR_NAME}"
    echo 'begin installing acme.sh tool...'
    cd "${SRC_NAME}" || return 1
    ./acme.sh --install --nocron --home "${ACME_BIN_PATH}"
    echo 'done installAcme'
    rm -rf "${TEMP_PATH}"
  fi
  return 0
}

3. In cert-up.sh, modify the generateCrt () {} function: add code to automatically register a ZeroSSL account, and append --server ${CERT_SERVER} after ... acme.sh --force --log --issue

generateCrt () {
  echo 'begin generateCrt'
  cd "${BASE_ROOT}" || exit 1
  source ./config
  # add register zerossl account: ZeroSSL needs a registered account (email) before it issues
  if [ "${CERT_SERVER}" = 'zerossl' ]; then
    echo 'register zerossl account'
    "${ACME_BIN_PATH}"/acme.sh --register-account -m "${ACCOUNT_EMAIL}" --server zerossl
  fi
  echo 'begin updating default cert by acme.sh tool'
  source "${ACME_BIN_PATH}"/acme.sh.env
  # ${ACME_BIN_PATH}/acme.sh --force --log --issue --dns ${DNS} --dnssleep ${DNS_SLEEP} -d "${DOMAIN}" -d "*.${DOMAIN}"
  # --server selects the CA chosen in config (zerossl or letsencrypt)
  "${ACME_BIN_PATH}"/acme.sh --force --log --issue --server "${CERT_SERVER}" --dns "${DNS}" --dnssleep "${DNS_SLEEP}" -d "${DOMAIN}" -d "*.${DOMAIN}"
  # the wildcard is quoted so the shell does not glob-expand it
  "${ACME_BIN_PATH}"/acme.sh --force --installcert -d "${DOMAIN}" -d "*.${DOMAIN}" \
    --certpath "${CRT_PATH}"/cert.pem \
    --key-file "${CRT_PATH}"/privkey.pem \
    --fullchain-file "${CRT_PATH}"/fullchain.pem

  if [ -s "${CRT_PATH}/cert.pem" ]; then
    echo 'done generateCrt'
    return 0
  else
    echo '[ERR] fail to generateCrt'
    echo "begin revert"
    revertCrt
    exit 1
  fi
}

4. Set up the scheduled renewal task and run it once; the certificate renewal then completes automatically

iihong avatar Dec 15 '21 03:12 iihong

Tested and confirmed working, thanks to the experts! Please accept this freeloader's kneeling thanks.

gechaoye avatar Jan 04 '22 06:01 gechaoye

Thanks, this problem is finally solved

xingyu42 avatar May 30 '22 17:05 xingyu42

When I run the curl command sudo /bin/bash -c "$(curl https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
I get: curl: (77) error setting certificate file: /etc/ssl/certs/ca-certificates.crt. Does anyone know how to solve this?

freestyledash avatar Jan 22 '24 10:01 freestyledash