Certbot安装
https://certbot.eff.org/instructions?ws=nginx&os=pip
防火墙进行出站放通
编辑脚本
sudo vi /usr/local/bin/ufw-letsencrypt.sh
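#!/bin/bash
# Refresh the ufw outbound allow-rules for the Let's Encrypt ACME endpoints.
#
# Flow: resolve every domain in DOMAINS first and abort if nothing resolves
# (so a DNS outage does not wipe the existing rules and block renewals),
# delete every ufw rule whose comment contains LETSENCRYPT by rule number,
# then add one "allow out" rule per resolved address tagged with RULE_COMMENT.
# Requires: ufw, getent. Run as root (cron) or via sudo.
set -u

# Let's Encrypt endpoints certbot talks to.
DOMAINS=(
  "acme-v02.api.letsencrypt.org"
  "acme-staging-v02.api.letsencrypt.org"
  # "ocsp.int-x3.letsencrypt.org"
  # "certificates.letsencrypt.org"
)
RULE_COMMENT="LETSENCRYPT_$(date +%Y%m%d)"

# Resolve all domains before touching the firewall.
# RESOLVED holds one "<ip> <domain>" pair per line.
RESOLVED=""
for domain in "${DOMAINS[@]}"; do
  echo "处理域名: $domain"
  # getent ahosts prints one line per address/socket type; field 1 is the address.
  IPS=$(getent ahosts "$domain" | awk '{print $1}' | sort -u)
  if [ -n "$IPS" ]; then
    while read -r ip; do
      RESOLVED+="$ip $domain"$'\n'
    done <<< "$IPS"
  else
    echo "警告: 无法解析域名 $domain" >&2
  fi
done

if [ -z "$RESOLVED" ]; then
  echo "错误: 所有域名均无法解析，保留现有规则不变" >&2
  exit 1
fi

# Delete the old Let's Encrypt rules by rule number, highest number first so
# the remaining numbers stay valid while deleting. The last field of a
# "ufw status numbered" line is the tail of the comment (the domain), not the
# IP, so deleting "allow out to <last field>" never matched an existing rule.
OLD_RULE_NUMS=$(sudo ufw status numbered | grep -F "LETSENCRYPT" \
  | sed -n 's/^\[ *\([0-9][0-9]*\)\].*/\1/p' | sort -rn)
if [ -n "$OLD_RULE_NUMS" ]; then
  while read -r num; do
    echo "删除旧规则: #$num"
    # --force skips the interactive y/n prompt, which would hang under cron.
    if ! sudo ufw --force delete "$num"; then
      echo "警告: 删除规则 #$num 失败" >&2
    fi
  done <<< "$OLD_RULE_NUMS"
fi

# Add one outbound rule per resolved address.
while read -r ip domain; do
  [ -n "$ip" ] || continue
  echo "允许出站访问: $ip ($domain)"
  if ! sudo ufw allow out to "$ip" comment "$RULE_COMMENT - $domain"; then
    echo "警告: 添加规则失败: $ip ($domain)" >&2
  fi
done <<< "$RESOLVED"
echo "Let's Encrypt 规则更新完成"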
更新运行权限
sudo chmod +x /usr/local/bin/ufw-letsencrypt.sh
定时运行
sudo crontab -e
0 2 * * 1 /usr/local/bin/ufw-letsencrypt.sh >/dev/null 2>&1