hmo/Deployments
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

更新acme文档。

Browse Source
This commit is contained in:
Dennis Mo
2021-07-20 12:27:43 +08:00
parent 0e32f9f383
commit 3bfaefcf0b
1 changed files with 82 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

92
acme/README.md
View File

@@ -52,27 +52,27 @@
场景1 场景1
mkdir -p /srv/certbot/conf/live/dev.woyue.org `mkdir -p /srv/certbot/conf/live/dev.woyue.org`
acme.sh --installcert -d dev.woyue.org -d *.dev.woyue.org \ `acme.sh --installcert -d dev.woyue.org -d *.dev.woyue.org \
--key-file /srv/certbot/conf/live/dev.woyue.org/privkey.pem \ --key-file /srv/certbot/conf/live/dev.woyue.org/privkey.pem \
--fullchain-file /srv/certbot/conf/live/dev.woyue.org/fullchain.pem \ --fullchain-file /srv/certbot/conf/live/dev.woyue.org/fullchain.pem \
--reloadcmd "docker restart nginxdocker_nginx_1" --reloadcmd "docker restart nginx_nginx_1"`
场景2 场景2
mkdir -p /srv/certbot/conf/live/nr.woyue.org `mkdir -p /srv/certbot/conf/live/nr.woyue.org`
acme.sh --installcert -d nr.woyue.org -d *.nr.woyue.org \ `acme.sh --installcert -d nr.woyue.org -d *.nr.woyue.org \
--key-file /srv/certbot/conf/live/nr.woyue.org/privkey.pem \ --key-file /srv/certbot/conf/live/nr.woyue.org/privkey.pem \
--fullchain-file /srv/certbot/conf/live/nr.woyue.org/fullchain.pem \ --fullchain-file /srv/certbot/conf/live/nr.woyue.org/fullchain.pem \
--reloadcmd "docker restart nginx_server" --reloadcmd "docker restart nginx_server"`
注意最后的nginxdocker_nginx_1或nginx_server为nginx容器的名称。请根据实际情况修改。**或不加此参数手动重启nginx**。 注意最后的nginx_nginx_1或nginx_server为nginx容器的名称。请根据实际情况修改。**或不加此参数手动重启nginx**。
2. 生成dhparams文件 2. 生成dhparams文件
openssl dhparam -out /srv/certbot/conf/ssl-dhparams.pem 2048 `openssl dhparam -out /srv/certbot/conf/ssl-dhparams.pem 2048`
## 使用证书 ## 使用证书
@@ -84,7 +84,7 @@ ssl_certificate /etc/letsencrypt/live/nr.woyue.org/fullchain.pem
## 应用实例 ## 应用实例
centos2上的证书强制刷新 1centos2上的证书强制刷新
acme.sh --force --debug --issue --dns dns_ali -d nr.woyue.org -d *.nr.woyue.org acme.sh --force --debug --issue --dns dns_ali -d nr.woyue.org -d *.nr.woyue.org
@@ -92,4 +92,76 @@ acme.sh --force --debug --issue --dns dns_ali -d nr.woyue.org -d *.nr.woyue.org
acme.sh --installcert -d nr.woyue.org -d *.nr.woyue.org \ acme.sh --installcert -d nr.woyue.org -d *.nr.woyue.org \
--key-file /srv/certbot/conf/live/nr.woyue.org/privkey.pem \ --key-file /srv/certbot/conf/live/nr.woyue.org/privkey.pem \
--fullchain-file /srv/certbot/conf/live/nr.woyue.org/fullchain.pem \ --fullchain-file /srv/certbot/conf/live/nr.woyue.org/fullchain.pem \
--reloadcmd "docker restart nginx_server" --reloadcmd "docker restart nginx_server"
2frps服务器上的acme更新与证书刷新
记录时间2021/7/20
访问网址web.dev.woyue.org发现证书过期。
登录服务器通过acme.sh --list查看发现证书renew时间为将近两个月前但Created的时间为将近4个月前。这说明renew没有成功。
执行:
`acme.sh --debug --issue --dns dns_ali -d dev.woyue.org -d *.dev.woyue.org`
中途报错:
[Tue Jul 20 11:32:10 CST 2021] GET
[Tue Jul 20 11:32:10 CST 2021] url='https://cloudflare-dns.com/dns-query?name=_acme-challenge.dev.woyue.org&type=TXT'
[Tue Jul 20 11:32:10 CST 2021] timeout=
[Tue Jul 20 11:32:10 CST 2021] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Tue Jul 20 11:32:11 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Tue Jul 20 11:32:11 CST 2021] ret='35'
按上述提示网址查询error code 35:
**CURLE_SSL_CONNECT_ERROR (35)**
A problem occurred somewhere in the SSL/TLS handshake. You really want the error buffer and read the message there as it pinpoints the problem slightly more. Could be certificates (file formats, paths, permissions), passwords, and others.
尝试直接访问对应网址:'https://cloudflare-dns.com/dns-query?name=_acme-challenge.dev.woyue.org&type=TXT',无法访问。
这是acme.sh内部制定的网址因此考虑升级acme。
执行
`acme.sh --upgrade`
期间出现提示:
[Tue Jul 20 11:50:46 CST 2021] acme.sh is using ZeroSSL as default CA now.
[Tue Jul 20 11:50:46 CST 2021] Please update your account with an email address first.
[Tue Jul 20 11:50:46 CST 2021] acme.sh --register-account -m my@example.com
[Tue Jul 20 11:50:46 CST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
[Tue Jul 20 11:50:46 CST 2021] _on_issue_err
根据提示,需要先注册邮箱:
[root@ngork certbot]# `acme.sh --register-account -m damnedmoon@163.com`
[Tue Jul 20 11:54:05 CST 2021] No EAB credentials found for ZeroSSL, let's get one
[Tue Jul 20 11:54:07 CST 2021] Registering account: https://acme.zerossl.com/v2/DV90
[Tue Jul 20 11:54:10 CST 2021] Registered
[Tue Jul 20 11:54:10 CST 2021] ACCOUNT_THUMBPRINT='8Lcr_kW542VKNC3VCJwbFcuPEaFiunVnzJBxOKJAejM'
再次执行
`acme.sh --debug --issue --dns dns_ali -d dev.woyue.org -d *.dev.woyue.org`
提示成功。执行
`acme.sh --list`
Main_Domain KeyLength SAN_Domains CA Created Renew
dev.woyue.org "" *.dev.woyue.org ZeroSSL.com Tue Jul 20 03:55:38 UTC 2021 Sat Sep 18 03:55:38 UTC 2021
可见,证书已经申请成功。
接下来重新安装证书并重启nginx docker容器
`acme.sh --installcert -d dev.woyue.org -d *.dev.woyue.org \
--key-file /srv/certbot/conf/live/dev.woyue.org/privkey.pem \
--fullchain-file /srv/certbot/conf/live/dev.woyue.org/fullchain.pem \
--reloadcmd "docker restart nginx_nginx_1"`