更新acme文档。

2021-07-20 12:27:43 +08:00
parent 0e32f9f383
commit 3bfaefcf0b
1 changed files with 82 additions and 10 deletions
--- a/acme/README.md
+++ b/acme/README.md
@@ -52,27 +52,27 @@

   场景1：

-   mkdir -p /srv/certbot/conf/live/dev.woyue.org
+   `mkdir -p /srv/certbot/conf/live/dev.woyue.org`

-   acme.sh --installcert -d dev.woyue.org -d *.dev.woyue.org \
+   `acme.sh --installcert -d dev.woyue.org -d *.dev.woyue.org \
   --key-file /srv/certbot/conf/live/dev.woyue.org/privkey.pem \
   --fullchain-file /srv/certbot/conf/live/dev.woyue.org/fullchain.pem \
-   --reloadcmd "docker restart nginxdocker_nginx_1"
+   --reloadcmd "docker restart nginx_nginx_1"`

   场景2：

-   mkdir -p /srv/certbot/conf/live/nr.woyue.org
+   `mkdir -p /srv/certbot/conf/live/nr.woyue.org`

-   acme.sh --installcert -d nr.woyue.org -d *.nr.woyue.org \
+   `acme.sh --installcert -d nr.woyue.org -d *.nr.woyue.org \
   --key-file /srv/certbot/conf/live/nr.woyue.org/privkey.pem \
   --fullchain-file /srv/certbot/conf/live/nr.woyue.org/fullchain.pem \
-   --reloadcmd "docker restart nginx_server"
+   --reloadcmd "docker restart nginx_server"`

-   注意，最后的nginxdocker_nginx_1或nginx_server为nginx容器的名称。请根据实际情况修改。**或不加此参数，手动重启nginx**。
+   注意，最后的nginx_nginx_1或nginx_server为nginx容器的名称。请根据实际情况修改。**或不加此参数，手动重启nginx**。

 2. 生成：dhparams文件

-   openssl dhparam -out /srv/certbot/conf/ssl-dhparams.pem 2048
+   `openssl dhparam -out /srv/certbot/conf/ssl-dhparams.pem 2048`

 ## 使用证书

@@ -84,7 +84,7 @@ ssl_certificate /etc/letsencrypt/live/nr.woyue.org/fullchain.pem

 ## 应用实例

-centos2上的证书强制刷新：
+（1）centos2上的证书强制刷新：

 acme.sh --force --debug --issue --dns dns_ali -d nr.woyue.org -d *.nr.woyue.org

@@ -93,3 +93,75 @@ acme.sh --force --debug --issue --dns dns_ali -d nr.woyue.org -d *.nr.woyue.org
   --key-file /srv/certbot/conf/live/nr.woyue.org/privkey.pem \
   --fullchain-file /srv/certbot/conf/live/nr.woyue.org/fullchain.pem \
   --reloadcmd "docker restart nginx_server"
+
+（2）frps服务器上的acme更新与证书刷新
+
+记录时间：2021/7/20
+
+访问网址web.dev.woyue.org，发现证书过期。
+
+登录服务器，通过acme.sh --list查看，发现证书renew时间为将近两个月前，但Created的时间为将近4个月前。这说明renew没有成功。
+
+执行：
+
+`acme.sh --debug --issue --dns dns_ali -d dev.woyue.org -d *.dev.woyue.org`
+
+中途报错：
+
+[Tue Jul 20 11:32:10 CST 2021] GET
+[Tue Jul 20 11:32:10 CST 2021] url='https://cloudflare-dns.com/dns-query?name=_acme-challenge.dev.woyue.org&type=TXT'
+[Tue Jul 20 11:32:10 CST 2021] timeout=
+[Tue Jul 20 11:32:10 CST 2021] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
+[Tue Jul 20 11:32:11 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
+[Tue Jul 20 11:32:11 CST 2021] ret='35'
+
+按上述提示网址查询error code 35:
+
+**CURLE_SSL_CONNECT_ERROR (35)**
+
+A problem occurred somewhere in the SSL/TLS handshake. You really want the error buffer and read the message there as it pinpoints the problem slightly more. Could be certificates (file formats, paths, permissions), passwords, and others.
+
+尝试直接访问对应网址：'https://cloudflare-dns.com/dns-query?name=_acme-challenge.dev.woyue.org&type=TXT'，无法访问。
+
+这是acme.sh内部制定的网址，因此考虑升级acme。
+
+执行
+
+`acme.sh --upgrade`
+
+期间出现提示：
+
+[Tue Jul 20 11:50:46 CST 2021] acme.sh is using ZeroSSL as default CA now.
+[Tue Jul 20 11:50:46 CST 2021] Please update your account with an email address first.
+[Tue Jul 20 11:50:46 CST 2021] acme.sh --register-account -m my@example.com
+[Tue Jul 20 11:50:46 CST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
+[Tue Jul 20 11:50:46 CST 2021] _on_issue_err
+
+根据提示，需要先注册邮箱：
+
+[root@ngork certbot]# `acme.sh --register-account -m damnedmoon@163.com`
+[Tue Jul 20 11:54:05 CST 2021] No EAB credentials found for ZeroSSL, let's get one
+[Tue Jul 20 11:54:07 CST 2021] Registering account: https://acme.zerossl.com/v2/DV90
+[Tue Jul 20 11:54:10 CST 2021] Registered
+[Tue Jul 20 11:54:10 CST 2021] ACCOUNT_THUMBPRINT='8Lcr_kW542VKNC3VCJwbFcuPEaFiunVnzJBxOKJAejM'
+
+再次执行
+
+`acme.sh --debug --issue --dns dns_ali -d dev.woyue.org -d *.dev.woyue.org`
+
+提示成功。执行
+
+`acme.sh --list`
+
+Main_Domain    KeyLength  SAN_Domains      CA           Created                       Renew
+dev.woyue.org  ""         *.dev.woyue.org  ZeroSSL.com  Tue Jul 20 03:55:38 UTC 2021  Sat Sep 18 03:55:38 UTC 2021
+
+可见，证书已经申请成功。
+
+接下来，重新安装证书并重启nginx docker容器：
+
+`acme.sh --installcert -d dev.woyue.org -d *.dev.woyue.org \
+--key-file /srv/certbot/conf/live/dev.woyue.org/privkey.pem \
+--fullchain-file /srv/certbot/conf/live/dev.woyue.org/fullchain.pem \
+--reloadcmd "docker restart nginx_nginx_1"`
+