168 lines
5.8 KiB
Markdown
168 lines
5.8 KiB
Markdown
## 前期准备
|
||
|
||
主要是接下来安装acme时的gfw问题。如果是境内服务器,则有可能需要如下步骤。
|
||
|
||
1. 小飞机的局域网内的代理地址。因为get.acme.sh中包含的脚本请求地址可能会被墙
|
||
|
||
`export http_proxy="172.18.184.139:10082"`
|
||
|
||
`export https_proxy="172.18.184.139:10082"`
|
||
|
||
2. 是因为据说在此加入上面的export命令可以实现开机自动开启代理。但没有尝试
|
||
|
||
`vim /etc/bashrc`
|
||
|
||
3. 同上
|
||
|
||
`vim /etc/profile`
|
||
|
||
## 安装acme
|
||
|
||
1. 安装acme
|
||
|
||
`curl https://get.acme.sh | sh`
|
||
|
||
安装完毕后,关闭这个连接的console再重新打开。
|
||
|
||
2. 将dns api的key和secret存入环境变量。此处为阿里云,事前已经给对应SAM子账户分配了FullDnsApiAccess的权限。参见: https://blog.csdn.net/chen249191508/article/details/98088553
|
||
|
||
`export Ali_Key="key"`
|
||
|
||
`export Ali_Secret="secret"`
|
||
|
||
参见保密区域获取真实内容。注意,阿里云的控制台中,这两个值只在添加SAM子账户的时候出现,需要马上自行保存
|
||
|
||
## 获取证书
|
||
|
||
1. 申请安装证书。加--debug参数可以显示更多细节
|
||
|
||
`acme.sh --debug --issue --dns dns_ali -d dev.woyue.org -d *.dev.woyue.org`
|
||
|
||
2. 安装完毕后,检验是否配置自动任务
|
||
|
||
`crontab -e`
|
||
|
||
3. 确认当前证书
|
||
|
||
`acme.sh --list`
|
||
|
||
## 安装证书
|
||
|
||
1. 复制证书:
|
||
|
||
场景1:
|
||
|
||
`mkdir -p /srv/certbot/conf/live/dev.woyue.org`
|
||
|
||
`acme.sh --installcert -d dev.woyue.org -d *.dev.woyue.org \
|
||
--key-file /srv/certbot/conf/live/dev.woyue.org/privkey.pem \
|
||
--fullchain-file /srv/certbot/conf/live/dev.woyue.org/fullchain.pem \
|
||
--reloadcmd "docker restart nginx_nginx_1"`
|
||
|
||
场景2:
|
||
|
||
`mkdir -p /srv/certbot/conf/live/nr.woyue.org`
|
||
|
||
`acme.sh --installcert -d nr.woyue.org -d *.nr.woyue.org \
|
||
--key-file /srv/certbot/conf/live/nr.woyue.org/privkey.pem \
|
||
--fullchain-file /srv/certbot/conf/live/nr.woyue.org/fullchain.pem \
|
||
--reloadcmd "docker restart nginx_server"`
|
||
|
||
注意,最后的nginx_nginx_1或nginx_server为nginx容器的名称。请根据实际情况修改。**或不加此参数,手动重启nginx**。
|
||
|
||
2. 生成:dhparams文件
|
||
|
||
`openssl dhparam -out /srv/certbot/conf/ssl-dhparams.pem 2048`
|
||
|
||
## 使用证书
|
||
|
||
例如,要使用上述证书,则nginx的docker对应etc/letsencrypt的目录就是/srv/certbot/conf。比如说,conf文件里引用的密钥文件路径为:
|
||
|
||
ssl_certificate /etc/letsencrypt/live/nr.woyue.org/fullchain.pem
|
||
|
||
那么,docker mount的路径就应该是:-v /srv/certbot/conf:/etc/letsencrypt
|
||
|
||
## 应用实例
|
||
|
||
(1)centos2上的证书强制刷新:
|
||
|
||
acme.sh --force --debug --issue --dns dns_ali -d nr.woyue.org -d *.nr.woyue.org
|
||
|
||
然后,重新执行上述安装指令并重启nginx
|
||
acme.sh --installcert -d nr.woyue.org -d *.nr.woyue.org \
|
||
--key-file /srv/certbot/conf/live/nr.woyue.org/privkey.pem \
|
||
--fullchain-file /srv/certbot/conf/live/nr.woyue.org/fullchain.pem \
|
||
--reloadcmd "docker restart nginx_server"
|
||
|
||
(2)frps服务器上的acme更新与证书刷新
|
||
|
||
记录时间:2021/7/20
|
||
|
||
访问网址web.dev.woyue.org,发现证书过期。
|
||
|
||
登录服务器,通过acme.sh --list查看,发现证书renew时间为将近两个月前,但Created的时间为将近4个月前。这说明renew没有成功。
|
||
|
||
执行:
|
||
|
||
`acme.sh --debug --issue --dns dns_ali -d dev.woyue.org -d *.dev.woyue.org`
|
||
|
||
中途报错:
|
||
|
||
[Tue Jul 20 11:32:10 CST 2021] GET
|
||
[Tue Jul 20 11:32:10 CST 2021] url='https://cloudflare-dns.com/dns-query?name=_acme-challenge.dev.woyue.org&type=TXT'
|
||
[Tue Jul 20 11:32:10 CST 2021] timeout=
|
||
[Tue Jul 20 11:32:10 CST 2021] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
|
||
[Tue Jul 20 11:32:11 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
|
||
[Tue Jul 20 11:32:11 CST 2021] ret='35'
|
||
|
||
按上述提示网址查询error code 35:
|
||
|
||
**CURLE_SSL_CONNECT_ERROR (35)**
|
||
|
||
A problem occurred somewhere in the SSL/TLS handshake. You really want the error buffer and read the message there as it pinpoints the problem slightly more. Could be certificates (file formats, paths, permissions), passwords, and others.
|
||
|
||
尝试直接访问对应网址:'https://cloudflare-dns.com/dns-query?name=_acme-challenge.dev.woyue.org&type=TXT',无法访问。
|
||
|
||
这是acme.sh内部制定的网址,因此考虑升级acme。
|
||
|
||
执行
|
||
|
||
`acme.sh --upgrade`
|
||
|
||
期间出现提示:
|
||
|
||
[Tue Jul 20 11:50:46 CST 2021] acme.sh is using ZeroSSL as default CA now.
|
||
[Tue Jul 20 11:50:46 CST 2021] Please update your account with an email address first.
|
||
[Tue Jul 20 11:50:46 CST 2021] acme.sh --register-account -m my@example.com
|
||
[Tue Jul 20 11:50:46 CST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
|
||
[Tue Jul 20 11:50:46 CST 2021] _on_issue_err
|
||
|
||
根据提示,需要先注册邮箱:
|
||
|
||
[root@ngork certbot]# `acme.sh --register-account -m damnedmoon@163.com`
|
||
[Tue Jul 20 11:54:05 CST 2021] No EAB credentials found for ZeroSSL, let's get one
|
||
[Tue Jul 20 11:54:07 CST 2021] Registering account: https://acme.zerossl.com/v2/DV90
|
||
[Tue Jul 20 11:54:10 CST 2021] Registered
|
||
[Tue Jul 20 11:54:10 CST 2021] ACCOUNT_THUMBPRINT='8Lcr_kW542VKNC3VCJwbFcuPEaFiunVnzJBxOKJAejM'
|
||
|
||
再次执行
|
||
|
||
`acme.sh --debug --issue --dns dns_ali -d dev.woyue.org -d *.dev.woyue.org`
|
||
|
||
提示成功。执行
|
||
|
||
`acme.sh --list`
|
||
|
||
Main_Domain KeyLength SAN_Domains CA Created Renew
|
||
dev.woyue.org "" *.dev.woyue.org ZeroSSL.com Tue Jul 20 03:55:38 UTC 2021 Sat Sep 18 03:55:38 UTC 2021
|
||
|
||
可见,证书已经申请成功。
|
||
|
||
接下来,重新安装证书并重启nginx docker容器:
|
||
|
||
`acme.sh --installcert -d dev.woyue.org -d *.dev.woyue.org \
|
||
--key-file /srv/certbot/conf/live/dev.woyue.org/privkey.pem \
|
||
--fullchain-file /srv/certbot/conf/live/dev.woyue.org/fullchain.pem \
|
||
--reloadcmd "docker restart nginx_nginx_1"`
|
||
|