hmo/Deployments
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
798bbdf6fe330c9b7d974b078a7eb355ba86672f
Deployments/acme/README.md

170 lines
6.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
## 前期准备
主要是接下来安装acme时的gfw问题。如果是境内服务器则有可能需要如下步骤。
1. 小飞机的局域网内的代理地址。因为get.acme.sh中包含的脚本请求地址可能会被墙
`export http_proxy="172.18.184.139:10082"`
`export https_proxy="172.18.184.139:10082"`
2. 是因为据说在此加入上面的export命令可以实现开机自动开启代理。但没有尝试
`vim /etc/bashrc`
3. 同上
`vim /etc/profile`
## 安装acme
1. 安装acme
`curl https://get.acme.sh | sh`
安装完毕后关闭这个连接的console再重新打开。
2. 将dns api的key和secret存入环境变量。此处为阿里云事前已经给对应SAM子账户分配了FullDnsApiAccess的权限。参见 https://blog.csdn.net/chen249191508/article/details/98088553
`export Ali_Key="key"`
`export Ali_Secret="secret"`
参见保密区域获取真实内容。注意阿里云的控制台中这两个值只在添加SAM子账户的时候出现需要马上自行保存
## 获取证书
1. 申请安装证书。加--debug参数可以显示更多细节
`acme.sh --debug --issue --dns dns_ali -d dev.woyue.org -d *.dev.woyue.org`
2. 安装完毕后,检验是否配置自动任务
`crontab -e`
3. 确认当前证书
`acme.sh --list`
## 安装证书
1. 复制证书:
场景1
`mkdir -p /srv/certbot/conf/live/dev.woyue.org`
`acme.sh --installcert -d dev.woyue.org -d *.dev.woyue.org \
--key-file /srv/certbot/conf/live/dev.woyue.org/privkey.pem \
--fullchain-file /srv/certbot/conf/live/dev.woyue.org/fullchain.pem \
--reloadcmd "docker restart nginx_nginx_1"`
场景2
`mkdir -p /srv/certbot/conf/live/nr.woyue.org`
`acme.sh --installcert -d nr.woyue.org -d *.nr.woyue.org \
--key-file /srv/certbot/conf/live/nr.woyue.org/privkey.pem \
--fullchain-file /srv/certbot/conf/live/nr.woyue.org/fullchain.pem \
--reloadcmd "docker restart nginx_server"`
注意最后的nginx_nginx_1或nginx_server为nginx容器的名称。请根据实际情况修改。**或不加此参数手动重启nginx**。
2. 生成dhparams文件
`openssl dhparam -out /srv/certbot/conf/ssl-dhparams.pem 2048`
## 使用证书
例如要使用上述证书则nginx的docker对应etc/letsencrypt的目录就是/srv/certbot/conf。比如说conf文件里引用的密钥文件路径为
ssl_certificate /etc/letsencrypt/live/nr.woyue.org/fullchain.pem
那么docker mount的路径就应该是-v /srv/certbot/conf:/etc/letsencrypt
## 应用实例
1centos2上的证书强制刷新
acme.sh --force --debug --issue --dns dns_ali -d nr.woyue.org -d *.nr.woyue.org
然后重新执行上述安装指令并重启nginx
acme.sh --installcert -d nr.woyue.org -d *.nr.woyue.org \
--key-file /srv/certbot/conf/live/nr.woyue.org/privkey.pem \
--fullchain-file /srv/certbot/conf/live/nr.woyue.org/fullchain.pem \
--reloadcmd "docker restart nginx_server"
【2021/10/12】前期就已经重新更新失败。经查依旧是访问某网址时超时的问题。为此保持windows服务器的小飞机开启再强制重新更新成功。因此先持续保留以观察是否能续签成功。
2frps服务器上的acme更新与证书刷新
记录时间2021/7/20
访问网址web.dev.woyue.org发现证书过期。
登录服务器通过acme.sh --list查看发现证书renew时间为将近两个月前但Created的时间为将近4个月前。这说明renew没有成功。
执行:
`acme.sh --debug --issue --dns dns_ali -d dev.woyue.org -d *.dev.woyue.org`
中途报错:
[Tue Jul 20 11:32:10 CST 2021] GET
[Tue Jul 20 11:32:10 CST 2021] url='https://cloudflare-dns.com/dns-query?name=_acme-challenge.dev.woyue.org&type=TXT'
[Tue Jul 20 11:32:10 CST 2021] timeout=
[Tue Jul 20 11:32:10 CST 2021] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Tue Jul 20 11:32:11 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Tue Jul 20 11:32:11 CST 2021] ret='35'
按上述提示网址查询error code 35:
**CURLE_SSL_CONNECT_ERROR (35)**
A problem occurred somewhere in the SSL/TLS handshake. You really want the error buffer and read the message there as it pinpoints the problem slightly more. Could be certificates (file formats, paths, permissions), passwords, and others.
尝试直接访问对应网址:'https://cloudflare-dns.com/dns-query?name=_acme-challenge.dev.woyue.org&type=TXT',无法访问。
这是acme.sh内部制定的网址因此考虑升级acme。
执行
`acme.sh --upgrade`
期间出现提示:
[Tue Jul 20 11:50:46 CST 2021] acme.sh is using ZeroSSL as default CA now.
[Tue Jul 20 11:50:46 CST 2021] Please update your account with an email address first.
[Tue Jul 20 11:50:46 CST 2021] acme.sh --register-account -m my@example.com
[Tue Jul 20 11:50:46 CST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
[Tue Jul 20 11:50:46 CST 2021] _on_issue_err
根据提示,需要先注册邮箱:
[root@ngork certbot]# `acme.sh --register-account -m damnedmoon@163.com`
[Tue Jul 20 11:54:05 CST 2021] No EAB credentials found for ZeroSSL, let's get one
[Tue Jul 20 11:54:07 CST 2021] Registering account: https://acme.zerossl.com/v2/DV90
[Tue Jul 20 11:54:10 CST 2021] Registered
[Tue Jul 20 11:54:10 CST 2021] ACCOUNT_THUMBPRINT='8Lcr_kW542VKNC3VCJwbFcuPEaFiunVnzJBxOKJAejM'
再次执行
`acme.sh --debug --issue --dns dns_ali -d dev.woyue.org -d *.dev.woyue.org`
提示成功。执行
`acme.sh --list`
Main_Domain KeyLength SAN_Domains CA Created Renew
dev.woyue.org "" *.dev.woyue.org ZeroSSL.com Tue Jul 20 03:55:38 UTC 2021 Sat Sep 18 03:55:38 UTC 2021
可见,证书已经申请成功。
接下来重新安装证书并重启nginx docker容器
`acme.sh --installcert -d dev.woyue.org -d *.dev.woyue.org \
--key-file /srv/certbot/conf/live/dev.woyue.org/privkey.pem \
--fullchain-file /srv/certbot/conf/live/dev.woyue.org/fullchain.pem \
--reloadcmd "docker restart nginx_nginx_1"`
Reference in New Issue View Git Blame Copy Permalink