cerbot 比較方便
各種申請Tool: https://letsencrypt.org/docs/client-options/
- Certbot (建議使用)
- Acme
- Caddy
- Dehydrated
申請限制Rate Limit
- Names/Certificate:單一 certificate 限制 100 個 hostname
- Certificates/Domain:每個 domain 每個禮拜最多 20 個 certificate,但 renew 不計算在 quota 內 (需要憑證內的 hostname 與之前完全一樣)
- Certificates/FQDNset:相同 hostname 的憑證每個禮拜最多發出五個
- Docker:https://hub.docker.com/r/staticfloat/nginx-certbot/
- https://certbot.eff.org/
- Document: https://certbot.eff.org/docs/using.html#getting-certificates-and-choosing-plugins
- Ubuntu+nginx
基本使用
- 全自動 (自備 HTTP 伺服器) certbot
- 半自動(自備 HTTP 伺服器,不調整 HTTP 伺服器設定)certbot certonly
- webroot (自備 HTTP 伺服器,自行設定 acme-challenge 部分)certbot certonly --webroot
- 手動(自備 HTTP 伺服器 、其他主機)certbot certonly --manual
- DNS 套件 certbot certonly --dns-PLUGIN
- Standalone(Certbot 提供獨立 HTTP 伺服器部分)certbot certonly --standalone
https://hub.docker.com/r/staticfloat/nginx-certbot/
/scripts/run_certbot.sh
Helper function to ask certbot for the given domain(s). Must have defined the. EMAIL environment variable, to register the proper support email address.
. ./util.sh get_certificate demo.kttech.ga char0x00@gmail.com)
Given a domain name, return true if a renewal is required (last renewal ran over a week ago or never happened yet), otherwise return false.
echo "$(. ./util.sh is_renewal_required demo.kttech.ga)"
https://github.com/acmesh-official/acme.sh
https://my.freenom.com/clientarea.php
acme.sh --issue -d localhost --standalone
./acme.sh --renew -d localhost
--yes-I-know-dns-manual-mode-enough-go-ahead-please
curl https://get.acme.sh | sh -s email=char0x00@gmail.com
acme.sh --issue -d example.com -w /home/wwwroot/example.com
or
acme.sh --issue -d example.com -w /var/www/html
Example:
/home/ubuntu/.acme.sh/acme.sh --issue -d testapi.petdev.info -w /home/ubuntu/pawbo-api/src/assets/
類似nginx https://github.com/caddyserver/caddy 教學: https://junyussh.github.io/p/caddy-web-server/
brew install caddy
cinfig file
{
"email" kimi0230@gmail.com
}
localhost {
reverse_proxy /crwn-clothing/* 127.0.0.1:3000
encode gzip
file_server
log {
output file access.log {
roll_keep_for 5s
}
}
}
localhost:7788 {
reverse_proxy /* 127.0.0.1:5566
file_server
}
caddy adapt --config /path/to/Caddyfile caddy reload
caddy run
check caddy server http://localhost:2019/
you can see browser show 404 page not found
...
教學: https://tinyl.io/4vsD (阿仁) https://github.com/dehydrated-io/dehydrated
apt-get install curl
$ # refer: https://github.com/lukas2511/dehydrated/releases
curl -LO https://github.com/lukas2511/dehydrated/archive/v0.4.0.tar.gz
tar -zxv -f v0.4.0.tar.gz
cd dehydrated-0.4.0/
curl -LO https://raw.githubusercontent.com/lukas2511/dehydrated/master/dehydrated
mkdir /etc/dehydrated/
cp dehydrated /etc/dehydrated/
chmod a+x /etc/dehydrated/dehydrated
mkdir -p /var/www/dehydrated/
location /.well-known/acme-challenge/ { alias /var/www/dehydrated/; }
/etc/dehydrated/dehydrated --register --accept-terms
注意子網域名稱不可以有 "."
/etc/dehydrated/dehydrated -c -d test-api.pawbo.com
成功後產生的檔案都在 /etc/dehydrated/certs/letsencrypt.tw/
成功的話會有類似的輸出:
# INFO: Using main config file /etc/dehydrated/config.sh
Processing letsencrypt.tw
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting challenge for letsencrypt.tw...
+ Responding to challenge for letsencrypt.tw...
+ Challenge is valid!
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!
ssl_certificate /etc/dehydrated/certs/josera.pawbo.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/josera.pawbo.com/privkey.pem;
service nginx reload
接下來設定 /etc/cron.d/dehydrated-letsencrypt_tw (因為 /etc/cron.d/ 裡面的檔名不能有 . 這個符號,用 _ 取代),讓 cron 每天自動檢查並更新:
vi /etc/crobtab
0 4 1 * * root sleep $(expr $(printf "\%d" "0x$(hostname | md5sum | cut -c 1-8)") \% 86400); ( /etc/dehydrated/dehydrated -c -d spring-test.pawbo.com; /usr/sbin/service nginx reload ) > /tmp/dehydrated-spring-test.pawbo.com.log 2>&1
( /etc/dehydrated/dehydrated -c -d test-pawbolive.pawbo.com; /usr/sbin/service nginx reload ) > /tmp/dehydrated-test-pawbolive.pawbo.com.log 2>&1
/etc/dehydrated/certbot-auto renew --dry-run /etc/dehydrated/certbot-auto renew --quiet --no-self-upgrade --post-hook "systemctl restart nginx"
cd /etc/nginx/sites-available/
vi test-api.pawbo.com
修改如下:
location /.well-known/acme-challenge/ {
alias /var/www/dehydrated/;
}
#rewrite ^(.*)$ https://$host$1 permanent;
#ssl_certificate /etc/dehydrated/certs/jenkins.pawbo.com/fullchain.pem;
#ssl_certificate_key /etc/dehydrated/certs/jenkins.pawbo.com/privkey.pem;
重啟 nginx
systemctl restart nginx
cd /etc/dehydrated/certs/ 刪除網址目錄
重新要憑證
/etc/dehydrated/dehydrated -c -d test-api.pawbo.com
cd /etc/nginx/sites-enabled/
vi test-api.pawbo.com
再把檔案回復如下:
#location /.well-known/acme-challenge/ {
# alias /var/www/dehydrated/;
#}
rewrite ^(.*)$ https://$host$1 permanent;
ssl_certificate /etc/dehydrated/certs/jenkins.pawbo.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/jenkins.pawbo.com/privkey.pem;
systemctl restart nginx
https://www.maxlist.xyz/2020/01/19/docker-nginx/
sudo vi /etc/hosts
127.0.0.1 kk.test.caddy
dscacheutil -flushcache