chchang/hugo_backup
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

fix typo

Browse Source
This commit is contained in:
Eric Chang
2021-08-26 14:05:03 +08:00
parent 8ba4ae8ff7
commit 1293fd23e0
164 changed files with 601 additions and 616 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
content/post/auto-fetch-wildcard-ssl-certs-acme-dns-lego.md
View File

@@ -11,8 +11,6 @@ keywords:
- lego
---
### auto fetch Wildcard ssl certs with lego + acme-dns ( Domain Register : Namecheap)
自從用了 [leproxy](https://github.com/artyom/leproxy) 之後其實就很少在管ssl 憑證的問題,反正[leproxy ](https://github.com/artyom/leproxy)都會自動處理好
不過LAN裡面的機器越來越多每次看到警告說沒有加密的訊息就有點不爽之前用了很多方式去申請全域憑證申請倒是還好沒太多問題。但是一碰到要更新就都無法自動因為都會要求去修改DNS 的 TXT 或者是 CNAME 記錄。
@@ -76,7 +74,7 @@ firewall 上開啟port mapping ,把 UDP 53 轉給這臺跑 lego 的機器
#### 設定acme-dns
```shell
```
#建立 acme-dns 目錄
mkdir -p /etc/acme-dns
mkdir -p /var/lib/acme-dns
@@ -87,7 +85,7 @@ sudo vim /etc/acme-dns/config.cfg
config 的內容如下,順便補上一些自己的註解
```shell
```
#/etc/acme-dns/config.cfg
[general]
# DNS interface
@@ -150,13 +148,13 @@ logformat = "text"
新增 acme-dns.service 的systemd config
```shell
```
sudo vim /etc/systemd/system/acme-dns.service
```
內容如下
```shell
```
# /etc/systemd/system/acme-dns.service
[Unit]
Description=ACMD DNS
@@ -173,7 +171,7 @@ WantedBy=multi-user.target
存檔離開,並啟用 acme-dns service
```shell
```
sudo systemctl daemon-reload
sudo systemctl enable --now acme-dns.service
# 檢查一下狀態是否正常
@@ -214,7 +212,7 @@ https://go-acme.github.io/lego/dns/acme-dns/
```shell
```
# 第一個ACME_DNS_API_BASE是剛剛設定acme-dns API port
# 然後 ACME_DNS_STORAGE_PATH 是lego存放賬戶資料的地方
# 後面就是lego 的指令
@@ -223,7 +221,7 @@ ACME_DNS_API_BASE=http://localhost:9000 ACME_DNS_STORAGE_PATH=/home/minion/.lego
執行完成後,會在目錄底下產生一個叫 .lego 的目錄,用來存放憑證檔案
```shell
```
2021-08-26 11:55:16 [minion@hqs058 ~]$ ls -la .lego/certificates/
total 28
drwx------ 2 minion sudo 4096 Aug 26 09:35 .
@@ -242,7 +240,7 @@ drwx------ 4 minion sudo 4096 Aug 26 09:33 ..
把最後面的 run 改成 revoke 就可以了!
```shell
```
ACME_DNS_API_BASE=http://localhost:9000 ACME_DNS_STORAGE_PATH=/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com revoke
2021/08/26 11:59:13 Trying to revoke certificate for domain *.abc.com
2021/08/26 11:59:14 Certificate was revoked.
@@ -252,7 +250,7 @@ ACME_DNS_API_BASE=http://localhost:9000 ACME_DNS_STORAGE_PATH=/home/minion/.lego
再來跑一次申請新憑證測試看看
```shell
```
ACME_DNS_API_BASE=http://localhost:9000 ACME_DNS_STORAGE_PATH=/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com run
2021/08/26 12:00:51 [INFO] [*.abc.com] acme: Obtaining bundled SAN certificate
2021/08/26 12:00:52 [INFO] [*.abc.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/25150773810
@@ -263,7 +261,7 @@ ACME_DNS_API_BASE=http://localhost:9000 ACME_DNS_STORAGE_PATH=/home/minion/.lego
同樣地會產生新的ssl 憑證
```shell
```
2021-08-26 12:00:53 [minion@hqs058 ~]$ ls -la .lego/certificates/
total 28
drwx------ 2 minion sudo 4096 Aug 26 12:00 .
@@ -279,7 +277,7 @@ drwx------ 5 minion sudo 4096 Aug 26 11:59 ..
後面要更新就把指令最後的 run 改成 renew
```shell
```
ACME_DNS_API_BASE=http://localhost:9000 ACME_DNS_STORAGE_PATH=/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com renew
2021/08/26 12:04:00 [*.abc.com] The certificate expires in 89 days, the number of days defined to perform the renewal is 30: no renewal.
```