2021-08-26 14:05:03 +08:00
parent 8ba4ae8ff7
commit 1293fd23e0
164 changed files with 601 additions and 616 deletions


@@ -13,7 +13,7 @@
"articleSection" : "post",
"name" : "auto fetch Wildcard ssl certs with lego \x2b acme-dns ( Domain Register : Namecheap)",
"headline" : "auto fetch Wildcard ssl certs with lego \x2b acme-dns ( Domain Register : Namecheap)",
"description" : "\x3ch3 id=\x22auto-fetch--wildcard-ssl-certs-with-lego--acme-dns--domain-register--namecheap\x22\x3eauto fetch Wildcard ssl certs with lego \x2b acme-dns ( Domain Register : Namecheap)\x3c\/h3\x3e\n\x3cp\x3e自從用了 \x3ca href=\x22https:\/\/github.com\/artyom\/leproxy\x22\x3eleproxy\x3c\/a\x3e 之後其實就很少在管ssl 憑證的問題,反正\x3ca href=\x22https:\/\/github.com\/artyom\/leproxy\x22\x3eleproxy \x3c\/a\x3e都會自動處理好\x3c\/p\x3e\n\x3cp\x3e不過LAN裡面的機器越來越多每次看到警告說沒有加密的訊息就有點不爽之前用了很多方式去申請全域憑證申請倒是還好沒太多問題。但是一碰到要更新就都無法自動因為都會要求去修改DNS 的 TXT 或者是 CNAME 記錄。\x3c\/p\x3e\n\x3cp\x3e一般來說如果是其他DNS 供應商大部分都會提供API那就還好。 BUT !! (對然生就是離不開這個BUT \x26hellip;) 我們的域名是老闆在 iwantmyname 買的,一開始是給 webfaction 代管後來webfaction 被godaddy 買走,就轉到 namecheap 去(我也不知道為什麼不在godaddy 就好)。\x3c\/p\x3e",
"description" : "\x3cp\x3e自從用了 \x3ca href=\x22https:\/\/github.com\/artyom\/leproxy\x22\x3eleproxy\x3c\/a\x3e 之後其實就很少在管ssl 憑證的問題,反正\x3ca href=\x22https:\/\/github.com\/artyom\/leproxy\x22\x3eleproxy \x3c\/a\x3e都會自動處理好\x3c\/p\x3e\n\x3cp\x3e不過LAN裡面的機器越來越多每次看到警告說沒有加密的訊息就有點不爽之前用了很多方式去申請全域憑證申請倒是還好沒太多問題。但是一碰到要更新就都無法自動因為都會要求去修改DNS 的 TXT 或者是 CNAME 記錄。\x3c\/p\x3e\n\x3cp\x3e一般來說如果是其他DNS 供應商大部分都會提供API那就還好。 BUT !! (對然生就是離不開這個BUT \x26hellip;) 我們的域名是老闆在 iwantmyname 買的,一開始是給 webfaction 代管後來webfaction 被godaddy 買走,就轉到 namecheap 去(我也不知道為什麼不在godaddy 就好)。\x3c\/p\x3e",
"inLanguage" : "en",
"author" : "Eric Chang",
"creator" : "Eric Chang",
@@ -24,7 +24,7 @@
"datePublished": "2021-08-26 12:08:43 \x2b0800 CST",
"dateModified" : "2021-08-26 12:08:43 \x2b0800 CST",
"url" : "https:\/\/h.cowbay.org\/post\/auto-fetch-wildcard-ssl-certs-acme-dns-lego\/",
"wordCount" : "744",
"wordCount" : "730",
"image" : "https://h.cowbay.orghttps://h.cowbay.org/images/post-default-8.jpg"",
"keywords" : [ ""acme"",""acme-dns"",""lego"",""ssl"","Blog" ]
}
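Review bot: the unchanged context lines show the JSON-LD object is not valid JSON, so the wordCount correction (744 to 730) is invisible to any parser: "image" is the base URL concatenated onto an already-absolute URL (`https://h.cowbay.orghttps://h.cowbay.org/images/post-default-8.jpg`) followed by a doubled closing quote, and each "keywords" entry except the last is wrapped in doubled quotes (`""acme""`). Build the image URL once and JSON-encode the keyword list in the template rather than hand-quoting strings, then validate the block with a JSON parser.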
@@ -45,9 +45,9 @@
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.3.1/css/all.css" integrity="sha384-mzrmE5qonljUremFsqc01SB46JvROS7bZs3IO2EmfFsd15uHvIt+Y8vEf7N7fWAU" crossorigin="anonymous">
<link href="https://h.cowbay.org/css/style.css?v=1629952272" rel="stylesheet" id="theme-stylesheet" type='text/css' media='all'>
<link href="https://h.cowbay.org/css/style.css?v=1629957884" rel="stylesheet" id="theme-stylesheet" type='text/css' media='all'>
<link href="https://h.cowbay.org/css/custom.css?v=1629952272" rel="stylesheet" type='text/css' media='all'>
<link href="https://h.cowbay.org/css/custom.css?v=1629957884" rel="stylesheet" type='text/css' media='all'>
<link rel="shortcut icon" href="https://h.cowbay.org/img/favicon.ico" type="image/x-icon">
<link rel="icon" href="https://h.cowbay.org/img/favicon.ico" type="image/x-icon">
@@ -304,8 +304,7 @@ if (!doNotTrack) {
<div class="entry-container">
<div class="entry-content">
<article>
<h3 id="auto-fetch--wildcard-ssl-certs-with-lego--acme-dns--domain-register--namecheap">auto fetch Wildcard ssl certs with lego + acme-dns ( Domain Register : Namecheap)</h3>
<p>自從用了 <a href="https://github.com/artyom/leproxy">leproxy</a> 之後其實就很少在管ssl 憑證的問題,反正<a href="https://github.com/artyom/leproxy">leproxy </a>都會自動處理好</p>
<p>自從用了 <a href="https://github.com/artyom/leproxy">leproxy</a> 之後其實就很少在管ssl 憑證的問題,反正<a href="https://github.com/artyom/leproxy">leproxy </a>都會自動處理好</p>
<p>不過LAN裡面的機器越來越多每次看到警告說沒有加密的訊息就有點不爽之前用了很多方式去申請全域憑證申請倒是還好沒太多問題。但是一碰到要更新就都無法自動因為都會要求去修改DNS 的 TXT 或者是 CNAME 記錄。</p>
<p>一般來說如果是其他DNS 供應商大部分都會提供API那就還好。 BUT !! (對然生就是離不開這個BUT &hellip;) 我們的域名是老闆在 iwantmyname 買的,一開始是給 webfaction 代管後來webfaction 被godaddy 買走,就轉到 namecheap 去(我也不知道為什麼不在godaddy 就好)。</p>
<p>DNS 管理基本上都是大同小異啦可是namecheap 免費賬戶不提供 API 應該說要使用namecheap 提供的API ,需要滿足以下的條件</p>
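Review bot: the heading text removed here is the same title kept in the JSON-LD "name"/"headline", and it reads "Domain Register" where "Domain Registrar" is meant; fix the wording once in the post's front matter so both places pick it up. The first `<p>` of the remaining body appears as both a removed and an added line with no visible difference, which usually indicates a trailing-whitespace or line-ending change; worth confirming the source file does not mix line endings.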
@@ -336,90 +335,90 @@ tar zxvf acme-dns_0.8_linux_amd64.tar.gz &amp;&amp; sudo mv acme-dns /usr/local/
<p>本機如果有開firewall ,記得要放行 udp 53</p>
<hr>
<h4 id="設定acme-dns">設定acme-dns</h4>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell"><span style="color:#75715e">#建立 acme-dns 目錄</span>
<pre><code>#建立 acme-dns 目錄
mkdir -p /etc/acme-dns
mkdir -p /var/lib/acme-dns
<span style="color:#75715e">#建立 acme-dns 設定檔</span>
#建立 acme-dns 設定檔
sudo vim /etc/acme-dns/config.cfg
</code></pre></div><p>config 的內容如下,順便補上一些自己的註解</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell"><span style="color:#75715e">#/etc/acme-dns/config.cfg</span>
<span style="color:#f92672">[</span>general<span style="color:#f92672">]</span>
<span style="color:#75715e"># DNS interface</span>
<span style="color:#75715e"># 本來預設是只有 :53 在某些VPS 上會出錯,所以改成 0.0.0.0:53</span>
listen <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;0.0.0.0:53&#34;</span>
protocol <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;udp&#34;</span>
<span style="color:#75715e"># domain name to serve the requests off of</span>
<span style="color:#75715e"># 不是要設定的 domain而是這臺機器要負責的sub domain</span>
<span style="color:#75715e"># 總之就是輸入 acme 再加上原本的domain</span>
<span style="color:#75715e"># 不想用 acme 當然也可以</span>
domain <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;acme.abc.com&#34;</span>
<span style="color:#75715e"># zone name server</span>
<span style="color:#75715e"># ns1 再加上原本的 domain</span>
<span style="color:#75715e"># 一樣不想用ns1 也可以,後面記得作對應的修改</span>
nsname <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;ns1.abc.com&#34;</span>
<span style="color:#75715e"># admin email address, where @ is substituted with .</span>
<span style="color:#75715e"># 管理者email , admin + 原本的 domain</span>
nsadmin <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;admin.abc.com&#34;</span>
<span style="color:#75715e"># predefined records served in addition to the TXT</span>
</code></pre><p>config 的內容如下,順便補上一些自己的註解</p>
<pre><code>#/etc/acme-dns/config.cfg
[general]
# DNS interface
# 本來預設是只有 :53 在某些VPS 上會出錯,所以改成 0.0.0.0:53
listen = &quot;0.0.0.0:53&quot;
protocol = &quot;udp&quot;
# domain name to serve the requests off of
# 不是要設定的 domain而是這臺機器要負責的sub domain
# 總之就是輸入 acme 再加上原本的domain
# 不想用 acme 當然也可以
domain = &quot;acme.abc.com&quot;
# zone name server
# ns1 再加上原本的 domain
# 一樣不想用ns1 也可以,後面記得作對應的修改
nsname = &quot;ns1.abc.com&quot;
# admin email address, where @ is substituted with .
# 管理者email , admin + 原本的 domain
nsadmin = &quot;admin.abc.com&quot;
# predefined records served in addition to the TXT
#
<span style="color:#75715e"># 前面兩筆 A 記錄對應上面的 domain , nsname</span>
<span style="color:#75715e"># 後面則是這臺機器的 WAN IP</span>
<span style="color:#75715e"># 第三筆 是NS 記錄</span>
<span style="color:#75715e"># 這三筆記錄等一下要新增到namecheap 的DNS</span>
records <span style="color:#f92672">=</span> <span style="color:#f92672">[</span>
<span style="color:#e6db74">&#34;acme.abc.com. A 11.22.33.44&#34;</span>,
<span style="color:#e6db74">&#34;ns1.acme.abc.com. A 11.22.33.44&#34;</span>,
<span style="color:#e6db74">&#34;acme.abc.com. NS ns1.abc.com.&#34;</span>,
<span style="color:#f92672">]</span>
debug <span style="color:#f92672">=</span> false
# 前面兩筆 A 記錄對應上面的 domain , nsname
# 後面則是這臺機器的 WAN IP
# 第三筆 是NS 記錄
# 這三筆記錄等一下要新增到namecheap 的DNS
records = [
&quot;acme.abc.com. A 11.22.33.44&quot;,
&quot;ns1.acme.abc.com. A 11.22.33.44&quot;,
&quot;acme.abc.com. NS ns1.abc.com.&quot;,
]
debug = false
<span style="color:#f92672">[</span>database<span style="color:#f92672">]</span>
engine <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;sqlite3&#34;</span>
connection <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;/var/lib/acme-dns/acme-dns.db&#34;</span>
[database]
engine = &quot;sqlite3&quot;
connection = &quot;/var/lib/acme-dns/acme-dns.db&quot;
<span style="color:#75715e">### 要記一下port ,等等會用到</span>
<span style="color:#f92672">[</span>api<span style="color:#f92672">]</span>
api_domain <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;</span>
ip <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;127.0.0.1&#34;</span>
disable_registration <span style="color:#f92672">=</span> false
autocert_port <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;80&#34;</span>
port <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;9000&#34;</span>
tls <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;none&#34;</span>
corsorigins <span style="color:#f92672">=</span> <span style="color:#f92672">[</span>
<span style="color:#e6db74">&#34;*&#34;</span>
<span style="color:#f92672">]</span>
use_header <span style="color:#f92672">=</span> false
header_name <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;X-Forwarded-For&#34;</span>
### 要記一下port ,等等會用到
[api]
api_domain = &quot;&quot;
ip = &quot;127.0.0.1&quot;
disable_registration = false
autocert_port = &quot;80&quot;
port = &quot;9000&quot;
tls = &quot;none&quot;
corsorigins = [
&quot;*&quot;
]
use_header = false
header_name = &quot;X-Forwarded-For&quot;
<span style="color:#f92672">[</span>logconfig<span style="color:#f92672">]</span>
loglevel <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;debug&#34;</span>
logtype <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;stdout&#34;</span>
logformat <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;text&#34;</span>
[logconfig]
loglevel = &quot;debug&quot;
logtype = &quot;stdout&quot;
logformat = &quot;text&quot;
</code></pre></div><p>編輯完後,存檔離開。</p>
</code></pre><p>編輯完後,存檔離開。</p>
<p>新增 acme-dns.service 的systemd config</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">sudo vim /etc/systemd/system/acme-dns.service
</code></pre></div><p>內容如下</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell"><span style="color:#75715e"># /etc/systemd/system/acme-dns.service</span>
<span style="color:#f92672">[</span>Unit<span style="color:#f92672">]</span>
Description<span style="color:#f92672">=</span>ACMD DNS
After<span style="color:#f92672">=</span>network.target
<pre><code>sudo vim /etc/systemd/system/acme-dns.service
</code></pre><p>內容如下</p>
<pre><code># /etc/systemd/system/acme-dns.service
[Unit]
Description=ACMD DNS
After=network.target
<span style="color:#f92672">[</span>Service<span style="color:#f92672">]</span>
ExecStart<span style="color:#f92672">=</span>/usr/local/bin/acme-dns
Restart<span style="color:#f92672">=</span>on-failure
[Service]
ExecStart=/usr/local/bin/acme-dns
Restart=on-failure
<span style="color:#f92672">[</span>Install<span style="color:#f92672">]</span>
WantedBy<span style="color:#f92672">=</span>multi-user.target
[Install]
WantedBy=multi-user.target
</code></pre></div><p>存檔離開,並啟用 acme-dns service</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">sudo systemctl daemon-reload
</code></pre><p>存檔離開,並啟用 acme-dns service</p>
<pre><code>sudo systemctl daemon-reload
sudo systemctl enable --now acme-dns.service
<span style="color:#75715e"># 檢查一下狀態是否正常</span>
# 檢查一下狀態是否正常
sudo systemctl status acme-dns
<span style="color:#75715e"># 底下這個指令如果沒有回傳任何訊息,是正常的</span>
# 底下這個指令如果沒有回傳任何訊息,是正常的
curl http://localhost:9000/health
</code></pre></div><h4 id="設定namecheap-dns-記錄">設定namecheap DNS 記錄</h4>
</code></pre><h4 id="設定namecheap-dns-記錄">設定namecheap DNS 記錄</h4>
<p>總共要新增兩筆A 記錄,一筆 NS 記錄 (目前),後面還會需要新增一筆 CNAME</p>
<p>domain</p>
<p><img src="https://raw.githubusercontent.com/changchichung/imagebed/main/20210826113826-image.png" alt="20210826113826-image.png"></p>
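Review bot: the `acme-dns.service` unit in this hunk has no `User=` line, so acme-dns runs as root only to bind UDP 53 and serve its API on 127.0.0.1:9000; run it as a dedicated unprivileged account (`User=acme-dns`) with `AmbientCapabilities=CAP_NET_BIND_SERVICE`, and make `/var/lib/acme-dns` (where the sqlite database holding the registered credentials lives) owned by that account. In `config.cfg`, `disable_registration = false` leaves the registration endpoint open; `ip = "127.0.0.1"` limits it to local callers, which is acceptable during setup, but set it to `true` once lego has registered, and lower `loglevel = "debug"` for normal operation. Also check `records` against `nsname`: the NS record delegates `acme.abc.com.` to `ns1.abc.com.`, yet the A record served here is for `ns1.acme.abc.com.`, which nothing references; either point `nsname` and the NS record at `ns1.acme.abc.com` and publish that A record at Namecheap as glue, or drop the unused A record. `Description=ACMD DNS` is a typo for ACME DNS. Finally, the replacement `<pre><code>` blocks drop the `class="language-shell" data-lang="shell"` attributes, so nothing marks the language any more; keep the class on the `<code>` element.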
@@ -431,51 +430,51 @@ curl http://localhost:9000/health
<h5 id="透過lego-取得憑證">透過lego 取得憑證</h5>
<p>只要確認上面的防火牆設定、acme-dns 設定、以及 DNS 的修改生效之後剩下的lego 指令就很簡單了</p>
<p><a href="https://go-acme.github.io/lego/dns/acme-dns/">https://go-acme.github.io/lego/dns/acme-dns/</a></p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell"><span style="color:#75715e"># 第一個ACME_DNS_API_BASE是剛剛設定acme-dns API port</span>
<span style="color:#75715e"># 然後 ACME_DNS_STORAGE_PATH 是lego存放賬戶資料的地方</span>
<span style="color:#75715e"># 後面就是lego 的指令</span>
ACME_DNS_API_BASE<span style="color:#f92672">=</span>http://localhost:9000 ACME_DNS_STORAGE_PATH<span style="color:#f92672">=</span>/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com run
</code></pre></div><p>執行完成後,會在目錄底下產生一個叫 .lego 的目錄,用來存放憑證檔案</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">2021-08-26 11:55:16 <span style="color:#f92672">[</span>minion@hqs058 ~<span style="color:#f92672">]</span>$ ls -la .lego/certificates/
total <span style="color:#ae81ff">28</span>
drwx------ <span style="color:#ae81ff">2</span> minion sudo <span style="color:#ae81ff">4096</span> Aug <span style="color:#ae81ff">26</span> 09:35 .
drwx------ <span style="color:#ae81ff">4</span> minion sudo <span style="color:#ae81ff">4096</span> Aug <span style="color:#ae81ff">26</span> 09:33 ..
-rw------- <span style="color:#ae81ff">1</span> minion sudo <span style="color:#ae81ff">5325</span> Aug <span style="color:#ae81ff">26</span> 09:35 _.abc.com.crt
-rw------- <span style="color:#ae81ff">1</span> minion sudo <span style="color:#ae81ff">3751</span> Aug <span style="color:#ae81ff">26</span> 09:35 _.abc.com.issuer.crt
-rw------- <span style="color:#ae81ff">1</span> minion sudo <span style="color:#ae81ff">238</span> Aug <span style="color:#ae81ff">26</span> 09:35 _.abc.com.json
-rw------- <span style="color:#ae81ff">1</span> minion sudo <span style="color:#ae81ff">227</span> Aug <span style="color:#ae81ff">26</span> 09:35 _.abc.com.key
2021-08-26 11:58:22 <span style="color:#f92672">[</span>minion@hqs058 ~<span style="color:#f92672">]</span>$
<pre><code># 第一個ACME_DNS_API_BASE是剛剛設定acme-dns API port
# 然後 ACME_DNS_STORAGE_PATH 是lego存放賬戶資料的地方
# 後面就是lego 的指令
ACME_DNS_API_BASE=http://localhost:9000 ACME_DNS_STORAGE_PATH=/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com run
</code></pre><p>執行完成後,會在目錄底下產生一個叫 .lego 的目錄,用來存放憑證檔案</p>
<pre><code>2021-08-26 11:55:16 [minion@hqs058 ~]$ ls -la .lego/certificates/
total 28
drwx------ 2 minion sudo 4096 Aug 26 09:35 .
drwx------ 4 minion sudo 4096 Aug 26 09:33 ..
-rw------- 1 minion sudo 5325 Aug 26 09:35 _.abc.com.crt
-rw------- 1 minion sudo 3751 Aug 26 09:35 _.abc.com.issuer.crt
-rw------- 1 minion sudo 238 Aug 26 09:35 _.abc.com.json
-rw------- 1 minion sudo 227 Aug 26 09:35 _.abc.com.key
2021-08-26 11:58:22 [minion@hqs058 ~]$
</code></pre></div><p>沒錯,就這麼簡單!!</p>
</code></pre><p>沒錯,就這麼簡單!!</p>
<p>甚至於我要撤銷這些憑證也很簡單!!!</p>
<p>把最後面的 run 改成 revoke 就可以了!</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">ACME_DNS_API_BASE<span style="color:#f92672">=</span>http://localhost:9000 ACME_DNS_STORAGE_PATH<span style="color:#f92672">=</span>/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com revoke
2021/08/26 11:59:13 Trying to revoke certificate <span style="color:#66d9ef">for</span> domain *.abc.com
<pre><code>ACME_DNS_API_BASE=http://localhost:9000 ACME_DNS_STORAGE_PATH=/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com revoke
2021/08/26 11:59:13 Trying to revoke certificate for domain *.abc.com
2021/08/26 11:59:14 Certificate was revoked.
2021/08/26 11:59:14 Certificate was archived <span style="color:#66d9ef">for</span> domain: *.abc.com
2021/08/26 11:59:14 Certificate was archived for domain: *.abc.com
</code></pre></div><p>再來跑一次申請新憑證測試看看</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">ACME_DNS_API_BASE<span style="color:#f92672">=</span>http://localhost:9000 ACME_DNS_STORAGE_PATH<span style="color:#f92672">=</span>/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com run
2021/08/26 12:00:51 <span style="color:#f92672">[</span>INFO<span style="color:#f92672">]</span> <span style="color:#f92672">[</span>*.abc.com<span style="color:#f92672">]</span> acme: Obtaining bundled SAN certificate
2021/08/26 12:00:52 <span style="color:#f92672">[</span>INFO<span style="color:#f92672">]</span> <span style="color:#f92672">[</span>*.abc.com<span style="color:#f92672">]</span> AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/25150773810
2021/08/26 12:00:52 <span style="color:#f92672">[</span>INFO<span style="color:#f92672">]</span> <span style="color:#f92672">[</span>*.abc.com<span style="color:#f92672">]</span> acme: authorization already valid; skipping challenge
2021/08/26 12:00:52 <span style="color:#f92672">[</span>INFO<span style="color:#f92672">]</span> <span style="color:#f92672">[</span>*.abc.com<span style="color:#f92672">]</span> acme: Validations succeeded; requesting certificates
2021/08/26 12:00:53 <span style="color:#f92672">[</span>INFO<span style="color:#f92672">]</span> <span style="color:#f92672">[</span>*.abc.com<span style="color:#f92672">]</span> Server responded with a certificate.
</code></pre></div><p>同樣地會產生新的ssl 憑證</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">2021-08-26 12:00:53 <span style="color:#f92672">[</span>minion@hqs058 ~<span style="color:#f92672">]</span>$ ls -la .lego/certificates/
total <span style="color:#ae81ff">28</span>
drwx------ <span style="color:#ae81ff">2</span> minion sudo <span style="color:#ae81ff">4096</span> Aug <span style="color:#ae81ff">26</span> 12:00 .
drwx------ <span style="color:#ae81ff">5</span> minion sudo <span style="color:#ae81ff">4096</span> Aug <span style="color:#ae81ff">26</span> 11:59 ..
-rw------- <span style="color:#ae81ff">1</span> minion sudo <span style="color:#ae81ff">5325</span> Aug <span style="color:#ae81ff">26</span> 12:00 _.abc.com.crt
-rw------- <span style="color:#ae81ff">1</span> minion sudo <span style="color:#ae81ff">3751</span> Aug <span style="color:#ae81ff">26</span> 12:00 _.abc.com.issuer.crt
-rw------- <span style="color:#ae81ff">1</span> minion sudo <span style="color:#ae81ff">238</span> Aug <span style="color:#ae81ff">26</span> 12:00 _.abc.com.json
-rw------- <span style="color:#ae81ff">1</span> minion sudo <span style="color:#ae81ff">227</span> Aug <span style="color:#ae81ff">26</span> 12:00 _.abc.com.key
2021-08-26 12:02:37 <span style="color:#f92672">[</span>minion@hqs058 ~<span style="color:#f92672">]</span>$
</code></pre></div><p>超方便的啊!!!!</p>
</code></pre><p>再來跑一次申請新憑證測試看看</p>
<pre><code>ACME_DNS_API_BASE=http://localhost:9000 ACME_DNS_STORAGE_PATH=/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com run
2021/08/26 12:00:51 [INFO] [*.abc.com] acme: Obtaining bundled SAN certificate
2021/08/26 12:00:52 [INFO] [*.abc.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/25150773810
2021/08/26 12:00:52 [INFO] [*.abc.com] acme: authorization already valid; skipping challenge
2021/08/26 12:00:52 [INFO] [*.abc.com] acme: Validations succeeded; requesting certificates
2021/08/26 12:00:53 [INFO] [*.abc.com] Server responded with a certificate.
</code></pre><p>同樣地會產生新的ssl 憑證</p>
<pre><code>2021-08-26 12:00:53 [minion@hqs058 ~]$ ls -la .lego/certificates/
total 28
drwx------ 2 minion sudo 4096 Aug 26 12:00 .
drwx------ 5 minion sudo 4096 Aug 26 11:59 ..
-rw------- 1 minion sudo 5325 Aug 26 12:00 _.abc.com.crt
-rw------- 1 minion sudo 3751 Aug 26 12:00 _.abc.com.issuer.crt
-rw------- 1 minion sudo 238 Aug 26 12:00 _.abc.com.json
-rw------- 1 minion sudo 227 Aug 26 12:00 _.abc.com.key
2021-08-26 12:02:37 [minion@hqs058 ~]$
</code></pre><p>超方便的啊!!!!</p>
<p>後面要更新就把指令最後的 run 改成 renew</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">ACME_DNS_API_BASE<span style="color:#f92672">=</span>http://localhost:9000 ACME_DNS_STORAGE_PATH<span style="color:#f92672">=</span>/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com renew
2021/08/26 12:04:00 <span style="color:#f92672">[</span>*.abc.com<span style="color:#f92672">]</span> The certificate expires in <span style="color:#ae81ff">89</span> days, the number of days defined to perform the renewal is 30: no renewal.
</code></pre></div><p>因為是剛剛才要到的憑證,當然是不能更新啦&hellip;</p>
<pre><code>ACME_DNS_API_BASE=http://localhost:9000 ACME_DNS_STORAGE_PATH=/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com renew
2021/08/26 12:04:00 [*.abc.com] The certificate expires in 89 days, the number of days defined to perform the renewal is 30: no renewal.
</code></pre><p>因為是剛剛才要到的憑證,當然是不能更新啦&hellip;</p>
<p>把這個指令寫到 crontab ,以後時間到了就會自動更新憑證</p>
<p>後續再搭配 ansible 來抓新的憑證,派送到其他伺服器去</p>
<p>終於可以不用再為ssl 憑證煩惱了!!!</p>
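Review bot: every lego invocation in this hunk passes `--domains *.abc.com` as an unquoted glob, so if the working directory ever contains a file whose name ends in `.abc.com` the shell expands it before lego sees it; quote it as `'*.abc.com'`, especially in the crontab entry the closing paragraphs propose, where the working directory is not controlled. The account file `ACME_DNS_STORAGE_PATH=/home/minion/.lego-acme-dns-accounts.json` holds the acme-dns username, password and subdomain, and whoever can read it can update the challenge TXT record for the wildcard; confirm it was created mode 0600 like the `.lego/certificates/` files in the listing. The plain `<pre><code>` blocks introduced here also lose the `language-shell` class that distinguished commands from the pasted log lines.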
@@ -771,7 +770,7 @@ title="pinterest icon"></i>
</div>
<script src="https://h.cowbay.org/js/jquery.min.js"></script>
<script src="https://h.cowbay.org/js/jquerymigrate.js"></script>
<script src="https://h.cowbay.org/js/production.min.js?v=1629952272"></script>
<script src="https://h.cowbay.org/js/production.min.js?v=1629957884"></script>
</body>
</html>
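Review bot: `production.min.js?v=1629952272` to `?v=1629957884` is the same build-timestamp query string used on the stylesheets; because it changes on every build, the script is effectively re-fetched after each deploy even when its bytes are unchanged, and the rendered-output diff is dominated by these bumps. Tie the parameter to a hash of the file contents so it only changes when production.min.js does.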