update some content

This commit is contained in:
2021-10-28 14:15:01 +08:00
parent b8600ab259
commit 27b5a11382
163 changed files with 951 additions and 922 deletions


@@ -24,7 +24,7 @@
"datePublished": "2021-08-26 12:08:43 \u002b0800 CST",
"dateModified" : "2021-08-26 12:08:43 \u002b0800 CST",
"url" : "https:\/\/h.cowbay.org\/post\/auto-fetch-wildcard-ssl-certs-acme-dns-lego\/",
"wordCount" : "730",
"wordCount" : "920",
"image" : "https://h.cowbay.orghttps://h.cowbay.org/images/post-default-8.jpg"",
"keywords" : [ ""acme"",""acme-dns"",""lego"",""ssl"","Blog" ]
}
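Review bot: `dateModified` stays at 2021-08-26 while `wordCount` is bumped from 730 to 920 for the renewal section dated 2021-10-28; the modification date is the one field consumers of this block actually use, so set `dateModified` to the commit date (or have the template take it from the page's `lastmod`). While here, the unchanged `image` line concatenates the base URL twice (`https://h.cowbay.orghttps://h.cowbay.org/images/post-default-8.jpg`) and both `image` and `keywords` carry doubled quotes (`""acme""`), so the JSON-LD is not valid JSON and will be ignored; the template that emits it needs fixing.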
@@ -45,9 +45,9 @@
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.3.1/css/all.css" integrity="sha384-mzrmE5qonljUremFsqc01SB46JvROS7bZs3IO2EmfFsd15uHvIt+Y8vEf7N7fWAU" crossorigin="anonymous">
<link href="https://h.cowbay.org/css/style.css?v=1634607506" rel="stylesheet" id="theme-stylesheet" type='text/css' media='all'>
<link href="https://h.cowbay.org/css/style.css?v=1635401692" rel="stylesheet" id="theme-stylesheet" type='text/css' media='all'>
<link href="https://h.cowbay.org/css/custom.css?v=1634607506" rel="stylesheet" type='text/css' media='all'>
<link href="https://h.cowbay.org/css/custom.css?v=1635401692" rel="stylesheet" type='text/css' media='all'>
<link rel="shortcut icon" href="https://h.cowbay.org/img/favicon.ico" type="image/x-icon">
<link rel="icon" href="https://h.cowbay.org/img/favicon.ico" type="image/x-icon">
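Review bot: the `?v=` query string is a build timestamp (1634607506 to 1635401692), not a content hash, so every regeneration of the site invalidates cached `style.css` and `custom.css` even when they are byte-identical; fingerprinting the assets (Hugo's `resources.Fingerprint`) would only bust the cache on real changes and also yields an `integrity` attribute like the one already present on the Font Awesome link two lines above.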
@@ -308,7 +308,7 @@ if (!doNotTrack) {
<p>不過LAN裡面的機器越來越多每次看到警告說沒有加密的訊息就有點不爽之前用了很多方式去申請全域憑證申請倒是還好沒太多問題。但是一碰到要更新就都無法自動因為都會要求去修改DNS 的 TXT 或者是 CNAME 記錄。</p>
<p>一般來說如果是其他DNS 供應商大部分都會提供API那就還好。 BUT !! (對然生就是離不開這個BUT &hellip;) 我們的域名是老闆在 iwantmyname 買的,一開始是給 webfaction 代管後來webfaction 被godaddy 買走,就轉到 namecheap 去(我也不知道為什麼不在godaddy 就好)。</p>
<p>DNS 管理基本上都是大同小異啦可是namecheap 免費賬戶不提供 API 應該說要使用namecheap 提供的API ,需要滿足以下的條件</p>
<pre tabindex="0"><code>I want to enable API for my account. Are there any specific requirements?
<pre><code>I want to enable API for my account. Are there any specific requirements?
We have certain requirements for activation to prevent system abuse. In order to have API enabled for your account, you should meet one of the following requirements:
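Review bot: dropping `tabindex="0"` from every `<pre>` (here and in each later hunk of this file) removes keyboard focus from horizontally scrollable code blocks, which is the reason the renderer added it; if this comes from a Hugo/Goldmark version change rather than a deliberate choice, say so in the commit message, which currently only reads "update some content".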
@@ -335,13 +335,13 @@ tar zxvf acme-dns_0.8_linux_amd64.tar.gz &amp;&amp; sudo mv acme-dns /usr/local/
<p>本機如果有開firewall ,記得要放行 udp 53</p>
<hr>
<h4 id="設定acme-dns">設定acme-dns</h4>
<pre tabindex="0"><code>#建立 acme-dns 目錄
<pre><code>#建立 acme-dns 目錄
mkdir -p /etc/acme-dns
mkdir -p /var/lib/acme-dns
#建立 acme-dns 設定檔
sudo vim /etc/acme-dns/config.cfg
</code></pre><p>config 的內容如下,順便補上一些自己的註解</p>
<pre tabindex="0"><code>#/etc/acme-dns/config.cfg
<pre><code>#/etc/acme-dns/config.cfg
[general]
# DNS interface
# 本來預設是只有 :53 在某些VPS 上會出錯,所以改成 0.0.0.0:53
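Review bot: the two `mkdir -p` lines in the setup block run without `sudo` while the next line uses `sudo vim /etc/acme-dns/config.cfg`; as a non-root user `mkdir -p /etc/acme-dns` fails with permission denied, so either prefix both with `sudo` or run the whole block as root. The firewall note above it only opens udp/53; if `protocol` is left at `both` as in the acme-dns example config, the server also answers on TCP, and resolvers retry over TCP on truncated replies, so tcp/53 should be opened as well.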
@@ -397,9 +397,9 @@ logformat = &quot;text&quot;
</code></pre><p>編輯完後,存檔離開。</p>
<p>新增 acme-dns.service 的systemd config</p>
<pre tabindex="0"><code>sudo vim /etc/systemd/system/acme-dns.service
<pre><code>sudo vim /etc/systemd/system/acme-dns.service
</code></pre><p>內容如下</p>
<pre tabindex="0"><code># /etc/systemd/system/acme-dns.service
<pre><code># /etc/systemd/system/acme-dns.service
[Unit]
Description=ACMD DNS
After=network.target
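Review bot: `Description=ACMD DNS` in the unit file is a typo for `ACME DNS`, and it is the string `systemctl status acme-dns` prints a few lines further down; fix it here, since the block is reproduced verbatim as the file's content.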
@@ -412,7 +412,7 @@ Restart=on-failure
WantedBy=multi-user.target
</code></pre><p>存檔離開,並啟用 acme-dns service</p>
<pre tabindex="0"><code>sudo systemctl daemon-reload
<pre><code>sudo systemctl daemon-reload
sudo systemctl enable --now acme-dns.service
# 檢查一下狀態是否正常
sudo systemctl status acme-dns
@@ -430,12 +430,12 @@ curl http://localhost:9000/health
<h5 id="透過lego-取得憑證">透過lego 取得憑證</h5>
<p>只要確認上面的防火牆設定、acme-dns 設定、以及 DNS 的修改生效之後剩下的lego 指令就很簡單了</p>
<p><a href="https://go-acme.github.io/lego/dns/acme-dns/">https://go-acme.github.io/lego/dns/acme-dns/</a></p>
<pre tabindex="0"><code># 第一個ACME_DNS_API_BASE是剛剛設定acme-dns API port
<pre><code># 第一個ACME_DNS_API_BASE是剛剛設定acme-dns API port
# 然後 ACME_DNS_STORAGE_PATH 是lego存放賬戶資料的地方
# 後面就是lego 的指令
ACME_DNS_API_BASE=http://localhost:9000 ACME_DNS_STORAGE_PATH=/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com run
</code></pre><p>執行完成後,會在目錄底下產生一個叫 .lego 的目錄,用來存放憑證檔案</p>
<pre tabindex="0"><code>2021-08-26 11:55:16 [minion@hqs058 ~]$ ls -la .lego/certificates/
<pre><code>2021-08-26 11:55:16 [minion@hqs058 ~]$ ls -la .lego/certificates/
total 28
drwx------ 2 minion sudo 4096 Aug 26 09:35 .
drwx------ 4 minion sudo 4096 Aug 26 09:33 ..
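Review bot: the comment on the first line describes `ACME_DNS_API_BASE` as "the acme-dns API port", but it is the full base URL (`http://localhost:9000`); worth stating, since pointing it at a remote acme-dns host would need `https://`. More importantly, `ACME_DNS_STORAGE_PATH` holds the acme-dns registration (username, password, subdomain) that lego created on first run, and the `_acme-challenge` CNAME points at that subdomain; if the file is lost, lego registers a fresh account and asks for a new CNAME, so it should be backed up and kept at the same `0600` permissions the `.lego/` tree shows, and the text should say so.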
@@ -448,20 +448,20 @@ drwx------ 4 minion sudo 4096 Aug 26 09:33 ..
</code></pre><p>沒錯,就這麼簡單!!</p>
<p>甚至於我要撤銷這些憑證也很簡單!!!</p>
<p>把最後面的 run 改成 revoke 就可以了!</p>
<pre tabindex="0"><code>ACME_DNS_API_BASE=http://localhost:9000 ACME_DNS_STORAGE_PATH=/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com revoke
<pre><code>ACME_DNS_API_BASE=http://localhost:9000 ACME_DNS_STORAGE_PATH=/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com revoke
2021/08/26 11:59:13 Trying to revoke certificate for domain *.abc.com
2021/08/26 11:59:14 Certificate was revoked.
2021/08/26 11:59:14 Certificate was archived for domain: *.abc.com
</code></pre><p>再來跑一次申請新憑證測試看看</p>
<pre tabindex="0"><code>ACME_DNS_API_BASE=http://localhost:9000 ACME_DNS_STORAGE_PATH=/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com run
<pre><code>ACME_DNS_API_BASE=http://localhost:9000 ACME_DNS_STORAGE_PATH=/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com run
2021/08/26 12:00:51 [INFO] [*.abc.com] acme: Obtaining bundled SAN certificate
2021/08/26 12:00:52 [INFO] [*.abc.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/25150773810
2021/08/26 12:00:52 [INFO] [*.abc.com] acme: authorization already valid; skipping challenge
2021/08/26 12:00:52 [INFO] [*.abc.com] acme: Validations succeeded; requesting certificates
2021/08/26 12:00:53 [INFO] [*.abc.com] Server responded with a certificate.
</code></pre><p>同樣地會產生新的ssl 憑證</p>
<pre tabindex="0"><code>2021-08-26 12:00:53 [minion@hqs058 ~]$ ls -la .lego/certificates/
<pre><code>2021-08-26 12:00:53 [minion@hqs058 ~]$ ls -la .lego/certificates/
total 28
drwx------ 2 minion sudo 4096 Aug 26 12:00 .
drwx------ 5 minion sudo 4096 Aug 26 11:59 ..
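Review bot: the re-issue after `revoke` logs `authorization already valid; skipping challenge`, i.e. Let's Encrypt reused the still-valid authorization from the 11:55 run, so this test never exercised the DNS-01 path through acme-dns; the statement that a new certificate is produced holds, but it is not evidence that the challenge plumbing works. The renewal run in the next hunk (`Preparing to solve DNS-01` through `The server validated our request`) is the real test, and it would help readers to say so here.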
@@ -472,12 +472,41 @@ drwx------ 5 minion sudo 4096 Aug 26 11:59 ..
2021-08-26 12:02:37 [minion@hqs058 ~]$
</code></pre><p>超方便的啊!!!!</p>
<p>後面要更新就把指令最後的 run 改成 renew</p>
<pre tabindex="0"><code>ACME_DNS_API_BASE=http://localhost:9000 ACME_DNS_STORAGE_PATH=/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com renew
<pre><code>ACME_DNS_API_BASE=http://localhost:9000 ACME_DNS_STORAGE_PATH=/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com renew
2021/08/26 12:04:00 [*.abc.com] The certificate expires in 89 days, the number of days defined to perform the renewal is 30: no renewal.
</code></pre><p>因為是剛剛才要到的憑證,當然是不能更新啦&hellip;</p>
<p>把這個指令寫到 crontab ,以後時間到了就會自動更新憑證</p>
<p>後續再搭配 ansible 來抓新的憑證,派送到其他伺服器去</p>
<p>終於可以不用再為ssl 憑證煩惱了!!!</p>
<h3 id="更新-renew-過程">更新 renew 過程</h3>
<p>剛剛在巡機器(人家是巡田水,我在巡機器&hellip; )</p>
<p>剛好看到這台reverse proxy ,然後算算時間也差不多了</p>
<p>就順手跑了一次更新也順利update 了</p>
<p>之後應該就是用這種方式繼續下去吧,除非有更簡便的方法,不然不想再搞這個憑證的問題了!</p>
<pre><code>2021/10/28 13:53:36 [INFO] [*.abc.com] acme: Trying renewal with 645 hours remaining
2021/10/28 13:53:36 [INFO] [*.abc.com] acme: Obtaining bundled SAN certificate
2021/10/28 13:53:37 [INFO] [*.abc.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/43963334430
2021/10/28 13:53:37 [INFO] [*.abc.com] acme: use dns-01 solver
2021/10/28 13:53:37 [INFO] [*.abc.com] acme: Preparing to solve DNS-01
2021/10/28 13:53:37 [INFO] [*.abc.com] acme: Trying to solve DNS-01
2021/10/28 13:53:37 [INFO] [*.abc.com] acme: Checking DNS record propagation using [8.8.8.8:53 192.168.0.10:53 168.95.1.1:53 127.0.0.53:53]
2021/10/28 13:53:39 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2021/10/28 13:53:47 [INFO] [*.abc.com] The server validated our request
2021/10/28 13:53:47 [INFO] [*.abc.com] acme: Cleaning DNS-01 challenge
2021/10/28 13:53:47 [INFO] [*.abc.com] acme: Validations succeeded; requesting certificates
2021/10/28 13:53:48 [INFO] [*.abc.com] Server responded with a certificate.
</code></pre><p>看一下憑證的狀況,沒什麼問題,日期也更新了</p>
<pre><code>2021-10-28 14:09:06 [mini@s058 ~]$ ls -lart ~/.lego/certificates/
total 28
drwx------ 5 minion sudo 4096 Aug 26 11:59 ..
drwx------ 2 minion sudo 4096 Aug 26 12:00 .
-rw------- 1 minion sudo 227 Oct 28 13:53 _.abc.com.key
-rw------- 1 minion sudo 238 Oct 28 13:53 _.abc.com.json
-rw------- 1 minion sudo 3751 Oct 28 13:53 _.abc.com.issuer.crt
-rw------- 1 minion sudo 5325 Oct 28 13:53 _.abc.com.crt
2021-10-28 14:10:12 [mini@s058 ~]$
</code></pre>
</article>
</div>
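Review bot: the renewal log shows lego checking propagation against `[8.8.8.8:53 192.168.0.10:53 168.95.1.1:53 127.0.0.53:53]`, i.e. the host's configured resolvers, including a LAN resolver and the systemd-resolved stub; if either of those does not follow the `_acme-challenge` CNAME to the acme-dns host (split-horizon zone, stale cache), the 1m0s propagation wait times out and a cron-driven `renew` fails with nobody watching. Pin the check to public resolvers with `--dns.resolvers 8.8.8.8:53` (lego's flag for exactly this) in the crontab command and make sure cron mails or logs a non-zero exit. Also, the prompt in the new `ls -lart` listing reads `mini@s058` while the earlier listings and the file owner say `minion` and `hqs058`; if that is redaction, apply it consistently.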
@@ -770,7 +799,7 @@ title="pinterest icon"></i>
</div>
<script src="https://h.cowbay.org/js/jquery.min.js"></script>
<script src="https://h.cowbay.org/js/jquerymigrate.js"></script>
<script src="https://h.cowbay.org/js/production.min.js?v=1634607506"></script>
<script src="https://h.cowbay.org/js/production.min.js?v=1635401692"></script>
</body>
</html>