
<!DOCTYPE html>
<html lang="en-us">
<head><meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
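<!-- schema.org BlogPosting structured data.
     JSON has no \x escapes, so angle brackets, quotes and '&' in string values are written as
     \u003c / \u003e / \" / \u0026; that also keeps "</" out of the script body. The image URL had the
     site host duplicated and keywords carried doubled quotes, both of which made the JSON unparseable.
     datePublished/dateModified use ISO 8601 (same instant, +08:00) and wordCount is an integer,
     as the schema.org types expect. -->
<script type="application/ld+json">
{
  "@context": "http://schema.org",
  "@type": "BlogPosting",
  "mainEntityOfPage": {
    "@type": "WebPage",
    "@id": "https://h.cowbay.org"
  },
  "articleSection": "",
  "name": "auto fetch Wildcard ssl certs with lego + acme-dns ( Domain Register : Namecheap)",
  "headline": "auto fetch Wildcard ssl certs with lego + acme-dns ( Domain Register : Namecheap)",
  "description": "\u003ch3 id=\"auto-fetch--wildcard-ssl-certs-with-lego--acme-dns--domain-register--namecheap\"\u003eauto fetch Wildcard ssl certs with lego + acme-dns ( Domain Register : Namecheap)\u003c/h3\u003e\n\u003cp\u003e自從用了 \u003ca href=\"https://github.com/artyom/leproxy\"\u003eleproxy\u003c/a\u003e 之後其實就很少在管ssl 憑證的問題,反正\u003ca href=\"https://github.com/artyom/leproxy\"\u003eleproxy \u003c/a\u003e都會自動處理好\u003c/p\u003e\n\u003cp\u003e不過LAN裡面的機器越來越多每次看到警告說沒有加密的訊息就有點不爽之前用了很多方式去申請全域憑證申請倒是還好沒太多問題。但是一碰到要更新就都無法自動因為都會要求去修改DNS 的 TXT 或者是 CNAME 記錄。\u003c/p\u003e\n\u003cp\u003e一般來說如果是其他DNS 供應商大部分都會提供API那就還好。 BUT !! (對然生就是離不開這個BUT \u0026hellip;) 我們的域名是老闆在 iwantmyname 買的,一開始是給 webfaction 代管後來webfaction 被godaddy 買走,就轉到 namecheap 去(我也不知道為什麼不在godaddy 就好)。\u003c/p\u003e",
  "inLanguage": "en",
  "author": "Eric Chang",
  "creator": "Eric Chang",
  "publisher": "Eric Chang",
  "accountablePerson": "Eric Chang",
  "copyrightHolder": "Eric Chang",
  "copyrightYear": "2021",
  "datePublished": "2021-08-26T12:08:43+08:00",
  "dateModified": "2021-08-26T12:08:43+08:00",
  "url": "https://h.cowbay.org/auto-fetch-wildcard-ssl-certs-acme-dns-lego/",
  "wordCount": 744,
  "image": "https://h.cowbay.org/images/post-default-8.jpg",
  "keywords": ["acme", "acme-dns", "lego", "ssl", "Blog"]
}
</script>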
<title>auto fetch Wildcard ssl certs with lego &#43; acme-dns ( Domain Register : Namecheap) </title>
<meta name="description" content="some articles about job,food,passion sisters" />
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="robots" content="all,follow">
<meta name="googlebot" content="index,follow,snippet,archive">
<link rel="stylesheet" id="ct-tracks-google-fonts-css" href="https://fonts.googleapis.com/css?family=Raleway%3A400%2C700&amp;subset=latin%2Clatin-ext&amp;ver=4.7.2" type="text/css" media="all">
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.3.1/css/all.css" integrity="sha384-mzrmE5qonljUremFsqc01SB46JvROS7bZs3IO2EmfFsd15uHvIt+Y8vEf7N7fWAU" crossorigin="anonymous">
<link href="https://h.cowbay.org/css/style.css?v=1629952235" rel="stylesheet" id="theme-stylesheet" type='text/css' media='all'>
<link href="https://h.cowbay.org/css/custom.css?v=1629952235" rel="stylesheet" type='text/css' media='all'>
<link rel="shortcut icon" href="https://h.cowbay.org/img/favicon.ico" type="image/x-icon">
<link rel="icon" href="https://h.cowbay.org/img/favicon.ico" type="image/x-icon">
<!-- Google Analytics (analytics.js) bootstrap.
     `doNotTrack` is a fixed false here, so the browser's DNT signal is never consulted and
     the pageview is always sent. Being inline, this script needs a nonce/hash (or
     'unsafe-inline') under a script-src CSP. analytics.js is not served as a version-pinned
     build, so a subresource-integrity hash is not practical for it. -->
<script>
var doNotTrack = false;
if (!doNotTrack) {
  // Queue stub: calls made before analytics.js arrives are buffered on ga.q and replayed later.
  window.ga = window.ga || function () {
    (ga.q = ga.q || []).push(arguments);
  };
  ga.l = Date.now();
  ga('create', 'UA-138954876-1', 'auto');
  ga('send', 'pageview');
}
</script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
</head>
<body class="post-template-default single single-post single-format-standard ct-body singular singular-post not-front standard">
<div id="overflow-container" class="overflow-container">
<a class="skip-content" href="#main">Skip to content</a>
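<!-- Site header: secondary (category) menu, social icon list, site title and primary menu.
     NOTE(review): several hrefs in the social list are unfilled theme placeholders or bare
     handles (e.g. "full%20Social%20profile%20url%20in%20facebook", "chang0206"); as written
     they resolve relative to this site, not to a profile. Fill them with absolute URLs or
     drop the entries. -->
<header id="site-header" class="site-header" role="banner">
<div class="top-navigation">
<div class="container">
<div id="menu-secondary" class="menu-container menu-secondary" role="navigation">
<!-- type="button" keeps the toggle from ever acting as a submit control; aria-label names the icon-only button. -->
<button id="toggle-secondary-navigation" class="toggle-secondary-navigation" type="button" aria-label="Toggle secondary navigation"><i class="fas fa-plus" aria-hidden="true"></i></button>
<div class="menu">
<ul id="menu-secondary-items" class="menu-secondary-items">
<li class="menu-item menu-item-type-taxonomy menu-item-object-category">
<a href="/categories/ansible">ansible</a>
</li>
<li class="menu-item menu-item-type-taxonomy menu-item-object-category">
<a href="/categories/linux">linux</a>
</li>
<li class="menu-item menu-item-type-taxonomy menu-item-object-category">
<a href="/categories/proxmox">proxmox</a>
</li>
<li class="menu-item menu-item-type-taxonomy menu-item-object-category">
<a href="/categories/ps">ps</a>
</li>
<li class="menu-item menu-item-type-taxonomy menu-item-object-category">
<a href="/categories/%E7%A2%8E%E5%BF%B5">碎念</a>
</li>
<li class="menu-item menu-item-type-taxonomy menu-item-object-category">
<a href="/categories/%E7%AD%86%E8%A8%98">筆記</a>
</li>
<li class="menu-item menu-item-type-taxonomy menu-item-object-category">
<a href="/categories/%E7%BE%A4%E6%9A%89">群暉</a>
</li>
<li class="menu-item menu-item-type-taxonomy menu-item-object-category">
<a href="/categories/%E9%9B%9C%E5%BF%B5">雜念</a>
</li>
</ul>
</div>
</div>
<!-- Links opening in a new tab carry rel="noopener noreferrer": the opened page gets no
     window.opener handle and no referrer. Icons are aria-hidden; the visually hidden span
     carries the accessible name. -->
<ul class="social-media-icons">
<li>
<a href="full%20Social%20profile%20url%20in%20facebook" data-animate-hover="pulse" class="facebook" target="_blank" rel="noopener noreferrer">
<i class="fab fa-facebook-square" title="facebook" aria-hidden="true"></i>
<span class="screen-reader-text">facebook</span>
</a>
</li>
<li>
<a href="full%20profile%20url%20in%20googleplus" data-animate-hover="pulse" class="gplus" target="_blank" rel="noopener noreferrer">
<i class="fab fa-google-plus-g" title="googleplus" aria-hidden="true"></i>
<span class="screen-reader-text">googleplus</span>
</a>
</li>
<li>
<a href="chang0206" data-animate-hover="pulse" class="twitter" target="_blank" rel="noopener noreferrer">
<i class="fab fa-twitter-square" title="twitter" aria-hidden="true"></i>
<span class="screen-reader-text">twitter</span>
</a>
</li>
<li>
<a href="chang0206" data-animate-hover="pulse" class="instagram" target="_blank" rel="noopener noreferrer">
<i class="fab fa-instagram" title="instagram" aria-hidden="true"></i>
<span class="screen-reader-text">instagram</span>
</a>
</li>
<li>
<a href="mailto:mc@hotshraingmy.info" data-animate-hover="pulse" class="email">
<i class="fas fa-envelope" title="email" aria-hidden="true"></i>
<span class="screen-reader-text">email</span>
</a>
</li>
<li>
<a href="full%20profile%20url%20in%20linkedin" data-animate-hover="pulse" class="linkedin" target="_blank" rel="noopener noreferrer">
<i class="fab fa-linkedin-in" title="linkedin" aria-hidden="true"></i>
<span class="screen-reader-text">linkedin</span>
</a>
</li>
<li>
<a href="full%20profile%20url%20in%20stackoverflow" data-animate-hover="pulse" class="stackoverflow" target="_blank" rel="noopener noreferrer">
<i class="fab fa-stack-overflow" title="stackoverflow" aria-hidden="true"></i>
<span class="screen-reader-text">stackoverflow</span>
</a>
</li>
<li>
<a href="changchichung" data-animate-hover="pulse" class="github" target="_blank" rel="noopener noreferrer">
<i class="fab fa-github" title="github" aria-hidden="true"></i>
<span class="screen-reader-text">github</span>
</a>
</li>
<li>
<a href="full%20profile%20url%20in%20pinterest" data-animate-hover="pulse" class="pinterest" target="_blank" rel="noopener noreferrer">
<i class="fab fa-pinterest" title="pinterest" aria-hidden="true"></i>
<span class="screen-reader-text">pinterest</span>
</a>
</li>
<li>
<a href="https://h.cowbay.org/index.xml" data-animate-hover="pulse" class="rss" target="_blank" rel="noopener noreferrer">
<i class="fas fa-rss" title="rss" aria-hidden="true"></i>
<span class="screen-reader-text">rss</span>
</a>
</li>
</ul></div>
</div>
<div class="container">
<div id="title-info" class="title-info">
<div id="site-title" class="site-title">
<a href="/"> MC部落 </a>
</div>
</div>
<button id="toggle-navigation" class="toggle-navigation" type="button" aria-label="Toggle primary navigation">
<i class="fas fa-bars" aria-hidden="true"></i>
</button>
<div id="menu-primary-tracks" class="menu-primary-tracks"></div>
<div id="menu-primary" class="menu-container menu-primary" role="navigation">
<p class="site-description">Whats the Worst That Could Happen?</p>
<div class="menu">
<ul id="menu-primary-items" class="menu-primary-items">
<li class="menu-item menu-item-type-custom menu-item-object-custom ">
<a href="https://h.cowbay.org/">Home</a>
</li>
<li class="menu-item menu-item-type-post_type menu-item-object-page ">
<a href="https://h.cowbay.org/about/">About</a>
</li>
<li class="menu-item menu-item-type-post_type menu-item-object-page ">
<a href="https://h.cowbay.org/contact/">Get in touch</a>
</li>
</ul>
</div>
</div>
</div>
</header>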
<div id="main" class="main" role="main">
<div id="loop-container" class="loop-container">
<div class="post type-post status-publish format-standard has-post-thumbnail hentry category-design tag-design tag-standard-2 tag-tagalicious tag-travel entry full-without-featured odd excerpt-1">
<div class='featured-image lazy lazy-bg-image' data-background="https://h.cowbay.org/images/post-default-8.jpg">
</div>
<div class="entry-meta">
<span class="date">26 August</span> <span> / </span>
<span class="author">
<a href="https://github.com/changchichung" title="Posts by Eric Chang" rel="author">Eric Chang</a>
</span>
<span class="category">
<span> / </span>
<a href="/categories/%E7%AD%86%E8%A8%98">筆記</a>
</span>
</div>
<div class='entry-header'>
<h1 class='entry-title'> auto fetch Wildcard ssl certs with lego &#43; acme-dns ( Domain Register : Namecheap)</h1>
</div>
<div class="entry-container">
<div class="entry-content">
<article>
<h3 id="auto-fetch--wildcard-ssl-certs-with-lego--acme-dns--domain-register--namecheap">auto fetch Wildcard ssl certs with lego + acme-dns ( Domain Register : Namecheap)</h3>
<p>自從用了 <a href="https://github.com/artyom/leproxy">leproxy</a> 之後其實就很少在管ssl 憑證的問題,反正<a href="https://github.com/artyom/leproxy">leproxy </a>都會自動處理好</p>
<p>不過LAN裡面的機器越來越多每次看到警告說沒有加密的訊息就有點不爽之前用了很多方式去申請全域憑證申請倒是還好沒太多問題。但是一碰到要更新就都無法自動因為都會要求去修改DNS 的 TXT 或者是 CNAME 記錄。</p>
<p>一般來說如果是其他DNS 供應商大部分都會提供API那就還好。 BUT !! (對然生就是離不開這個BUT &hellip;) 我們的域名是老闆在 iwantmyname 買的,一開始是給 webfaction 代管後來webfaction 被godaddy 買走,就轉到 namecheap 去(我也不知道為什麼不在godaddy 就好)。</p>
<p>DNS 管理基本上都是大同小異啦可是namecheap 免費賬戶不提供 API 應該說要使用namecheap 提供的API ,需要滿足以下的條件</p>
<pre><code>I want to enable API for my account. Are there any specific requirements?
We have certain requirements for activation to prevent system abuse. In order to have API enabled for your account, you should meet one of the following requirements:
- have at least 20 domains under your account;
- have at least $50 on your account balance;
- have at least $50 spent within the last 2 years.
</code></pre><p>之前問過老闆可不可以丟個50 鎂在賬戶裡面好讓我可以用API 去修改DNS 來自動取得SSL 憑證同樣地也不知道為什麼連50鎂也不給存&hellip;</p>
<p>於是過了一段每幾個月就憑證過期,需要手動更新的日子&hellip;.想想實在不甘願本來已經想說去買一些一塊美金一年的domain 然後通通移轉到namecheap ,來滿足上面的第一個條件。但是這又要自己花錢(我已經自掏腰包很多了在這邊買LAB設備),最後決定還是用<a href="https://github.com/go-acme/lego">lego</a> + <a href="https://github.com/joohoi/acme-dns">acme-dns</a> 來做</p>
<p>其實前兩年就有玩過 lego ,但是當時應該是功能上還沒完整,這次在找 acme-dns 的文件時發現lego 一直有持續更新,所以這次才決定改用 lego + acme-dns 來達到「自動更新」 SSL 憑證的需求,底下就簡單說明一下設定步驟、內容</p>
<h4 id="取得-lego--acme-dns">取得 lego &amp; acme-dns</h4>
<p>lego 以及acme-dns 都是使用 golang 開發的這也是為什麼我選用這兩個組合的原因之一省去自己編譯還要安裝一堆有的沒的套件兩個套件都有prebuild binary package直接下載回來就可以了</p>
<h5 id="lego">lego</h5>
<p>wget <a href="https://github.com/go-acme/lego/releases/download/v4.4.0/lego_v4.4.0_linux_amd64.tar.gz">https://github.com/go-acme/lego/releases/download/v4.4.0/lego_v4.4.0_linux_amd64.tar.gz</a></p>
<h5 id="acme-dns">acme-dns</h5>
<p>wget <a href="https://github.com/joohoi/acme-dns/releases/download/v0.8/acme-dns_0.8_linux_amd64.tar.gz">https://github.com/joohoi/acme-dns/releases/download/v0.8/acme-dns_0.8_linux_amd64.tar.gz</a></p>
<p>解壓縮後取得執行檔</p>
<p>tar zxvf lego_v4.4.0_linux_amd64.tar.gz &amp;&amp; sudo mv lego /usr/local/bin/
tar zxvf acme-dns_0.8_linux_amd64.tar.gz &amp;&amp; sudo mv acme-dns /usr/local/bin/</p>
<hr>
<h5 id="firewall-設定">Firewall 設定</h5>
<p>firewall 上開啟port mapping ,把 UDP 53 轉給這臺跑 lego 的機器</p>
<p>如果這臺機器上有軟體已經佔用 53 port ,要想辦法先解決。</p>
<p>對,我說的就是那個超級討厭的 systemd-resolved</p>
<p>本機如果有開firewall ,記得要放行 udp 53</p>
<hr>
<h4 id="設定acme-dns">設定acme-dns</h4>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell"><span style="color:#75715e">#建立 acme-dns 目錄</span>
mkdir -p /etc/acme-dns
mkdir -p /var/lib/acme-dns
<span style="color:#75715e">#建立 acme-dns 設定檔</span>
sudo vim /etc/acme-dns/config.cfg
</code></pre></div><p>config 的內容如下,順便補上一些自己的註解</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell"><span style="color:#75715e">#/etc/acme-dns/config.cfg</span>
<span style="color:#f92672">[</span>general<span style="color:#f92672">]</span>
<span style="color:#75715e"># DNS interface</span>
<span style="color:#75715e"># 本來預設是只有 :53 在某些VPS 上會出錯,所以改成 0.0.0.0:53</span>
listen <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;0.0.0.0:53&#34;</span>
protocol <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;udp&#34;</span>
<span style="color:#75715e"># domain name to serve the requests off of</span>
<span style="color:#75715e"># 不是要設定的 domain而是這臺機器要負責的sub domain</span>
<span style="color:#75715e"># 總之就是輸入 acme 再加上原本的domain</span>
<span style="color:#75715e"># 不想用 acme 當然也可以</span>
domain <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;acme.abc.com&#34;</span>
<span style="color:#75715e"># zone name server</span>
<span style="color:#75715e"># ns1 再加上原本的 domain</span>
<span style="color:#75715e"># 一樣不想用ns1 也可以,後面記得作對應的修改</span>
nsname <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;ns1.abc.com&#34;</span>
<span style="color:#75715e"># admin email address, where @ is substituted with .</span>
<span style="color:#75715e"># 管理者email , admin + 原本的 domain</span>
nsadmin <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;admin.abc.com&#34;</span>
<span style="color:#75715e"># predefined records served in addition to the TXT</span>
#
<span style="color:#75715e"># 前面兩筆 A 記錄對應上面的 domain , nsname</span>
<span style="color:#75715e"># 後面則是這臺機器的 WAN IP</span>
<span style="color:#75715e"># 第三筆 是NS 記錄</span>
<span style="color:#75715e"># 這三筆記錄等一下要新增到namecheap 的DNS</span>
records <span style="color:#f92672">=</span> <span style="color:#f92672">[</span>
<span style="color:#e6db74">&#34;acme.abc.com. A 11.22.33.44&#34;</span>,
<span style="color:#e6db74">&#34;ns1.acme.abc.com. A 11.22.33.44&#34;</span>,
<span style="color:#e6db74">&#34;acme.abc.com. NS ns1.abc.com.&#34;</span>,
<span style="color:#f92672">]</span>
debug <span style="color:#f92672">=</span> false
<span style="color:#f92672">[</span>database<span style="color:#f92672">]</span>
engine <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;sqlite3&#34;</span>
connection <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;/var/lib/acme-dns/acme-dns.db&#34;</span>
<span style="color:#75715e">### 要記一下port ,等等會用到</span>
<span style="color:#f92672">[</span>api<span style="color:#f92672">]</span>
api_domain <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;</span>
ip <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;127.0.0.1&#34;</span>
disable_registration <span style="color:#f92672">=</span> false
autocert_port <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;80&#34;</span>
port <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;9000&#34;</span>
tls <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;none&#34;</span>
corsorigins <span style="color:#f92672">=</span> <span style="color:#f92672">[</span>
<span style="color:#e6db74">&#34;*&#34;</span>
<span style="color:#f92672">]</span>
use_header <span style="color:#f92672">=</span> false
header_name <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;X-Forwarded-For&#34;</span>
<span style="color:#f92672">[</span>logconfig<span style="color:#f92672">]</span>
loglevel <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;debug&#34;</span>
logtype <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;stdout&#34;</span>
logformat <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;text&#34;</span>
</code></pre></div><p>編輯完後,存檔離開。</p>
<p>新增 acme-dns.service 的systemd config</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">sudo vim /etc/systemd/system/acme-dns.service
</code></pre></div><p>內容如下</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell"><span style="color:#75715e"># /etc/systemd/system/acme-dns.service</span>
<span style="color:#f92672">[</span>Unit<span style="color:#f92672">]</span>
Description<span style="color:#f92672">=</span>ACMD DNS
After<span style="color:#f92672">=</span>network.target
<span style="color:#f92672">[</span>Service<span style="color:#f92672">]</span>
ExecStart<span style="color:#f92672">=</span>/usr/local/bin/acme-dns
Restart<span style="color:#f92672">=</span>on-failure
<span style="color:#f92672">[</span>Install<span style="color:#f92672">]</span>
WantedBy<span style="color:#f92672">=</span>multi-user.target
</code></pre></div><p>存檔離開,並啟用 acme-dns service</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">sudo systemctl daemon-reload
sudo systemctl enable --now acme-dns.service
<span style="color:#75715e"># 檢查一下狀態是否正常</span>
sudo systemctl status acme-dns
<span style="color:#75715e"># 底下這個指令如果沒有回傳任何訊息,是正常的</span>
curl http://localhost:9000/health
</code></pre></div><h4 id="設定namecheap-dns-記錄">設定namecheap DNS 記錄</h4>
<p>總共要新增兩筆A 記錄,一筆 NS 記錄 (目前),後面還會需要新增一筆 CNAME</p>
<p>domain</p>
<p><img src="https://raw.githubusercontent.com/changchichung/imagebed/main/20210826113826-image.png" alt="20210826113826-image.png"></p>
<p>nsname</p>
<p><img src="https://raw.githubusercontent.com/changchichung/imagebed/main/20210826113946-image.png" alt="20210826113946-image.png"></p>
<p>NS record</p>
<p><img src="https://raw.githubusercontent.com/changchichung/imagebed/main/20210826114027-image.png" alt="20210826114027-image.png"></p>
<p>然後休息個五分鐘十分鐘的讓子彈飛一下等DNS生效</p>
<h5 id="透過lego-取得憑證">透過lego 取得憑證</h5>
<p>只要確認上面的防火牆設定、acme-dns 設定、以及 DNS 的修改生效之後剩下的lego 指令就很簡單了</p>
<p><a href="https://go-acme.github.io/lego/dns/acme-dns/">https://go-acme.github.io/lego/dns/acme-dns/</a></p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell"><span style="color:#75715e"># 第一個ACME_DNS_API_BASE是剛剛設定acme-dns API port</span>
<span style="color:#75715e"># 然後 ACME_DNS_STORAGE_PATH 是lego存放賬戶資料的地方</span>
<span style="color:#75715e"># 後面就是lego 的指令</span>
ACME_DNS_API_BASE<span style="color:#f92672">=</span>http://localhost:9000 ACME_DNS_STORAGE_PATH<span style="color:#f92672">=</span>/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com run
</code></pre></div><p>執行完成後,會在目錄底下產生一個叫 .lego 的目錄,用來存放憑證檔案</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">2021-08-26 11:55:16 <span style="color:#f92672">[</span>minion@hqs058 ~<span style="color:#f92672">]</span>$ ls -la .lego/certificates/
total <span style="color:#ae81ff">28</span>
drwx------ <span style="color:#ae81ff">2</span> minion sudo <span style="color:#ae81ff">4096</span> Aug <span style="color:#ae81ff">26</span> 09:35 .
drwx------ <span style="color:#ae81ff">4</span> minion sudo <span style="color:#ae81ff">4096</span> Aug <span style="color:#ae81ff">26</span> 09:33 ..
-rw------- <span style="color:#ae81ff">1</span> minion sudo <span style="color:#ae81ff">5325</span> Aug <span style="color:#ae81ff">26</span> 09:35 _.abc.com.crt
-rw------- <span style="color:#ae81ff">1</span> minion sudo <span style="color:#ae81ff">3751</span> Aug <span style="color:#ae81ff">26</span> 09:35 _.abc.com.issuer.crt
-rw------- <span style="color:#ae81ff">1</span> minion sudo <span style="color:#ae81ff">238</span> Aug <span style="color:#ae81ff">26</span> 09:35 _.abc.com.json
-rw------- <span style="color:#ae81ff">1</span> minion sudo <span style="color:#ae81ff">227</span> Aug <span style="color:#ae81ff">26</span> 09:35 _.abc.com.key
2021-08-26 11:58:22 <span style="color:#f92672">[</span>minion@hqs058 ~<span style="color:#f92672">]</span>$
</code></pre></div><p>沒錯,就這麼簡單!!</p>
<p>甚至於我要撤銷這些憑證也很簡單!!!</p>
<p>把最後面的 run 改成 revoke 就可以了!</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">ACME_DNS_API_BASE<span style="color:#f92672">=</span>http://localhost:9000 ACME_DNS_STORAGE_PATH<span style="color:#f92672">=</span>/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com revoke
2021/08/26 11:59:13 Trying to revoke certificate <span style="color:#66d9ef">for</span> domain *.abc.com
2021/08/26 11:59:14 Certificate was revoked.
2021/08/26 11:59:14 Certificate was archived <span style="color:#66d9ef">for</span> domain: *.abc.com
</code></pre></div><p>再來跑一次申請新憑證測試看看</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">ACME_DNS_API_BASE<span style="color:#f92672">=</span>http://localhost:9000 ACME_DNS_STORAGE_PATH<span style="color:#f92672">=</span>/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com run
2021/08/26 12:00:51 <span style="color:#f92672">[</span>INFO<span style="color:#f92672">]</span> <span style="color:#f92672">[</span>*.abc.com<span style="color:#f92672">]</span> acme: Obtaining bundled SAN certificate
2021/08/26 12:00:52 <span style="color:#f92672">[</span>INFO<span style="color:#f92672">]</span> <span style="color:#f92672">[</span>*.abc.com<span style="color:#f92672">]</span> AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/25150773810
2021/08/26 12:00:52 <span style="color:#f92672">[</span>INFO<span style="color:#f92672">]</span> <span style="color:#f92672">[</span>*.abc.com<span style="color:#f92672">]</span> acme: authorization already valid; skipping challenge
2021/08/26 12:00:52 <span style="color:#f92672">[</span>INFO<span style="color:#f92672">]</span> <span style="color:#f92672">[</span>*.abc.com<span style="color:#f92672">]</span> acme: Validations succeeded; requesting certificates
2021/08/26 12:00:53 <span style="color:#f92672">[</span>INFO<span style="color:#f92672">]</span> <span style="color:#f92672">[</span>*.abc.com<span style="color:#f92672">]</span> Server responded with a certificate.
</code></pre></div><p>同樣地會產生新的ssl 憑證</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">2021-08-26 12:00:53 <span style="color:#f92672">[</span>minion@hqs058 ~<span style="color:#f92672">]</span>$ ls -la .lego/certificates/
total <span style="color:#ae81ff">28</span>
drwx------ <span style="color:#ae81ff">2</span> minion sudo <span style="color:#ae81ff">4096</span> Aug <span style="color:#ae81ff">26</span> 12:00 .
drwx------ <span style="color:#ae81ff">5</span> minion sudo <span style="color:#ae81ff">4096</span> Aug <span style="color:#ae81ff">26</span> 11:59 ..
-rw------- <span style="color:#ae81ff">1</span> minion sudo <span style="color:#ae81ff">5325</span> Aug <span style="color:#ae81ff">26</span> 12:00 _.abc.com.crt
-rw------- <span style="color:#ae81ff">1</span> minion sudo <span style="color:#ae81ff">3751</span> Aug <span style="color:#ae81ff">26</span> 12:00 _.abc.com.issuer.crt
-rw------- <span style="color:#ae81ff">1</span> minion sudo <span style="color:#ae81ff">238</span> Aug <span style="color:#ae81ff">26</span> 12:00 _.abc.com.json
-rw------- <span style="color:#ae81ff">1</span> minion sudo <span style="color:#ae81ff">227</span> Aug <span style="color:#ae81ff">26</span> 12:00 _.abc.com.key
2021-08-26 12:02:37 <span style="color:#f92672">[</span>minion@hqs058 ~<span style="color:#f92672">]</span>$
</code></pre></div><p>超方便的啊!!!!</p>
<p>後面要更新就把指令最後的 run 改成 renew</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">ACME_DNS_API_BASE<span style="color:#f92672">=</span>http://localhost:9000 ACME_DNS_STORAGE_PATH<span style="color:#f92672">=</span>/home/minion/.lego-acme-dns-accounts.json lego --email changch@abc.com --dns acme-dns --domains *.abc.com renew
2021/08/26 12:04:00 <span style="color:#f92672">[</span>*.abc.com<span style="color:#f92672">]</span> The certificate expires in <span style="color:#ae81ff">89</span> days, the number of days defined to perform the renewal is 30: no renewal.
</code></pre></div><p>因為是剛剛才要到的憑證,當然是不能更新啦&hellip;</p>
<p>把這個指令寫到 crontab ,以後時間到了就會自動更新憑證</p>
<p>後續再搭配 ansible 來抓新的憑證,派送到其他伺服器去</p>
<p>終於可以不用再為ssl 憑證煩惱了!!!</p>
</article>
</div>
<div class='entry-meta-bottom'>
<div class="entry-categories"><p><span>Categories</span>
<a href="/categories/%E7%AD%86%E8%A8%98" title="View all posts in 筆記">筆記</a>
</p>
</div>
<div class="entry-tags"><p><span>Tags</span>
<a href="/tags/acme" title="View all posts tagged acme">acme</a>
<a href="/tags/acme-dns" title="View all posts tagged acme-dns">acme-dns</a>
<a href="/tags/lego" title="View all posts tagged lego">lego</a>
<a href="/tags/ssl" title="View all posts tagged ssl">ssl</a>
</p></div> </div>
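<!-- Author card. The Gravatar query separator is written as &amp;amp; (valid attribute encoding);
     the hash in the URL is the public Gravatar identifier, not a secret. -->
<div class="author-meta">
<div class="author">
<img alt="Eric Chang" src="https://www.gravatar.com/avatar/23f8ed94e007297499ac8df1641b3ff5?s=100&amp;d=identicon" class="avatar avatar-72 photo" height="72" width="72">
<span>
Written by:<a href="https://github.com/changchichung" title="Posts by Eric Chang" rel="author">Eric Chang</a> </span>
</div>
<div class="bio">
<p>塵世裡一個迷途小書僮</p>
<!-- Icon-only links: aria-label supplies the accessible name (the <i> icon is aria-hidden), and
     every target="_blank" link carries rel="noopener noreferrer" so the opened page gets neither
     window.opener nor a referrer. NOTE(review): several hrefs here are unfilled theme placeholders
     or bare handles that resolve relative to this site; fill them with absolute profile URLs. -->
<a class="facebook" target="_blank" rel="noopener noreferrer" aria-label="facebook"
href="full%20Social%20profile%20url%20in%20facebook">
<i class="fab fa-facebook-f"
title="facebook icon" aria-hidden="true"></i>
</a>
<a class="googleplus" target="_blank" rel="noopener noreferrer" aria-label="googleplus"
href="full%20profile%20url%20in%20googleplus">
<i class="fab fa-google-plus-g"
title="googleplus icon" aria-hidden="true"></i>
</a>
<a class="twitter" target="_blank" rel="noopener noreferrer" aria-label="twitter"
href="chang0206">
<i class="fab fa-twitter-square"
title="twitter icon" aria-hidden="true"></i>
</a>
<a class="linkedin" target="_blank" rel="noopener noreferrer" aria-label="linkedin"
href="full%20profile%20url%20in%20linkedin">
<i class="fab fa-linkedin"
title="linkedin icon" aria-hidden="true"></i>
</a>
<a class="email" target="_blank" rel="noopener noreferrer" aria-label="email"
href="mailto:mc@hotshraingmy.info">
<i class="fas fa-envelope"
title="email icon" aria-hidden="true"></i>
</a>
<a class="instagram" target="_blank" rel="noopener noreferrer" aria-label="instagram"
href="chang0206">
<i class="fab fa-instagram"
title="instagram icon" aria-hidden="true"></i>
</a>
<a class="stackoverflow" target="_blank" rel="noopener noreferrer" aria-label="stackoverflow"
href="full%20profile%20url%20in%20stackoverflow">
<i class="fab fa-stack-overflow"
title="stackoverflow icon" aria-hidden="true"></i>
</a>
<a class="github" target="_blank" rel="noopener noreferrer" aria-label="github"
href="changchichung">
<i class="fab fa-github"
title="github icon" aria-hidden="true"></i>
</a>
<a class="pinterest" target="_blank" rel="noopener noreferrer" aria-label="pinterest"
href="full%20profile%20url%20in%20pinterest">
<i class="fab fa-pinterest"
title="pinterest icon" aria-hidden="true"></i>
</a>
</div>
</div>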
</div>
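<section id="comments" class="comments">
<div id="disqus_thread"></div>
<!-- Disqus embed loader. The embed URL names the https scheme explicitly: the protocol-relative
     "//" form would follow the page's scheme and load the third-party script over plain http
     whenever the page itself is served that way. This inline script needs a nonce/hash under a
     script-src CSP, and the embed (loaded from disqus.com) runs with full page privileges. -->
<script>
var disqus_config = function () {
};
(function () {
  // On local previews the shortname cannot be resolved usefully; show a hint instead of loading the embed.
  var previewHosts = ["localhost", "127.0.0.1"];
  if (previewHosts.indexOf(window.location.hostname) !== -1) {
    document.getElementById('disqus_thread').innerHTML = 'Disqus comments not available by default when the website is previewed locally.';
    return;
  }
  var d = document;
  var s = d.createElement('script');
  s.async = true;
  s.src = 'https://' + "h-cowbay-org-1" + '.disqus.com/embed.js';
  s.setAttribute('data-timestamp', +new Date());
  (d.head || d.body).appendChild(s);
})();
</script>
<noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript>
<a href="https://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus</span></a>
</section>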
</div>
</div>
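<!-- Site footer. The title link points at the site root explicitly (an empty href only reloads
     the current page), matching the header title link. Links that open in a new tab carry
     rel="noopener noreferrer"; icons are aria-hidden and the visually hidden span names the link.
     NOTE(review): several social hrefs are unfilled theme placeholders or bare handles that
     resolve relative to this site; fill them with absolute profile URLs or drop the entries. -->
<footer id="site-footer" class="site-footer" role="contentinfo">
<h1>
<a href="/"> MC部落 </a>
</h1>
<p class="site-description">Whats the Worst That Could Happen?</p>
<div id="menu-footer" class="menu-container menu-footer" role="navigation">
<div class="menu">
<ul id="menu-footer-items" class="menu-footer-items">
</ul>
</div> </div>
<ul class="social-media-icons">
<li>
<a class="facebook" target="_blank" rel="noopener noreferrer"
href="full%20Social%20profile%20url%20in%20facebook">
<i class="fab fa-facebook-f" title="facebook" aria-hidden="true"></i>
<span class="screen-reader-text">facebook</span>
</a>
</li>
<li>
<a class="googleplus" target="_blank" rel="noopener noreferrer"
href="full%20profile%20url%20in%20googleplus">
<i class="fab fa-google-plus-g" title="googleplus" aria-hidden="true"></i>
<span class="screen-reader-text">googleplus</span>
</a>
</li>
<li>
<a href="chang0206" class="twitter" target="_blank" rel="noopener noreferrer">
<i class="fab fa-twitter-square" title="twitter" aria-hidden="true"></i>
<span class="screen-reader-text">twitter</span>
</a>
</li>
<li>
<a href="chang0206" class="instagram" target="_blank" rel="noopener noreferrer">
<i class="fab fa-instagram" title="instagram" aria-hidden="true"></i>
<span class="screen-reader-text">instagram</span>
</a>
</li>
<li>
<a href="mailto:mc@hotshraingmy.info" class="email">
<i class="fas fa-envelope" title="email" aria-hidden="true"></i>
<span class="screen-reader-text">email</span>
</a>
</li>
<li>
<a href="full%20profile%20url%20in%20linkedin" class="linkedin" target="_blank" rel="noopener noreferrer">
<i class="fab fa-linkedin-in" title="linkedin" aria-hidden="true"></i>
<span class="screen-reader-text">linkedin</span>
</a>
</li>
<li>
<a href="full%20profile%20url%20in%20stackoverflow" class="stackoverflow" target="_blank" rel="noopener noreferrer">
<i class="fab fa-stack-overflow" title="stackoverflow" aria-hidden="true"></i>
<span class="screen-reader-text">stackoverflow</span>
</a>
</li>
<li>
<a href="changchichung" class="github" target="_blank" rel="noopener noreferrer">
<i class="fab fa-github" title="github" aria-hidden="true"></i>
<span class="screen-reader-text">github</span>
</a>
</li>
<li>
<a href="full%20profile%20url%20in%20pinterest" class="pinterest" target="_blank" rel="noopener noreferrer">
<i class="fab fa-pinterest" title="pinterest" aria-hidden="true"></i>
<span class="screen-reader-text">pinterest</span>
</a>
</li>
<li>
<a href="https://h.cowbay.org/index.xml" data-animate-hover="pulse" class="rss" target="_blank" rel="noopener noreferrer">
<i class="fas fa-rss" title="rss" aria-hidden="true"></i>
<span class="screen-reader-text">rss</span>
</a>
</li>
</ul> <div class="design-credit">
<p>© 2018 Göran Svensson</p>
<p>Nederburg Hugo Theme by <a href="https://appernetic.io">Appernetic</a>.</p>
<p>A port of Tracks by Compete Themes.</p>
</div>
</footer>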
</div>
<script src="https://h.cowbay.org/js/jquery.min.js"></script>
<script src="https://h.cowbay.org/js/jquerymigrate.js"></script>
<script src="https://h.cowbay.org/js/production.min.js?v=1629952235"></script>
</body>
</html>