colben/www.colben.cn
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
colben 2024-10-30 13:42:32 +08:00
parent c85fb3f381
commit 30a17ff30f
1 changed files with 101 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

109
content/post/letsencrypt.md
View File

@ -7,7 +7,8 @@ tags: ["letsencrypt", "certbot", "ssl"]
categories: ["web"] categories: ["web"]
--- ---
## 安装 certbot ## 直接部署(不推荐)
### 安装 certbot
- 在 alpine linux 中安装 certbot - 在 alpine linux 中安装 certbot
```bash ```bash
apk add --no-cache certbot openssl apk add --no-cache certbot openssl
@ -18,7 +19,7 @@ categories: ["web"]
certbot register --register-unsafely-without-email --agree-tos certbot register --register-unsafely-without-email --agree-tos
``` ```
## 普通域名证书 ### 申请常规域名证书
- 申请 ssl 证书,有效期 90 天 - 申请 ssl 证书,有效期 90 天
```bash ```bash
certbot certonly -n -d x.x.com --standalone certbot certonly -n -d x.x.com --standalone
@ -38,7 +39,7 @@ categories: ["web"]
openssl dhparam -out /etc/letsencrypt/dhparam.pem 2048 openssl dhparam -out /etc/letsencrypt/dhparam.pem 2048
``` ```
## 通配域名证书 ### 申请通配域名证书
- 申请 ssl 证书,有效期 90 天 - 申请 ssl 证书,有效期 90 天
```bash ```bash
certbot certonly --manual -d '*.x.com' \ certbot certonly --manual -d '*.x.com' \
@ -64,21 +65,113 @@ categories: ["web"]
openssl dhparam -out /etc/letsencrypt/dhparam.pem 2048 openssl dhparam -out /etc/letsencrypt/dhparam.pem 2048
``` ```
## 容器部署
### 申请常规域名证书
- 为域名 x1.xx.com 和 x2.xx.com 申请 ssl 证书,创建 /letsencrypt/docker-compose.yml内容如下
```YAML
version: "3.7"
services:
letsencrypt-common:
image: harbor.colben.cn/general/letsencrypt:latest
container_name: letsencrypt-common
restart: "no"
stop_grace_period: 4s
environment:
DOMAINS: x1.xx.com,x2.xx.com
network_mode: host
volumes:
- type: bind
source: ./common/etc
target: /etc/letsencrypt
- type: bind
source: ./common/log
target: /var/log/letsencrypt
```
- 创建目录
```BASH
mkdir -p /letsencrypt/common/{etc,log}
```
- 手动启动,等待容器停止后,证书申请完成
```BASH
docker-compose up -d
```
- 创建定时任务,在每月的 31 号晚上十一点更新一次
```
0 23 31 * * docker-compose -f /letsencrypt/docker-compose.yml up letsencrypt-common
```
### 申请通配域名证书
- 为域名 \*.xxx.com 和 \*.yyy.com 申请 ssl 证书,创建 /letsencrypt/docker-compose.yml内容如下
```YAML
version: "3.7"
services:
letsencrypt-wildcard:
image: harbor.colben.cn/general/letsencrypt
container_name: letsencrypt-wildcard
restart: "no"
stop_grace_period: 1m
environment:
DOMAINS: "*.xxx.com,*.yyy.com"
network_mode: host
volumes:
- type: bind
source: ./wildcard/etc
target: /etc/letsencrypt
- type: bind
source: ./wildcard/log
target: /var/log/letsencrypt
```
- 创建目录
```BASH
mkdir -p /letsencrypt/wildcard/{etc,log}
```
- 获取通配域名的证书时,需要设置 TXT 解析记录,这里配合脚本实现自动添加和更新
- 调用腾讯云接口设置/更新 TXT 解析记录
```BASH
cp tencent-api.sh /letsencrypt/wildcard/etc/manual-hook.sh
# 修改脚本,替换成自己的阿里云 access key 信息
#ACCESS_KEY_ID='aliyun access key id'
#ACCESS_KEY_SECRET='aliyun access key secret'
```
- 调用阿里云接口设置/更新 TXT 解析记录
```BASH
cp aliyun-api.sh /letsencrypt/wildcard/etc/manual-hook.sh
# 修改脚本,替换成自己的腾讯云 secret 信息
#SECRET_ID='tencent secret id'
#SECRET_KEY='tencent secret key'
```
- 手动启动,等待容器停止后,证书申请完成
```
docker-compose up -d
```
- 创建定时任务,并在每月的 31 号晚上十点更新一次
```
0 22 31 * * docker-compose -f /letsencrypt/docker-compose.yml up letsencrypt-wildcard
```
## 使用证书 ## 使用证书
- nginx 配置 ssl - nginx 配置 ssl
``` ```
server { server {
listen 443 ssl; listen 443 ssl http2;
server_name x.x.x; server_name x.x.x; # 替换成自己的域名
ssl_certificate /etc/letsencrypt/live/x.x.x/fullchain.pem; ssl_certificate /letsencrypt/xxxx/etc/live/xxxx/fullchain.pem; # 替换实际目录
ssl_certificate_key /etc/letsencrypt/live/x.x.x/privkey.pem; ssl_certificate_key /letsencrypt/xxxx/etc/live/xxxx/privkey.pem; # 替换实际目录
ssl_session_cache shared:le_nginx_SSL:10m; ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m; ssl_session_timeout 1440m;
ssl_session_tickets off; ssl_session_tickets off;
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_dhparam /etc/letsencrypt/dhparam.pem; ssl_dhparam /letsencrypt/xxxx/etc/dhparam.pem; # 替换实际目录
location / { location / {
return 404; return 404;
} }