凭栏勾思 posted on 2022-7-25 16:36:00

Wildcard Domain Configuration Method

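<h1 id="泛域名配置方法">Wildcard Domain Configuration Method</h1>
<p>Alibaba's free certificate requires a CNAME record, can only validate a single domain, and the connection is very unstable, so I decided to set up a wildcard-domain configuration with a Let's Encrypt certificate instead. This article covers configuring a free wildcard-domain certificate. I wrote it because I struggled with this painfully for a long time, and I am recording the whole process to avoid falling into the same pits later.</p>
<p>I previously followed this page: https://www.jianshu.com/p/3ec95bb88ffa . The letsencrypt project it refers to has since moved to certbot at https://github.com/certbot/certbot</p>
<h2 id="最终解决方法">Final solution:</h2>
<p>https://cloud.tencent.com/developer/article/1500063</p>
<h3 id="下载安装">Download and install</h3>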
<p>acme.sh-master.zip</p>
<pre><code class="language-shell">yum install unzip
unzip acme.sh-master.zip
cd acme.sh-master/
./acme.sh --install
</code></pre>
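<h3 id="安装认证">Issue and validate the certificate</h3>
<p>While the steps below run, you can keep the DNS record settings page for the domain open in the Alibaba Cloud console. acme.sh adds the records automatically and tests them, so you can take the opportunity to grab a screenshot. The records are deleted automatically once the run finishes, and later you need to configure them once more by hand.</p>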
<pre><code class="language-shell">export Ali_Key="XFDFDAFAFAFAFA"
export Ali_Secret="FDASFASFSAFSAFDASFDASFASFASDF"

acme.sh --issue --dns dns_ali -d distill.com.cn -d www.distill.com.cn

Using CA: https://acme-v02.api.letsencrypt.org/directory
Create account key ok.
Registering account: https://acme-v02.api.letsencrypt.org/directory
Registered
ACCOUNT_THUMBPRINT='GcumXzsk5hrnln0WKVcDw4EiijsA8sGq0aD6nJUlk_Y'
Creating domain key
The domain key is here: /root/.acme.sh/distill.com.cn/distill.com.cn.key
Multi domain='DNS:distill.com.cn,DNS:www.distill.com.cn'
Getting domain auth token for each domain
Getting webroot for domain='distill.com.cn'
Getting webroot for domain='www.distill.com.cn'
Adding txt value: YHayV93uHWrajYI-dhfZJC2jtlTn5mmdpgvXWSQulIk for domain:_acme-challenge.distill.com.cn
The txt record is added: Success.
Adding txt value: zcgcyT8QM_S2TFgKFDBZgbHAJmAr8CRQyfO8dRW-YJ4 for domain:_acme-challenge.www.distill.com.cn
The txt record is added: Success.
Let's check each DNS record now. Sleep 20 seconds first.
Checking distill.com.cn for _acme-challenge.distill.com.cn
Domain distill.com.cn '_acme-challenge.distill.com.cn' success.
Checking www.distill.com.cn for _acme-challenge.www.distill.com.cn
Domain www.distill.com.cn '_acme-challenge.www.distill.com.cn' success.
All success, let's return
Verifying: distill.com.cn
Success
Verifying: www.distill.com.cn
Pending
Success
Removing DNS records.
Removing txt: YHayV93uHWrajYI-dhfZJC2jtlTn5mmdpgvXWSQulIk for domain: _acme-challenge.distill.com.cn
Removed: Success
Removing txt: zcgcyT8QM_S2TFgKFDBZgbHAJmAr8CRQyfO8dRW-YJ4 for domain: _acme-challenge.www.distill.com.cn
Removed: Success
Verify finished, start to sign.
Lets finalize the order.
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/94949289/4874363945'
Downloading cert.
Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/0339143585bd28e423b7f9798e7f120e4cf9'
Cert success.
Your cert is in /root/.acme.sh/distill.com.cn/distill.com.cn.cer
Your cert key is in /root/.acme.sh/distill.com.cn/distill.com.cn.key
The intermediate CA cert is in /root/.acme.sh/distill.com.cn/ca.cer
And the full chain certs is there: /root/.acme.sh/distill.com.cn/fullchain.cer

</code></pre>
<p><img src="https://img2022.cnblogs.com/blog/2712276/202207/2712276-20220725164918458-1931946328.png"></p>
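<p>Added example (not from the original post): the log above lists <code>distill.com.cn</code> and <code>www.distill.com.cn</code> as certificate names, whereas a wildcard entry such as <code>*.distill.com.cn</code> covers exactly one label and not the apex. This sketch checks which hostnames a SAN list covers; the wildcard SAN list, the wildcard <code>acme.sh</code> invocation in the comment, and the <code>api</code> and <code>a.b</code> hostnames are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example, not from the original post.
# SAN lists use the comma-separated "DNS:name" form that acme.sh prints as
# "Multi domain=" and that openssl shows for subjectAltName.

# name_matches HOST PATTERN: succeeds if PATTERN (exact or "*.parent") covers HOST.
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pat in
        '*.'*)
            parent=${pat#'*.'}
            rest=${host#*.}        # host with its left-most label removed
            # "*" stands for exactly one non-empty label, so the apex and
            # deeper names (a.b.parent) are NOT covered.
            [ "$host" != "$rest" ] && [ -n "${host%%.*}" ] && [ "$rest" = "$parent" ]
            ;;
        *)  [ "$host" = "$pat" ] ;;
    esac
}

# san_covers HOST SANLIST: succeeds if any DNS: entry covers HOST.
# The body is a subshell, so "set -f" and "exit" stay local to this call.
san_covers() (
    set -f                          # entries may contain "*": no globbing
    for entry in $(printf '%s' "$2" | tr ', ' '\n\n'); do
        case $entry in
            DNS:*) name_matches "$1" "${entry#DNS:}" && exit 0 ;;
        esac
    done
    exit 1
)

# SAN list taken from the "Multi domain=" line in the log above.
PAGE_SANS='DNS:distill.com.cn,DNS:www.distill.com.cn'
# Constructed: what a wildcard order would list, e.g. one requested with
#   acme.sh --issue --dns dns_ali -d distill.com.cn -d '*.distill.com.cn'
WILDCARD_SANS='DNS:distill.com.cn, DNS:*.distill.com.cn'

for h in distill.com.cn www.distill.com.cn api.distill.com.cn a.b.distill.com.cn; do
    for list in "$PAGE_SANS" "$WILDCARD_SANS"; do
        if san_covers "$h" "$list"; then r=covered; else r='NOT covered'; fi
        printf '%-22s %-45s %s\n' "$h" "$list" "$r"
    done
done
```

<p>To check a deployed certificate, pass the <code>DNS:</code> list printed by <code>openssl x509 -noout -ext subjectAltName -in fullchain.cer</code> as the second argument.</p>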
<h3 id="安装配置nginx">Install and configure nginx</h3>
<p>Configure /etc/nginx/nginx.conf</p>
<pre><code class="language-shell"># For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type      application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
}
</code></pre>
<p>Configure /etc/nginx/conf.d/distill.com.cn.conf</p>
<pre><code class="language-shell"># http(80) -&gt; https(443/ssl)
server {
    listen 80;
    server_name distill.com.cn;
    # return (not rewrite) so the query string in $request_uri is not appended twice
    return 301 https://$host$request_uri;
}
# distill.com.cn
server {
    listen 443 ssl;   # "ssl" on the listen directive replaces the deprecated "ssl on;"
    server_name distill.com.cn;
    include ssl/distill.com.cn.ssl.conf;

    location / {
      # todo
      proxy_pass http://localhost:10088/;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
</code></pre>
<p>Create the /etc/nginx/ssl directory, then deploy and configure the key files</p>
<pre><code class="language-shell">mkdir -p /etc/nginx/ssl
./acme.sh --install-cert -d distill.com.cn \
--key-file       /etc/nginx/ssl/distill.com.cn.key \
--fullchain-file /etc/nginx/ssl/fullchain.cer \
--reloadcmd      'service nginx force-reload'
</code></pre>
<p>vim /etc/nginx/ssl/distill.com.cn.ssl.conf</p>
<pre><code class="language-shell"># Paths are relative to /etc/nginx and must match the files written by --install-cert above
ssl_certificate ssl/fullchain.cer;
ssl_certificate_key ssl/distill.com.cn.key;
</code></pre>
<h2 id="配置docker服务上线注意项">Notes on bringing the Docker service online</h2>
<p>Configure the daemon.json file</p>
<pre><code class="language-shell">{
    "registry-mirrors": ["https://60nwgi45.mirror.aliyuncs.com"],
    "log-driver": "json-file",
    "log-opts": {
        "max-size": "10m",
        "max-file": "3"
    }
}
</code></pre><br><br>
Source: https://www.cnblogs.com/lyndonhu/p/16517855.html