Running acme.sh in Docker to install and configure a wildcard certificate
<p>Documentation: https://github.com/acmesh-official/acme.sh/wiki/Run-acme.sh-in-docker</p><p>First, the command that starts the daemon [the following is an example; because of <code>--rm</code> the container is deleted automatically when it stops]</p>
<div class="highlight">
<div class="cnblogs_code">
<pre>docker run --rm -itd \
-v "$(pwd)/out":/acme.sh \
--net=host \
--name=acme.sh \
neilpang/acme.sh daemon</pre>
</div>
</div>
<p><strong>This leaves a container with acme.sh running in the background, and that container runs its own scheduled job so certificates are renewed automatically.</strong> Note that if you use a dnsapi (for instance when issuing a wildcard certificate), do not forget to pass your environment variables here with the <code>-e</code> option, like this [an example; the container is deleted automatically when it stops]:</p>
<div class="highlight">
<div class="cnblogs_code">
<pre>docker run --rm -itd \
-v "$(pwd)/out":/acme.sh \
-e CF_Email="example@example.com" \
-e CF_Key="asasasasasadasasas" \
--net=host \
--name=acme.sh \
neilpang/acme.sh daemon</pre>
</div>
<p><span style="color: rgba(255, 0, 0, 1); font-size: 18px"><strong>In practice, once Docker is installed, the following three steps are all you need [this is the complete tutorial]</strong></span></p>
<p><strong>1)</strong> The author uses domains on Tencent Cloud (DNSPod) as follows (<strong>adjust the -v, DP_Key and DP_Id settings to your own</strong>) [Tencent Cloud example; change the -e values]:</p>
<div class="cnblogs_code">
<pre>docker run -itd \
-v "/dnmp/services/nginx/ssl/acme":/acme.sh \
-e DP_Key="xxxxxxxxxxxxxxxx" \
-e DP_Id="1111" \
--net=host \
--name=acme.sh \
neilpang/acme.sh daemon</pre>
</div>
</div>
<p>Detailed usage of the dnsapi mode is documented in the acme.sh wiki.</p>
<p>When everything works you get a container ID back; after that, remember to run <code>docker ps</code> to check that the container is actually running.</p>
<p>Once the container is ready you can run any acme.sh command through <code>docker exec</code>.</p>
<div class="highlight">
<div class="cnblogs_code">
<pre>docker exec acme.sh --help</pre>
</div>
</div>
<p><strong>2)</strong> Issue the wildcard certificate [replace the domain and e-mail address with your own; reference: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA]</p>
<p>Replace the domain with your own; <code>*</code> is the wildcard and matches any single-level subdomain.</p>
<div class="cnblogs_code">
<pre>docker exec acme.sh --register-account -m aa@qq.com --server zerossl --issue --dns dns_dp -d aa.com -d '*.aa.com'</pre>
</div>
<p>The generated certificate files are saved automatically into the volume created by <code>docker run</code> (in the first example that is <code>$(pwd)/out</code>, the <code>out</code> folder under the directory where the <code>run</code> command was executed; in step 1 it is <code>/dnmp/services/nginx/ssl/acme</code>).</p>
<p>The certificate bundle contains several files: DOMAIN.key is the private key; ca.cer holds the CA (intermediate) certificate; DOMAIN.cer is the domain certificate; fullchain.cer is the concatenation of the previous two; DOMAIN.csr is the certificate signing request.</p>
<p>For example:</p>
<p><img src="https://img2020.cnblogs.com/blog/867078/202111/867078-20211124155049082-615380151.png"></p>
<p><strong>3)</strong> Nginx: serving HTTP and HTTPS side by side</p>
<div class="cnblogs_code">
<pre>listen 80; # remove this line if everything must go over HTTPS
listen 443 ssl http2; # if everything must go over HTTPS, remove "ssl" here
server_name chandao.test.cn;
#ssl on; # if everything must go over HTTPS, enable "ssl on" here
ssl_certificate /dnmp/services/nginx/ssl/acme/aa.com/aa.com.cer;
ssl_certificate_key /dnmp/services/nginx/ssl/acme/aa.com/aa.com.key;
# SSL performance tuning
# nginx 1.13.0 added TLSv1.3 support; TLSv1.3 performs far better than TLSv1.2, TLSv1.1 and earlier
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
# use ssl_session_cache to improve nginx performance over HTTPS
ssl_session_cache builtin:1000 shared:SSL:10m;
# enable OCSP Stapling. OCSP is an online service for checking certificate revocation; with OCSP Stapling the server caches the certificate's status, which speeds up the TLS handshake
#ssl_stapling on;
# enable OCSP Stapling verification
#ssl_stapling_verify on;</pre>
</div>
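<p>The TLS lines in the block above are worth checking mechanically before they go live. The following shell function is an added example (not from the original post or from nginx): it reads a server block on stdin and reports what a reviewer would flag, using the file names the post uses (DOMAIN.cer, fullchain.cer, DOMAIN.key).</p>

```shell
#!/bin/sh
# Added example (not from the original post or from nginx): lint the TLS directives
# of a server block such as the one above. Config text arrives on stdin; each finding
# is printed on its own line and the return value is the number of findings.
# File naming assumed from the post: leaf DOMAIN.cer, bundle fullchain.cer, key DOMAIN.key.

directive() {  # value of the first "$2 ..." line in config text $1, trailing ';' dropped
  printf '%s\n' "$1" | awk -v d="$2" \
    '$1 == d { sub(/^[^[:space:]]+[[:space:]]+/, ""); sub(/;[[:space:]]*$/, ""); print; exit }'
}

lint_nginx_tls() {
  cfg=$(sed -e 's/#.*$//' -e 's/^[[:space:]]*//')   # drop '#' notes and indentation
  n=0
  protos=$(directive "$cfg" ssl_protocols)
  ciphers=$(directive "$cfg" ssl_ciphers)
  cert=$(directive "$cfg" ssl_certificate)
  key=$(directive "$cfg" ssl_certificate_key)
  case " $protos " in
    *" TLSv1 "*|*" TLSv1.1 "*)
      echo "ssl_protocols still offers TLSv1/TLSv1.1 (deprecated by RFC 8996)"; n=$((n + 1));;
  esac
  case " $protos " in
    *" TLSv1.3 "*) ;;
    *) echo "ssl_protocols omits TLSv1.3 (nginx >= 1.13.0 with OpenSSL 1.1.1 supports it)"; n=$((n + 1));;
  esac
  case "$ciphers" in *3DES*) echo "ssl_ciphers allows 3DES (64-bit block cipher, Sweet32)"; n=$((n + 1));; esac
  case "$ciphers" in *RSA+*) echo "ssl_ciphers allows static RSA key exchange (no forward secrecy)"; n=$((n + 1));; esac
  case "$cert" in
    */fullchain.cer) ;;
    *) echo "ssl_certificate should point at fullchain.cer so the intermediate is served"; n=$((n + 1));;
  esac
  case "$key" in
    *.key) ;;
    *) echo "ssl_certificate_key is missing or does not point at DOMAIN.key"; n=$((n + 1));;
  esac
  return "$n"
}

# constructed sample mirroring the post's server block
sample='ssl_certificate /dnmp/services/nginx/ssl/acme/aa.com/aa.com.cer;
ssl_certificate_key /dnmp/services/nginx/ssl/acme/aa.com/aa.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;'
printf '%s\n' "$sample" | lint_nginx_tls || echo "findings: $?"
```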
<h3><span style="color: rgba(255, 0, 0, 1)">If nginx reports a missing intermediate certificate, replace the .cer file with fullchain.cer</span></h3>
<div>
<div>fullchain.cer # the complete server certificate, including the chain<br>
Whenever you configure a certificate for a piece of software, configure the whole certificate chain; otherwise the certificate may not be trusted. All we need to know is that the files to use are fullchain.cer and aa.com.key.</div>
</div>
<p>That is:</p>
<div class="cnblogs_code">
<pre>ssl_certificate /dnmp/services/nginx/ssl/acme/aa.com/fullchain.cer;
ssl_certificate_key /dnmp/services/nginx/ssl/acme/aa.com/aa.com.key;</pre>
</div>
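<p>Before pointing nginx at the volume, it pays to verify that what acme.sh wrote there really contains the intermediate and that the private key is not readable by everyone. The script below is an added example, not part of the original post or of acme.sh; it assumes the layout described above (VOLUME/DOMAIN/DOMAIN.key, DOMAIN.cer, ca.cer, fullchain.cer) and exercises itself on a constructed stand-in bundle, not real certificates.</p>

```shell
#!/bin/sh
# Added example, not from the original post or from acme.sh: verify the files acme.sh
# wrote into the volume before nginx is pointed at them. Assumed layout (as listed above):
# VOLUME/DOMAIN/{DOMAIN.key, DOMAIN.cer, ca.cer, fullchain.cer}. Only PEM markers are
# counted; nothing is parsed or cryptographically validated.

pem_count() {  # number of certificate blocks in a file; 0 if it is absent or empty
  if [ -f "$1" ]; then grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; else echo 0; fi
}

check_acme_bundle() {  # usage: check_acme_bundle VOLUME DOMAIN; prints findings, returns 1 on any
  dir="$1/$2"; dom="$2"; status=0
  for f in "$dom.key" "$dom.cer" ca.cer fullchain.cer; do
    [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; status=1; }
  done
  leaf=$(pem_count "$dir/$dom.cer"); ca=$(pem_count "$dir/ca.cer"); full=$(pem_count "$dir/fullchain.cer")
  # nginx must serve the leaf plus the intermediate(s); a one-block fullchain.cer is the
  # "missing intermediate certificate" situation described above
  [ "$full" -ge 2 ] || { echo "fullchain.cer holds $full certificate(s): no intermediate"; status=1; }
  [ "$full" -eq $((leaf + ca)) ] || { echo "fullchain.cer ($full) != $dom.cer ($leaf) + ca.cer ($ca)"; status=1; }
  # only nginx needs the private key; if it is readable by "other", any local user can copy it
  if [ -f "$dir/$dom.key" ] && [ "$(ls -l "$dir/$dom.key" | cut -c8)" != "-" ]; then
    echo "$dom.key is world-readable"; status=1
  fi
  if [ "$status" -eq 0 ]; then  # print the two nginx directives to paste into the server block
    printf 'ssl_certificate %s/fullchain.cer;\nssl_certificate_key %s/%s.key;\n' "$dir" "$dir" "$dom"
  fi
  return "$status"
}

make_sample_bundle() {  # constructed stand-in for an acme.sh output dir: VOLUME DOMAIN CHAIN_LEN (1 = broken)
  dir="$1/$2"; mkdir -p "$dir"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' constructed '-----END PRIVATE KEY-----' > "$dir/$2.key"
  chmod 600 "$dir/$2.key"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' leaf '-----END CERTIFICATE-----' > "$dir/$2.cer"
  : > "$dir/ca.cer"
  i=1; while [ "$i" -lt "$3" ]; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "intermediate $i" '-----END CERTIFICATE-----' >> "$dir/ca.cer"
    i=$((i + 1))
  done
  cat "$dir/$2.cer" "$dir/ca.cer" > "$dir/fullchain.cer"
}

# demo on a constructed bundle in a temporary directory (no real certificates involved)
tmp=$(mktemp -d); make_sample_bundle "$tmp" aa.com 2
check_acme_bundle "$tmp" aa.com; rm -rf "$tmp"
```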
<h3 id="设置-crontab-任务自动续签">Set up a crontab job for automatic renewal (optional)</h3>
<p>Run <code>crontab -e</code> to edit the crontab, add the following line, and save.</p>
<div class="cnblogs_code">
<pre>10 0 * * * docker exec acme.sh --cron # acme.sh is the container name; runs every day at 00:10</pre>
</div>
Source: https://www.cnblogs.com/-mrl/p/13335360.html