Last time we resolved the failed Let's Encrypt application with the error message "AutoSSL Issue failed". After that DNS problem, this free SSL certificate has another issue to resolve.
The CWP control panel appears to set Let's Encrypt certificates to renew automatically, so that a certificate is renewed before it expires. Unexpectedly, yesterday Let's Encrypt did not renew automatically. SEO traffic dropped quickly, but fortunately it can be recovered once the fix is in place.
What is Let's Encrypt?
Let's Encrypt is a free, automated and open Certificate Authority provided by the Internet Security Research Group (ISRG).
Simply put, HTTPS (SSL/TLS) can be enabled on our website for free with the help of a certificate issued by Let's Encrypt.
Issuance and renewal of free Let's Encrypt certificates are automated by scripts.
What is a Let's Encrypt wildcard certificate?
Before wildcard certificates appeared, Let's Encrypt supported only 2 kinds of certificate:
- Single-domain certificate: the certificate contains only one host.
- SAN certificate: also known as a multi-domain certificate, it can include multiple hosts (the Let's Encrypt limit is 20).
For individual users, who do not have many hosts, using SAN certificates is no problem at all, but large companies run into issues:
- There are many subdomains, and new hosts may need to be added over time.
- There are also many registered domains.
For large enterprises, SAN certificates may not meet their needs: all hosts have to be contained in one certificate, which Let's Encrypt certificates cannot satisfy (the limit of 20).
Wildcard certificates are certificates that can contain a wildcard:
- For example *.example.com or *.example.cn, using * to automatically match all subdomains;
- Large enterprises can also use wildcard certificates, so that one SSL certificate covers many hosts.
Difference between a wildcard certificate and a SAN certificate
- Wildcard certificates: wildcard certificates are generally used to secure multiple subdomains under a single fully qualified domain name. The benefit of this type of certificate is that it not only simplifies certificate management but also helps reduce your overhead costs. It protects your current and future subdomains at all times.
- SAN certificates: SAN certificates (also known as multi-domain certificates) are used to secure multiple domains with a single certificate. They differ from wildcard certificates in that wildcard certificates support unlimited subdomains, while a SAN certificate supports only the fully qualified domain names entered in the certificate. SAN certificates are notable because with one you can protect more than 100 different fully qualified domain names with a single certificate; however, the amount of protection depends on the certificate authority that issues the certificate.
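To make the wildcard/SAN difference concrete, the following added example (not part of the original post) applies the standard TLS matching rule, where * stands for exactly one label, to a set of host names. The function names and host names are hypothetical; it shows why the bare domain is normally requested as a second name next to the wildcard.

```shell
#!/bin/sh
# Added example; function names and hosts are hypothetical.
# Return 0 when certificate name $1 covers host name $2.
name_covers() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        '*.'*)
            suffix=${pattern#\*}              # "*.example.com" -> ".example.com"
            case "$host" in
                *"$suffix") label=${host%"$suffix"} ;;
                *) return 1 ;;
            esac
            # The wildcard stands for exactly one non-empty label.
            [ -n "$label" ] || return 1
            case "$label" in *.*) return 1 ;; esac
            return 0 ;;
        *)  [ "$pattern" = "$host" ] ;;       # plain SAN entry: exact match only
    esac
}

# Return 0 when any certificate name ($2...) covers host $1.
cert_covers() {
    wanted=$1; shift
    for san in "$@"; do
        name_covers "$san" "$wanted" && return 0
    done
    return 1
}

# Certificate names as arguments, host names on stdin (one per line).
# Prints every host the certificate would NOT cover.
uncovered_hosts() {
    while read -r h; do
        cert_covers "$h" "$@" || printf '%s\n' "$h"
    done
}

# Constructed inventory: a wildcard alone misses the bare domain and
# any name nested two levels below it.
printf '%s\n' example.com www.example.com api.v2.example.com |
    uncovered_hosts '*.example.com'
```

Running the same inventory against both names, `uncovered_hosts 'example.com' '*.example.com'`, leaves only api.v2.example.com uncovered.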
How to apply for a Let's Encrypt wildcard certificate?
To implement wildcard certificates, Let's Encrypt upgraded its implementation of the ACME protocol, and only the v2 protocol supports wildcard certificates.
That is, any client can apply for a wildcard certificate as long as it supports ACME v2.
Download certbot-auto
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto --version
Download the Let's Encrypt wildcard certificate script
git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
cd certbot-letencrypt-wildcardcertificates-alydns-au
# executable, but writable only by its owner: certbot runs this hook during renewal
chmod 0755 au.sh
Let's Encrypt wildcard certificate expiry renewal script
The script published here is for a server where nginx is compiled and installed, or installed with Docker, and HTTPS is proxied through nginx on the host or a load balancer. It automatically backs up the SSL certificate and restarts the Nginx proxy server.
- Note: the script actually uses ./certbot-auto renew
#!/usr/bin/env bash
# certbot client and the container that serves HTTPS
cmd="$HOME/certbot-auto"
restartNginxCmd="docker restart ghost_nginx_1"
action="renew"
# DNS-01 hooks: add the TXT record before validation, remove it afterwards
auth="$HOME/certbot/au.sh php aly add"
cleanup="$HOME/certbot/au.sh php aly clean"
# runs only after a successful renewal: copy the certificates, restart nginx
deploy="cp -r /etc/letsencrypt/ /home/pi/dnmp/services/nginx/ssl/ && $restartNginxCmd"
$cmd $action \
  --manual \
  --preferred-challenges dns \
  --deploy-hook "$deploy" \
  --manual-auth-hook "$auth" \
  --manual-cleanup-hook "$cleanup"
Open the crontab by editing the file /etc/crontab
# A certificate is renewed only when it has <30 days of validity left, so crontab can be set to run every 1 day or every 1 week
0 0 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /home/pi/crontab.sh
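Because renewal only happens once fewer than 30 days remain, a certificate that falls well below that mark means the cron job has been failing silently. As an added example (not part of the original post), this filter reads a `certbot certificates` style listing and reports such certificates; the sample listing is constructed, and its layout and the 20-day threshold are assumptions.

```shell
#!/bin/sh
# Added example; function names, sample data and threshold are assumptions.
# Reads a `certbot certificates` style listing on stdin and prints one line
# per certificate that is invalid or has fewer than $1 days of validity left.
stale_certs() {
    awk -v min="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            # Test INVALID first: the word also contains "VALID".
            if ($0 ~ /INVALID/) { print name " INVALID"; next }
            days = $0
            sub(/.*VALID: */, "", days)   # drop everything up to the count
            sub(/ day.*/, "", days)       # drop " days)" / " day)"
            if (days + 0 < min) print name " " days
        }'
}

# Constructed sample, modelled on the listing layout assumed above.
sample_listing() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com *.example.com
    Expiry Date: 2030-03-01 10:00:00+00:00 (VALID: 62 days)
  Certificate Name: shop.example.net
    Domains: *.shop.example.net
    Expiry Date: 2030-01-10 10:00:00+00:00 (VALID: 12 days)
  Certificate Name: old.example.org
    Domains: old.example.org
    Expiry Date: 2029-12-01 10:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# 20 days sits below the 30-day renewal window, so any hit means that
# several scheduled renewal runs have already failed.
sample_listing | stale_certs 20
```

On a live host the input would come from `./certbot-auto certificates`, and any non-empty output is the signal to alert on.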
Rebuilding the CWP server configuration
Here are the steps for CWP to rebuild the nginx/apache server:
Step 1: On the left side of the CWP Control Panel, click WebServer Settings → Select WebServers
Step 2: Select Nginx & Varnish & Apache
Step 3: Click the "Save & Rebuild Configuration" button at the bottom to save and rebuild the configuration.
- Refresh the website and you will see that the SSL certificate's expiry date has been updated.
We hope that "Let's Encrypt does not renew automatically? Wildcard certificate renewal script", shared by Chen Weiliang Blog ( https://www.chenweiliang.com/ ), is helpful to you.
You are welcome to share the link to this article: https://www.chenweiliang.com/cwl-1199.html