Does Let's Encrypt renew automatically? Updating the wildcard certificate renewal script

After the DNS problem we resolved last time (the "Let's Encrypt request failed: AutoSSL Issue Failed" error), this free SSL certificate has run into another problem that needs fixing.

On the CWP control panel, it initially looked as if the Let's Encrypt certificate was renewed automatically before it expired. Yesterday, however, Let's Encrypt did not renew the certificate automatically. SEO traffic dropped sharply, but fortunately it can be recovered now that the problem is fixed.

What is Let's Encrypt?


Let's Encrypt is a free, automated and open certificate authority (CA) provided by the non-profit Internet Security Research Group (ISRG).

Simply put, HTTPS (SSL/TLS) can be enabled on our website for free with a certificate issued by Let's Encrypt.

Issuance and renewal of free Let's Encrypt certificates are automated with scripts. Let's Encrypt officially recommends using the Certbot client to issue certificates.


What is a Let's Encrypt wildcard certificate?

Before wildcard certificates appeared, Let's Encrypt supported only 2 kinds of certificate:

  1. Single-domain certificate: the certificate contains only one host.
  2. SAN certificate: also known as a multi-domain certificate; the certificate can include multiple hosts (the Let's Encrypt limit is 20).

For individual users, who do not have many hosts, using SAN certificates is no problem at all, but large companies run into some problems:

  1. There are many subdomains, and a new host may have to be added over time.
  2. There are also many registered domains.

For large enterprises, SAN certificates may not meet the requirements: putting every host into a single certificate cannot be done with Let's Encrypt certificates (limit of 20).

Wildcard certificates are certificates that can contain a wildcard:

  • For example *.example.com, *.example.cn; the * is used to automatically match all subdomains;
  • Large enterprises can also use wildcard certificates, and a single SSL certificate can cover many hosts.

The difference between a wildcard certificate and a SAN certificate

  1. Wildcard certificates - Wildcard certificates are widely used to protect multiple subdomains under one fully qualified domain name. The benefit of this type of certificate is that it not only simplifies certificate management but also helps you reduce your overhead costs. It protects your current and future subdomains at all times.
  2. SAN certificates - SAN certificates (also known as multi-domain certificates) are used to protect multiple domains with a single certificate. They differ from wildcard certificates in that wildcard certificates support unlimited subdomains, while a SAN certificate only supports the fully qualified domain names entered in the certificate. SAN certificates are remarkable because with them you can protect more than 100 fully qualified domain names with a single certificate; however, the number protected depends on the issuing certificate authority.
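
To make the comparison above concrete, here is an added example (not from the original post) that checks which hosts a set of certificate names covers; the function names and host names are constructed for illustration. It shows that a wildcard stands for exactly one DNS label, so *.example.com covers neither example.com itself nor a.b.example.com.

```shell
#!/bin/sh
# Added example, not from the original post. Host names are constructed samples.

# Succeeds if one certificate name (exact or "*.base") covers the host.
# A wildcard stands for exactly one DNS label: it does not cover the bare
# domain and does not cover names nested more than one level deep.
name_covers() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pattern in
        '*.'*)
            base=${pattern#'*.'}
            label=${host%".$base"}                   # what is left in front of ".base"
            [ "$label" != "$host" ] || return 1      # host does not end in ".base"
            case $label in ''|*.*) return 1 ;; esac  # empty or more than one label
            return 0 ;;
        *)  [ "$pattern" = "$host" ] ;;
    esac
}

# Succeeds if any of the certificate's names covers the host.
# Usage: cert_covers HOST NAME [NAME...]
cert_covers() {
    target=$1; shift
    for san in "$@"; do
        name_covers "$san" "$target" && return 0
    done
    return 1
}

# Print the hosts read from stdin that the given certificate names leave uncovered.
# Usage: printf '%s\n' HOST... | uncovered_hosts NAME [NAME...]
uncovered_hosts() {
    while IFS= read -r h; do
        [ -n "$h" ] || continue
        cert_covers "$h" "$@" || printf '%s\n' "$h"
    done
}
```

A certificate meant to serve both the bare domain and its subdomains therefore needs both names, example.com and *.example.com.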

How do you apply for a Let's Encrypt wildcard certificate?

To implement wildcard certificates, Let's Encrypt upgraded its ACME protocol implementation, and only the v2 protocol supports wildcard certificates.

In other words, any client can apply for a wildcard certificate as long as it supports ACME v2.

Download Certbot-Auto

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto --version

Let's Encrypt wildcard certificate script

git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
cd certbot-letencrypt-wildcardcertificates-alydns-au
# executable by everyone, writable only by its owner (the hooks run from root's cron job)
chmod 0755 au.sh

Let's Encrypt wildcard certificate expiry renewal script

The script here is for a server where nginx was compiled and installed from source or installed with Docker, with HTTPS proxied by the host or by a load-balancing host. It automatically backs up the SSL certificate and restarts the Nginx proxy server.

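  • Note: the script actually runs ./certbot-auto renew

#!/usr/bin/env bash

# Path to the certbot-auto client downloaded earlier
cmd="$HOME/certbot-auto"
# Command that restarts the Nginx container after a renewal
restartNginxCmd="docker restart ghost_nginx_1"
action="renew"
# DNS challenge hooks from au.sh: add the validation record, then clean it up
auth="$HOME/certbot/au.sh php aly add"
cleanup="$HOME/certbot/au.sh php aly clean"
# Copy the certificates (this includes the private keys) to the Nginx directory, then restart Nginx
deploy="cp -r /etc/letsencrypt/ /home/pi/dnmp/services/nginx/ssl/ && $restartNginxCmd"

"$cmd" "$action" \
--manual \
--preferred-challenges dns \
--deploy-hook \
"$deploy" \
--manual-auth-hook \
"$auth" \
--manual-cleanup-hook \
"$cleanup"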

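Add the script to crontab by editing this file:

/etc/crontab

# A certificate is only renewed when it has fewer than 30 days of validity left, so the crontab entry can run daily or weekly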
0 0 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /home/pi/crontab.sh
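
The cron job above gives no signal when a renewal fails, which is how the certificate described at the top of this post expired unnoticed. The following check is an added example, not part of the original post or of certbot; the function names, the WARN_DAYS threshold and the certificate path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: detect a renewal that silently failed.
# Assumption: renewal happens at <30 days left, so fewer than WARN_DAYS days
# remaining means several scheduled renewals in a row did not succeed.
WARN_DAYS=${WARN_DAYS:-20}   # hypothetical threshold, tune to your schedule

# Convert an openssl notAfter value such as "Jun  1 12:00:00 2025 GMT"
# into whole days since 1970-01-01 (pure arithmetic, no GNU date needed).
not_after_to_days() (
    set -- $1                       # split into: month day time year zone
    [ "$#" -ge 4 ] || exit 2        # not a notAfter value
    mon=$1 day=${2#0} year=$4
    months=JanFebMarAprMayJunJulAugSepOctNovDec
    rest=${months%%"$mon"*}
    m=$(( ${#rest} / 3 + 1 ))
    [ "$m" -le 12 ] || exit 2       # unknown month name
    y=$(( year - (m <= 2) ))        # count Jan/Feb as part of the previous year
    era=$(( y / 400 )); yoe=$(( y - era * 400 ))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + day - 1 ))
    echo $(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
)

# Classify the number of days left on a certificate.
renewal_status() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -lt "$WARN_DAYS" ]; then echo RENEWAL_OVERDUE
    else echo OK
    fi
}

# Read the expiry date from a PEM certificate and report its status.
# The exit status is non-zero unless the status is OK, so cron can alert on it.
check_cert() {
    end=$(openssl x509 -enddate -noout -in "$1") || return 3
    today=$(( $(date +%s) / 86400 ))
    left=$(( $(not_after_to_days "${end#notAfter=}") - today ))
    status=$(renewal_status "$left")
    echo "$1: $status ($left days left)"
    [ "$status" = OK ]
}

# Usage: ./check-cert.sh /etc/letsencrypt/live/example.com/cert.pem
if [ "$#" -gt 0 ]; then check_cert "$1"; fi
```

Run it from a second cron entry, against the copy of the certificate that Nginx actually serves, so that a failed deploy hook is caught as well as a failed renewal.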

Rebuilding the CWP web server

Here are the CWP steps for rebuilding the nginx/apache server:

Step 1: On the left side of the CWP control panel, click WebServer Settings → Select WebServers


Step 2: Select Nginx & Varnish & Apache


Step 3: Click the "Save & Rebuild Configuration" button below to save and rebuild the configuration.

  • Refresh the website and you will see that the SSL certificate's expiry date has been updated.


We hope that "Does Let's Encrypt renew automatically? Updating the wildcard certificate renewal script", shared by Chen Weiliang Blog ( https://www.chenweiliang.com/ ), is helpful to you.

You are welcome to share the link to this article: https://www.chenweiliang.com/cwl-1199.html
