Wildcard certificate configuration

Alibaba Cloud's free certificate requires a CNAME record, only validates a single domain, and the connection is very unstable, so I decided to set up a Let's Encrypt wildcard certificate instead. This article covers configuring a free wildcard certificate; I wrote it because I struggled with this for a long time, and I am recording the whole process so I do not fall into the same pit again.

I previously followed this page: https://www.jianshu.com/p/3ec95bb88ffa; the letsencrypt client it describes has since moved to certbot, at https://github.com/certbot/certbot

The solution that finally worked:

https://cloud.tencent.com/developer/article/1500063

Download and install

acme.sh-master.zip

yum install unzip
unzip acme.sh-master.zip
cd acme.sh-master/
./acme.sh --install

Issue the certificate

While the following steps run, you can open the DNS settings page for the domain in the Alibaba Cloud console: acme.sh adds the validation records itself and tests them, so take a screenshot while they are there, because they are deleted automatically once the run finishes; you will still need to configure them by hand once more later.

export Ali_Key="XFDFDAFAFAFAFA"
export Ali_Secret="FDASFASFSAFSAFDASFDASFASFASDF"

acme.sh --issue --dns dns_ali -d distill.com.cn -d www.distill.com.cn

[Wed Aug 26 23:36:34 CST 2020] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed Aug 26 23:36:34 CST 2020] Create account key ok.
[Wed Aug 26 23:36:34 CST 2020] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Wed Aug 26 23:36:40 CST 2020] Registered
[Wed Aug 26 23:36:40 CST 2020] ACCOUNT_THUMBPRINT='GcumXzsk5hrnln0WKVcDw4EiijsA8sGq0aD6nJUlk_Y'
[Wed Aug 26 23:36:40 CST 2020] Creating domain key
[Wed Aug 26 23:36:40 CST 2020] The domain key is here: /root/.acme.sh/distill.com.cn/distill.com.cn.key
[Wed Aug 26 23:36:40 CST 2020] Multi domain='DNS:distill.com.cn,DNS:www.distill.com.cn'
[Wed Aug 26 23:36:40 CST 2020] Getting domain auth token for each domain
[Wed Aug 26 23:36:49 CST 2020] Getting webroot for domain='distill.com.cn'
[Wed Aug 26 23:36:49 CST 2020] Getting webroot for domain='www.distill.com.cn'
[Wed Aug 26 23:36:49 CST 2020] Adding txt value: YHayV93uHWrajYI-dhfZJC2jtlTn5mmdpgvXWSQulIk for domain:  _acme-challenge.distill.com.cn
[Wed Aug 26 23:36:52 CST 2020] The txt record is added: Success.
[Wed Aug 26 23:36:52 CST 2020] Adding txt value: zcgcyT8QM_S2TFgKFDBZgbHAJmAr8CRQyfO8dRW-YJ4 for domain:  _acme-challenge.www.distill.com.cn
[Wed Aug 26 23:36:56 CST 2020] The txt record is added: Success.
[Wed Aug 26 23:36:56 CST 2020] Let's check each DNS record now. Sleep 20 seconds first.
[Wed Aug 26 23:37:17 CST 2020] Checking distill.com.cn for _acme-challenge.distill.com.cn
[Wed Aug 26 23:37:25 CST 2020] Domain distill.com.cn '_acme-challenge.distill.com.cn' success.
[Wed Aug 26 23:37:25 CST 2020] Checking www.distill.com.cn for _acme-challenge.www.distill.com.cn
[Wed Aug 26 23:37:32 CST 2020] Domain www.distill.com.cn '_acme-challenge.www.distill.com.cn' success.
[Wed Aug 26 23:37:32 CST 2020] All success, let's return
[Wed Aug 26 23:37:32 CST 2020] Verifying: distill.com.cn
[Wed Aug 26 23:37:38 CST 2020] Success
[Wed Aug 26 23:37:38 CST 2020] Verifying: www.distill.com.cn
[Wed Aug 26 23:37:45 CST 2020] Pending
[Wed Aug 26 23:37:49 CST 2020] Success
[Wed Aug 26 23:37:49 CST 2020] Removing DNS records.
[Wed Aug 26 23:37:49 CST 2020] Removing txt: YHayV93uHWrajYI-dhfZJC2jtlTn5mmdpgvXWSQulIk for domain: _acme-challenge.distill.com.cn
[Wed Aug 26 23:37:53 CST 2020] Removed: Success
[Wed Aug 26 23:37:53 CST 2020] Removing txt: zcgcyT8QM_S2TFgKFDBZgbHAJmAr8CRQyfO8dRW-YJ4 for domain: _acme-challenge.www.distill.com.cn
[Wed Aug 26 23:37:58 CST 2020] Removed: Success
[Wed Aug 26 23:37:58 CST 2020] Verify finished, start to sign.
[Wed Aug 26 23:37:58 CST 2020] Lets finalize the order.
[Wed Aug 26 23:37:58 CST 2020] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/94949289/4874363945'
[Wed Aug 26 23:38:01 CST 2020] Downloading cert.
[Wed Aug 26 23:38:01 CST 2020] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/0339143585bd28e423b7f9798e7f120e4cf9'
[Wed Aug 26 23:38:04 CST 2020] Cert success.
[Wed Aug 26 23:38:04 CST 2020] Your cert is in  /root/.acme.sh/distill.com.cn/distill.com.cn.cer 
[Wed Aug 26 23:38:04 CST 2020] Your cert key is in  /root/.acme.sh/distill.com.cn/distill.com.cn.key 
[Wed Aug 26 23:38:04 CST 2020] The intermediate CA cert is in  /root/.acme.sh/distill.com.cn/ca.cer 
[Wed Aug 26 23:38:04 CST 2020] And the full chain certs is there:  /root/.acme.sh/distill.com.cn/fullchain.cer 
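As an added example (not acme.sh's own code) of what the ACCOUNT_THUMBPRINT and "Adding txt value" lines above represent: under RFC 8555 the DNS-01 TXT value is the base64url-encoded SHA-256 of the key authorization token.thumbprint, where the thumbprint is the RFC 7638 thumbprint of the account key. The thumbprint below is the one printed in the log; the token is constructed, since the real one comes from the CA's challenge object.

```python
import base64
import hashlib
import json

# The thumbprint is the one acme.sh printed in the log on this page; the token
# is constructed here (a real one comes from the CA's challenge object).
ACCOUNT_THUMBPRINT = "GcumXzsk5hrnln0WKVcDw4EiijsA8sGq0aD6nJUlk_Y"
CONSTRUCTED_TOKEN = "c29tZS1jb25zdHJ1Y3RlZC10b2tlbg"


def b64url_sha256(data):
    """SHA-256, then base64url without '=' padding, as ACME encodes it (RFC 8555 §8.1)."""
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: hash only the required members, keys sorted, no whitespace.
    acme.sh prints this value once as ACCOUNT_THUMBPRINT."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url_sha256(canonical.encode("utf-8"))


def key_authorization(token, thumbprint):
    """token '.' thumbprint: binds the CA's token to this account key."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token, thumbprint):
    """The value acme.sh publishes ('Adding txt value: ...' in the log)."""
    return b64url_sha256(key_authorization(token, thumbprint).encode("ascii"))


def dns01_record_name(domain):
    """The owner name acme.sh adds the TXT record under."""
    return "_acme-challenge." + domain.rstrip(".")


def txt_record_satisfies(expected, observed_values):
    """The pre-check acme.sh runs before telling the CA to validate: at least one
    TXT value published at the challenge name must equal the expected value."""
    return expected in observed_values


if __name__ == "__main__":
    name = dns01_record_name("distill.com.cn")
    value = dns01_txt_value(CONSTRUCTED_TOKEN, ACCOUNT_THUMBPRINT)
    print(f'{name}. 300 IN TXT "{value}"')
```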

Install and configure nginx

Configure /etc/nginx/nginx.conf

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
}

Configure /etc/nginx/conf.d/distill.com.cn.conf

# http(80) -> https(443/ssl)
server {
    listen 80;
    server_name distill.com.cn;
    rewrite ^(.*)$ https://$host$request_uri;
}
# distill.com.cn
server {
    listen 443 ssl;  # enable TLS here; the separate 'ssl on;' directive is deprecated
    server_name distill.com.cn;
    include ssl/distill.com.cn.ssl.conf;

    location / {
        # todo
        proxy_pass http://localhost:10088/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Create the /etc/nginx/ssl directory and install the key and certificate files into it

./acme.sh --install-cert -d distill.com.cn \
--key-file       /etc/nginx/ssl/distill.com.cn.key \
--fullchain-file /etc/nginx/ssl/fullchain.cer \
--reloadcmd      'service nginx force-reload'

vim /etc/nginx/ssl/distill.com.cn.ssl.conf

# 'ssl on;' is deprecated (nginx 1.15.0 and later); TLS is enabled by 'listen 443 ssl;' in the server block.
# Serve the full chain that --install-cert wrote into /etc/nginx/ssl; the leaf-only distill.com.cn.cer was not copied there.
ssl_certificate ssl/fullchain.cer;
ssl_certificate_key ssl/distill.com.cn.key;
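A pre-reload check for the include above, added here and not part of the page or of nginx/acme.sh: it resolves each ssl_certificate / ssl_certificate_key path and flags a missing file (the --install-cert step copies fullchain.cer and the key, not distill.com.cn.cer), a key readable by other users, a leaf-only certificate file, and the deprecated ssl on; directive. It assumes relative paths resolve against the nginx prefix /etc/nginx, as distro packages build it; demo() reproduces the page's ssl/ layout in a throwaway directory with constructed placeholder PEM files.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Matches 'ssl on;', 'ssl_certificate <path>;' and 'ssl_certificate_key <path>;'.
DIRECTIVE = re.compile(r"^\s*(ssl(?:_certificate(?:_key)?)?)\s+([^;]+?)\s*;", re.M)

def check_ssl_conf(conf_path, prefix="/etc/nginx"):
    """Return human-readable findings; an empty list means safe to reload."""
    findings = []
    for name, value in DIRECTIVE.findall(Path(conf_path).read_text()):
        if name == "ssl":  # 'ssl on;' was deprecated in nginx 1.15.0
            findings.append("'ssl on;' is deprecated: use 'listen 443 ssl;' instead")
            continue
        # nginx resolves relative paths against its prefix (assumed /etc/nginx)
        path = Path(value) if os.path.isabs(value) else Path(prefix, value)
        if not path.is_file():
            findings.append(f"{name} points to missing file {path}")
        elif name == "ssl_certificate_key":
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{path} is readable by group/others (mode {mode:04o})")
        else:
            count = path.read_text().count("-----BEGIN CERTIFICATE-----")
            if count < 2:  # leaf only: clients may fail to build the chain
                findings.append(f"{path} holds {count} certificate(s); serve fullchain.cer")
    return findings

def _fake_pem(n):
    # Constructed placeholder blocks, not real certificates: only the count matters.
    return "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n" * n

def demo(fixed):
    """Rebuild the page's ssl/ layout in a temp prefix and check it: fixed=False
    mirrors the original include (missing .cer, 'ssl on;', key mode 0644),
    fixed=True the corrected one (fullchain.cer, key mode 0600)."""
    ssl_dir = Path(tempfile.mkdtemp(), "ssl")
    ssl_dir.mkdir()
    (ssl_dir / "fullchain.cer").write_text(_fake_pem(2))
    key_path = ssl_dir / "distill.com.cn.key"
    key_path.write_text("-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n")
    key_path.chmod(0o600 if fixed else 0o644)
    cert = "ssl/fullchain.cer" if fixed else "ssl/distill.com.cn.cer"
    conf = ("" if fixed else "ssl on;\n") + f"ssl_certificate {cert};\n"
    conf += "ssl_certificate_key ssl/distill.com.cn.key;\n"
    conf_path = ssl_dir / "distill.com.cn.ssl.conf"
    conf_path.write_text(conf)
    return check_ssl_conf(conf_path, ssl_dir.parent)
```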

Notes for bringing the Docker service online

Configure the daemon.json file

{
  "registry-mirrors": ["https://60nwgi45.mirror.aliyuncs.com"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3" 
  }
}
Posted on 2022-07-25 16:36 by 程序阳YY