{"rsdb":{"rid":"285538","subhead":"","postdate":"0","aid":"202224","fid":"76","uid":"1","topic":"1","content":"<div class=\"entry\"> \n <div class=\"copyright-area\">\n  \u539f\u6587\u51fa\u5904\uff1a \n  <a>\u6797\u6cfd\u6d69<\/a>\n <\/div> \n <p>\u672c\u6587\u4f7f\u7528 HTTP \u548c DNS \u4e24\u79cd\u6821\u9a8c\u65b9\u5f0f\u5bf9 Docker \u4e0b linuxserver\/letsencrypt \u9879\u76ee\u8fdb\u884c\u4e86\u5b9e\u8df5\u3002\u751f\u6210SpringBoot\u53ef\u7528\u8bc1\u4e66\uff0c\u4f7f\u7528 Nginx \u7684 htpasswd \u6765\u5bf9\u7f51\u7ad9\u8fdb\u884c\u5bc6\u7801\u4fdd\u62a4\uff0c\u5e76\u6d4b\u8bd5\u4f7f\u7528 fail2ban \u9632\u6b62 htpasswd \u88ab\u66b4\u529b\u7834\u89e3\u3002\u5168\u6587\u57fa\u4e8e linuxserver\/letsencrypt \u6587\u6863\u53ca\u5176\u4ed6\u5b98\u65b9\u8d44\u6599\uff0c\u6839\u636e\u4f5c\u8005\u5b9e\u8df5\u8fdb\u884c\u8be6\u7ec6\u89e3\u6790\u548c\u8bb0\u5f55\u3002<\/p> \n <h3>1. \u4ecb\u7ecd<\/h3> \n <h4>1.0 linuxserver\/letsencrypt<\/h4> \n <p>\u8fd9\u4e2a\u5bb9\u5668\u8bbe\u7f6e\u4e86\u4e00\u4e2a Nginx \u670d\u52a1\u5668\uff0c\u652f\u6301 PHP \u7684\u53cd\u5411\u4ee3\u7406\u548c\u4e00\u4e2a\u5185\u7f6e\u7684 letsencrypt \u5ba2\u6237\u7aef\uff0c\u53ef\u4ee5\u81ea\u52a8\u5316\u751f\u6210\u6216\u66f4\u65b0 SSL \u670d\u52a1\u5668\u8bc1\u4e66\u3002\u5b83\u8fd8\u5305\u542b\u7528\u4e8e\u9632\u5fa1\u5165\u4fb5\u7684 fail2ban\u3002<\/p> \n <h4>1.1 \u4f7f\u7528<\/h4> \n <pre class=\"brush: text; gutter: true\">docker create \\\r\n  --cap-add=NET_ADMIN \\\r\n  --name=letsencrypt \\\r\n  -v &lt;path to data&gt;:\/config \\\r\n  -e PGID=&lt;gid&gt; -e PUID=&lt;uid&gt;  \\\r\n  -e EMAIL=&lt;email&gt; \\\r\n  -e URL=&lt;url&gt; \\\r\n  -e SUBDOMAINS=&lt;subdomains&gt; \\\r\n  -e VALIDATION=&lt;method&gt; \\\r\n  -p 80:80 -p 443:443 \\\r\n  -e TZ=&lt;timezone&gt; \\\r\n  linuxserver\/letsencrypt<\/pre> \n <h4>1.2 \u53c2\u6570<\/h4> \n <ul> \n  <li>\u2013cap-add=NET_ADMIN cap-add\uff1a\u5373 Add Linux capabilities \u6dfb\u52a0 Linux \u5185\u6838\u80fd\u529b\u3002\u8fd9\u91cc\u5177\u4f53\u6dfb\u52a0\u7684\u80fd\u529b\u662f\u5141\u8bb8\u6267\u884c\u7f51\u7edc\u7ba1\u7406\u4efb\u52a1\u3002\u8fd9\u662f\u56e0\u4e3a fail2ban \u9700\u8981\u4fee\u6539 iptables<\/li> \n  <li>-p 80 -p 443\uff1a\u7aef\u53e3<\/li> \n  <li>-v \/config\uff1a\u5305\u62ec webroot \u5728\u5185\u7684\u6240\u6709\u914d\u7f6e\u6587\u4ef6\u90fd\u4fdd\u5b58\u5728\u6b64\u5904<\/li> \n  <li>-e URL\uff1a\u9876\u7ea7\u57df\u540d\uff08\u5b8c\u5168\u62e5\u6709\u5219\u5982\uff1a\u201ccustomdomain.com\u201d\uff0c\u52a8\u6001 DNS \u5219\u5982 \u201ccustomsubdomain.ddnsprovider.com\u201d \uff09<\/li> \n  <li>-e SUBDOMAINS\uff1a\u8bc1\u4e66\u8986\u76d6\u7684\u5b50\u57df\u540d (\u9017\u53f7\u5206\u9694\uff0c\u65e0\u7a7a\u683c) .\u5982 www,ftp,cloud.\u5bf9\u4e8e\u901a\u914d\u7b26\u8bc1\u4e66, \u8bf7\u5c06\u6b64\u660e\u786e\u5730\u8bbe\u7f6e\u4e3a\u901a\u914d\u7b26 (\u901a\u914d\u7b26\u8bc1\u4e66\u53ea\u5141\u8bb8\u901a\u8fc7dns\u65b9\u5f0f\u9a8c\u8bc1)<\/li> \n  <li>-e VALIDATION\uff1aletsencrypt\u9a8c\u8bc1\u65b9\u6cd5\uff0c\u9009\u9879\u662f http\u3001tls-sni \u6216\u8005 DNS<\/li> \n  <li>\u4e0d\u540c\u6821\u9a8c\u65b9\u5f0f\u7684\u533a\u522b: \n   <ul> \n    <li><strong>HTTP \u6821\u9a8c<\/strong>\uff1a\u9700\u8981\u4f7f\u7528\u523080\u7aef\u53e3\uff0c\u6545\u5bbf\u4e3b\u673a80\u7aef\u53e3\u5e94\u8be5\u8f6c\u53d1\u5230\u5bb9\u5668\u768480\u7aef\u53e3<\/li> \n    <li><strong>tls-sni \u6821\u9a8c<\/strong>\uff1a\u9700\u8981\u4f7f\u7528\u5230443\u7aef\u53e3\uff0c\u6545\u5bbf\u4e3b\u673a443\u7aef\u53e3\u5e94\u8be5\u8f6c\u53d1\u5230\u5bb9\u5668\u7684443\u7aef\u53e3\uff08\u6ce8\u610f\uff1a\u7531\u4e8e\u5b89\u5168\u6f0f\u6d1e\uff0cletsencrypt \u7981\u7528\u4e86 tls-sni \u9a8c\u8bc1\uff0c\u4f7f\u7528\u8be5\u65b9\u5f0f\u4f1a\u62a5\u9519\uff1a<span style=\"color: #ff0000;\">Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA<\/span>\uff09<\/li> \n    <li><strong>DNS \u9a8c\u8bc1<\/strong>\uff1a\u9700\u8981\u8bbe\u7f6e DNSPLUGIN \u53d8\u91cf\uff08\u4e0d\u662f\u6240\u6709\u7684DNS\u670d\u52a1\u5546\u90fd\u652f\u6301\uff09\uff0c\u5e76\u4e14\u9700\u8981\u5728 \/config\/dns-conf \u6587\u4ef6\u5939\u4e0b\u8f93\u5165\u51ed\u636e\u5230\u76f8\u5e94\u7684 ini \u6587\u4ef6\u91cc\uff0c\u5f53\u65e0\u6cd5\u901a\u8fc7\u7aef\u53e3\u9a8c\u8bc1\u65f6\u53ef\u4f7f\u7528\u8fd9\u79cd\u65b9\u6cd5\u9a8c\u8bc1<\/li> \n   <\/ul> <\/li> \n  <li>-e PGID \u8bbe\u7f6e GroupID<\/li> \n  <li>-e PUID \u8bbe\u7f6e UserID<\/li> \n  <li><code style=\"font-style: inherit; font-weight: inherit;\">-e TZ<\/code>&nbsp;- \u65f6\u533a \u5982&nbsp;America\/New_York\uff1a\u4e0a\u6d77\u65f6\u533a\u4e3aAsia\/Shanghai<\/li> \n <\/ul> \n <p>\u901a\u8fc7\u6307\u5b9a\u7528\u6237ID\u548c\u6240\u5c5e\u7fa4\u7684ID\u6765\u907f\u514d\u6570\u636e\u5377\u6302\u8f7d(<strong>-v<\/strong>)\u65f6\u5bb9\u5668\u548c\u5bbf\u4e3b\u673a\u76f4\u63a5\u53ef\u80fd\u4ea7\u751f\u7684\u6743\u9650\u95ee\u9898\u3002\u6700\u597d\u8ba9\u6302\u8f7d\u7684\u6570\u636e\u5377\u76ee\u5f55\u7684\u62e5\u6709\u8005\u548c\u6307\u5b9a\u7684\u7528\u6237\u7edf\u4e00\u3002<\/p> \n <p>\u53e6\u5916\uff0c\u9700\u8981\u6ce8\u610f\uff1a\u4e0d\u80fd\u6307\u5b9aroot\u7528\u6237\uff08\u5373PGID=0,PUID=0\uff09\uff0c\u5426\u5219\u4f1a\u4e00\u76f4\u62a5\u9519\uff08\u4f46\u4e0d\u5f71\u54cd\u4f7f\u7528\uff09\u3002<\/p> \n <pre class=\"brush: text; gutter: true\">#\u5bbf\u4e3b\u673aroot\u7528\u6237\u73af\u5883\u4e0b\u4f7f\u7528\u4f8b\u5b50(\u975e\u5b98\u65b9,\u4ec5\u4f9b\u53c2\u8003)\r\n\r\n#\u521b\u5efa\u8981\u6302\u8f7d\u7684\u76ee\u5f55,\u6b64\u65f6\u8be5\u76ee\u5f55\u5c5eroot\u7528\u6237\u548croot\u7ec4\r\nmkdir \/opt\/letsencrypt\r\n#\u521b\u5efadocker\u7528\u6237(\u9ed8\u8ba4\u4f1a\u987a\u5e26\u65b0\u5efa\u540c\u540dGroup)\r\nuseradd dockeruser\r\n#\u4fee\u6539\u6587\u4ef6\u5939\u5f52\u5c5e(R\u4ee3\u8868\u9012\u5f52\u64cd\u4f5c,\u6587\u4ef6\u5939\u4e0b\u7684\u4e5f\u4e00\u5e76\u4fee\u6539)\r\nchown -R dockeruser:dockeruser \/opt\/letsencrypt\r\n#\u67e5\u770bdockeruser\u7684\u7528\u6237id\u548c\u7fa4id\r\nid dockeruser<\/pre> \n <p>\u53ef\u9009\u8bbe\u7f6e\uff1a<\/p> \n <ul> \n  <li>-e DNSPLUGIN\uff1a\u5982\u679c VALIDATION \u8bbe\u7f6e\u4e3a DNS \u5219\u6b64\u9879\u5fc5\u9009\u3002\u9009\u9879\u6709 cloudflare\u3001cloudxns\u3001digitalocean\u3001dnsimple\u3001dnsmadeeasy\u3001google\u3001luadns\u3001nsone\u3001rfc2136 \u548c route53\u3002\u8fd8\u9700\u8981\u5728 \/config\/dns-conf \u6587\u4ef6\u5939\u4e0b\u8f93\u5165\u51ed\u636e\u5230\u76f8\u5e94\u7684 ini \u6587\u4ef6\u91cc\u3002\u8fd9\u91cc\u63a8\u8350\u4f7f\u7528 cloudflare\uff0c\u514d\u8d39\u800c\u4e14\u597d\u7528.<\/li> \n  <li>\u4f7f\u7528 Cloudflare \u670d\u52a1\u7684\u8bdd\u5e94\u786e\u4fdd\u8bbe\u7f6e\u4e3a dns only \u800c\u975e dns + proxy\uff08\u4e8b\u5b9e\u4e0a Cloudflare \u7684 proxy \u5df2\u7ecf\u63d0\u4f9b\u514d\u8d39\u81ea\u52a8 SSL \u670d\u52a1\u4e86\uff0c\u4e5f\u5c31\u6ca1\u6709\u672c\u6587\u7684\u5fc5\u8981\uff09<\/li> \n  <li>Google DNS \u63d2\u4ef6\u7684\u4f7f\u7528\u5bf9\u8c61\u662f\u4f01\u4e1a\u4ed8\u8d39\u4ea7\u54c1\u201cGoogle Cloud DNS\u201d\u800c\u975e\u201cGoogle Domains DNS\u201d<\/li> \n  <li>-e EMAIL\uff1a\u60a8\u7684\u8bc1\u4e66\u6ce8\u518c\u548c\u901a\u77e5\u7684\u7535\u5b50\u90ae\u4ef6\u5730\u5740<\/li> \n  <li>-e DHLEVEL\uff1adhparams \u4f4d\u503c\uff08\u9ed8\u8ba4\u503c= 2048\uff0c\u53ef\u8bbe\u7f6e\u4e3a1024\u62164096\uff09<\/li> \n  <li>-p 80\uff1aVALIDATION\u8bbe\u7f6e\u4e3a http \u800c\u4e0d\u662f dns \u6216 tls-sni \u65f6\u9700\u898180\u7aef\u53e3\u8fdb\u884c\u8f6c\u53d1<\/li> \n  <li>-e ONLY_SUBDOMAINS\uff1a\u4ec5\u4e3a\u5b50\u57df\u540d\u83b7\u53d6\u8bc1\u4e66\uff08\u4e3b\u57df\u540d\u53ef\u80fd\u6258\u7ba1\u5728\u53e6\u5916\u4e00\u53f0\u8ba1\u7b97\u673a\u4e14\u65e0\u6cd5\u9a8c\u8bc1\uff09\u65f6\u8bf7\u5c06\u6b64\u9879\u8bbe\u7f6e\u4e3a true<\/li> \n  <li>-e EXTRA_DOMAINS\uff1a\u989d\u5916\u7684\u5b8c\u5168\u9650\u5b9a\u57df\u540d\uff08\u9017\u53f7\u5206\u9694\uff0c\u65e0\u7a7a\u683c\uff09\u5982 extradomain.com,subdomain.anotherdomain.org<\/li> \n  <li>-e STAGING\uff1a\u8bbe\u7f6e\u4e3a true \u53ef\u4ee5\u63d0\u9ad8\u901f\u7387\u9650\u5236\uff0c\u4f46\u8bc1\u4e66\u4e0d\u4f1a\u901a\u8fc7\u6d4f\u89c8\u5668\u7684\u5b89\u5168\u6d4b\u8bd5\uff0c\u4ec5\u7528\u4e8e\u6d4b\u8bd5<\/li> \n  <li>-e HTTPVAL\uff1a\u5df2\u5f03\u7528, \u8bf7\u7528VALIDATION \u4ee3\u66ff<\/li> \n <\/ul> \n <div> \n  <h3>2. \u5b9e\u8df5<\/h3> \n  <h4>2.1 \u4f7f\u7528 HTTP \u65b9\u5f0f\u9a8c\u8bc1<\/h4> \n  <p>\u9996\u5148\uff0c\u4f60\u5e94\u8be5\u5148\u4fdd\u8bc1\u8981\u83b7\u53d6\u8bc1\u4e66\u7684\u57df\u540d\uff08\u5b50\u57df\u540d\uff09\u80fd\u6b63\u786e\u5730\u8bbf\u95ee\u5230\u4e3b\u673a\u3002\u6ce8\u610f\uff1a\u57df\u540d\u9700\u8981\u5907\u6848\u3002<\/p> \n  <p>\u8fd9\u91cc\u6211\u6620\u5c04\u7684\u5bbf\u4e3b\u673a\u76ee\u5f55\u4e3a <strong>\/opt\/letsencrypt1<\/strong>\uff0cPGID \u548c PUID \u7531\u4e0a\u6587\u63d0\u5230\u7684\u65b9\u5f0f\u83b7\u5f97\u3002\u914d\u7f6e\u7684\u57df\u540d\u4e3a my.com \u548c www.my.com \uff08\u5b9e\u9645\u4e0a\u6211\u914d\u7f6e\u7684\u662f\u53e6\u5916\u4e00\u4e2a\u6211\u81ea\u5df1\u771f\u6b63\u62e5\u6709\u7684\u57df\u540d\uff0c\u8fd9\u91cc\u4e0d\u8d34\u51fa\u6765\uff09<\/p> \n  <p>\u6ce8\u610f\uff1a\u4f7f\u7528 HTTP \u65b9\u5f0f\u9a8c\u8bc1\u7684\u8bdd\u5f00\u53d180\u7aef\u53e3\u5c31\u53ef\u4ee5\u4e86\uff0c\u8fd9\u91cc443\u7aef\u53e3\u4e5f\u8fdb\u884c\u6620\u5c04\u3002\u8fd9\u662f\u4e3a\u4e86\u8bc1\u4e66\u83b7\u53d6\u6210\u529f\u540e\u53ef\u4ee5\u901a\u8fc7\u4f7f\u7528 HTTPS \u767b\u5f55\u8be5\u5bb9\u5668\u63d0\u4f9b\u7684\u9ed8\u8ba4\u9996\u9875\u8fdb\u884c\u786e\u8ba4\u3002<\/p> \n <\/div> \n <pre class=\"brush: text; gutter: true\">docker run -d \\\r\n--cap-add=NET_ADMIN \\\r\n--name=letsencrypt \\\r\n-v \/opt\/letsencrypt1:\/config \\\r\n-e PGID=1002 -e PUID=1001  \\\r\n-e URL=my.com \\\r\n-e SUBDOMAINS=www \\\r\n-e VALIDATION=http \\\r\n-p 80:80 -p 443:443 \\\r\n-e TZ=Asia\/Shanghai \\\r\nlinuxserver\/letsencrypt<\/pre> \n <p>\u5bb9\u5668\u4f1a\u5728\u540e\u53f0\u8fd0\u884c\uff0c\u8fd9\u4e2a\u65f6\u5019\u5e94\u8be5\u63d0\u4f9b\u5982\u4e0b\u6307\u4ee4\u67e5\u770b\u65e5\u5fd7\u8f93\u51fa\uff08CTRL + z\u9000\u51fa\uff09","orderid":"0","title":"Docker\u4f7f\u7528 linuxserver\/letsencrypt \u751f\u6210SSL\u8bc1\u4e66\u6700\u5168\u89e3\u6790\u53ca\u5b9e\u8df5(\u4e00)","smalltitle":"","mid":"0","fname":"JAVA","special_id":"0","bak_id":"0","info":"0","hits":"718","pages":"4","comments":"0","posttime":"2019-01-03 10:09:49","list":"1546481389","username":"admin","author":"","copyfrom":"","copyfromurl":"","titlecolor":"","fonttype":"0","titleicon":"0","picurl":"http:\/\/incdn1.b0.upaiyun.com\/2019\/01\/46bcdc99be231a16ee549b13330577d4-1024x434.png","ispic":"1","yz":"1","yzer":"","yztime":"0","levels":"0","levelstime":"0","keywords":"<A HREF='https:\/\/www.cppentry.com\/do\/search.php?type=keyword&keyword=Docker' target=_blank>Docker<\/A> <A HREF='https:\/\/www.cppentry.com\/do\/search.php?type=keyword&keyword=%CA%B9%D3%C3' target=_blank>\u4f7f\u7528<\/A> <A HREF='https:\/\/www.cppentry.com\/do\/search.php?type=keyword&keyword=linuxserver%2Fletsencrypt' target=_blank>linuxserver\/letsencrypt<\/A> <A HREF='https:\/\/www.cppentry.com\/do\/search.php?type=keyword&keyword=%C9%FA%B3%C9' target=_blank>\u751f\u6210<\/A> <A HREF='https:\/\/www.cppentry.com\/do\/search.php?type=keyword&keyword=SSL' target=_blank>SSL<\/A> <A HREF='https:\/\/www.cppentry.com\/do\/search.php?type=keyword&keyword=%D6%A4%CA%E9' target=_blank>\u8bc1\u4e66<\/A> <A HREF='https:\/\/www.cppentry.com\/do\/search.php?type=keyword&keyword=%D7%EE%C8%AB' target=_blank>\u6700\u5168<\/A> <A HREF='https:\/\/www.cppentry.com\/do\/search.php?type=keyword&keyword=%BD%E2%CE%F6' target=_blank>\u89e3\u6790<\/A> <A HREF='https:\/\/www.cppentry.com\/do\/search.php?type=keyword&keyword=%CA%B5%BC%F9' target=_blank>\u5b9e\u8df5<\/A>","jumpurl":"","iframeurl":"","style":"","template":"a:3:{s:4:\"head\";s:0:\"\";s:4:\"foot\";s:0:\"\";s:8:\"bencandy\";s:0:\"\";}","target":"0","ip":"47.106.78.186","lastfid":"0","money":"0","buyuser":"","passwd":"","allowdown":"","allowview":"","editer":"","edittime":"0","begintime":"0","endtime":"0","description":"Docker\u4f7f\u7528 linuxserver\/letsencrypt \u751f\u6210SSL\u8bc1\u4e66\u6700\u5168\u89e3\u6790\u53ca\u5b9e\u8df5","lastview":"1714034190","digg_num":"0","digg_time":"0","forbidcomment":"0","ifvote":"0","heart":"","htmlname":"","city_id":"0"},"page":"1"}