VPS侦探论坛

标题: 请教军哥，家庭局域网怎么配置安全证书 [打印本页]

作者: 很酷很拽的昵称 时间: 2021-10-14 18:55
标题: 请教军哥，家庭局域网怎么配置安全证书
请教军哥，家庭局域网怎么配置安全证书

自己在家里面用centOS7 搭建了一个博客程序
现在是以http方式访问的，一直想实现局域网https
网上找了一些教程，只怪自己才疏学浅

域名解析到局域网IP地址，用Let’s Encrypt SSL生成证书报错
错误码请参见https://curl.haxx.se/libcurl/c/libcurl-errors.html: 6
CURLE_COULDNT_RESOLVE_HOST (6)
Couldn't resolve host. The given remote host was not resolved.
无法解析主机。指定的远程主机未解析。

求教，如何实现实现，谢谢

作者: 木风木 时间: 2021-10-14 19:56
可以使用 lnmp onlyssl ** 利用DNS生成

作者: 很酷很拽的昵称 时间: 2021-10-14 21:03

木风木发表于 2021-10-14 19:56
可以使用 lnmp onlyssl ** 利用DNS生成

谢谢，正在研究

作者: licess 时间: 2021-10-15 09:30
首先按你发的错误信息看，你这个可能是你机器上dns设置错误，域名未解析
其次局域网内的机器letsencyrpt是无法访问到的所以也就无法验证，也就无法生成ssl证书，局域网内使用https的话就只能通过dns api方式进行验证生成ssl证书

作者: 很酷很拽的昵称 时间: 2021-10-16 13:34
首先感谢木风木 licess 两位大佬的帮助

已经实现局域网https访问

如何获取安全证书
用了两种方法获取安全证书，不过缺点是到期后需要手动续签
一种是通过域名DNS服务商提供的免费安全证书（安全证书有效期是一年）
另一种是通过 lnmp onlyssl 获取的免费安全证书（安全证书有效期是三个月）

第一种通过域名DNS服务商提供的免费安全证书，这里就不详说了

通过lnmp onlyssl 获取的免费安全证书
lnmp onlyssl
+-------------------------------------------+| Manager for LNMP, Written by Licess |+-------------------------------------------+|             https://lnmp.org          |+-------------------------------------------+The dns manual mode can not renew automatically, you must renew it manually./usr/local/acme.sh/acme.sh [found]Please enter domain(example: lnmp.org): 这里是你的域名 #这里键入你的域名 Your domain: 这里是你的域名Enter more domain name(example: *.lnmp.org): 这里是你的域名 #这里键入你的域名 domain list: 这里是你的域名Starting create SSL Certificate use Let's Encrypt...[Sat Oct 16 12:47:18 CST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory[Sat Oct 16 12:47:18 CST 2021] Multi domain='DNS:这里是你的域名,DNS:这里是你的域名'[Sat Oct 16 12:47:18 CST 2021] Getting domain auth token for each domain[Sat Oct 16 12:47:22 CST 2021] Getting webroot for domain='这里是你的域名'[Sat Oct 16 12:47:22 CST 2021] Getting webroot for domain='这里是你的域名'[Sat Oct 16 12:47:22 CST 2021] Add the following TXT record:[Sat Oct 16 12:47:22 CST 2021] Domain: '_acme-challenge.这里是你的域名' #_acme-challenge.是添加TXT记录的别名，即域名前缀[Sat Oct 16 12:47:22 CST 2021] TXT value: '这里是需要给域名手动添加TXT记录的内容'[Sat Oct 16 12:47:22 CST 2021] Please be aware that you prepend _acme-challenge. before your domain[Sat Oct 16 12:47:22 CST 2021] so the resulting subdomain will be: _acme-challenge.这里是你的域名[Sat Oct 16 12:47:22 CST 2021] Add the following TXT record:[Sat Oct 16 12:47:22 CST 2021] Domain: '_acme-challenge.这里是你的域名'[Sat Oct 16 12:47:22 CST 2021] TXT value: '这里是需要给域名手动添加TXT记录的内容'[Sat Oct 16 12:47:22 CST 2021] Please be aware that you prepend _acme-challenge. before your domain[Sat Oct 16 12:47:22 CST 2021] so the resulting subdomain will be: _acme-challenge.这里是你的域名[Sat Oct 16 12:47:22 CST 2021] Please add the TXT records to the domains, and re-run with --renew.[Sat Oct 16 12:47:22 CST 2021] Please check log file for more details: /usr/local/acme.sh/acme.sh.logPlease add the above TXT record to the domain in 120 seconds!!!
这里中途你有120秒的时间给域名添加TXT记录[Sat Oct 16 12:49:25 CST 2021] Renew: '这里是你的域名'[Sat Oct 16 12:49:26 CST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory[Sat Oct 16 12:49:26 CST 2021] Multi domain='DNS:这里是你的域名,DNS:这里是你的域名'[Sat Oct 16 12:49:26 CST 2021] Getting domain auth token for each domain[Sat Oct 16 12:49:26 CST 2021] Verifying: 这里是你的域名[Sat Oct 16 12:49:32 CST 2021] Pending[Sat Oct 16 12:49:35 CST 2021] Pending[Sat Oct 16 12:49:39 CST 2021] Pending[Sat Oct 16 12:49:42 CST 2021] Pending[Sat Oct 16 12:49:45 CST 2021] Pending[Sat Oct 16 12:49:49 CST 2021] Pending[Sat Oct 16 12:49:52 CST 2021] Success[Sat Oct 16 12:49:52 CST 2021] Verifying: 这里是你的域名[Sat Oct 16 12:49:56 CST 2021] Success[Sat Oct 16 12:49:56 CST 2021] Verify finished, start to sign.[Sat Oct 16 12:49:56 CST 2021] Lets finalize the order.[Sat Oct 16 12:49:56 CST 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/ID*****'[Sat Oct 16 12:49:58 CST 2021] Downloading cert.[Sat Oct 16 12:49:58 CST 2021] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/ID*****'[Sat Oct 16 12:49:59 CST 2021] Cert success.[Sat Oct 16 12:49:59 CST 2021] Your cert is in  /usr/local/nginx/conf/ssl/这里是你的域名/这里是你的域名.cer [Sat Oct 16 12:49:59 CST 2021] Your cert key is in  /usr/local/nginx/conf/ssl/这里是你的域名/这里是你的域名.key [Sat Oct 16 12:49:59 CST 2021] The intermediate CA cert is in  /usr/local/nginx/conf/ssl/这里是你的域名/ca.cer [Sat Oct 16 12:49:59 CST 2021] And the full chain certs is there:  /usr/local/nginx/conf/ssl/这里是你的域名/fullchain.cer ------------------ SSL Certificate information as follows ------------------| Domain: 这里是你的域名这里是你的域名| SSL Certificate: /usr/local/nginx/conf/ssl/这里是你的域名/fullchain.cer  #这里是你的安全证书| SSL Certificate Key: /usr/local/nginx/conf/ssl/这里是你的域名/这里是你的域名.key  #这里是你的安全证书密钥------------------------------------ ---------------------------------------Let's Encrypt SSL Certificate create successfully.
这样你就得到了安全证书和密钥了

获取到证书和密钥以后，重新绑定了虚拟主机
lnmp vhost add
在添加安全证书选项，选择了使用自己的SSL证书和密钥
Add SSL Certificate (y/n) y
1: Use your own SSL Certificate and Key
2: Use Let's Encrypt to create SSL Certificate and Key
Enter 1 or 2: 1
然后手动录入安全证书和密钥的路径
Please enter full path to SSL Certificate file: /usr/local/nginx/conf/ssl/域名/fullchain.cer
Please enter full path to SSL Certificate Key file: /usr/local/nginx/conf/ssl/域名/域名.key
返回结果
================================================
Virtualhost infomation:
Your domain: 域名
Home Directory: /home/wwwroot/域名
Rewrite: other
Enable log: yes
Create database: no
Create ftp account: no
Enable SSL: yes
  =>Certificate file
================================================
到此就可以正常访问https
但是http还是能打开，然后设置301自动跳转
vi /usr/local/nginx/conf/vhost/域名.conf
[attach]6567[/attach]

添加规则
return 301 https://域名$request_uri; #跳转到https
修改配置文件后需要重启Nginx
nginx -s reload
浏览器访问前端地址不管是访问【http://域名】还是访问【http://www.域名】还是访问【https://www.域名/】
都会自动跳转到https://域名/

虽然还不完美，不能自动续签，先这样吧，再次感谢两位

作者: 很酷很拽的昵称 时间: 2021-10-16 13:45
用dns api验证生成ssl证书报错
export DP_Key="ID"
export DP_Secret="密钥"
lnmp dns dp

然后就报错了

Starting create SSL Certificate use Let's Encrypt...
[Fri Oct 15 18:32:22 CST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Oct 15 18:32:22 CST 2021] Multi domain='DNS:www.域名,DNS:域名'
[Fri Oct 15 18:32:22 CST 2021] Getting domain auth token for each domain
[Fri Oct 15 18:32:28 CST 2021] Getting webroot for domain='www.域名'
[Fri Oct 15 18:32:28 CST 2021] Getting webroot for domain='域名'
[Fri Oct 15 18:32:28 CST 2021] You don't specify dnspod api key and key id yet.
[Fri Oct 15 18:32:28 CST 2021] Please create you key and try again.
[Fri Oct 15 18:32:28 CST 2021] Please check log file for more details: /usr/local/acme.sh/acme.sh.log
Let's Encrypt SSL Certificate create failed!

报错说我没有使用api密钥和密钥ID，但我都使用了，也不知道啥原因
以后再研究吧

作者: licess 时间: 2021-10-16 17:22

很酷很拽的昵称发表于 2021-10-16 13:45
用dns api验证生成ssl证书报错
export DP_Key="ID"
export DP_Secret="密钥"

你这export的变量名字写错了肯定会提示 You don't specify dnspod api key and key id yet.
具体变量及参数可以去 https://lnmp.org/faq/letsencrypt-wildcard-ssl.html 查看或去acme.sh官网查看

如果要301对应域名到对应域名的https的话可以查看 https://lnmp.org/faq/lnmp-nginx-301-rewrite.html 教程上面都有说明

欢迎光临 VPS侦探论坛 (https://bbs.lnmp.com/)