VPS侦探论坛


Asking 军哥: how do I configure a security certificate on a home LAN?

Posted on 2021-10-14 18:55:43





I set up a blog on CentOS 7 at home.
It is currently accessed over HTTP, and I have wanted to get HTTPS working on the LAN for a while.
I found some tutorials online, but my knowledge is limited.

I pointed the domain at the LAN IP address, and generating a certificate with Let's Encrypt SSL fails:
For the error code see https://curl.haxx.se/libcurl/c/libcurl-errors.html: 6
CURLE_COULDNT_RESOLVE_HOST (6)
Couldn't resolve host. The given remote host was not resolved.
无法解析主机。指定的远程主机未解析。

How can this be done? Thanks.
Posted on 2021-10-14 19:56:58


You can use lnmp onlyssl ** and generate it via DNS.
OP | Posted on 2021-10-14 21:03:32



木风木 wrote on 2021-10-14 19:56:
You can use lnmp onlyssl ** and generate it via DNS.

Thanks, I'm looking into it.
Posted on 2021-10-15 09:30:29



First, judging from the error message you posted, the DNS settings on your machine are probably wrong, so the domain is not being resolved.
Second, Let's Encrypt cannot reach a machine inside a LAN, so it cannot validate it and therefore cannot issue an SSL certificate. To use HTTPS inside a LAN, the only option is to validate and issue the SSL certificate via the DNS API method.
OP | Posted on 2021-10-16 13:34:38

First of all, thanks to 木风木 and licess for their help.


HTTPS access on the LAN is now working.


How to obtain the security certificate
I used two methods to obtain a certificate; the drawback is that both have to be renewed manually when they expire.
One is the free certificate offered by the domain's DNS provider (valid for one year).
The other is the free certificate obtained via lnmp onlyssl (valid for three months).


I won't go into detail about the first method, the free certificate from the DNS provider.


Free certificate obtained via lnmp onlyssl
lnmp onlyssl
+-------------------------------------------+
|    Manager for LNMP, Written by Licess    |
+-------------------------------------------+
|              https://lnmp.org             |
+-------------------------------------------+
The dns manual mode can not renew automatically, you must renew it manually.
/usr/local/acme.sh/acme.sh [found]
Please enter domain(example: lnmp.org): your-domain   # type your domain here
Your domain: your-domain
Enter more domain name(example: *.lnmp.org): your-domain   # type your domain here
domain list: your-domain
Starting create SSL Certificate use Let's Encrypt...
[Sat Oct 16 12:47:18 CST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Oct 16 12:47:18 CST 2021] Multi domain='DNS:your-domain,DNS:your-domain'
[Sat Oct 16 12:47:18 CST 2021] Getting domain auth token for each domain
[Sat Oct 16 12:47:22 CST 2021] Getting webroot for domain='your-domain'
[Sat Oct 16 12:47:22 CST 2021] Getting webroot for domain='your-domain'
[Sat Oct 16 12:47:22 CST 2021] Add the following TXT record:
[Sat Oct 16 12:47:22 CST 2021] Domain: '_acme-challenge.your-domain'   # _acme-challenge. is the name of the TXT record, i.e. the prefix in front of your domain
[Sat Oct 16 12:47:22 CST 2021] TXT value: 'the-TXT-value-you-must-add-to-the-domain-by-hand'
[Sat Oct 16 12:47:22 CST 2021] Please be aware that you prepend _acme-challenge. before your domain
[Sat Oct 16 12:47:22 CST 2021] so the resulting subdomain will be: _acme-challenge.your-domain
[Sat Oct 16 12:47:22 CST 2021] Add the following TXT record:
[Sat Oct 16 12:47:22 CST 2021] Domain: '_acme-challenge.your-domain'
[Sat Oct 16 12:47:22 CST 2021] TXT value: 'the-TXT-value-you-must-add-to-the-domain-by-hand'
[Sat Oct 16 12:47:22 CST 2021] Please be aware that you prepend _acme-challenge. before your domain
[Sat Oct 16 12:47:22 CST 2021] so the resulting subdomain will be: _acme-challenge.your-domain
[Sat Oct 16 12:47:22 CST 2021] Please add the TXT records to the domains, and re-run with --renew.
[Sat Oct 16 12:47:22 CST 2021] Please check log file for more details: /usr/local/acme.sh/acme.sh.log
Please add the above TXT record to the domain in 120 seconds!!!
At this point you have 120 seconds to add the TXT record to the domain.
[Sat Oct 16 12:49:25 CST 2021] Renew: 'your-domain'
[Sat Oct 16 12:49:26 CST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Oct 16 12:49:26 CST 2021] Multi domain='DNS:your-domain,DNS:your-domain'
[Sat Oct 16 12:49:26 CST 2021] Getting domain auth token for each domain
[Sat Oct 16 12:49:26 CST 2021] Verifying: your-domain
[Sat Oct 16 12:49:32 CST 2021] Pending
[Sat Oct 16 12:49:35 CST 2021] Pending
[Sat Oct 16 12:49:39 CST 2021] Pending
[Sat Oct 16 12:49:42 CST 2021] Pending
[Sat Oct 16 12:49:45 CST 2021] Pending
[Sat Oct 16 12:49:49 CST 2021] Pending
[Sat Oct 16 12:49:52 CST 2021] Success
[Sat Oct 16 12:49:52 CST 2021] Verifying: your-domain
[Sat Oct 16 12:49:56 CST 2021] Success
[Sat Oct 16 12:49:56 CST 2021] Verify finished, start to sign.
[Sat Oct 16 12:49:56 CST 2021] Lets finalize the order.
[Sat Oct 16 12:49:56 CST 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/ID*****'
[Sat Oct 16 12:49:58 CST 2021] Downloading cert.
[Sat Oct 16 12:49:58 CST 2021] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/ID*****'
[Sat Oct 16 12:49:59 CST 2021] Cert success.
[Sat Oct 16 12:49:59 CST 2021] Your cert is in  /usr/local/nginx/conf/ssl/your-domain/your-domain.cer
[Sat Oct 16 12:49:59 CST 2021] Your cert key is in  /usr/local/nginx/conf/ssl/your-domain/your-domain.key
[Sat Oct 16 12:49:59 CST 2021] The intermediate CA cert is in  /usr/local/nginx/conf/ssl/your-domain/ca.cer
[Sat Oct 16 12:49:59 CST 2021] And the full chain certs is there:  /usr/local/nginx/conf/ssl/your-domain/fullchain.cer
------------------ SSL Certificate information as follows ------------------
| Domain: your-domain your-domain
| SSL Certificate: /usr/local/nginx/conf/ssl/your-domain/fullchain.cer  # this is your certificate
| SSL Certificate Key: /usr/local/nginx/conf/ssl/your-domain/your-domain.key  # this is your certificate key
------------------------------------ ---------------------------------------
Let's Encrypt SSL Certificate create successfully.
Now you have the certificate and key.



After obtaining the certificate and key, I re-added the virtual host:
lnmp vhost add
At the add-certificate prompt I chose to use my own SSL certificate and key:
Add SSL Certificate (y/n) y
1: Use your own SSL Certificate and Key
2: Use Let's Encrypt to create SSL Certificate and Key
Enter 1 or 2: 1
Then I entered the paths to the certificate and key by hand:
Please enter full path to SSL Certificate file: /usr/local/nginx/conf/ssl/domain/fullchain.cer
Please enter full path to SSL Certificate Key file: /usr/local/nginx/conf/ssl/domain/domain.key
The result:
================================================
Virtualhost infomation:
Your domain: domain
Home Directory: /home/wwwroot/domain
Rewrite: other
Enable log: yes
Create database: no
Create ftp account: no
Enable SSL: yes
  =>Certificate file
================================================
At this point HTTPS works.
But HTTP still opens, so I set up a 301 redirect:
vi /usr/local/nginx/conf/vhost/domain.conf


Add the rule:
return 301 https://domain$request_uri; # redirect to https
Nginx must be reloaded after changing the config file:
nginx -s reload
Whether the browser goes to [http://domain], [http://www.domain] or [https://www.domain/],
it is automatically redirected to https://domain/.

It is still not perfect since it cannot renew automatically, but that will do for now. Thanks again to you both.
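The post above notes that a certificate issued in DNS manual mode must be renewed by hand every three months. As an added example (not part of the post and not LNMP's own code), this stdlib-only Python check connects to the LAN host, reads the served certificate's notAfter, and reports whether it is time to run lnmp onlyssl again; LAN_HOST and DOMAIN are placeholders.

```python
#!/usr/bin/env python3
"""Warn when the LAN site's Let's Encrypt certificate is close to expiry (added example)."""
import socket
import ssl
import time
from typing import Optional

DOMAIN = "your-domain"        # placeholder: the name on the certificate (SNI and hostname check)
LAN_HOST = "192.168.1.10"     # placeholder: LAN address of the CentOS 7 box
WARN_DAYS = 30                # Let's Encrypt certs last 90 days; renew within the last 30


def days_left(not_after: str, now: Optional[float] = None) -> float:
    """Days until `not_after`, in the format ssl.getpeercert() returns,
    e.g. 'Jan 14 12:49:59 2022 GMT'. `now` is epoch seconds (defaults to the clock)."""
    expiry = ssl.cert_time_to_seconds(not_after)
    current = time.time() if now is None else now
    return (expiry - current) / 86400


def renewal_status(not_after: str, warn_days: int = WARN_DAYS,
                   now: Optional[float] = None) -> str:
    """'expired', 'renew' (within warn_days of expiry) or 'ok'."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "renew"
    return "ok"


def fetch_not_after(host: str, server_name: str, port: int = 443) -> str:
    """TLS-connect to host with SNI=server_name and return the leaf cert's notAfter.
    Uses the system trust store, so the server must serve fullchain.cer (leaf + intermediate);
    a hostname mismatch or missing chain raises ssl.SSLError instead of silently passing."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    not_after = fetch_not_after(LAN_HOST, DOMAIN)
    status = renewal_status(not_after)
    print(f"{DOMAIN}: expires {not_after} ({days_left(not_after):.0f} days left) -> {status}")
    if status != "ok":
        print("Run `lnmp onlyssl` again and add the new _acme-challenge TXT record.")
```

Run it from cron so the manual renewal is not forgotten; the non-network functions can be unit-tested with a fixed `now`.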



OP | Posted on 2021-10-16 13:45:23

Generating an SSL certificate with DNS API validation fails:
export DP_Key="ID"
export DP_Secret="secret"
lnmp dns dp

Then it errors out:

Starting create SSL Certificate use Let's Encrypt...
[Fri Oct 15 18:32:22 CST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Oct 15 18:32:22 CST 2021] Multi domain='DNS:www.domain,DNS:domain'
[Fri Oct 15 18:32:22 CST 2021] Getting domain auth token for each domain
[Fri Oct 15 18:32:28 CST 2021] Getting webroot for domain='www.domain'
[Fri Oct 15 18:32:28 CST 2021] Getting webroot for domain='domain'
[Fri Oct 15 18:32:28 CST 2021] You don't specify dnspod api key and key id yet.
[Fri Oct 15 18:32:28 CST 2021] Please create you key and try again.
[Fri Oct 15 18:32:28 CST 2021] Please check log file for more details: /usr/local/acme.sh/acme.sh.log
Let's Encrypt SSL Certificate create failed!

The error says I haven't specified the API key and key ID, but I did set both; no idea why.
I'll look into it later.
Posted on 2021-10-16 17:22:31

很酷很拽的昵称 wrote on 2021-10-16 13:45:
Generating an SSL certificate with DNS API validation fails:
export DP_Key="ID"
export DP_Secret="secret"

The names of the variables you exported are wrong, which is exactly why it reports You don't specify dnspod api key and key id yet.
The exact variables and parameters are listed at https://lnmp.org/faq/letsencrypt-wildcard-ssl.html, or check the acme.sh website.

If you want a 301 from a domain to that domain's HTTPS address, see https://lnmp.org/faq/lnmp-nginx-301-rewrite.html; the tutorial explains it all.