xdtianyu / scripts
scripts for work
Home Page: https://www.xdty.org
I want to learn how to read this sh script and then adapt it. What knowledge should I study? Thanks.
https://github.com/xdtianyu/scripts/blob/master/net/cmurl.sh
Lighttpd needs two key parameters: ssl.ca-file and ssl.pemfile.
ssl.ca-file = example.chained.crt
ssl.pemfile must be merged as follows:
cat example.com.key example.crt > example.pem
Enable this example.pem and it works.
This works very well, thank you very much.
letsencrypt-account.key
static.chained.crt
static.crt
static.csr
lets-encrypt-x1-cross-signed.pem
static.miagame.com.key
Of the generated keys, which one is the public key and which one is the private key?
Is there a complete Nginx configuration guide?
Generate account key...
Generating RSA private key, 4096 bit long modulus
......................................++
.................................................++
e is 65537 (0x10001)
Generate domain key...
Generating RSA private key, 2048 bit long modulus
.........................+++
........................................................+++
e is 65537 (0x10001)
Generate CSR...mrluo.csr
Parsing account key...
Parsing CSR...
Registering account...
Registered!
Verifying mrluo.pw...
Traceback (most recent call last):
File "/tmp/acme_tiny.py", line 198, in <module>
main(sys.argv[1:])
File "/tmp/acme_tiny.py", line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "/tmp/acme_tiny.py", line 123, in get_crt
wellknown_path, wellknown_url))
ValueError: Wrote file to /home/wwwroot/mrluo.pw/.well-known/acme-challenge/4NioLXi0m0egqi20mTZl3ELheqychV1ZX_kTDC36zX4, but couldn't download http://mrluo.pw/.well-known/acme-challenge/4NioLXi0m0egqi20mTZl3ELheqychV1ZX_kTDC36zX4 @
Let's Encrypt recently changed the root certificate to Let's Encrypt Authority X3. Certificates generated with this script have an incomplete certificate chain.
File "/tmp/acme_tiny.py", line 31
pub_exp = "0{0}".format(pub_exp) if len(pub_exp) % 2 else pub_exp
SyntaxError: invalid syntax
If my account has two domains, xxx.com and xxx.com.cn, then when issuing a certificate and the script submits the TXT record for xxx.com to cloudxns, it submits it to xxx.com.cn instead of xxx.com.
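The report above is the classic zone-selection mistake: a DNS-API client that picks the hosted zone by substring or prefix match will pick `xxx.com.cn` when asked for `xxx.com` if that zone happens to be listed first. The block below is an added example, not code from xdtianyu/scripts (I do not know how the script actually selects the zone; `naive_zone_for` merely mimics the misbehaviour described). It shows a label-aware match that only accepts a zone equal to the name or ending in `.` + zone, prefers the most specific zone, and splits an ACME validation name into the (zone, relative record) pair a DNS update needs. The zone list is constructed.

```python
"""Pick the DNS zone that owns a record name using label-aware matching.

Added example (not from the xdtianyu/scripts repository). ZONES is a
constructed sample that mimics an account hosting both example.com and
example.com.cn, the situation described in the issue above.
"""

# Constructed sample: zone names as a DNS provider's API might list them.
ZONES = ["example.com.cn", "example.com", "other.net"]


def naive_zone_for(name, zones=ZONES):
    """Substring match (assumed, for illustration): returns the first zone
    whose name contains the target. With ZONES above, asking for
    example.com returns example.com.cn, i.e. the wrong zone."""
    for zone in zones:
        if name in zone:
            return zone
    return None


def zone_for(name, zones=ZONES):
    """Label-aware match: the record name must equal the zone or end with
    '.' + zone. If several zones match, the longest (most specific) wins,
    so a record under sub.example.com lands in sub.example.com when both
    sub.example.com and example.com are hosted in the same account."""
    name = name.rstrip(".").lower()
    best = None
    for zone in zones:
        z = zone.rstrip(".").lower()
        if name == z or name.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


def txt_record_for(fqdn, zones=ZONES):
    """Split a validation name such as _acme-challenge.example.com into
    (zone, relative record name); '@' denotes the zone apex."""
    zone = zone_for(fqdn, zones)
    if zone is None:
        raise ValueError("no hosted zone for %s" % fqdn)
    name = fqdn.rstrip(".").lower()
    rel = "@" if name == zone else name[: -len(zone) - 1]
    return zone, rel


if __name__ == "__main__":
    print("naive :", naive_zone_for("example.com"))   # example.com.cn (wrong)
    print("exact :", zone_for("example.com"))         # example.com
    print("txt   :", txt_record_for("_acme-challenge.example.com"))
```

The same rule applies when a provider returns zone ids rather than names: resolve the name with `zone_for` first, then look up the id, never the other way round.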
So many files are generated; how do I use them, and how should nginx be configured?
Multiple domains, each in a different directory: how should this be configured, one config file per domain?
A single domain with multiple second-level subdomains can be configured via dns.
How can the timeout problem be avoided?
I have made sure the conf is filled in correctly and have added the corresponding subdomain A record on cloudxns.
root@OpenWrt:~/ddns# ./cloudxns.sh cloudxns.conf
DOMAIN ID: 53193 334499
RECORD ID:
Invalid API request, may be your URL path error, please check your URL, and then try again.
Fri Jan 1 10:10:12 HKT 2016 -- Update failed
Regarding the quick script for obtaining lets-encrypt certificates via DNS validation:
Hello, taking dnspod as an example,
if I have multiple root domains,
aaa.com
11.aaa.com 22.aaa.com 33.aaa.com ....
bbb.com
11.bbb.com 22.bbb.com 33.bbb.com ....
ccc.com
11.ccc.com 22.ccc.com 33.ccc.com ....
how should the config file be written? I have tried DOMAIN="aaa.com bbb.com"
and also multiple lines
DOMAIN="aaa.com"
DOMAIN="bbb.com"
but neither works.
Do I really have to create multiple folders?
1. What do these four parameters mean?
ACCOUNT_KEY="letsencrypt-account.key"
DOMAIN_KEY="example.com.key"
DOMAIN_DIR="/var/www/example.com"
DOMAINS="DNS:example.com,DNS:whatever.example.com"
2. Why are there no fullchain.pem and privkey.pem?
How should nginx be configured?
3. Does the script have to be placed in the /etc/nginx/certs directory?
Thanks
A question for the author:
DOMAIN_DIR="/var/www/example.com": my site is reverse-proxied through upstream to a backend server, and nothing is on the nginx server itself. What should I put here?
Can it be used directly, or does something need to be changed?
After configuring nginx I get an error:
nginx: [emerg] PEM_read_bio_X509_AUX("/ca/lihuasheng.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /etc/nginx/nginx.conf test failed
Could the author add cloudflare support?
Everything is placed in the script's working directory, which is a real hassle to clean up.
Generate CSR...app-test.csr
Traceback (most recent call last):
File "/tmp/acme_tiny.py", line 2, in <module>
import argparse, subprocess, json, os, sys, base64, binascii, time, hashlib, re, copy, textwrap, logging
ImportError: No module named argparse
Could the names of the generated files simply indicate which are public keys and which are private keys? Thanks!
but couldn't download http://www.XXXXX/.well-known/acme-challenge/kCxBr6NL0g01PbacQEpr6jw7U0t5I0M4xmkBUJ sohJM
failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Generate CSR...key.csr
unable to find 'distinguished_name' in config
problems making Certificate Request
140705217980320:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=req name=distinguished_name
Parsing account key...
Parsing CSR...
Traceback (most recent call last):
File "/tmp/acme_tiny.py", line 198, in <module>
main(sys.argv[1:])
File "/tmp/acme_tiny.py", line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "/tmp/acme_tiny.py", line 70, in get_crt
raise IOError("Error loading {0}: {1}".format(csr, err))
IOError: Error loading key.csr: unable to load X509 request
140623771527072:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: CERTIFICATE REQUEST
For example, configuring a certificate for deluge-webui: since nginx proxies to port 8112, there is no DOMAIN_DIR, so what should be filled in for that case?
Log:
Generate CSR...aaa.csr
error on line -1 of /dev/fd/63
3073771784:error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('/dev/fd/63','rb')
3073771784:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:178:
3073771784:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:195:
The error message is as follows:
[root@sz ssl]# ./le-dnspod.sh dnspod.conf
# INFO: Using main config file dnspod.conf
+ ERROR: An error occurred while sending get-request to https://acme-v01.api.letsencrypt.org/directory (Status 504)
Details:
<HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>
An error occurred while processing your request.<p>
Reference #97.9eef54b8.1495190163.378bde92
</BODY></HTML>
# INFO: Using main config file dnspod.conf
+ ERROR: An error occurred while sending get-request to https://acme-v01.api.letsencrypt.org/directory (Status 504)
Details:
<HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>
An error occurred while processing your request.<p>
Reference #97.9cef54b8.1495190223.3714abaa
</BODY></HTML>
wget --no-check-certificate --quiet --output-document=- "https://myip.ipip.net" | grep -E -o '([0-9]+\.){3}[0-9]+'
It seems quite simple. Just change the format used when generating the private key.
+ ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-authz (Status 400)
Details:
{
"type": "urn:acme:error:badNonce",
"detail": "JWS has invalid anti-replay nonce NT53frvQNmWWskR4OsyLrjm07m_ZdoQzl4JFHgXh4Og",
"status": 400
}
[root@hjl10001 ]#./le-dnspod.sh dnspod.conf
To use dehydrated with this certificate authority you have to agree to their terms of service which you can find here: https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
To accept these terms of service run ./letsencrypt.sh --register --accept-terms
.
Verifying blog.abc.com...
Traceback (most recent call last):
File "/tmp/acme_tiny.py", line 198, in <module>
main(sys.argv[1:])
File "/tmp/acme_tiny.py", line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "/tmp/acme_tiny.py", line 123, in get_crt
wellknown_path, wellknown_url))
ValueError: Wrote file to /data/wwwroot/blog.abc.com/.well-known/acme-challenge/_cHNv_NkY5imag1sViV7xXfqLiT2DmpCd, but couldn't download 。。。
Generated files:
-rw-r--r-- 1 root root 1647 Oct 13 16:19 *.chained.crt
-rw-r--r-- 1 root root 1679 Oct 13 15:56 *.com.key
-rw-r--r-- 1 root root 0 Oct 13 16:19 *.crt
-rw-r--r-- 1 root root 964 Oct 13 16:19 *.csr
-rw-r--r-- 1 root root 272 Oct 13 15:54 *_letsencrypt.conf
-rw-r--r-- 1 root root 3243 Oct 13 15:56 letsencrypt-account.key
-rwxr-xr-x 1 root root 2124 Oct 13 15:56 letsencrypt.sh
-rw-r--r-- 1 root root 1647 Jul 3 23:25 lets-encrypt-x3-cross-signed.pem
nginx configuration:
#SSL configuration
ssl on;
ssl_certificate /opt/letsencrypt/.chained.crt;
ssl_certificate_key /opt/letsencrypt/.com.key;
Starting nginx with the generated certificate reports an error:
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/opt/letsencrypt/*.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
configuration file /opt/nginx/conf/nginx.conf test failed
Can this be solved?
[root@canbin-aliyun www]# sh /www/letsencrypt.sh /www/letsencrypt.conf
Generate CSR...94cb.csr
/www/letsencrypt.sh: line 50: syntax error near unexpected token `('
/www/letsencrypt.sh: line 50: `openssl req -new -sha256 -key "$DOMAIN_KEY" -subj "/" -reqexts SAN -config <(cat $OPENSSL_CONF <(printf "[SAN]\nsubjectAltName=%s" "$DOMAINS")) > "$DOMAIN_CSR"'
Traceback (most recent call last):
File "/tmp/acme_tiny.py", line 198, in <module>
main(sys.argv[1:])
File "/tmp/acme_tiny.py", line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "/tmp/acme_tiny.py", line 104, in get_crt
raise ValueError("Error requesting challenges: {0} {1}".format(code, result))
ValueError: Error requesting challenges: 500 {
"type": "urn:acme:error:serverInternal",
"status": 500
I don't really understand it; in any case, https has stopped working.
The letsencrypt-vesta script is an automatic LE certificate request tool built specifically for the VestaCP web panel. I have always used VestaCP to set up web control panels, so I have always used the letsencrypt-vesta script.
But the letsencrypt-vesta script has one drawback: it cannot validate domains through DNSPOD's NS servers, so requesting an LE certificate for a domain resolved by DNSPOD fails.
I have already reported this problem on the official letsencrypt-vesta forum:
interbrite/letsencrypt-vesta#60
But I suspect the foreign developers are probably not interested in DNSPOD, and this is unlikely to be fixed soon.
I think tianyu's tool looks good. Would you be interested in improving the letsencrypt-vesta script by porting the DNSPOD-specific part of your script into letsencrypt-vesta, so that letsencrypt-vesta also works properly with DNSPOD?
Thanks!
Ah, how to deal with it?
[root@localhost ~]# ./letsencrypt.sh letsencrypt.conf
Generate CSR...abc.csr
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying www.abc.com...
Traceback (most recent call last):
File "/tmp/acme_tiny.py", line 198, in <module>
main(sys.argv[1:])
File "/tmp/acme_tiny.py", line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "/tmp/acme_tiny.py", line 123, in get_crt
wellknown_path, wellknown_url))
ValueError: Wrote file to /var/www/abc/.well-known/acme-challenge/xxxxxxx, but couldn't download http://www.abc.com/.well-known/acme-challenge/xxxxxxx
This is the result, but I don't know what the error is or what to do.
λ key ./le-cloudxns.sh cloudxns.conf
Processing ky0n.xyz with alternative names: www.ky0n.xyz
First, thanks to the author Tianyu; this tool does indeed obtain LE certificates smoothly for domains resolved through DNSPOD.
However, after I enabled SSL in the nginx config file following some online tutorial (tianyu does not provide the other setup steps after the certificate is requested), I ran the site through the SSL Labs SSL strength rating and got a B. The warning on the final report page was:
This server's certificate chain is incomplete. Grade capped to B
After investigation I found that the certificate path I had put in the nginx config file was:
ssl_certificate /root/certs/<the domain's certificate folder>/cert.pem;
If it is changed to:
ssl_certificate /root/certs/<the domain's certificate folder>/fullchain.pem;
with no other setting changed, and the site is rated again with SSL Labs, this time it gets an A.
This shows that we should use the **fullchain.pem** file directly as the certificate when configuring the server.
However, looking at the domain folder, the le-dns tool generates 10 certificate files:
cert-1529388469.csr
cert.csr
chain-1529388469.pem
fullchain-1529388469.pem
privkey-1529388469.pem
cert-1529388469.pem
cert.pem
chain.pem
fullchain.pem
privkey.pem
Aren't that many files a bit dazzling? Since configuring nginx really only uses two files, fullchain.pem and privkey.pem, why generate the other 8? Just generating those two would be enough, and easy for users to recognise.
It always gets as far as this step: Requesting challenge for aa.bbb.cccc
and then breaks off. I checked the API and it is correct; the environment is Tencent Cloud.
Could the generated fullchain.pem and privkey.pem be merged automatically after issuance into a certificate named after the root domain?
Also, it would be best to support multi-domain certificates across different root domains under the same DNSPOD account; otherwise, with many domains, generating and then merging certificates is a pain.
Another thing: the original letsencrypt.sh seems to support ECDSA certificates.
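Several of the reports on this page come down to what a PEM file actually contains: the lighttpd post concatenates the key and certificate into one pemfile, nginx fails with "no start line" on a file that holds no certificate, the listing above shows a 0-byte `*.crt`, and the SSL Labs post shows that `cert.pem` (one certificate) gets a B while `fullchain.pem` (leaf plus intermediate) gets an A. The block below is an added example, not code from xdtianyu/scripts or from the ACME clients it wraps. It parses only the `-----BEGIN`/`-----END` armour and reports what kinds of blocks a file holds for a given role; the PEM bodies are constructed placeholders, not real key or certificate data, and the role names (`cert`, `fullchain`, `key`, `lighttpd-pemfile`) are my own.

```python
"""Structural check of PEM files: which blocks they contain, for a role.

Added example, not part of xdtianyu/scripts. It catches an empty .crt, a
key where a certificate is expected, a chain holding only the leaf, and a
lighttpd pemfile missing its key. It does NOT verify signatures or that a
key matches a certificate; see the usage note for the openssl commands.
"""
import re

# One PEM block: label in the BEGIN line, lazy body, matching END label.
BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return the labels of the PEM blocks in text, in file order."""
    return [m.group(1) for m in BLOCK_RE.finditer(text)]


def check_pem(text, role):
    """Return a list of problems for a file used as `role`; [] means the
    file looks structurally right. Roles are this example's own names:
    cert, fullchain, key, lighttpd-pemfile."""
    labels = pem_blocks(text)
    if not labels:
        return ["no PEM block found (empty file or not PEM)"]
    certs = [l for l in labels if l in CERT_LABELS]
    keys = [l for l in labels if l in KEY_LABELS]
    problems = []
    if role == "cert":
        if not certs:
            problems.append("no CERTIFICATE block")
        if keys:
            problems.append("private key inside a certificate file")
    elif role == "fullchain":
        if len(certs) < 2:
            problems.append("only %d certificate(s); chain is incomplete"
                            % len(certs))
        if keys:
            problems.append("private key inside a certificate file")
    elif role == "key":
        if len(keys) != 1:
            problems.append("expected exactly one private key, found %d"
                            % len(keys))
        if certs:
            problems.append("certificate inside a key file")
    elif role == "lighttpd-pemfile":
        if len(keys) != 1 or not certs:
            problems.append("pemfile needs one private key plus the certificate")
    else:
        raise ValueError("unknown role %r" % role)
    return problems


def fake_block(label, body="MIIB-constructed-placeholder-not-real-der-data"):
    """Build a constructed PEM block for the demo (not a real key/cert)."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed samples standing in for the files listed on this page.
SAMPLE_KEY = fake_block("PRIVATE KEY")
SAMPLE_LEAF = fake_block("CERTIFICATE")
SAMPLE_INTERMEDIATE = fake_block("CERTIFICATE", "MIIC-constructed-intermediate")
SAMPLE_FULLCHAIN = SAMPLE_LEAF + SAMPLE_INTERMEDIATE
SAMPLE_PEMFILE = SAMPLE_KEY + SAMPLE_LEAF   # cat key crt > example.pem

if __name__ == "__main__":
    for name, text, role in [("empty.crt", "", "cert"),
                             ("cert.pem", SAMPLE_LEAF, "fullchain"),
                             ("fullchain.pem", SAMPLE_FULLCHAIN, "fullchain"),
                             ("example.pem", SAMPLE_PEMFILE, "lighttpd-pemfile")]:
        print(name, check_pem(text, role) or "ok")
```

For the "key values mismatch" errors elsewhere on this page this check is not enough; compare the public key of the certificate with that of the key, for example `openssl x509 -noout -modulus -in cert.pem | openssl md5` against `openssl rsa -noout -modulus -in privkey.pem | openssl md5`, which must print the same digest.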
Hey guys, I got this exception, does anyone know why? Thanks in advance!
u'error': {u'type': u'urn:acme:error:connection', u'detail': u'DNS query timed out'}, u'type': u'http-01'}
Line 27
https://github.com/lukas2511/letsencrypt.sh/raw/master/letsencrypt.sh
should be changed to
https://github.com/lukas2511/dehydrated/raw/master/dehydrated
When verifying the domain I could never get the verification to succeed, and then I found that the directory the script generates had a problem, so I modified the script, changing 'mkdir -p $DOMAIN_DIR' on line 53 to 'mkdir $DOMAIN_DIR'. Running the script again then gave the following message:
mkdir: cannot create directory `/home/wwwroot/domain/web\r/.well-known/acme-challenge/': No such file or directory
I think it is caused by the \r carriage return, but my skills are not good enough to solve this, so I am asking you here.
One machine has multiple sites, for example:
www.domain.com corresponds to -> /home/wwwroot/www.domian.com
static.domain.com corresponds to -> /home/wwwroot/static.domain.com
How should DOMAIN_DIR be configured then?
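The `web\r/.well-known` path in the message above is what a shell-sourced `KEY="value"` file produces when it was saved with Windows CRLF line endings: the `\r` after the closing quote is appended to the value, and every path built from `DOMAIN_DIR` inherits it. The block below is an added example (not code from xdtianyu/scripts) that reads a config in the `KEY="value"` form shown earlier on this page, strips and reports CRLF endings, and then checks the four parameters the page's config uses. The sample config is constructed, with one CRLF line to reproduce the fault; the checks on `DOMAINS` entries carrying a `DNS:` prefix and `DOMAIN_DIR` being absolute are my assumptions drawn from the example values on the page.

```python
"""Parse a KEY="value" config and flag CRLF endings before the values reach
mkdir or the ACME client.

Added example, not from xdtianyu/scripts. SAMPLE_CONF is constructed; its
DOMAIN_DIR line ends in CRLF, as the file in the issue above evidently did.
"""
import re

# Constructed sample config; line 3 carries a Windows CRLF line ending.
SAMPLE_CONF = (
    'ACCOUNT_KEY="letsencrypt-account.key"\n'
    'DOMAIN_KEY="example.com.key"\n'
    'DOMAIN_DIR="/home/wwwroot/domain/web"\r\n'
    'DOMAINS="DNS:example.com,DNS:www.example.com"\n'
)

# KEY=... with a double-quoted, single-quoted or bare value.
LINE_RE = re.compile(r'''^([A-Z_][A-Z0-9_]*)=(?:"([^"]*)"|'([^']*)'|(\S*))$''')

# The four parameters the config on this page uses (assumed required).
REQUIRED = ("ACCOUNT_KEY", "DOMAIN_KEY", "DOMAIN_DIR", "DOMAINS")


def parse_conf(text):
    """Return ({key: value}, [warnings]). A trailing '\\r' is removed and
    reported, because a shell sourcing the file would keep it in the value."""
    values, warnings = {}, []
    for lineno, line in enumerate(text.split("\n"), 1):
        if line.endswith("\r"):
            warnings.append("line %d: CRLF line ending" % lineno)
            line = line[:-1]
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            warnings.append('line %d: not a KEY="value" assignment' % lineno)
            continue
        key = m.group(1)
        values[key] = next(g for g in m.groups()[1:] if g is not None)
    return values, warnings


def check_conf(values):
    """Report missing parameters, control characters left in any value,
    and two plausibility checks (assumptions) on DOMAINS and DOMAIN_DIR."""
    problems = [
        "missing %s" % key for key in REQUIRED if key not in values]
    for key, value in values.items():
        if any(ch in value for ch in "\r\n\t"):
            problems.append("%s contains a control character" % key)
    domains = values.get("DOMAINS", "")
    if domains and not all(p.startswith("DNS:") for p in domains.split(",")):
        problems.append("DOMAINS entries must use the DNS: prefix")
    domain_dir = values.get("DOMAIN_DIR", "")
    if domain_dir and not domain_dir.startswith("/"):
        problems.append("DOMAIN_DIR should be an absolute path")
    return problems


if __name__ == "__main__":
    values, warnings = parse_conf(SAMPLE_CONF)
    print(values)
    print(warnings)            # ['line 3: CRLF line ending']
    print(check_conf(values))  # []
```

On a live system the one-line fix is to convert the file once, e.g. `sed -i 's/\r$//' letsencrypt.conf`, and to keep editing it with an editor that preserves LF endings.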