SSL in local development

In times of HTTPS-only browsers, SameSite cookies and realistic development setups, it makes sense to work locally with real SSL certificates. Let's Encrypt did the pioneering work here: with the help of certbot and Cloudflare, issuing and renewing wildcard certificates is fast and easy. This also lets you reach your locally hosted web projects from any device (smartphone, VM, ...) on the local network or via VPN.


First we register a development domain with Cloudflare, for example vielhuber.dev:

We let this domain point to its local IP address (for example 192.168.0.2). To do this, create the following DNS A records (important: the proxy status must be set to grey/DNS-only):

Type    Name    Content
A       @       192.168.0.2
A       *       192.168.0.2

To validate wildcard certificates, TXT records have to be set automatically. For this we create an API token (Profile > API Token > Create Token > Template: Edit zone DNS) and select the domain:

Next, we set up certbot:

sudo apt install certbot python3-certbot-dns-cloudflare
pip install --upgrade pyOpenSSL cryptography certbot certbot-dns-cloudflare

Now we store the API token created earlier:

mkdir -p ~/.secrets/certbot
nano ~/.secrets/certbot/cloudflare.ini
dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN_WITH_EDIT_ZONE_DNS_PERMISSIONS
chmod 600 ~/.secrets/certbot/cloudflare.ini
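Before issuing the first certificate it is worth checking the two things that most often go wrong with this setup: the credentials file must be readable by its owner only and must hold a real token rather than the placeholder, and the A records must resolve to the private LAN address (a proxied "orange cloud" record answers with a public Cloudflare edge address instead, which defeats the local-network use). The following preflight script is an added example, not code from the original post; the paths, the domain vielhuber.dev and the LAN IP 192.168.0.2 are taken from the post, while the hostname preflight-check.vielhuber.dev used to exercise the wildcard record and the variable names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): preflight checks before
# requesting the wildcard certificate with certbot + Cloudflare DNS-01.
CRED_FILE="${CRED_FILE:-$HOME/.secrets/certbot/cloudflare.ini}"
DOMAIN="${DOMAIN:-vielhuber.dev}"
EXPECTED_IP="${EXPECTED_IP:-192.168.0.2}"

# Return 0 if the dotted-quad is inside an RFC 1918 private range
# (10/8, 172.16/12, 192.168/16); anything else, including malformed
# input, returns 1.
is_private_ipv4() {
    ip="$1"
    # Reject anything that is not four dot-separated decimal octets.
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        [ "$o" -le 255 ] || return 1
    done
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    return 1
}

# Return 0 if the file is mode 0600 (rw for the owner, nothing for others).
# Parses ls -l so it behaves the same on GNU and BSD userland.
is_owner_only() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Return 0 if the ini file carries a dns_cloudflare_api_token value that
# is not the placeholder from the post.
has_real_token() {
    f="$1"
    token=$(sed -n 's/^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$f" | head -n1)
    [ -n "$token" ] && [ "$token" != "YOUR_CLOUDFLARE_API_TOKEN_WITH_EDIT_ZONE_DNS_PERMISSIONS" ]
}

# First IPv4 answer for a hostname; prefers dig, falls back to getent.
resolve_ipv4() {
    if command -v dig >/dev/null 2>&1; then
        dig +short A "$1" | head -n1
    else
        getent ahostsv4 "$1" | awk '{print $1; exit}'
    fi
}

# Run all checks; exit status 1 if any of them failed.
preflight() {
    rc=0
    if is_owner_only "$CRED_FILE"; then echo "ok   $CRED_FILE is 0600"
    else echo "FAIL $CRED_FILE must be chmod 600"; rc=1; fi
    if has_real_token "$CRED_FILE"; then echo "ok   API token present"
    else echo "FAIL $CRED_FILE has no real dns_cloudflare_api_token"; rc=1; fi
    # The apex checks the "@" record, the made-up subdomain checks the "*".
    for host in "$DOMAIN" "preflight-check.$DOMAIN"; do
        ip=$(resolve_ipv4 "$host")
        if [ "$ip" = "$EXPECTED_IP" ] && is_private_ipv4 "$ip"; then
            echo "ok   $host -> $ip"
        else
            echo "FAIL $host -> '${ip:-<no answer>}' (expected $EXPECTED_IP, DNS-only/grey cloud)"; rc=1
        fi
    done
    return $rc
}

# Only run the live checks when invoked as: sh preflight.sh run
if [ "${1:-}" = "run" ]; then preflight; exit $?; fi
```

Run it as `sh preflight.sh run` on the machine that will call certbot; a FAIL on the DNS lines almost always means the proxy toggle is still orange for one of the two records.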

Finally, we request the certificate:

certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 60 \
  -d '*.vielhuber.dev' -d vielhuber.dev \
  --agree-tos \
  --email david@vielhuber.de \
  --non-interactive

Automatic renewal is set up right away. To keep certbot from running on its own every 12 hours on that short interval, we first disable the default cron job and add our own:

sudo mv /etc/cron.d/certbot /etc/cron.d/certbot.disabled
( crontab -l 2>/dev/null; echo "0 12 * * * certbot renew --quiet" ) | crontab -
certbot renew --dry-run
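A plain `certbot renew` leaves Apache serving the old certificate until the next reload, and a silently failing renewal only shows up when browsers start rejecting the site. The wrapper below is an added example, not code from the original post: it runs the renewal with a deploy hook that reloads Apache only when a certificate actually changed (certbot's `--deploy-hook` option), then reports how many days the live certificate has left. The live directory follows the post; the 30-day warning threshold, the `run` argument and the use of GNU `date -d` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): renewal wrapper for the
# custom cron entry, with an Apache reload hook and an expiry check.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/vielhuber.dev}"
WARN_DAYS="${WARN_DAYS:-30}"   # assumed threshold; Let's Encrypt renews at 30 days

# Convert an openssl "notAfter=Jun 10 12:00:00 2030 GMT" line into the
# number of whole days from now until expiry (negative once expired).
# Uses GNU date -d; on BSD/macOS replace it with date -j -f.
days_left_from_notafter() {
    notafter=${1#notAfter=}
    expiry=$(date -u -d "$notafter" +%s) || return 1
    now=$(date -u +%s)
    echo $(( (expiry - now) / 86400 ))
}

# Return 0 if a day count is above the warning threshold.
days_are_fresh() {
    [ "$1" -gt "$WARN_DAYS" ]
}

# Days left for a PEM certificate file.
cert_days_left() {
    days_left_from_notafter "$(openssl x509 -in "$1" -noout -enddate)"
}

# Renew whatever is due, reload Apache only on an actual change, then
# verify that the live certificate is not close to expiry.
renew() {
    certbot renew --quiet --deploy-hook "systemctl reload apache2"
    days=$(cert_days_left "$LIVE_DIR/fullchain.pem") || {
        echo "ERROR: cannot read $LIVE_DIR/fullchain.pem" >&2; return 1; }
    if days_are_fresh "$days"; then
        echo "certificate ok: $days days left"
    else
        echo "WARNING: $LIVE_DIR/fullchain.pem expires in $days days; renewal is not working" >&2
        return 1
    fi
}

# Only act when invoked as: sh renew-local-certs.sh run
if [ "${1:-}" = "run" ]; then renew; exit $?; fi
```

To use it from the cron entry in the post, replace `certbot renew --quiet` with `sh /usr/local/bin/renew-local-certs.sh run` (assumed install path); cron mails the WARNING line to the local user if renewal stops working, which is exactly the failure the `--dry-run` above cannot catch later on.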

That is all that is needed: to integrate with Apache, you reference the issued certificates in the Apache configuration of your projects (e.g. /etc/apache2/sites-available/project-xy.conf):

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/vielhuber.dev/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/vielhuber.dev/privkey.pem

After reloading Apache (sudo systemctl reload apache2) the certificates are active and you can reach your projects at https://project-xy.vielhuber.dev.

With a little initial effort, you can build a local development environment with real wildcard certificates that is not only authentic but also works seamlessly with modern browsers, APIs and tools. Thanks to DNS-01 validation, you need neither a publicly reachable server nor manual certificate requests: everything is automatic, secure and reliable.
