SSL in the local development environment

In times of HTTPS-only browsers, SameSite cookies and realistic development conditions, it is important to work with real SSL certificates locally as well. Let's Encrypt does a great job here - together with certbot and Cloudflare, creating and renewing wildcard certificates is quick and easy. This lets you reach your local web projects from any device (smartphone, VM, ...) on the local network or via VPN.


First, we register a developer domain at Cloudflare, e.g. vielhuber.dev.

Now we let this domain point to a private local IP address (e.g. 192.168.0.2). To do this, create the following DNS A records (important: the proxy status must be set to grey/DNS only, otherwise the records would be proxied through Cloudflare instead of resolving to the local address):

Type | Name | Content
A    | @    | 192.168.0.2
A    | *    | 192.168.0.2

To validate wildcard certificates, TXT records have to be set automatically (DNS-01 challenge). For this we now create an API token (Profile > API Tokens > Create Token > Template: Edit zone DNS) and restrict it to the domain.

Then we install certbot together with the Cloudflare DNS plugin:

sudo apt install certbot python3-certbot-dns-cloudflare
pip install --upgrade pyOpenSSL cryptography certbot certbot-dns-cloudflare

Now we store the API token generated above:

mkdir -p ~/.secrets/certbot
nano ~/.secrets/certbot/cloudflare.ini
# contents of cloudflare.ini:
dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN_WITH_EDIT_ZONE_DNS_PERMISSIONS
# the file holds a secret, so make it readable by its owner only
chmod 600 ~/.secrets/certbot/cloudflare.ini

Finally, we request a certificate:

certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 60 \
  -d '*.vielhuber.dev' -d vielhuber.dev \
  --agree-tos \
  --email david@vielhuber.de \
  --non-interactive

Automatic renewal is also set up quickly. To stop certbot from running at a random time every 12 hours on its own, we first disable the default cron script and add our own:

sudo mv /etc/cron.d/certbot /etc/cron.d/certbot.disabled
( crontab -l 2>/dev/null; echo "0 12 * * * certbot renew --quiet" ) | crontab -
certbot renew --dry-run

That is all that is needed: to use the certificates in Apache, you reference the newly created files in the Apache configuration of your projects (e.g. /etc/apache2/sites-available/project-xy.conf):

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/vielhuber.dev/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/vielhuber.dev/privkey.pem

After reloading Apache (sudo systemctl reload apache2) the certificates are active immediately and you can reach your projects at https://project-xy.vielhuber.dev.
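As an added pre-flight check that is not part of the original post: a small POSIX sh script that verifies the two things this setup depends on, namely that the Cloudflare token file is readable by its owner only and no longer holds the placeholder, and that the addresses behind the A records are private (RFC 1918). It assumes a Linux or BSD host; the paths and the address 192.168.0.2 are the ones used above.

```shell
#!/bin/sh
# Added pre-flight check for the setup in this post (not part of the original).
# Assumes a Linux/BSD host with POSIX sh; paths and 192.168.0.2 are taken from the post.

# Return 0 if the credentials file exists and only its owner can read it (mode 600 or 400).
check_secret_perms() {
  local file="$1" mode
  [ -f "$file" ] || return 1
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file") || return 1
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Return 0 if cloudflare.ini carries a token and it is not the placeholder from the post.
check_token_set() {
  local file="$1" token
  token=$(sed -n 's/^dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$file" 2>/dev/null)
  [ -n "$token" ] || return 1
  case "$token" in YOUR_CLOUDFLARE_API_TOKEN*) return 1 ;; esac
  return 0
}

# Return 0 if the address is a private IPv4 (RFC 1918); the public A records of a
# local dev domain should resolve to one of these and nothing else.
is_private_ipv4() {
  local ip="$1" o IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  [ "$1" -eq 10 ] && return 0
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
  return 1
}

# Report on the files and address used in the post (adjust to your own setup).
ini="$HOME/.secrets/certbot/cloudflare.ini"
if check_secret_perms "$ini" && check_token_set "$ini"; then
  echo "ok: $ini is owner-only and holds a real token"
else
  echo "warn: $ini is missing, readable by others, or still has the placeholder token"
fi
if is_private_ipv4 192.168.0.2; then
  echo "ok: 192.168.0.2 is a private address"
else
  echo "warn: 192.168.0.2 is not a private address"
fi
```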

With little initial effort, you can build a local development environment with real certificates that are not only valid but also work seamlessly with modern browsers, APIs and devices. Thanks to DNS-01 validation, you need neither a publicly reachable server nor manual certificate requests - everything is automated, secure and reliable.
