SSL in the local development environment

In times of HTTPS-only browsers, SameSite cookies and realistic development setups, it is important to work locally with real SSL certificates. Let's Encrypt does the pioneering work here: with the help of certbot and Cloudflare, wildcard certificates can be created and renewed quickly and easily. This also lets you reach your local web projects from any device (smartphone, VM, ...) on the local network or via VPN.


We start by registering a development domain with Cloudflare, for example vielhuber.dev:

Now we let this domain point to its local IP address (for example 192.168.0.2). To do this, create the following DNS A records (important: the proxy status must be set to grey / DNS only; with the proxy enabled, Cloudflare answers with its own public addresses and the name would never reach the LAN):

Type  Name  Content
A     @     192.168.0.2
A     *     192.168.0.2
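A small check for the two records above, as an added example that is not part of the original article: it resolves the apex and a probe label under the wildcard and reports any answer that is not the expected LAN address or that is a public address (the symptom of the orange-cloud proxy still being on). The domain and address are the article's; the probe label wildcard-probe and the resolver answers in the demo are constructed.

```python
"""Check that the dev domain's A records point at the LAN and are not proxied.

Added example, not part of the original article. Domain and address are the
ones used in the article; 'wildcard-probe' is an arbitrary label chosen here
to exercise the '*' record.
"""
import ipaddress
import socket


def check_answer(name, addresses, expected_ip):
    """Return a list of problems for the A records of `name`.

    `addresses` are the A-record values a resolver returned. For the setup in
    the article every address must be the expected local IP, and it must be a
    private address: a public one means the record is still behind the
    Cloudflare proxy (orange cloud) instead of 'DNS only'.
    """
    if not addresses:
        return [f"{name}: no A record"]
    problems = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if not ip.is_private:
            problems.append(f"{name}: {addr} is public, proxy status is probably not 'DNS only'")
        if addr != expected_ip:
            problems.append(f"{name}: {addr} != {expected_ip}")
    return problems


def check_domain(domain, expected_ip, resolve=None):
    """Check the apex and one probe label under the wildcard.

    `resolve(name)` returns a list of IPv4 addresses. By default it does a
    live lookup; the demo below injects constructed answers instead.
    """
    if resolve is None:
        def resolve(name):
            try:
                infos = socket.getaddrinfo(name, None, socket.AF_INET)
                return sorted({info[4][0] for info in infos})
            except socket.gaierror:
                return []
    problems = []
    for name in (domain, f"wildcard-probe.{domain}"):
        problems.extend(check_answer(name, resolve(name), expected_ip))
    return problems


if __name__ == "__main__":
    # Constructed resolver answers standing in for real DNS replies.
    good = {"vielhuber.dev": ["192.168.0.2"], "wildcard-probe.vielhuber.dev": ["192.168.0.2"]}
    proxied = {"vielhuber.dev": ["1.2.3.4"], "wildcard-probe.vielhuber.dev": ["1.2.3.4"]}
    print(check_domain("vielhuber.dev", "192.168.0.2", lambda n: good.get(n, [])))
    print(check_domain("vielhuber.dev", "192.168.0.2", lambda n: proxied.get(n, [])))
    # Live check against real DNS (needs network):
    # print(check_domain("vielhuber.dev", "192.168.0.2"))
```

Run it on the real domain once the records are saved; an empty list means both the apex and the wildcard resolve to the LAN address and the proxy is off.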

Let's Encrypt issues wildcard certificates only via the DNS-01 challenge, so certbot must be able to create the validation TXT records in the zone automatically. For this we create an API token (Profile > API Tokens > Create Token > Template: Edit zone DNS) and restrict it to the development zone; the token needs nothing beyond DNS edit rights on that one zone:

Next we install certbot together with the Cloudflare DNS plugin (the apt and pip lines are two ways to get the same packages; if you run both, make sure `which certbot` points at the copy you actually want to use):

sudo apt install certbot python3-certbot-dns-cloudflare
pip install --upgrade pyOpenSSL cryptography certbot certbot-dns-cloudflare

Now we store the API token created above in a credentials file. The token gives full write access to the zone's DNS, so the file must be readable only by the user running certbot (certbot warns about a credentials file that others can read):

mkdir -p ~/.secrets/certbot
nano ~/.secrets/certbot/cloudflare.ini

The file contains a single line:

dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN_WITH_EDIT_ZONE_DNS_PERMISSIONS

Then restrict its permissions:

chmod 600 ~/.secrets/certbot/cloudflare.ini

Finally we request the certificate. The wildcard and the bare domain are passed as two separate names because `*.vielhuber.dev` does not cover vielhuber.dev itself; the propagation wait gives Cloudflare's resolvers time to serve the new TXT record before Let's Encrypt queries it. Certbot writes to /etc/letsencrypt by default, so run this as root (or with sudo) unless you have configured other directories:

certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 60 \
  -d '*.vielhuber.dev' -d vielhuber.dev \
  --agree-tos \
  --email david@vielhuber.de \
  --non-interactive
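A pre-flight check for the two steps above (the credentials file and the list of names), as an added example that is not part of the original article or of certbot: it verifies that cloudflare.ini is not readable by others and actually contains a token, and it shows which hostnames the requested names will cover. The wildcard matching follows the usual rule that `*` stands for exactly one DNS label, which is why `*.vielhuber.dev` covers project-xy.vielhuber.dev but neither vielhuber.dev nor api.project-xy.vielhuber.dev. The path and names are the article's; the placeholder check (a token starting with `YOUR_`) is a heuristic added here.

```python
"""Pre-flight checks before `certbot certonly --dns-cloudflare ...`.

Added example, not part of the original article and not part of certbot.
Paths and names are the ones used in the article.
"""
import os
import stat


def check_credentials_file(path):
    """Return problems with a certbot-dns-cloudflare credentials file."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"{path}: mode {mode:o} is readable by others, use chmod 600")
    keys = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            keys[key] = value
    token = keys.get("dns_cloudflare_api_token", "")
    if not token:
        problems.append(f"{path}: dns_cloudflare_api_token is not set")
    elif token.startswith("YOUR_"):
        # Heuristic added here: the article's placeholder starts with YOUR_.
        problems.append(f"{path}: dns_cloudflare_api_token still holds the placeholder")
    return problems


def san_matches(san, hostname):
    """Does a certificate name cover `hostname`? '*' replaces one label only."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                       # ".vielhuber.dev"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]     # the part '*' would stand for
    return bool(leftmost) and "." not in leftmost


def uncovered(hostnames, sans):
    """Hostnames that none of the certificate names `sans` covers."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    ini = os.path.expanduser("~/.secrets/certbot/cloudflare.ini")
    print(check_credentials_file(ini) or "credentials file ok")
    requested = ["*.vielhuber.dev", "vielhuber.dev"]   # the two -d values above
    wanted = ["vielhuber.dev", "project-xy.vielhuber.dev", "api.project-xy.vielhuber.dev"]
    print("not covered:", uncovered(wanted, requested))
```

If a project needs a second level such as api.project-xy.vielhuber.dev, that name (or `*.project-xy.vielhuber.dev`) has to be added as a further -d; a certificate for `*.vielhuber.dev` alone will produce a name mismatch in the browser for it.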

Automatic renewal is quickly set up as well. The Debian package already ships /etc/cron.d/certbot, which runs certbot renew twice a day after a random delay of up to twelve hours; to use our own fixed schedule instead, we first disable the packaged job and then add our own entry. Renaming the file is enough because cron.d ignores file names containing a dot; on systemd systems the package's certbot.timer performs the same job and must be disabled as well if you really want only your own schedule. Add the entry to the crontab of the user that owns /etc/letsencrypt (normally root), otherwise renew cannot write the new certificate:

sudo mv /etc/cron.d/certbot /etc/cron.d/certbot.disabled
( crontab -l 2>/dev/null; echo "0 12 * * * certbot renew --quiet" ) | crontab -
certbot renew --dry-run

The dry run performs the complete DNS-01 challenge against the Let's Encrypt staging environment without touching the real certificate, so it is the check that the token and the DNS setup also work unattended.

That is all that is needed. To use the certificate in Apache, reference the generated files in the Apache configuration of your projects (e.g. /etc/apache2/sites-available/project-xy.conf):

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/vielhuber.dev/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/vielhuber.dev/privkey.pem

After reloading Apache (sudo systemctl reload apache2) the certificate is live and you can reach your projects at https://project-xy.vielhuber.dev. Apache reads the certificate files only at start-up or reload, so a renewed certificate is served only after another reload; certbot's --deploy-hook option (or a script in /etc/letsencrypt/renewal-hooks/deploy/) is the place to trigger that automatically.

With a little initial effort you get a local development environment with real wildcard certificates that are not only genuine but also work seamlessly with current browsers, APIs and tools. Thanks to DNS-01 validation you need neither a publicly reachable server nor manual certificate requests: everything is automated, secure and reliable.
