SSL in the local development environment

In times of HTTPS-only browsers, SameSite cookies and realistic development setups, it is important to work locally with real SSL certificates. Let's Encrypt has done pioneering work here: with the help of certbot and Cloudflare, creating and renewing wildcard certificates is fast and easy. This lets you reach your encrypted web projects from any device (smartphone, VM, ...) on the local network or via VPN.


First we register a developer domain with Cloudflare, for example vielhuber.dev:

Now we point this domain to its local IP address (for example 192.168.0.2). To do this, create the following DNS A records (important: the proxy status must be set to grey/DNS only):

Type   Name   Content
A      @      192.168.0.2
A      *      192.168.0.2
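A pre-flight check for these records, added here as example code (not part of the original post): it confirms that the apex and an arbitrary wildcard label resolve to the LAN address and that no public address comes back. Proxied (orange cloud) records answer with Cloudflare edge addresses instead of 192.168.0.2, which is why the proxy status has to be DNS only. The domain and IP default to the article's example values; `dig` is assumed to be installed for the live check.

```shell
#!/bin/sh
# Pre-flight check for the DNS-only ("grey cloud") A records.
# Example code added for this article, not from the original post.
# Domain and IP below are the article's own example values (assumptions).
DEV_DOMAIN="${DEV_DOMAIN:-vielhuber.dev}"
LAN_IP="${LAN_IP:-192.168.0.2}"

# is_private_ipv4 IP: succeeds when IP is an RFC 1918 private address.
is_private_ipv4() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# verify_answers EXPECTED_IP ANSWERS
# ANSWERS is the newline-separated output of `dig +short A host`.
# Succeeds only when exactly one answer came back and it is the expected
# LAN address. Several answers or a public address mean the Cloudflare
# proxy is still enabled and the record resolves to Cloudflare edge IPs.
verify_answers() {
  expected="$1"
  answers="$2"
  [ -n "$answers" ] || { echo "no answer"; return 1; }
  count=$(printf '%s\n' "$answers" | grep -c .)
  [ "$count" -eq 1 ] || { echo "expected 1 answer, got $count (proxy still on?)"; return 1; }
  if ! is_private_ipv4 "$answers"; then
    echo "public address $answers: set the proxy status to DNS only"
    return 1
  fi
  [ "$answers" = "$expected" ] || { echo "got $answers, expected $expected"; return 1; }
  return 0
}

# Live check: the apex and a random wildcard label must both resolve to LAN_IP.
check_domain() {
  for host in "$DEV_DOMAIN" "any-label.$DEV_DOMAIN"; do
    printf '%-32s ' "$host"
    if verify_answers "$LAN_IP" "$(dig +short A "$host")"; then
      echo "ok"
    else
      return 1
    fi
  done
}

if [ "${1:-}" = "--check" ]; then check_domain; fi
```

Run it with `--check` after the records have been created; it is worth repeating the check from the device (phone, VM) that will later open the projects, since a different resolver or a cached answer can still return the old value there.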

To validate wildcard certificates, certbot has to create TXT records automatically (DNS-01 challenge). For this we now create an API token (Profile > API Tokens > Create Token > Template: Edit zone DNS) and select the domain:

Next, we install certbot:

sudo apt install certbot python3-certbot-dns-cloudflare
pip install --upgrade pyOpenSSL cryptography certbot certbot-dns-cloudflare

Now we store the previously created API token in a credentials file that only our own user can read (the file contains a single line):

mkdir -p ~/.secrets/certbot
nano ~/.secrets/certbot/cloudflare.ini
# content of cloudflare.ini (one line):
dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN_WITH_EDIT_ZONE_DNS_PERMISSIONS
chmod 600 ~/.secrets/certbot/cloudflare.ini

Finally, we request the certificate:

certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 60 \
  -d '*.vielhuber.dev' -d vielhuber.dev \
  --agree-tos \
  --email david@vielhuber.de \
  --non-interactive

Automatic renewal is also set up quickly. To stop certbot from running on its own every 12 hours at a random time, we first disable the default script and then add our own job:

sudo mv /etc/cron.d/certbot /etc/cron.d/certbot.disabled
( crontab -l 2>/dev/null; echo "0 12 * * * certbot renew --quiet" ) | crontab -
certbot renew --dry-run

That's all there is to it: to integrate with Apache, you reference the newly created certificates in the Apache configuration of your projects (e.g. /etc/apache2/sites-available/project-xy.conf):

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/vielhuber.dev/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/vielhuber.dev/privkey.pem

After reloading Apache (sudo systemctl reload apache2) the certificates are active and you can reach your projects via https://project-xy.vielhuber.dev.
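A post-issuance check for the setup above, added here as example code (not part of the original post): it verifies that the credentials file is really 0600 (the token in it can rewrite the whole DNS zone), that the leaf certificate lists both `*.vielhuber.dev` and `vielhuber.dev` (the wildcard alone does not cover the apex), and that more than 30 days of validity remain, which is the window in which `certbot renew` is expected to act. Paths and names default to the article's values; `openssl` 1.1.1 or newer is assumed for the live checks.

```shell
#!/bin/sh
# Post-issuance checks for the certbot + Cloudflare setup described above.
# Example code added for this article, not from the original post.
# Paths and domain are the article's own values (assumptions, override via env).
CREDS="${CREDS:-$HOME/.secrets/certbot/cloudflare.ini}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/vielhuber.dev}"
DEV_DOMAIN="${DEV_DOMAIN:-vielhuber.dev}"

# secret_is_private FILE: succeeds when group and others have no permission
# bits at all, i.e. the mode is 0600 or stricter. Columns 5-10 of `ls -ld`
# are the group and other bits, so this works on GNU and BSD userlands.
secret_is_private() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# san_has NAME SAN_TEXT: SAN_TEXT is the "DNS:a, DNS:b" list as printed by
# `openssl x509 -ext subjectAltName`; succeeds if NAME is listed verbatim.
# grep -F is required because the wildcard "*" is otherwise a regex operator.
san_has() {
  printf '%s\n' "$2" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fxq "DNS:$1"
}

# cert_covers_zone SAN_TEXT DOMAIN: a usable dev certificate must list both
# "*.DOMAIN" and "DOMAIN", because the wildcard does not match the bare apex.
cert_covers_zone() {
  san_has "*.$2" "$1" && san_has "$2" "$1"
}

# Live checks against the real files (run as a user that can read LIVE_DIR).
check_install() {
  fail=0
  if secret_is_private "$CREDS"; then
    echo "ok   $CREDS is 0600"
  else
    echo "FAIL $CREDS is missing or readable by group/others"; fail=1
  fi

  # openssl x509 reads only the first (leaf) certificate of fullchain.pem.
  san=$(openssl x509 -in "$LIVE_DIR/fullchain.pem" -noout -ext subjectAltName | tail -n +2)
  if cert_covers_zone "$san" "$DEV_DOMAIN"; then
    echo "ok   SAN covers *.$DEV_DOMAIN and $DEV_DOMAIN"
  else
    echo "FAIL SAN list: $san"; fail=1
  fi

  # Fewer than 30 days left means the renewal job is not doing its work.
  if openssl x509 -in "$LIVE_DIR/fullchain.pem" -noout -checkend $((30*86400)) >/dev/null; then
    echo "ok   more than 30 days of validity left"
  else
    echo "FAIL certificate expires within 30 days: check the cron job"; fail=1
  fi
  return "$fail"
}

if [ "${1:-}" = "--check" ]; then check_install; fi
```

Two points the checks are built around, neither of which the article spells out: the renewal job has to run as the user that owns /etc/letsencrypt (with the apt-installed certbot that is root), and a renewed certificate is only served after Apache is reloaded, so appending `--deploy-hook 'systemctl reload apache2'` to the `certbot renew` line in the crontab avoids serving an expired certificate after a successful renewal.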

With little initial effort, you can build a local development environment with real wildcard certificates that are not only valid but also work seamlessly with modern browsers, APIs and devices. Thanks to DNS-01 validation, you need neither a publicly reachable server nor manual certificate requests: everything is automated, secure and reliable.
