Add Certbot
Dct Mei
parent
c42f5620fc
commit
a780ba5abe
|
|
@ -1,12 +1,15 @@
|
|||
假設,證書文件所在的路徑為 `/srv/http/`。
|
||||
## 使用證書時權限不足
|
||||
|
||||
文件分別為 `/srv/http/example.com.key` 和 `/srv/http/example.com.pem`。
|
||||
假設,證書文檔分別為:
|
||||
|
||||
方案一:
|
||||
1. `/srv/http/example.com.pem`。
|
||||
2. `/srv/http/example.com.key`。
|
||||
|
||||
### 方案一(不推薦)
|
||||
|
||||
1. `/srv/http/` 的默認權限一般為 755;
|
||||
2. `/srv/http/example.com.key` 的默認權限一般為 600;
|
||||
3. `/srv/http/example.com.pem` 的默認權限一般為 644。
|
||||
2. `/srv/http/example.com.pem` 的默認權限一般為 644。
|
||||
3. `/srv/http/example.com.key` 的默認權限一般為 600;
|
||||
|
||||
將 `/srv/http/example.com.key` 修改為 644 即可:
|
||||
|
||||
|
|
@ -14,13 +17,13 @@
|
|||
# chmod 644 /srv/http/example.com.key
|
||||
```
|
||||
|
||||
方案二:
|
||||
### 方案二
|
||||
|
||||
```
|
||||
# id nobody
|
||||
```
|
||||
|
||||
1. 显示出来的结果可能是:
|
||||
* 輸出的结果可能是:
|
||||
|
||||
```
|
||||
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
|
||||
|
|
@ -32,7 +35,7 @@
|
|||
# chown -R nobody:nogroup /srv/http/
|
||||
```
|
||||
|
||||
2. 显示出来的结果也可能是:
|
||||
* 輸出的结果也可能是:
|
||||
|
||||
```
|
||||
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
|
||||
|
|
@ -43,3 +46,47 @@
|
|||
```
|
||||
# chown -R nobody:nobody /srv/http/
|
||||
```
|
||||
|
||||
### 方案三(Certbot)
|
||||
|
||||
這裡假定你已經通過 Certbot 獲取了證書文檔。
|
||||
|
||||
1. `/etc/letsencrypt/live/example.com/fullchain.pem`。
|
||||
2. `/etc/letsencrypt/live/example.com/privkey.pem`。
|
||||
|
||||
建立 V2Ray 專用的證書文檔目錄:
|
||||
|
||||
```
|
||||
# mkdir /etc/ssl/v2ray/
|
||||
```
|
||||
|
||||
將證書文檔以指定權限部署到指定路徑:
|
||||
|
||||
```
|
||||
# install -m 644 -o nobody -g nogroup /etc/letsencrypt/live/example.com/fullchain.pem -t /etc/ssl/v2ray/
|
||||
# install -m 600 -o nobody -g nogroup /etc/letsencrypt/live/example.com/privkey.pem -t /etc/ssl/v2ray/
|
||||
```
|
||||
|
||||
為在後續 `renew` 中自動重新部署(如果你使用 Debian 發行版,在安裝 Cerbot 後,`renew` 是會定期執行的),需要一個腳本,以下是參照內容:
|
||||
|
||||
```bash
|
||||
# vim /etc/letsencrypt/renewal-hooks/deploy/v2ray.sh
|
||||
|
||||
#!/bin/bash
|
||||
|
||||
TROJAN_DOMAIN='example.com'
|
||||
|
||||
if [[ "$RENEWED_LINEAGE" == "/etc/letsencrypt/live/$TROJAN_DOMAIN" ]]; then
|
||||
install -m 644 -o nobody -g nogroup "/etc/letsencrypt/live/$TROJAN_DOMAIN/fullchain.pem" -t /etc/ssl/v2ray/
|
||||
install -m 600 -o nobody -g nogroup "/etc/letsencrypt/live/$TROJAN_DOMAIN/privkey.pem" -t /etc/ssl/v2ray/
|
||||
|
||||
sleep "$((RANDOM % 2048))"
|
||||
systemctl restart v2ray.service
|
||||
fi
|
||||
```
|
||||
|
||||
### 給予腳本可執行權限
|
||||
|
||||
```
|
||||
# chmod +x /etc/letsencrypt/renewal-hooks/deploy/v2ray.sh
|
||||
```
|
||||
Loading…
Reference in New Issue