使用LetsEncrypt生成SSL证书:修订间差异
(→生成证书) |
(→生成证书) |
||
第19行: | 第19行: | ||
==生成证书== | ==生成证书== | ||
命令: | |||
<code>cd letsencrypt | <code>cd letsencrypt | ||
sudo ./letsencrypt-auto certonly --manual --email 你的邮箱 -d 你的域名</code> | sudo ./letsencrypt-auto certonly --manual --email 你的邮箱 -d 你的域名</code> | ||
注意:域名需要写全,比如使用 home.domoticz.cn,就不能只写 domotiz.cn。 | 注意:域名需要写全,比如使用 home.domoticz.cn,就不能只写 domotiz.cn。 | ||
第48行: | 第50行: | ||
printf "%s" 随机字符 > .wellknown/acmechallenge/随机字符 | printf "%s" 随机字符 > .wellknown/acmechallenge/随机字符 | ||
</syntaxhighlight> | </syntaxhighlight> | ||
注意:此操作需要你的Domoticz能够在外网通过80端口访问。如果你的80端口在路由器中设置了端口转发也无法在外网打开,可能是你的网络运营商没有开放80端口。这时你需要另一台可以通过80端口访问的虚拟主机或服务器,绑定你的域名后将验证文件放到网站内。 | 注意:此操作需要你的Domoticz能够在外网通过80端口访问。如果你的80端口在路由器中设置了端口转发也无法在外网打开,可能是你的网络运营商没有开放80端口。这时你需要另一台可以通过80端口访问的虚拟主机或服务器,绑定你的域名后将验证文件放到网站内。 | ||
确认在浏览器中打开 http://你的域名/.well-known/acme-challenge/随机字符 可以正常访问。 | 确认在浏览器中打开 http://你的域名/.well-known/acme-challenge/随机字符 可以正常访问。 | ||
然后回到之前的Shell窗口,按回车键继续生成证书。 | 然后回到之前的Shell窗口,按回车键继续生成证书。 | ||
如果一切正常,应该返回以下信息: | 如果一切正常,应该返回以下信息: | ||
<syntaxhighlight lang="text"> | <syntaxhighlight lang="text"> |
2017年3月4日 (六) 17:22的版本
This article shows you how to add a Lets Encrypt certificate to Domoticz so you can access your server over a secure HTTPS channel.
The provided steps are executed using a Raspberry Pi, but they should work on every Linux OS.
Prerequisites (see here : http://www.domoticz.com/wiki/Native_HTTPS_/_SSL_support)
- Port 80 (HTTP) and 443 (HTTPS) are forwarded to your Domoticz server
- You own a domain name
- The (sub)domain name for Domoticz has a DNS entry that points to your external IP address
Startup script
If you want Domoticz to use only HTTPS, you will need to edit the startup script.
sudo vi /etc/init.d/domoticz.sh
DAEMON_ARGS="-daemon -sslwww 443"
安装Let’s Encrypt
git clone https://github.com/letsencrypt/letsencrypt
生成证书
命令:
cd letsencrypt
sudo ./letsencrypt-auto certonly --manual --email 你的邮箱 -d 你的域名
注意:域名需要写全,比如使用 home.domoticz.cn,就不能只写 domotiz.cn。
如果你有多个域名,可以在命令后面继续添加-d参数,每个-d参数后面对应一个域名。
如果显示以下信息,不要按回车键:
If you don't have HTTP server configured, you can run the following command on the target server (as root):
mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
cd /tmp/letsencrypt/public_html
printf "%s" <some random string> > .well-known/acmechallenge/<some random string>
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"
Press ENTER to continue
新打开一个Shell窗口,执行以下命令将Let's Encrypt之前给出的随机字符文件加入网站,以通过Let's Encrypt的域名验证:
mkdir -p /home/pi/domoticz/www/.well-known/acme-challenge/
cd /home/pi/domoticz/www/
printf "%s" 随机字符 > .wellknown/acmechallenge/随机字符
注意:此操作需要你的Domoticz能够在外网通过80端口访问。如果你的80端口在路由器中设置了端口转发也无法在外网打开,可能是你的网络运营商没有开放80端口。这时你需要另一台可以通过80端口访问的虚拟主机或服务器,绑定你的域名后将验证文件放到网站内。
确认在浏览器中打开 http://你的域名/.well-known/acme-challenge/随机字符 可以正常访问。 然后回到之前的Shell窗口,按回车键继续生成证书。
如果一切正常,应该返回以下信息:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/<your domain>/fullchain.pem. Your
cert will expire on <date>. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Add the certificate to Domoticz
The last thing to do is adding the created certificate to Domoticz. This is easily done with the following commands:
sudo rm ~/domoticz/server_cert.pem
sudo cat /etc/letsencrypt/live/<your domain>/privkey.pem >> ~/domoticz/server_cert.pem
sudo cat /etc/letsencrypt/live/<your domain>/fullchain.pem >> ~/domoticz/server_cert.pem
When there's a domoticz error after rebooting the service like : Error: [web:443] missing SSL DH parameters from file Add the DHparam :
sudo cat /etc/ssl/certs/dhparam.pem >> ~/domoticz/server_cert.pem