iT邦幫忙

第 11 屆 iThome 鐵人賽

DAY 8
0
DevOps

Oops Step ( Home lab of a kind ) 系列 第 8

Let's Encrypt by acme.sh

對於很多人來說,光是弄懂SSL憑證、看到密碼學眼皮就在練舉重,肩膀被鬼壓。然後要把網站掛憑證,還要考慮測試、資安整合,真是人生大考驗,生孩子還比較快一樣(但要看你是男是女 XD )
在現架構中,SSL加密可以在信任區域外緣再處理,不要再強迫開發團隊為這小事情煩惱。而資安測試想要把手深進明碼裡面,那就去吧,反正就像賽馬一樣,每個賭徒都有自己的一套。
因此這工作要交給誰呢?就給路由器吧那個CPU只有750MHz的Bosley!!/images/emoticon/emoticon47.gif
沒開玩笑,因為它的耗電量最小,所以CP值最高,這是慣老闆一種能者多勞的概念(誤)。我不是苛求,因為現在有acme.sh這工具,這件事情已經變的非常容易。

  • acme.sh
    安裝acme.sh很簡單,但是要跑Standalone模式,系統要先裝socat (SOcket CAT)來擷取封包。在openwrt上面用opkg安裝socat這種貓貓狗狗的事情就不贅述了。我們直接裝acme.sh
icekimo@Bosley:~$ curl https://get.acme.sh | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   705    0   705    0     0   1173      0 --:--:-- --:--:-- --:--:--  1180
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  186k  100  186k    0     0   351k      0 --:--:-- --:--:-- --:--:--  363k
[Fri Sep  6 16:29:06 CST 2019] Installing from online archive.
[Fri Sep  6 16:29:06 CST 2019] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Fri Sep  6 16:29:09 CST 2019] Extracting master.tar.gz
[Fri Sep  6 16:29:09 CST 2019] Installing to /home/icekimo/.acme.sh
[Fri Sep  6 16:29:09 CST 2019] Installed to /home/icekimo/.acme.sh/acme.sh
[Fri Sep  6 16:29:09 CST 2019] No profile is found, you will need to go into /home/icekimo/.acme.sh to use acme.sh
[Fri Sep  6 16:29:09 CST 2019] Installing cron job
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
[Fri Sep  6 16:29:09 CST 2019] Install cron job failed. You need to manually renew your certs.
[Fri Sep  6 16:29:09 CST 2019] Or you can add cronjob by yourself:
[Fri Sep  6 16:29:09 CST 2019] "/home/icekimo/.acme.sh"/acme.sh --cron --home "/home/icekimo/.acme.sh" > /dev/null
[Fri Sep  6 16:29:09 CST 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Fri Sep  6 16:29:12 CST 2019] OK
[Fri Sep  6 16:29:12 CST 2019] Install success!
icekimo@Bosley:~$ sudo ln -s /home/icekimo/.acme.sh/acme.sh /usr/sbin/acme.sh \
# 建立執行連結

再來我們偷懶使用standalone模式,acme.sh會主動在port 80回答LetsEncrypt的驗證,就像司機會幫後座的老闆跟警衛說:『老闆在後面 做愛做的事 ,你快開門不然會被炒』,如果你沒有把Luci uhttpd服務埠號調走,你就...自己斟酌看著辦 ,反正luci只有你自己用
下面範例用ts109ii.myqnapcloud.com這單一Domain進行簽章。

icekimo@Bosley:~$ sudo acme.sh --config-home /etc/acme --force --debug --issue --domain ts109ii.myqnapcloud.com  --standalone
[Fri Sep  6 17:17:42 CST 2019] Lets find script dir.
[Fri Sep  6 17:17:42 CST 2019] _SCRIPT_='/usr/sbin/acme.sh'
[Fri Sep  6 17:17:42 CST 2019] _script='/home/icekimo/.acme.sh/acme.sh'
[Fri Sep  6 17:17:42 CST 2019] _script_home='/home/icekimo/.acme.sh'
[Fri Sep  6 17:17:42 CST 2019] Using default home:/root/.acme.sh
[Fri Sep  6 17:17:42 CST 2019] Using config home:/etc/acme
https://github.com/Neilpang/acme.sh
v2.8.3
[Fri Sep  6 17:17:42 CST 2019] Running cmd: issue
[Fri Sep  6 17:17:42 CST 2019] _main_domain='ts109ii.myqnapcloud.com'
[Fri Sep  6 17:17:42 CST 2019] _alt_domains='no'
[Fri Sep  6 17:17:42 CST 2019] Using config home:/etc/acme
[Fri Sep  6 17:17:42 CST 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Fri Sep  6 17:17:42 CST 2019] DOMAIN_PATH='/etc/acme/ts109ii.myqnapcloud.com'
[Fri Sep  6 17:17:42 CST 2019] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Fri Sep  6 17:17:42 CST 2019] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Fri Sep  6 17:17:42 CST 2019] GET
[Fri Sep  6 17:17:42 CST 2019] url='https://acme-v02.api.letsencrypt.org/directory'
[Fri Sep  6 17:17:42 CST 2019] timeout=
[Fri Sep  6 17:17:42 CST 2019] _CURL='curl -L --silent --dump-header /etc/acme/http.header  -g '
[Fri Sep  6 17:17:43 CST 2019] ret='0'
[Fri Sep  6 17:17:43 CST 2019] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Fri Sep  6 17:17:43 CST 2019] ACME_NEW_AUTHZ
[Fri Sep  6 17:17:43 CST 2019] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Fri Sep  6 17:17:43 CST 2019] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Fri Sep  6 17:17:43 CST 2019] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Fri Sep  6 17:17:43 CST 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Fri Sep  6 17:17:43 CST 2019] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Fri Sep  6 17:17:43 CST 2019] ACME_VERSION='2'
[Fri Sep  6 17:17:44 CST 2019] Le_NextRenewTime
[Fri Sep  6 17:17:44 CST 2019] _on_before_issue
[Fri Sep  6 17:17:44 CST 2019] _chk_main_domain='ts109ii.myqnapcloud.com'
[Fri Sep  6 17:17:44 CST 2019] _chk_alt_domains
[Fri Sep  6 17:17:44 CST 2019] Le_LocalAddress
[Fri Sep  6 17:17:44 CST 2019] d='ts109ii.myqnapcloud.com'
[Fri Sep  6 17:17:44 CST 2019] Check for domain='ts109ii.myqnapcloud.com'
[Fri Sep  6 17:17:44 CST 2019] _currentRoot='no'
[Fri Sep  6 17:17:44 CST 2019] Standalone mode.
[Fri Sep  6 17:17:44 CST 2019] _checkport='80'
[Fri Sep  6 17:17:44 CST 2019] _checkaddr
[Fri Sep  6 17:17:44 CST 2019] Using: netstat
[Fri Sep  6 17:17:44 CST 2019] d
[Fri Sep  6 17:17:45 CST 2019] _saved_account_key_hash is not changed, skip register account.
[Fri Sep  6 17:17:45 CST 2019] Read key length:
[Fri Sep  6 17:17:45 CST 2019] _createcsr
[Fri Sep  6 17:17:45 CST 2019] Single domain='ts109ii.myqnapcloud.com'
[Fri Sep  6 17:17:45 CST 2019] Getting domain auth token for each domain
[Fri Sep  6 17:17:45 CST 2019] d
[Fri Sep  6 17:17:45 CST 2019] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Fri Sep  6 17:17:45 CST 2019] payload='{"identifiers": [{"type":"dns","value":"ts109ii.myqnapcloud.com"}]}'
[Fri Sep  6 17:17:45 CST 2019] RSA key
[Fri Sep  6 17:17:45 CST 2019] HEAD
[Fri Sep  6 17:17:45 CST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Fri Sep  6 17:17:46 CST 2019] _CURL='curl -L --silent --dump-header /etc/acme/http.header  -g '
[Fri Sep  6 17:17:46 CST 2019] _ret='0'
[Fri Sep  6 17:17:47 CST 2019] POST
[Fri Sep  6 17:17:47 CST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Fri Sep  6 17:17:47 CST 2019] _CURL='curl -L --silent --dump-header /etc/acme/http.header  -g '
[Fri Sep  6 17:17:47 CST 2019] _ret='0'
[Fri Sep  6 17:17:47 CST 2019] code='201'
[Fri Sep  6 17:17:47 CST 2019] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/65242117/1033992042'
[Fri Sep  6 17:17:47 CST 2019] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/65242117/1033992042'
[Fri Sep  6 17:17:48 CST 2019] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/217274123'
[Fri Sep  6 17:17:48 CST 2019] payload
[Fri Sep  6 17:17:48 CST 2019] POST
[Fri Sep  6 17:17:48 CST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/217274123'
[Fri Sep  6 17:17:48 CST 2019] _CURL='curl -L --silent --dump-header /etc/acme/http.header  -g '
[Fri Sep  6 17:17:49 CST 2019] _ret='0'
[Fri Sep  6 17:17:49 CST 2019] code='200'
[Fri Sep  6 17:17:49 CST 2019] d='ts109ii.myqnapcloud.com'
[Fri Sep  6 17:17:49 CST 2019] Getting webroot for domain='ts109ii.myqnapcloud.com'
[Fri Sep  6 17:17:49 CST 2019] _w='no'
[Fri Sep  6 17:17:49 CST 2019] _currentRoot='no'
[Fri Sep  6 17:17:49 CST 2019] entry='"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/217274123/kYyO5w","token":"fu4Ob2CjRIO7A0fNQQp6AUi2Tu0JmCIo5NOfRV2cymY"'
[Fri Sep  6 17:17:49 CST 2019] token='fu4Ob2CjRIO7A0fNQQp6AUi2Tu0JmCIo5NOfRV2cymY'
[Fri Sep  6 17:17:49 CST 2019] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/217274123/kYyO5w'
[Fri Sep  6 17:17:49 CST 2019] keyauthorization='fu4Ob2CjRIO7A0fNQQp6AUi2Tu0JmCIo5NOfRV2cymY.GIUzFIlR4PLWky59U7CfCyDQ2p2f9_CXMdeSMZZ8fYk'
[Fri Sep  6 17:17:49 CST 2019] dvlist='ts109ii.myqnapcloud.com#fu4Ob2CjRIO7A0fNQQp6AUi2Tu0JmCIo5NOfRV2cymY.GIUzFIlR4PLWky59U7CfCyDQ2p2f9_CXMdeSMZZ8fYk#https://acme-v02.api.letsencrypt.org/acme/chall-v3/217274123/kYyO5w#http-01#no'
[Fri Sep  6 17:17:49 CST 2019] d
[Fri Sep  6 17:17:50 CST 2019] vlist='ts109ii.myqnapcloud.com#fu4Ob2CjRIO7A0fNQQp6AUi2Tu0JmCIo5NOfRV2cymY.GIUzFIlR4PLWky59U7CfCyDQ2p2f9_CXMdeSMZZ8fYk#https://acme-v02.api.letsencrypt.org/acme/chall-v3/217274123/kYyO5w#http-01#no,'
[Fri Sep  6 17:17:50 CST 2019] d='ts109ii.myqnapcloud.com'
[Fri Sep  6 17:17:50 CST 2019] ok, let's start to verify
[Fri Sep  6 17:17:50 CST 2019] Verifying: ts109ii.myqnapcloud.com
[Fri Sep  6 17:17:50 CST 2019] d='ts109ii.myqnapcloud.com'
[Fri Sep  6 17:17:50 CST 2019] keyauthorization='fu4Ob2CjRIO7A0fNQQp6AUi2Tu0JmCIo5NOfRV2cymY.GIUzFIlR4PLWky59U7CfCyDQ2p2f9_CXMdeSMZZ8fYk'
[Fri Sep  6 17:17:50 CST 2019] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/217274123/kYyO5w'
[Fri Sep  6 17:17:50 CST 2019] _currentRoot='no'
[Fri Sep  6 17:17:50 CST 2019] Standalone mode server
[Fri Sep  6 17:17:50 CST 2019] content='fu4Ob2CjRIO7A0fNQQp6AUi2Tu0JmCIo5NOfRV2cymY.GIUzFIlR4PLWky59U7CfCyDQ2p2f9_CXMdeSMZZ8fYk'
[Fri Sep  6 17:17:50 CST 2019] ncaddr
[Fri Sep  6 17:17:50 CST 2019] startserver: 10623
[Fri Sep  6 17:17:50 CST 2019] Le_HTTPPort='80'
[Fri Sep  6 17:17:50 CST 2019] Le_Listen_V4
[Fri Sep  6 17:17:50 CST 2019] Le_Listen_V6
[Fri Sep  6 17:17:50 CST 2019] _content_len='87'
[Fri Sep  6 17:17:50 CST 2019] _NC='socat TCP-LISTEN:80,crlf,reuseaddr,fork'
[Fri Sep  6 17:17:51 CST 2019] serverproc='11349'
[Fri Sep  6 17:17:51 CST 2019] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/217274123/kYyO5w'
[Fri Sep  6 17:17:51 CST 2019] payload='{}'
[Fri Sep  6 17:17:51 CST 2019] POST
[Fri Sep  6 17:17:51 CST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/217274123/kYyO5w'
[Fri Sep  6 17:17:51 CST 2019] _CURL='curl -L --silent --dump-header /etc/acme/http.header  -g '
[Fri Sep  6 17:17:52 CST 2019] _ret='0'
[Fri Sep  6 17:17:52 CST 2019] code='200'
[Fri Sep  6 17:17:52 CST 2019] trigger validation code: 200
[Fri Sep  6 17:17:52 CST 2019] sleep 2 secs to verify
[Fri Sep  6 17:17:54 CST 2019] checking
[Fri Sep  6 17:17:54 CST 2019] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/217274123/kYyO5w'
[Fri Sep  6 17:17:54 CST 2019] payload
[Fri Sep  6 17:17:55 CST 2019] POST
[Fri Sep  6 17:17:55 CST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/217274123/kYyO5w'
[Fri Sep  6 17:17:55 CST 2019] _CURL='curl -L --silent --dump-header /etc/acme/http.header  -g '
[Fri Sep  6 17:17:55 CST 2019] _ret='0'
[Fri Sep  6 17:17:55 CST 2019] code='200'
[Fri Sep  6 17:17:55 CST 2019] Success
[Fri Sep  6 17:17:55 CST 2019] pid='11349'
[Fri Sep  6 17:17:56 CST 2019] Skip for removelevel:
[Fri Sep  6 17:17:56 CST 2019] pid
[Fri Sep  6 17:17:56 CST 2019] No need to restore nginx, skip.
[Fri Sep  6 17:17:56 CST 2019] _clearupdns
[Fri Sep  6 17:17:56 CST 2019] dns_entries
[Fri Sep  6 17:17:56 CST 2019] skip dns.
[Fri Sep  6 17:17:56 CST 2019] Verify finished, start to sign.
[Fri Sep  6 17:17:56 CST 2019] i='2'
[Fri Sep  6 17:17:56 CST 2019] j='16'
[Fri Sep  6 17:17:56 CST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/65242117/1033992042
[Fri Sep  6 17:17:56 CST 2019] url='https://acme-v02.api.letsencrypt.org/acme/finalize/65242117/1033992042'
[Fri Sep  6 17:17:56 CST 2019] payload='{"csr": "MIICqTCCAZECAQAwIjEgMB4GA1UEAwwXdHMxMDlpaS5teXFuYXBjbG91ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDL1TsJY5-HPoMfrd2lpmF75jVVtkiy7sOZrnTx3ygQH5Jy8VPKEjgndRikYps0oxZGWCspFymZ2_EAvOjcNufWlr-IfgRYVY65xPyaIEX-_R1md8GniXzm_xXCXdxhiE6w6ZRq7Dx0FxIzBI4MlC3iA0o0MgCi8b5QlaOOtmAKRtYoP5vIMsouMMSqC3ePqLi4sW9ZnZBjADF6gBqc_TUUA72BDYW5WZdslA9P9kcSZjmqKnNDXF1HE0iaX7iYzdo_RR3JHz1sdSavFuIQfAc_YxX92C_3tgtwSljH4O_Xn0B0Eh4aznsoFQJjk5dGvtcwR3u1Uyz8asrFp0vJSZ21AgMBAAGgQjBABgkqhkiG9w0BCQ4xMzAxMAsGA1UdDwQEAwIF4DAiBgNVHREEGzAZghd0czEwOWlpLm15cW5hcGNsb3VkLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAbm1v0ZRuF7iX1QFcGiDDNsIXvPtfNUmFrCSU7BRdkKLEXaSswz7spsCjVfJTVOFR8GKLK4JY8Sezk1YT12yC799Kb-gHL52BsRHjj7WiCUh5DszDpT_IcLAqjXxzwSieMK_7RKfIDmbqSZiJzr5czQLwdbv1ioDhVteznW97rL1-3uMfDihPl1OELXtfp1dv9EPzj38bjg1EvKvgdauZ53OLBz65E4CLvHWfAfgw9rH6GvG_h3DRYO1HhIhyz1darr5FunSkaSY5KtZvJDKhTje-0HUTBiQSMPN7cdMtfUHRv-6aPYugEchpcp1dIM7CMST_z1gZDd_jzQTOBmcbiw"}'
[Fri Sep  6 17:17:56 CST 2019] POST
[Fri Sep  6 17:17:56 CST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/finalize/65242117/1033992042'
[Fri Sep  6 17:17:56 CST 2019] _CURL='curl -L --silent --dump-header /etc/acme/http.header  -g '
[Fri Sep  6 17:17:58 CST 2019] _ret='0'
[Fri Sep  6 17:17:58 CST 2019] code='200'
[Fri Sep  6 17:17:58 CST 2019] Order status is valid.
[Fri Sep  6 17:17:58 CST 2019] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/034629cd3a63f0313d7dd95e86d43db33343'
[Fri Sep  6 17:17:58 CST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/034629cd3a63f0313d7dd95e86d43db33343
[Fri Sep  6 17:17:58 CST 2019] url='https://acme-v02.api.letsencrypt.org/acme/cert/034629cd3a63f0313d7dd95e86d43db33343'
[Fri Sep  6 17:17:58 CST 2019] payload
[Fri Sep  6 17:17:58 CST 2019] POST
[Fri Sep  6 17:17:58 CST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/cert/034629cd3a63f0313d7dd95e86d43db33343'
[Fri Sep  6 17:17:58 CST 2019] _CURL='curl -L --silent --dump-header /etc/acme/http.header  -g '
[Fri Sep  6 17:17:59 CST 2019] _ret='0'
[Fri Sep  6 17:17:59 CST 2019] code='200'
[Fri Sep  6 17:17:59 CST 2019] Found cert chain
[Fri Sep  6 17:17:59 CST 2019] _end_n='31'
[Fri Sep  6 17:17:59 CST 2019] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/034629cd3a63f0313d7dd95e86d43db33343'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:46:29:cd:3a:63:f0:31:3d:7d:d9:5e:86:d4:3d:b3:33:43
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Sep  6 08:17:57 2019 GMT
            Not After : Dec  5 08:17:57 2019 GMT
        Subject: CN=ts109ii.myqnapcloud.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cb:d5:3b:09:63:9f:87:3e:83:1f:ad:dd:a5:a6:
                    61:7b:e6:35:55:b6:48:b2:ee:c3:99:ae:74:f1:df:
                    28:10:1f:92:72:f1:53:ca:12:38:27:75:18:a4:62:
                    9b:34:a3:16:46:58:2b:29:17:29:99:db:f1:00:bc:
                    e8:dc:36:e7:d6:96:bf:88:7e:04:58:55:8e:b9:c4:
                    fc:9a:20:45:fe:fd:1d:66:77:c1:a7:89:7c:e6:ff:
                    15:c2:5d:dc:61:88:4e:b0:e9:94:6a:ec:3c:74:17:
                    12:33:04:8e:0c:94:2d:e2:03:4a:34:32:00:a2:f1:
                    be:50:95:a3:8e:b6:60:0a:46:d6:28:3f:9b:c8:32:
                    ca:2e:30:c4:aa:0b:77:8f:a8:b8:b8:b1:6f:59:9d:
                    90:63:00:31:7a:80:1a:9c:fd:35:14:03:bd:81:0d:
                    85:b9:59:97:6c:94:0f:4f:f6:47:12:66:39:aa:2a:
                    73:43:5c:5d:47:13:48:9a:5f:b8:98:cd:da:3f:45:
                    1d:c9:1f:3d:6c:75:26:af:16:e2:10:7c:07:3f:63:
                    15:fd:d8:2f:f7:b6:0b:70:4a:58:c7:e0:ef:d7:9f:
                    40:74:12:1e:1a:ce:7b:28:15:02:63:93:97:46:be:
                    d7:30:47:7b:b5:53:2c:fc:6a:ca:c5:a7:4b:c9:49:
                    9d:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                AE:5F:1F:06:A5:E7:44:47:11:94:6A:D0:F7:82:AB:B6:E3:72:E1:60
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:ts109ii.myqnapcloud.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
                                3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
                    Timestamp : Sep  6 09:17:57.731 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:A0:4C:7F:7F:16:35:19:87:E4:3F:D6:
                                56:84:E3:2A:65:E6:52:B6:5C:52:5D:F6:01:9F:07:82:
                                45:85:2D:28:EC:02:20:5D:F2:90:FC:52:8E:64:02:7B:
                                B8:92:E9:F0:51:CF:10:B5:CE:EF:12:BC:4B:2D:BA:03:
                                AD:71:8C:2E:48:41:30
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
                                6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
                    Timestamp : Sep  6 09:17:57.794 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:7F:1B:43:79:47:51:6B:B1:DE:D2:54:7C:
                                16:10:D9:00:1D:C7:D1:06:E5:99:E4:C3:42:7F:14:83:
                                DB:8E:DF:20:02:20:35:D8:5F:34:C9:5E:58:7E:8D:FA:
                                6D:E6:37:BA:BA:AA:AC:1A:03:90:CB:9D:77:F2:DA:05:
                                21:64:FC:04:C8:A5
    Signature Algorithm: sha256WithRSAEncryption
         1e:db:b6:93:9b:e0:9c:79:e7:ab:48:af:e0:30:a1:04:c2:ed:
         9c:d6:35:11:bf:08:33:a3:66:ad:40:e1:32:b3:bb:9e:89:30:
         a0:75:2b:20:e8:e0:8f:cd:e5:25:a7:45:3f:39:7c:fc:c5:87:
         10:bc:97:e4:42:c6:eb:24:a3:fb:b0:3f:ef:e2:31:89:dc:96:
         46:22:7a:09:39:9f:c8:67:c3:d3:22:24:51:d9:d1:61:9e:15:
         40:a5:8b:d1:77:70:26:84:b3:a3:a8:e1:1f:f9:92:8e:e7:fd:
         dd:4b:6a:8e:15:9f:48:3b:0e:ec:30:d3:96:cd:16:c7:e7:85:
         7d:3c:2f:9a:78:cd:cc:5d:84:1e:15:90:eb:72:a4:02:0c:13:
         25:91:81:50:4b:41:39:8a:9c:01:3f:4d:15:f3:37:5d:f2:bf:
         80:fd:00:0e:63:96:cd:7b:7a:8c:5e:29:7f:ef:e8:f9:c3:cb:
         09:72:ec:e4:a4:6a:a0:22:15:26:77:ad:59:a4:0b:8c:25:57:
         fc:fe:96:34:e1:6c:57:76:51:d4:77:c2:d3:cc:b5:08:9a:a5:
         60:5b:0a:cc:4f:5c:86:ea:22:a3:01:f6:3c:73:e8:ef:56:44:
         47:e3:e9:d2:a7:9d:bc:26:0b:a6:1b:43:5c:a7:d2:c5:56:41:
         e4:5b:f9:a9
[Fri Sep  6 17:18:00 CST 2019] Cert success.
-----BEGIN CERTIFICATE-----
MIIFZTCCBE2gAwIBAgISA0YpzTpj8DE9fdlehtQ9szNDMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA5MDYwODE3NTdaFw0x
OTEyMDUwODE3NTdaMCIxIDAeBgNVBAMTF3RzMTA5aWkubXlxbmFwY2xvdWQuY29t
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy9U7CWOfhz6DH63dpaZh
e+Y1VbZIsu7Dma508d8oEB+ScvFTyhI4J3UYpGKbNKMWRlgrKRcpmdvxALzo3Dbn
1pa/iH4EWFWOucT8miBF/v0dZnfBp4l85v8Vwl3cYYhOsOmUauw8dBcSMwSODJQt
4gNKNDIAovG+UJWjjrZgCkbWKD+byDLKLjDEqgt3j6i4uLFvWZ2QYwAxeoAanP01
FAO9gQ2FuVmXbJQPT/ZHEmY5qipzQ1xdRxNIml+4mM3aP0UdyR89bHUmrxbiEHwH
P2MV/dgv97YLcEpYx+Dv159AdBIeGs57KBUCY5OXRr7XMEd7tVMs/GrKxadLyUmd
tQIDAQABo4ICazCCAmcwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF
BwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSuXx8GpedERxGU
atD3gqu243LhYDAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggr
BgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRz
ZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRz
ZW5jcnlwdC5vcmcvMCIGA1UdEQQbMBmCF3RzMTA5aWkubXlxbmFwY2xvdWQuY29t
MEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUH
AgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBAwYKKwYBBAHWeQIEAgSB
9ASB8QDvAHYA4mlLribo6UAJ6IYbtjuD1D7n/nSI+6SPKJMBnd3x2/4AAAFtBd2w
YwAABAMARzBFAiEAoEx/fxY1GYfkP9ZWhOMqZeZStlxSXfYBnweCRYUtKOwCIF3y
kPxSjmQCe7iS6fBRzxC1zu8SvEstugOtcYwuSEEwAHUAKTxRllTIOWW6qlD8WAfU
t2+/WHopctykwwz05UVH9HgAAAFtBd2wogAABAMARjBEAiB/G0N5R1Frsd7SVHwW
ENkAHcfRBuWZ5MNCfxSD247fIAIgNdhfNMleWH6N+m3mN7q6qqwaA5DLnXfy2gUh
ZPwEyKUwDQYJKoZIhvcNAQELBQADggEBAB7btpOb4Jx556tIr+AwoQTC7ZzWNRG/
CDOjZq1A4TKzu56JMKB1KyDo4I/N5SWnRT85fPzFhxC8l+RCxusko/uwP+/iMYnc
lkYiegk5n8hnw9MiJFHZ0WGeFUCli9F3cCaEs6Oo4R/5ko7n/d1Lao4Vn0g7Duww
05bNFsfnhX08L5p4zcxdhB4VkOtypAIMEyWRgVBLQTmKnAE/TRXzN13yv4D9AA5j
ls17eoxeKX/v6PnDywly7OSkaqAiFSZ3rVmkC4wlV/z+ljThbFd2UdR3wtPMtQia
pWBbCsxPXIbqIqMB9jxz6O9WREfj6dKnnbwmC6YbQ1yn0sVWQeRb+ak=
-----END CERTIFICATE-----
[Fri Sep  6 17:18:00 CST 2019] Your cert is in  /etc/acme/ts109ii.myqnapcloud.com/ts109ii.myqnapcloud.com.cer
[Fri Sep  6 17:18:00 CST 2019] Your cert key is in  /etc/acme/ts109ii.myqnapcloud.com/ts109ii.myqnapcloud.com.key
[Fri Sep  6 17:18:00 CST 2019] v2 chain.
[Fri Sep  6 17:18:00 CST 2019] The intermediate CA cert is in  /etc/acme/ts109ii.myqnapcloud.com/ca.cer
[Fri Sep  6 17:18:00 CST 2019] And the full chain certs is there:  /etc/acme/ts109ii.myqnapcloud.com/fullchain.cer
[Fri Sep  6 17:18:00 CST 2019] _on_issue_success

很神奇吧還是只有我一個人這樣覺得嗎,憑證已經放好在/etc/acme下了。有QNAP的同學說,他們本來就有APP會處理這Let's Encrypt的小事,但是我不喜歡麻煩他們(誤)。至於其他的憑證也可以比照這有夠dirty的方法申請下來,不只農舍,籃球場、停車場都可以。什麼?你說那部分是違建,開玩笑,誰會沒事剛好有那麼多鋼筋水泥可以蓋違建,這都要錢不是嗎?什麼?剛好隔壁住個建築包商,那一定是他亂丟建材,剛好丟完就變成這樣了,就像AOE的村民這樣,你懂得。大不了我拆掉世界奇觀,大家不要再打了。/images/emoticon/emoticon37.gif
OK,下一篇,我們要把憑證上到Nginx上面,取得Chrome瀏覽器裡面綠綠的小鎖頭,不會再被抹紅的啦。
/images/emoticon/emoticon12.gif

REF:
https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E


上一篇
Why KVM , why?
下一篇
NGINX -s reload (Part 1)
系列文
Oops Step ( Home lab of a kind ) 34
圖片
  直播研討會
圖片
{{ item.channelVendor }} {{ item.webinarstarted }} |
{{ formatDate(item.duration) }}
直播中

1 則留言

0
icekimo
iT邦新手 3 級 ‧ 2021-07-03 13:56:45

From acme.sh v3.0.0, acme.sh is using Zerossl as default ca, you must register the account first(one-time) before you can issue new certs.https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA

Q&A 2: Will I still be able to use letsencrypt then?

Yes, of course. You are still free to use any supported CA with providing --server parameter.


acme.sh  --issue  -d example.com --dns dns_cf    --server  letsencrypt

我要留言

立即登入留言