ssl - caddy 使用wild card 域名 以及申请 api token

访问量: 33

refer to:

下载caddy https://caddyserver.com/download

想使用wild card域名的话,就需要使用 caddy + plugin的版本,例如你的DNS服务商是 cloudflare, 那么就 需要使用 caddy-cloudflare plugin.

默认这个plugin是不包含在caddy中的,我们需要要么重新下载,要么重新编译

下载的网址在上面,具体如何下载我没有找到。

于是我们使用xcaddy 来编译

1. 下载go  (注意最新版本不行,会报错。需要使用1.17 )

curl -OL https://go.dev/dl/go1.17.linux-amd64.tar.gz

tar zxvf go1.17.linux-amd64.tar.gz

添加go 命令到 $PATH中。

2. 下载xcaddy

go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest

3. 根据xcaddy来编译 caddy + cloudflare

xcaddy build --with github.com/caddy-dns/cloudflare

这样一个新版的 caddy 就构建好了,放在当前目录下的 caddy文件夹中。

4. 重新运行caddy

5. 编辑Caddyfile

这里需要使用 cloud flare token: 参考: http://siwei.me/blog/posts/cloudflare-api-token-ssl

yangqigong.cn {
  respond "hello, I am yangqigong.cn"
  log {
    output file /var/log/caddy/yangqigong.cn.log
  }
}


*.yangqigong.cn {
  respond "hello, I am *.yangqigong.cn"
  log {
    output file /var/log/caddy/yangqigong.cn.log
  }
  tls {
# 注意: 1. a1b2c3...这里没有双引号
# 这个东东来自于: (见下面的操作,注意它的名称是 api tokens, 必须你要创建才行)
# 它的目的是可以自动修改你的dns server.(增加一个 txt 记录,为注册SSL证书做准备) dns cloudflare a1b2c3d4kskdfkasdjjfd } @name1 host name1.yangqigong.cn handle @name1 { respond "hello, name1" } @name2 host name2.yangqigong.cn handle @name2 { respond "hello, name2" } handle { respond "hello, I am *.yangqigong.cn" } }

6. 重启就可以了。

2022/03/29 02:44:05.877	INFO	using adjacent Caddyfile
2022/03/29 02:44:05.880	WARN	input is not formatted with 'caddy fmt'	{"adapter": "caddyfile", "file": "Caddyfile", "line": 2}
2022/03/29 02:44:05.882	INFO	admin	admin endpoint started	{"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2022/03/29 02:44:05.883	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2022/03/29 02:44:05.884	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2022/03/29 02:44:05.884	INFO	http	enabling automatic TLS certificate management	{"domains": ["yangqigong.cn", "*.yangqigong.cn"]}
2022/03/29 02:44:05.898	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc0000dd810"}
2022/03/29 02:44:05.899	INFO	tls	cleaning storage unit	{"description": "FileStorage:/root/.local/share/caddy"}
2022/03/29 02:44:05.926	INFO	tls	finished cleaning storage units
2022/03/29 02:44:06.626	INFO	autosaved config (load with --resume flag)	{"file": "/root/.config/caddy/autosave.json"}
2022/03/29 02:44:06.627	INFO	serving initial configuration
2022/03/29 02:44:06.627	INFO	tls.obtain	acquiring lock	{"identifier": "*.yangqigong.cn"}
2022/03/29 02:44:06.633	INFO	tls.obtain	lock acquired	{"identifier": "*.yangqigong.cn"}
2022/03/29 02:44:06.636	INFO	tls.issuance.acme	waiting on internal rate limiter	{"identifiers": ["*.yangqigong.cn"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2022/03/29 02:44:06.636	INFO	tls.issuance.acme	done waiting on internal rate limiter	{"identifiers": ["*.yangqigong.cn"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2022/03/29 02:44:08.197	INFO	tls.issuance.acme.acme_client	trying to solve challenge	{"identifier": "*.yangqigong.cn", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}

2022/03/29 02:44:14.588	INFO	tls.issuance.acme.acme_client	validations succeeded; finalizing order	{"order": "https://acme-v02.api.letsencrypt.org/acme/order/385292330/75447596190"}

2022/03/29 02:44:15.938	INFO	tls.issuance.acme.acme_client	successfully downloaded available certificate chains	{"count": 2, "first_url": "https://acme-v02.api.letsencrypt.org/acme/cert/049ce7e066980e7b88c0c47e92ab59c05417"}
2022/03/29 02:44:15.939	INFO	tls.obtain	certificate obtained successfully	{"identifier": "*.yangqigong.cn"}
2022/03/29 02:44:15.939	INFO	tls.obtain	releasing lock	{"identifier": "*.yangqigong.cn"}

7. 我们尝试几个域名:

@域名是没问题的:

然后随便看一个 子域名: 没问题. 域名的有效时间是3个月。

再来一个:

如何申请api token

1. 登录cloudflare -> dns -> 申请 api token

2. 根据模板来:

3.  edit zone DNS 就可以

4.  略微设置一下,就得到了下面的结果

订阅/RSS Feed

Subscribe