
SSL - Caddy with wildcard domains, and how to request a Cloudflare API token

Published: 2022-03-28 23:54:00

refer to:

Download Caddy: https://caddyserver.com/download

To use a wildcard domain you need a build of Caddy that includes a DNS plugin. For example, if your DNS provider is Cloudflare, you need the caddy-cloudflare plugin.

This plugin is not included in Caddy by default, so we either download a build that has it or compile one ourselves.

The download page is linked above, but I could not find how to download a build with the plugin.

So we compile it with xcaddy instead.

1. Download Go (note: the latest version does not work and errors out; use 1.17)

curl -OL https://go.dev/dl/go1.17.linux-amd64.tar.gz

tar zxvf go1.17.linux-amd64.tar.gz

Add the go command to $PATH.

2. Install xcaddy

go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest

3. Build Caddy + the Cloudflare plugin with xcaddy

xcaddy build --with github.com/caddy-dns/cloudflare

This produces a new Caddy build, placed in the caddy folder under the current directory.

4. Run caddy again

5. Edit the Caddyfile

This needs a Cloudflare API token; see: http://siwei.me/blog/posts/cloudflare-api-token-ssl

yangqigong.cn {
  respond "hello, I am yangqigong.cn"
  log {
    output file /var/log/caddy/yangqigong.cn.log
  }
}

*.yangqigong.cn {
  log {
    output file /var/log/caddy/yangqigong.cn.log
  }
  tls {
    # Note: 1. the token a1b2c3... is NOT wrapped in double quotes here.
    # 2. The token comes from Cloudflare (see the steps below; it is called an "API token" and you must create one yourself).
    # 3. Its purpose is to let Caddy modify your DNS records automatically (it adds a TXT record to prepare for the SSL certificate issuance).
    dns cloudflare a1b2c3d4kskdfkasdjjfd
  }

  @name1 host name1.yangqigong.cn
  handle @name1 {
    respond "hello, name1"
  }

  @name2 host name2.yangqigong.cn
  handle @name2 {
    respond "hello, name2"
  }

  # Fallback for every other subdomain
  handle {
    respond "hello, I am *.yangqigong.cn"
  }
}

6. Restart Caddy and it works. The log output:

2022/03/29 02:44:05.877	INFO	using adjacent Caddyfile
2022/03/29 02:44:05.880	WARN	input is not formatted with 'caddy fmt'	{"adapter": "caddyfile", "file": "Caddyfile", "line": 2}
2022/03/29 02:44:05.882	INFO	admin	admin endpoint started	{"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2022/03/29 02:44:05.883	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2022/03/29 02:44:05.884	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2022/03/29 02:44:05.884	INFO	http	enabling automatic TLS certificate management	{"domains": ["yangqigong.cn", "*.yangqigong.cn"]}
2022/03/29 02:44:05.898	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc0000dd810"}
2022/03/29 02:44:05.899	INFO	tls	cleaning storage unit	{"description": "FileStorage:/root/.local/share/caddy"}
2022/03/29 02:44:05.926	INFO	tls	finished cleaning storage units
2022/03/29 02:44:06.626	INFO	autosaved config (load with --resume flag)	{"file": "/root/.config/caddy/autosave.json"}
2022/03/29 02:44:06.627	INFO	serving initial configuration
2022/03/29 02:44:06.627	INFO	tls.obtain	acquiring lock	{"identifier": "*.yangqigong.cn"}
2022/03/29 02:44:06.633	INFO	tls.obtain	lock acquired	{"identifier": "*.yangqigong.cn"}
2022/03/29 02:44:06.636	INFO	tls.issuance.acme	waiting on internal rate limiter	{"identifiers": ["*.yangqigong.cn"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2022/03/29 02:44:06.636	INFO	tls.issuance.acme	done waiting on internal rate limiter	{"identifiers": ["*.yangqigong.cn"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2022/03/29 02:44:08.197	INFO	tls.issuance.acme.acme_client	trying to solve challenge	{"identifier": "*.yangqigong.cn", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/03/29 02:44:14.588	INFO	tls.issuance.acme.acme_client	validations succeeded; finalizing order	{"order": "https://acme-v02.api.letsencrypt.org/acme/order/385292330/75447596190"}
2022/03/29 02:44:15.938	INFO	tls.issuance.acme.acme_client	successfully downloaded available certificate chains	{"count": 2, "first_url": "https://acme-v02.api.letsencrypt.org/acme/cert/049ce7e066980e7b88c0c47e92ab59c05417"}
2022/03/29 02:44:15.939	INFO	tls.obtain	certificate obtained successfully	{"identifier": "*.yangqigong.cn"}
2022/03/29 02:44:15.939	INFO	tls.obtain	releasing lock	{"identifier": "*.yangqigong.cn"}
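As an added example (not part of the original post), the following Python parses Caddy's tab-separated console log lines like the ones above and reports, per certificate identifier, which ACME challenge type and CA were used, how long issuance took from lock to certificate, and whether it failed, so a wildcard issuance that silently stops using dns-01 or errors out can be caught. The sample lines are constructed from the output above; the `*.example.test` failure line is hypothetical, added only to exercise the error path.

```python
import json
from datetime import datetime

# Constructed sample lines in the tab-separated layout Caddy prints:
# timestamp, level, optional logger name, message, optional JSON fields.
# The *.example.test failure line is hypothetical, added to show the error path.
SAMPLE_LOG = "\n".join([
    "2022/03/29 02:44:05.880\tWARN\tinput is not formatted with 'caddy fmt'"
    '\t{"adapter": "caddyfile", "file": "Caddyfile", "line": 2}',
    "2022/03/29 02:44:06.633\tINFO\ttls.obtain\tlock acquired"
    '\t{"identifier": "*.yangqigong.cn"}',
    "2022/03/29 02:44:08.197\tINFO\ttls.issuance.acme.acme_client\ttrying to solve challenge"
    '\t{"identifier": "*.yangqigong.cn", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}',
    "2022/03/29 02:44:15.939\tINFO\ttls.obtain\tcertificate obtained successfully"
    '\t{"identifier": "*.yangqigong.cn"}',
    "2022/03/29 02:45:00.000\tERROR\ttls.obtain\tcould not get certificate from issuer"
    '\t{"identifier": "*.example.test", "error": "dns-01 challenge failed (constructed)"}',
])

def parse_line(line):
    """Split one Caddy console log line into timestamp, level, logger, message, fields."""
    parts = line.split("\t")
    fields = json.loads(parts.pop()) if parts[-1].startswith("{") else {}
    logger = parts[2] if len(parts) == 4 else ""   # the logger column is absent on some lines
    return {"ts": datetime.strptime(parts[0], "%Y/%m/%d %H:%M:%S.%f"),
            "level": parts[1], "logger": logger, "msg": parts[-1], "fields": fields}

def issuance_report(log_text):
    """Per identifier: challenge type, CA, seconds from lock to certificate, error (if any).
    Also returns non-TLS WARN/ERROR messages, such as the 'caddy fmt' warning."""
    report, starts, warnings = {}, {}, []
    for rec in map(parse_line, filter(None, log_text.splitlines())):
        if rec["level"] in ("WARN", "ERROR") and not rec["logger"].startswith("tls"):
            warnings.append(rec["msg"])
        ident = rec["fields"].get("identifier")
        if not ident:
            continue
        entry = report.setdefault(ident, {"challenge": None, "ca": None, "seconds": None, "error": None})
        if rec["msg"] == "lock acquired":
            starts[ident] = rec["ts"]
        elif rec["msg"] == "trying to solve challenge":
            entry["challenge"] = rec["fields"].get("challenge_type")
            entry["ca"] = rec["fields"].get("ca")
        elif rec["msg"] == "certificate obtained successfully" and ident in starts:
            entry["seconds"] = round((rec["ts"] - starts[ident]).total_seconds(), 3)
        elif rec["level"] == "ERROR":
            entry["error"] = rec["fields"].get("error", rec["msg"])
    return report, warnings
```

Feeding it the real log shown above (for example `issuance_report(open("caddy.log").read())`) yields one entry for `*.yangqigong.cn` with challenge `dns-01` and an issuance time of a few seconds; an entry with `error` set, or a challenge other than `dns-01` for a wildcard, is the condition worth alerting on.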

7. Let's try a few domains:

The apex (@) domain works fine:

Then pick any subdomain: it works too. The certificate is valid for 3 months.

One more:

How to request an API token

1. Log in to Cloudflare -> DNS -> request an API token

2. Follow the template:

3. Choosing "Edit zone DNS" is enough

4. Adjust the settings a little and you get the result below
