ddatsh vps note
Domain
DNSSEC
dig @8.8.8.8 +dnssec ddatsh.com
If the answer contains RRSIG records, DNSSEC is configured correctly.
DNS hosting
Used DNSPod for many years.
Now on Cloudflare.
Hosting
Just a blog and a few small services, so the cheapest tier is enough.
Early on used BandwagonHost to get past the GFW, later an "airport" (proxy subscription service), now Cloudflare Workers, Pages, and a domestic VPS.
Tencent Cloud, Alibaba Cloud
Certificates
Let's Encrypt
curl https://get.acme.sh | sh
export CF_Key=""
export CF_Email=""
acme.sh --register-account -m i@ddatsh.com
acme.sh --issue --dns dns_cf -d *.ddatsh.com -d ddatsh.com --force
acme.sh --issue --dns dns_cf -d *.ddatsh.com -d ddatsh.com --keylength ec-384 --force
acme.sh --installcert --ecc -d *.ddatsh.com --key-file /etc/nginx/conf.d/ssl/ddatsh.com.ecc.key --fullchain-file /etc/nginx/conf.d/ssl/ddatsh.com.ecc.cer --reloadcmd "/usr/sbin/nginx -s reload"
acme.sh --installcert -d *.ddatsh.com --key-file /etc/nginx/conf.d/ssl/ddatsh.com.rsa.key --fullchain-file /etc/nginx/conf.d/ssl/ddatsh.com.rsa.cer --reloadcmd "/usr/sbin/nginx -s reload"
Mail
Tencent Exmail (enterprise mail)
nginx
cat >> /etc/yum.repos.d/nginx.repo <<'EOF'
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF
server {
    resolver 8.8.8.8 8.8.4.4 223.5.5.5 valid=300s;
    resolver_timeout 5s;
    ssl_stapling on;
    ssl_stapling_verify on;
    ...
}
ocsp.int-x3.letsencrypt.org is poisoned by domestic (Chinese) DNS; set resolver to 8.8.8.8, otherwise nginx error.log shows:
[warn] 10739#10739: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/etc/nginx/conf.d/ssl/ddatsh.com.ecc.cer"
Verification
openssl s_client -connect ddatsh.com:443 -servername ddatsh.com -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"
Successful response:
OCSP response:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Failure:
OCSP response: no response sent
Run it several times: nginx does not fetch the OCSP response immediately, but asynchronously after the site has been accessed, so the first few requests may come back without an OCSP response.
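The two checks above (RRSIG in the dig answer, stapled OCSP status in the openssl s_client output) wrapped as shell functions, with the retry the note recommends because nginx staples only after its background OCSP fetch completes. This is an added example, not from the original note; the function names and the 2-second retry interval are my own choices.

```shell
#!/bin/sh
# Added example: verify DNSSEC signing and OCSP stapling for a host.

# Read `dig +dnssec` output on stdin; succeed if an RRSIG record is present.
has_rrsig() {
  grep -q 'RRSIG' -
}

# Read `openssl s_client -status` output on stdin.
# Returns 0 for a successful stapled response, 1 when the server sent none,
# 2 when the output matches neither (e.g. handshake failure).
ocsp_status() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    return 0
  elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
    return 1
  fi
  return 2
}

# Query the live host up to $2 times (default 5); nginx fetches the OCSP
# response asynchronously after the first visit, so early attempts may
# legitimately report "no response sent".
check_stapling() {
  host=$1; tries=${2:-5}; i=1
  while [ "$i" -le "$tries" ]; do
    if openssl s_client -connect "$host:443" -servername "$host" -status \
         </dev/null 2>&1 | ocsp_status; then
      echo "stapling OK on attempt $i"
      return 0
    fi
    i=$((i + 1))
    sleep 2
  done
  echo "no stapled OCSP response after $tries attempts" >&2
  return 1
}

# Live DNSSEC check for a domain (network required).
check_dnssec() {
  dig @8.8.8.8 +dnssec "$1" | has_rrsig
}
```

Usage: `check_dnssec ddatsh.com && check_stapling ddatsh.com`.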
Deployment
webhook
https://github.com/adnanh/webhook
Forked https://github.com/ncarlier/webhookd and customized it.