|
|
|
@ -1,9 +1,11 @@ |
|
|
|
## 快速开始 |
|
|
|
|
|
|
|
Encryption365 是由 [Trust Ocean](https://www.trustocean.cn/) 提供的一款TLS证书,可申请免费的IP或域名证书,但官方只提供了[宝塔插件](https://github.com/londry/Encryption365_Baota),这对非宝塔用户很不友好,本工具基于该插件API编写,支持自动化注册、登录、申请、安装与续签。 |
|
|
|
Encryption365 是由 [Trust Ocean](https://www.trustocean.cn/) 提供的一款TLS证书,可申请免费的IP或域名证书,但官方只提供了[宝塔插件](https://github.com/londry/Encryption365_Baota)以供使用,本工具基于该插件API重构,支持证书的自动化注册、登录、申请、安装、管理与续签。 |
|
|
|
|
|
|
|
### 安装命令 |
|
|
|
|
|
|
|
输入以下命令执行安装,数据将存放在 `/etc/encryption365` 目录下,输入 `encryption365` 命令即可调用本工具。 |
|
|
|
|
|
|
|
``` |
|
|
|
shell> curl -sL https://raw.githubusercontent.com/dnomd343/Encryption365/master/install.sh | sh |
|
|
|
|
|
|
|
@ -11,6 +13,153 @@ shell> curl -sL https://raw.githubusercontent.com/dnomd343/Encryption365/master/ |
|
|
|
shell> curl -sL https://raw.fastgit.org/dnomd343/Encryption365/master/install.sh | sh |
|
|
|
``` |
|
|
|
|
|
|
|
安装时将会自动写入一个crontab任务,每小时自动检查一次证书续签,可输入 `crontab -l` 查看具体配置。 |
|
|
|
|
|
|
|
### 使用说明 |
|
|
|
|
|
|
|
待补充... |
|
|
|
**注册账号** |
|
|
|
|
|
|
|
证书申请时必须基于环智中诚账号,你可以选择在 [官网](https://page.trustocean.com/websecurity/welcome) 手动注册,或是使用 `encryption365 regist` 命令快速注册,后者仅需提供邮箱地址接收验证码,其余个人信息可选择如实填写或自动生成。 |
|
|
|
|
|
|
|
``` |
|
|
|
shell> encryption365 regist |
|
|
|
This process help you regist a Trustocean account, all you need is an email address to receive the verification code. |
|
|
|
Email: ... |
|
|
|
There will be an email sent to ..., please note checking. |
|
|
|
Verification code: ... |
|
|
|
Set a password for your account. |
|
|
|
Password: ... |
|
|
|
Trustocean need your Chinese ID card num, but you can just press ENTER to generate one. |
|
|
|
ID card num: |
|
|
|
Random ID card num: 510321198611073407 |
|
|
|
Random ID card info: 四川省 自贡市 荣县 1986-11-07 female |
|
|
|
Please enter your real name, or press ENTER to generate one. |
|
|
|
Name: |
|
|
|
Random name: 林瑶仪 |
|
|
|
Last step, enter your phone num, or randomly generate one by press ENTER. |
|
|
|
Phone: |
|
|
|
Random phone: 15915353380 |
|
|
|
It seems that all the information is complete, press ENTER to register your account... |
|
|
|
Regist success |
|
|
|
Use "encryption365 login" command to login. |
|
|
|
``` |
|
|
|
|
|
|
|
**登录账号** |
|
|
|
|
|
|
|
使用账号邮箱与密码登录, |
|
|
|
|
|
|
|
``` |
|
|
|
shell> encryption365 login |
|
|
|
This process need a Trustocean account, if you don't have it currently, there are two methods: |
|
|
|
1. Manually register at "https://page.trustocean.com/websecurity/welcome" |
|
|
|
2. Use "encryption365 regist" command regist automatically |
|
|
|
Email: ... |
|
|
|
Password: ... |
|
|
|
Login success |
|
|
|
Account status: active |
|
|
|
Login time: ... |
|
|
|
``` |
|
|
|
|
|
|
|
或者将邮箱与密码作为参数输入 |
|
|
|
|
|
|
|
``` |
|
|
|
shell> encryption365 login {email} {password} |
|
|
|
... |
|
|
|
``` |
|
|
|
|
|
|
|
**列出证书** |
|
|
|
|
|
|
|
`encryption365 list` 命令用于列出当前申请或申请中的证书,包括证书主域名、ID、包含域名、申请时间、到期时间等信息。 |
|
|
|
|
|
|
|
**申请证书** |
|
|
|
|
|
|
|
`encryption365 issue` 命令申请指定域名的证书,后面需跟上证书类型(ECC或RSA),后接一个或多个域名。 |
|
|
|
|
|
|
|
``` |
|
|
|
shell> encryption365 issue ECC example.com 1.2.3.4 |
|
|
|
··· |
|
|
|
``` |
|
|
|
|
|
|
|
申请时,CA服务器会对域名所有权进行验证,此处使用HTTP方式进行回应,验证请求格式类似于 `http://{doamin}/.well-known/pki-validation/xx...xxx.txt`,由于前置web服务器的存在,我们需要配置其将目标域名的 `/.well-known/pki-validation/` 路径转发给脚本验证,以*Nginx*配置为例。 |
|
|
|
|
|
|
|
``` |
|
|
|
# 若需要验证多个域名,可以统一反向代理到一个socket |
|
|
|
server { |
|
|
|
listen 80; |
|
|
|
server_name 1.2.3.4; |
|
|
|
location / { |
|
|
|
root /var/www/home; |
|
|
|
index index.html; |
|
|
|
} |
|
|
|
location /.well-known/pki-validation/ { |
|
|
|
proxy_set_header Host $http_host; |
|
|
|
proxy_pass http://unix:/var/run/encryption365.sock:/; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
server { |
|
|
|
listen 80; |
|
|
|
server_name example.com; |
|
|
|
location / { |
|
|
|
return 301 https://$server_name$request_uri; |
|
|
|
} |
|
|
|
location /.well-known/pki-validation/ { |
|
|
|
proxy_set_header Host $http_host; |
|
|
|
proxy_pass http://unix:/var/run/encryption365.sock:/; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
# 127.0.0.1:9000 为php-fpm的fastcgi端口,在Ubuntu/Debian上一般为socket形式 |
|
|
|
server { |
|
|
|
listen unix:/var/run/encryption365.sock; |
|
|
|
location / { |
|
|
|
include fastcgi_params; |
|
|
|
fastcgi_pass 127.0.0.1:9000; |
|
|
|
fastcgi_param SCRIPT_FILENAME /etc/encryption365/validation.php; |
|
|
|
} |
|
|
|
} |
|
|
|
``` |
|
|
|
|
|
|
|
执行 `nginx -s reload` 生效。 |
|
|
|
|
|
|
|
申请请求发送后,脚本会每隔30s查询是否验证成功,配置无误的情况下,一般两分钟内就能签发,如果处于高峰期可能需要十分钟以上,签发成功后,登录账号的邮箱将会收到一封签发成功的邮件。如果30分钟后仍未签发,则脚本会报错退出,这种情况可以手动执行重新验证。 |
|
|
|
|
|
|
|
**重新验证** |
|
|
|
|
|
|
|
申请证书时,验证可能会出现超时失败,使用 `encryption365 reverify {HOST}` 命令可以对指定站点重新验证签发。 |
|
|
|
|
|
|
|
**刷新证书** |
|
|
|
|
|
|
|
如果不慎删除证书文件,或在等待签发期间强制退出,可以使用 `encryption365 flash {HOST}` 命令刷新指定站点,检查证书状态并重新下载。 |
|
|
|
|
|
|
|
**续签证书** |
|
|
|
|
|
|
|
免费证书一次签发有效期为三个月,执行 `encryption365 renew {HOST}` 命令可续签指定站点的证书,不过该命令大多数情况下无需手动执行,系统配置了crontab任务将会持续运行 `encryption365 autorenew` 指令,自动对即将过期证书进行续签。 |
|
|
|
|
|
|
|
**安装证书** |
|
|
|
|
|
|
|
证书申请成功后,执行 `encryption365 install {HOST} [options]` 命令可安装指定站点的证书,可用选项如下: |
|
|
|
|
|
|
|
+ fullchain:完整证书链 |
|
|
|
|
|
|
|
+ key:私钥文件 |
|
|
|
|
|
|
|
+ cert:证书文件 |
|
|
|
|
|
|
|
+ ca:CA证书文件 |
|
|
|
|
|
|
|
+ cmd:安装完成后执行的命令 |
|
|
|
|
|
|
|
例如安装给*Nginx*使用 |
|
|
|
|
|
|
|
``` |
|
|
|
shell> encryption365 install example.com \ |
|
|
|
fullchain=/etc/ssl/certs/example.com/fullchain.pem \ |
|
|
|
key=/etc/ssl/certs/example.com/privkey.pem \ |
|
|
|
cmd="systemctl force-reload nginx" |
|
|
|
Install OK |
|
|
|
``` |
|
|
|
|
|
|
|
**自动续签** |
|
|
|
|
|
|
|
执行 `encryption365 autorenew` 命令将会检查全部站点,如果发现证书将于十天后过期,将自动执行续签工作,该命令无需手动执行,安装时将会被自动添加至系统crontab定时任务中。 |
|
|
|
|
dnomd343
3 years ago