Tutorial: Using Let's Encrypt + freedns to issue SSL certificates for the RT-AC86U router and other servers
Related article: Building a home entertainment server
Key constraints:
- On domestic (China) home broadband, ports 80 and 443 are blocked by China Telecom, so the HTTP method of Let's Encrypt validation cannot be used; only DNS validation is possible (and for the acme client to renew certificates fully automatically, the DNS service must allow DNS records to be modified through an API, otherwise renewal requires periodic manual work) -> therefore a DNS provider with an API is needed
- Although CloudFlare offers free DNS service, the ASUS router does not support CloudFlare as a DDNS provider
- The ASUS router also does not support Aliyun DNS or Tencent dnsPod as DDNS -> only freedns satisfies all of the following:
- a) supports modifying DNS records through an API
- b) supports DDNS
- c) is supported by the ASUS router as a DDNS provider
- In addition, freedns is free (as long as the domain is set to shared)
- You need to own a domain (so that its DNS nameservers can be pointed at freedns) -> therefore a domain must be purchased; conveniently, freenom offers a free domain for one year
Preparation:
- Get a domain (free with freenom)
- Set up the DNS nameservers for the domain (free with freedns if the domain is shared)
- Enable DDNS for the domain in freedns (free)
- Install acme.sh on your server (mine is a Raspberry Pi with OMV and Portainer)
Issuing an SSL certificate for the RT-AC86U router
- Configure the ASUS router to use freedns as DDNS (username, password, domain name)
- Use acme.sh to do automatic DNS validation for Let's Encrypt with freedns (as ports 80 & 443 are blocked by the ISP, only the DNS challenge can be used)
- Upload the fullchain cert and private key in the DDNS settings page (needs to be re-uploaded whenever a new cert is issued)
Issuing SSL certificates for other servers
- Set up acme.sh on a server to automatically issue the Let's Encrypt certificate for the domain (cert and private key files will be stored on the server)
- Open Media Vault: copy and paste the fullchain cert and private key in the admin page (needs a manual update whenever a new cert is issued)
- Portainer: upload the fullchain cert and private key in the settings page (needs to be re-uploaded whenever a new cert is issued)
- For the containers, e.g. nginx, plex etc., just reference the fullchain cert and private key stored in the ~/.acme.sh/ directory (just restart the containers whenever a new cert is issued)
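The following script is an added example (not from the original post) that drives acme.sh's freedns DNS-01 hook for the setup described above and then checks whether the router, OMV and Portainer still present an older certificate than the one acme.sh currently holds, since those three need a manual re-upload after every renewal. It assumes acme.sh is installed in ~/.acme.sh; DOMAIN, the FREEDNS_* credentials, the cert directory and the .lan endpoints are placeholders to replace.

```shell
#!/bin/sh
# Added example, not part of the original post. Placeholders: DOMAIN, FREEDNS_*,
# CERT_DIR and the *.lan:port endpoints. Requires acme.sh, openssl and docker.
set -eu
DOMAIN="${DOMAIN:-home.example.com}"
ACME="${ACME:-${HOME:-.}/.acme.sh/acme.sh}"
CERT_DIR="${CERT_DIR:-${HOME:-.}/certs}"
export FREEDNS_User="${FREEDNS_User:-CHANGEME}"        # read by acme.sh's dns_freedns hook
export FREEDNS_Password="${FREEDNS_Password:-CHANGEME}"

# Issue via DNS-01: acme.sh adds and removes the _acme-challenge TXT record on
# freedns itself, so ports 80/443 never need to be reachable from the internet.
issue_cert() {
  "$ACME" --issue --dns dns_freedns -d "$1" --keylength ec-256
}

# Copy cert + key where the containers read them; acme.sh re-runs --reloadcmd
# after every automatic renewal, so nginx/plex pick up the new cert unattended.
install_cert() {
  mkdir -p "$CERT_DIR"
  "$ACME" --install-cert -d "$1" --ecc \
    --fullchain-file "$CERT_DIR/fullchain.pem" --key-file "$CERT_DIR/privkey.pem" \
    --reloadcmd "docker restart nginx plex"
}

# SHA-256 fingerprint of a PEM cert on disk.
fp_file() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# SHA-256 fingerprint of the cert a TLS endpoint actually presents.
fp_served() {
  printf '' | openssl s_client -connect "$1" -servername "$DOMAIN" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 (true) when the served fingerprint differs from the local one, i.e. the
# manual re-upload step for that device (router / OMV / Portainer) is due.
needs_reupload() { [ "$1" != "$2" ]; }

main() {
  issue_cert "$DOMAIN"
  install_cert "$DOMAIN"
  local_fp=$(fp_file "$CERT_DIR/fullchain.pem")
  for ep in router.lan:8443 omv.lan:443 portainer.lan:9443; do
    if needs_reupload "$local_fp" "$(fp_served "$ep")"; then
      echo "re-upload needed: $ep serves a different cert than $CERT_DIR/fullchain.pem"
    fi
  done
}
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh script.sh run` from cron after acme.sh's own daily renewal job so a stale certificate on any of the three devices is reported rather than discovered at expiry.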