Introduction
The certbot website led me here:
https://community.letsencrypt.org/t/list-of-client-implementations/2103/3
From there I found this open-source project:
https://github.com/PKISharp/win-acme
And downloaded the program from here:
https://github.com/PKISharp/win-acme/releases
Installation fails on an intranet host
Just run the program; the certificate creation process went as follows:
N: Create new certificate
M: Create new certificate with advanced options
L: List scheduled renewals
R: Renew scheduled
S: Renew specific
A: Renew *all*
V: Revoke certificate
C: Cancel scheduled renewal
X: Cancel *all* scheduled renewals
Q: Quit
Please choose from the menu: m
[INFO] Running in Advanced mode
1: Single binding of an IIS site
2: SAN certificate for all bindings of an IIS site
3: SAN certificate for all bindings of multiple IIS sites
4: Manually input host names
C: Cancel
Which kind of certificate would you like to create?: 4
Enter comma-separated list of host names, starting with the primary one: xltx.com
[INFO] Plugin Manual generated target [Manual] [1 binding - bank.xltx.com]
1: [dns-01] Azure DNS
2: [dns-01] Run external program/script to create and update records
3: [http-01] Save file on local (network) path
4: [http-01] Self-host verification files (recommended)
5: [http-01] Upload verification file to FTP(S) server
6: [http-01] Upload verification file to WebDav path
C: Cancel
How would you like to validate this certificate?: 3
Enter a site path (the web root of the host for http authentication): D:\dev\workspace\4.7.2\xltx_bankserv\webapp
Copy default web.config before validation? (y/n): - yes
1: Create or update ftps bindings in IIS
2: Create or update https bindings in IIS
3: Do not run any installation steps
4: Run a custom script
C: Cancel
Which installer should run for the certificate?: 3
[INFO] Authorize identifier: bank.xltx.com
[INFO] Authorizing bank.xltx.com using http-01 validation (FileSystem)
[INFO] Answer should now be browsable at http://bank.xltx.com/.well-known/acme-challenge/AHTsVFBYcgcIuCZYl72MYMDRqi8hZOWGMoasXr90Udo
[EROR] Authorization result: invalid
[EROR] ACME server reported:
[EROR] [type] urn:acme:error:unknownHost
[EROR] [detail] No valid IP addresses found for bank.xltx.com
[EROR] [status] 400
[EROR] Create certificate failed
There are only 10 attempts; after that you wait for the next 3-hour window. It never succeeded, and my guess is that the IP the domain name resolves to does not match the host's IP.
Cloud host OK
Trying again on the cloud server, it went through without a hitch and generated a pile of files:
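Before spending one of those attempts, it is cheap to verify locally the same things the ACME server is about to verify. The script below is an added example, not part of win-acme or of this post: it writes a token under the webroot's .well-known/acme-challenge/ directory, fetches it back over plain HTTP the way the CA does, and checks that the host name resolves in DNS to the address the operator believes the machine answers on (expected_ip is supplied by the caller and is an assumption; bank.example, 203.0.113.10 and the account thumbprint in the token body are constructed placeholders). The unknownHost error above is what the CA reports when its own lookup of the name finds no usable public address, so the DNS step of this check reproduces that symptom before the CA charges an attempt for it.

```python
"""Pre-flight check for an ACME http-01 validation.

Added example, not part of win-acme or the original post.  A public ACME
server will only issue when (1) the host name resolves in DNS to a usable
public address, (2) that address reaches this machine, and (3) a token placed
under <webroot>/.well-known/acme-challenge/ is served back verbatim over
plain HTTP.  The DNS lookup and the HTTP fetch are injectable so the check
can also be exercised offline against a loopback server.
"""
import http.server
import os
import secrets
import socket
import threading
import urllib.request
from functools import partial

CHALLENGE_PATH = ".well-known/acme-challenge"


def resolve_addresses(hostname, resolver=socket.getaddrinfo):
    """Set of addresses ``hostname`` resolves to; empty when the lookup fails."""
    try:
        infos = resolver(hostname, 80, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def write_challenge(webroot, token=None, thumbprint="constructed-account-thumbprint"):
    """Write <webroot>/.well-known/acme-challenge/<token>; return (token, body).

    A real key authorization is "<token>.<JWK thumbprint>"; the thumbprint here
    is a constructed placeholder because the CA never reads this test file.
    """
    token = token or secrets.token_urlsafe(32)
    body = f"{token}.{thumbprint}"
    directory = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(directory, exist_ok=True)
    with open(os.path.join(directory, token), "w", encoding="ascii", newline="") as fh:
        fh.write(body)
    return token, body


def http_get(url):
    """Plain GET with proxies disabled so a loopback test is never sent via a proxy."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=10) as resp:
        return resp.read().decode("ascii")


def fetch_challenge(base_url, token, fetch=http_get):
    """Body served at <base_url>/.well-known/acme-challenge/<token>, or None on failure."""
    try:
        return fetch(f"{base_url}/{CHALLENGE_PATH}/{token}")
    except Exception:
        return None


def preflight(hostname, webroot, expected_ip, resolver=socket.getaddrinfo,
              fetch=http_get, base_url=None):
    """Run all three checks; ``ok`` is True only when every one of them passes."""
    addresses = resolve_addresses(hostname, resolver)
    token, body = write_challenge(webroot)
    served = fetch_challenge(base_url or f"http://{hostname}", token, fetch)
    findings = {
        "addresses": sorted(addresses),
        "resolves": bool(addresses),            # False is what unknownHost looks like
        "points_here": expected_ip in addresses,  # the post's "domain IP == host IP" guess
        "serves_token": served == body,         # 404 or a rewritten body fails here
    }
    findings["ok"] = findings["resolves"] and findings["points_here"] and findings["serves_token"]
    return findings


def serve_webroot(webroot):
    """Serve ``webroot`` on a loopback ephemeral port in a daemon thread; return (server, base_url)."""
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    import tempfile

    # Offline demonstration: a loopback web server stands in for the host and a
    # fake resolver answers with the loopback address.
    webroot = tempfile.mkdtemp()
    server, base_url = serve_webroot(webroot)
    loopback_dns = lambda host, port, **kw: [
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("127.0.0.1", port))]
    print(preflight("bank.xltx.com", webroot, "127.0.0.1", resolver=loopback_dns, base_url=base_url))
    server.shutdown()
```

On a real host, call preflight() with the real host name, the webroot given to win-acme and the public address the machine is expected to be reached on, and leave resolver, fetch and base_url at their defaults. A fetch that succeeds from inside the network but fails from outside is the forwarder/NAT case the post ran into, so run the check from outside the network when that is possible.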
bank.xltx.com.history.json
bank.xltx.com-all.pfx
bank.xltx.com-chain.pem
bank.xltx.com-crt.der
bank.xltx.com-crt.pem
bank.xltx.com-csr.pem
bank.xltx.com-gen-csr.json
bank.xltx.com-gen-key.json
bank.xltx.com-key.pem
ca-bank.xltx.com-crt.der
ca-bank.xltx.com-crt.pem
Registration
Renewals
Signer
Get a Tomcat, create a new application, xltx_bank, and then configure web.xml and Tomcat's server.xml.
Add this block to server.xml (adapted from https://blog.csdn.net/reaper1022/article/details/52196378); picking two of the pem files turned out, surprisingly, to just work:
<!-- APR/native connector: the certificate and key attributes point at the PEM
     files win-acme wrote; SSLProtocol lists the protocol versions offered. -->
<Connector
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    SSLCertificateFile="C:/ProgramData/win-acme/httpsacme-v01.api.letsencrypt.org/bank.xltx.com-crt.pem"
    SSLCertificateKeyFile="C:/ProgramData/win-acme/httpsacme-v01.api.letsencrypt.org/bank.xltx.com-key.pem"
    SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" />
A Host entry is also needed:
<Host name="bank.xltx.com" appBase=""
      unpackWARs="true" autoDeploy="true"
      xmlValidation="false" xmlNamespaceAware="false">
    <Context path="" docBase="C:\dev\apache-tomcat-8.0.52\webapps\xltx_bank" debug="0" reloadable="true"/>
</Host>
The content of WEB-INF\web.xml is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<!-- xsi:schemaLocation is a space-separated pair: namespace URI, then schema URL -->
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         id="WebApp_ID" version="3.1">
    <display-name>xltx_bank</display-name>
</web-app>
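One caveat on the connector above: it serves only the leaf certificate (bank.xltx.com-crt.pem) with its key. The APR connector can also be given the issuer certificate (the ca-bank.xltx.com-crt.pem file from the listing) through its SSLCertificateChainFile attribute; without it, clients that do not already hold the Let's Encrypt intermediate cannot build a trust path and reject the connection. The script below is an added example, not win-acme's code or the post's: it inventories the PEM files in an output directory, checks that each block decodes to one well-formed DER SEQUENCE (a truncated or mangled file fails here before a server tries to load it), and assembles a leaf-then-issuer chain file while refusing any block that is not a CERTIFICATE, so a key file picked by mistake is never copied into the file the server hands to every client. The file names follow the listing above; the DER payloads are constructed placeholders, not real certificates or keys.

```python
"""Inventory win-acme's PEM output and build a leaf-then-issuer chain file.

Added example, not part of win-acme or the original post.  Each PEM block is
base64-decoded and checked to be a single DER SEQUENCE (tag 0x30 whose length
field covers exactly the remaining bytes).  build_chain() refuses anything
that is not a CERTIFICATE block.  The DER payloads below are constructed
placeholders, not real X.509 or key material.
"""
import base64
import os
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*"
    r"-----END (?P=label)-----"
)


def parse_pem(text):
    """List of (label, der_bytes) for every PEM block in ``text``."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())
        blocks.append((m.group("label"), base64.b64decode(body, validate=True)))
    return blocks


def to_pem(label, der):
    """Encode ``der`` as a PEM block with the conventional 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def der_is_sequence(der):
    """True if ``der`` is exactly one SEQUENCE whose length field matches its payload."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        length, header = first, 2
    else:                                 # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def inventory(directory):
    """Map each *.pem file name in ``directory`` to its [(label, well_formed), ...]."""
    result = {}
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".pem"):
            continue
        with open(os.path.join(directory, name), encoding="ascii") as fh:
            result[name] = [(label, der_is_sequence(der)) for label, der in parse_pem(fh.read())]
    return result


def build_chain(leaf_path, issuer_paths):
    """PEM text with the leaf certificate first, then each issuer in the given order.

    Raises ValueError for an empty file, a malformed block, or any block that is
    not a CERTIFICATE (a PRIVATE KEY block in particular).
    """
    out = []
    for path in [leaf_path, *issuer_paths]:
        with open(path, encoding="ascii") as fh:
            blocks = parse_pem(fh.read())
        if not blocks:
            raise ValueError(f"{path}: no PEM blocks found")
        for label, der in blocks:
            if label != "CERTIFICATE":
                raise ValueError(f"{path}: refusing to bundle a {label} block")
            if not der_is_sequence(der):
                raise ValueError(f"{path}: malformed DER in CERTIFICATE block")
            out.append(to_pem("CERTIFICATE", der))
    return "".join(out)


# Constructed placeholders: minimal DER SEQUENCEs, not real certificates or keys.
FAKE_LEAF_DER = b"\x30\x03\x02\x01\x01"     # SEQUENCE { INTEGER 1 }
FAKE_ISSUER_DER = b"\x30\x03\x02\x01\x02"   # SEQUENCE { INTEGER 2 }
FAKE_KEY_DER = b"\x30\x03\x02\x01\x03"      # SEQUENCE { INTEGER 3 }


def write_demo_dir(directory):
    """Create files named like win-acme's output (constructed contents); return paths by role."""
    files = {
        "leaf": ("bank.xltx.com-crt.pem", to_pem("CERTIFICATE", FAKE_LEAF_DER)),
        "issuer": ("ca-bank.xltx.com-crt.pem", to_pem("CERTIFICATE", FAKE_ISSUER_DER)),
        "key": ("bank.xltx.com-key.pem", to_pem("PRIVATE KEY", FAKE_KEY_DER)),
    }
    paths = {}
    for role, (name, text) in files.items():
        paths[role] = os.path.join(directory, name)
        with open(paths[role], "w", encoding="ascii", newline="\n") as fh:
            fh.write(text)
    return paths


if __name__ == "__main__":
    import tempfile
    demo = write_demo_dir(tempfile.mkdtemp())
    for name, entries in inventory(os.path.dirname(demo["leaf"])).items():
        print(name, entries)
    print(build_chain(demo["leaf"], [demo["issuer"]]))
```

Against a real win-acme directory, inventory() on C:/ProgramData/win-acme/<server>/ shows which files hold CERTIFICATE blocks and which hold the key, and build_chain(leaf, [issuer]) writes the file to reference from SSLCertificateChainFile. The check is structural only (it does not parse X.509 fields or verify signatures), which is enough to catch a truncated download or a swapped file.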
Summary
(1) The certificate installer probably checks two things, the host's IP and the IP the domain name resolves to, and the two must match; I have not looked for an official statement on this, it is only an inference. That is why installing the certificate through 花生壳 (a DDNS port-forwarding service) host forwarding does not succeed.
(2) Can a working certificate be copied to another host (one that is reachable by its own domain name)? The answer: not for an intranet host; HTTPS probably goes straight to the certificate of the host the domain name points at, rather than the final host behind it.