软路由网络架构实现内网穿透后,有一个必须需要做的动作就是实现内网全局SSL证书的部署。以本人的家庭网络为例,ikuai+Openwrt /LEDE的系统架构,上面部署了很多服务,有ESXI系统/PVE系统,还有各种VPS主机。
本文旨在总结内网穿透服务中,针对局域网暴露在外网中的域名(泛域名)做SSL证书部署,以便加强网络的安全访问。以内网中部署的PVE业务为例讲解了SSL证书部署的过程,同时也适合内网站点、LEDE、Esxi、PVE、Nextcloud等业务的部署,读者可以举一反三进行操作。
局域网外网访问实现方式:
OpenWrt frp内网穿透 + 内网分布服务
一、SSL证书申请
二、SSL证书部署
三、SSL证书续签
一、SSL证书申请
1> 访问www.sslforfree.com, 可以用游客模式申请证书。如果域名较多,建议注册一个账户对所有域名证书进行统一管控
2> 填写泛域名和一级域名, 泛域名和主域名使用空格隔开。点击”Create Free SSL Certificate”
按照提示添加两条TXT解析记录
x3_xxxxxxxxxxxxx_xxxxxxxxxxxxvIjE2R3WSdok
p_xxxxxxxxxxxxx_xxxxxxxxxxxxS0muQC7zIzuDoo
Go into the DNS management page that your domains use (This link may help with setting up your TXT records [ignoring Google specific parts]).
Add the following TXT records below to the DNS server for each domain (Please note your DNS software may auto-add the domain in the name field, contact DNS provider if unsure or if you get NXDOMAIN errors):
Add TXT record with the name/host_acme-challenge.yourdomain.com
with the value xxxx
and a TTL (Time to Live) (in seconds) of1
Add TXT record with the name/host_acme-challenge.yourdomain.com
with the xxxx
and a TTL (Time to Live) (in seconds) of1
Verify TXT records have been propagated by going to the following links. The corresponding values above should show up within the record:
Verify _acme-challenge.xxx.com (2 TXT Records should show up. Multiple TXT records with the same hostname are allowed by spec. Contact your DNS provider if you need help setting up multiple TXT records.)
解析记录验证成功后,下载就可以了
下载后的证书包含三个文件:certificate.crt , Private.key , ca_bundel.crt 。该证书适合部署在xxx.com主域名下的所有主机。
本文由作者 okass 发布在 TNEXT , 转载请联系客服授权处理,获得授权后请保留文章的完整性并附上原文链接: https://tnext.org/6441.html