I tried a simple approach, based on @clanned's /t/241819: append the following at the end of letsencrypt.sh:
# Note: when acme-tiny fails to generate certs (rate limit for example), the
# following code won't run; you can run it manually via Ansible:
#
# $ ansible-playbook prepare.yml --limit hostname --tags "ct_submit"
#
# Generate CT
CT_SUBMIT_DIR="/tmp/ct-submit"
if [ -d "$CT_SUBMIT_DIR" ]; then
    echo "ct-submit detected, updating..."
    cd "$CT_SUBMIT_DIR"
    git pull
    go build
else
    echo "No ct-submit detected, cloning..."
    cd /tmp/
    git clone https://github.com/grahamedgecombe/ct-submit.git
    cd ct-submit
    go build
fi
# DIRNAME, KEY_PREFIX and DOMAIN_CHAINED_CRT are set earlier in letsencrypt.sh
CT_CWD="$DIRNAME/sct/$KEY_PREFIX"
echo "Submitting to Certificate Transparency logs..."
mkdir -p "$CT_CWD"
# Each log returns a binary SCT, written to its own .sct file for nginx-ct
"$CT_SUBMIT_DIR/ct-submit" ct.googleapis.com/aviator <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/aviator.sct"
"$CT_SUBMIT_DIR/ct-submit" ct.googleapis.com/pilot <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/pilot.sct"
"$CT_SUBMIT_DIR/ct-submit" ct.googleapis.com/rocketeer <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/rocketeer.sct"
"$CT_SUBMIT_DIR/ct-submit" log.certly.io <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/certly.sct"
echo -e "\e[01;32mDone: $DOMAIN_CHAINED_CRT CTs have been submitted\e[0m"
This way, the CT information is submitted automatically as soon as the certificate has been issued.
Alternatively, you can create a standalone script that submits the CT information separately, which avoids LE's rate limit:
#!/bin/bash
#
# Usage: /etc/nginx/le/le-ct-submit.sh /etc/nginx/le/domain.tld.conf
CONFIG=$1
if [ -f "$CONFIG" ]; then
    . "$CONFIG"
    # Resolve to an absolute path, since we cd to /tmp below and refer back to it
    DIRNAME=$(cd "$(dirname "$CONFIG")" && pwd)
    cd "$DIRNAME"
else
    echo "Missing config"
    exit 1
fi
KEY_PREFIX="${DOMAIN_KEY%.*}"
DOMAIN_CHAINED_CRT="$KEY_PREFIX.chained.crt"
# Generate CT
CT_SUBMIT_DIR="/tmp/ct-submit"
if [ -d "$CT_SUBMIT_DIR" ]; then
    echo "ct-submit detected, updating..."
    cd "$CT_SUBMIT_DIR"
    git pull
    go build
else
    echo "No ct-submit detected, cloning..."
    cd /tmp/
    git clone https://github.com/grahamedgecombe/ct-submit.git
    cd ct-submit
    go build
fi
CT_CWD="$DIRNAME/sct/$KEY_PREFIX"
echo "Submitting to Certificate Transparency logs..."
mkdir -p "$CT_CWD"
# Each log returns a binary SCT, written to its own .sct file for nginx-ct
"$CT_SUBMIT_DIR/ct-submit" ct.googleapis.com/aviator <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/aviator.sct"
"$CT_SUBMIT_DIR/ct-submit" ct.googleapis.com/pilot <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/pilot.sct"
"$CT_SUBMIT_DIR/ct-submit" ct.googleapis.com/rocketeer <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/rocketeer.sct"
"$CT_SUBMIT_DIR/ct-submit" log.certly.io <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/certly.sct"
echo -e "\e[01;32mDone: $DOMAIN_CHAINED_CRT CTs have been submitted\e[0m"
Then it can be wrapped in Ansible. tasks/main.yml:
- name: sync ct-submit script
  copy: src=le/le-ct-submit.sh
        dest=/etc/nginx/le/
        mode=755
  tags:
    - le
    - ct_submit

- name: run ct-submit script
  command: /etc/nginx/le/le-ct-submit.sh /etc/nginx/le/{{ item }}.conf
  with_items: "{{ ssl_sites[inventory_hostname] }}"
  notify:
    - configtest nginx
    - reload nginx
  tags:
    - le
    - ct_submit
vars/main.yml:
ssl_sites:
  hostname:
    - domain1.tld
    - domain2.tld
    - domain3.tld
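The scripts above redirect each ct-submit invocation straight into a .sct file, so a failed submission (rate limit, log unreachable, bad chain) leaves a zero-byte or truncated file behind that nginx-ct will then try to serve. The following checker, added here as an example and not part of the post or of the ct-submit project, parses the binary SignedCertificateTimestamp encoding from RFC 6962 section 3.2 (the format ct-submit writes) and reports files that are empty, structurally malformed, or carry an implausible timestamp. It checks structure only; verifying the signature would need each log's public key. The sample SCT at the bottom is constructed in the script with a placeholder signature and does not come from any real log.

```python
import struct
import sys
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional

# TLS 1.2 SignatureAndHashAlgorithm code points used by RFC 6962 logs
HASH_ALGS = {4: "sha256"}
SIG_ALGS = {1: "rsa", 3: "ecdsa"}


def parse_sct(blob: bytes) -> dict:
    """Parse one serialized SignedCertificateTimestamp (RFC 6962, section 3.2).

    Layout: version(1) | log_id(32) | timestamp_ms(8) | extensions<0..2^16-1> |
            hash_alg(1) | sig_alg(1) | signature<0..2^16-1>
    Raises ValueError on anything that is not a complete, well-formed v1 SCT.
    """
    if len(blob) < 43:
        raise ValueError("SCT too short for fixed header")
    version = blob[0]
    if version != 0:  # v1 is encoded as 0 and is the only version RFC 6962 defines
        raise ValueError(f"unsupported SCT version {version}")
    log_id = blob[1:33]
    (timestamp_ms,) = struct.unpack(">Q", blob[33:41])
    (ext_len,) = struct.unpack(">H", blob[41:43])
    pos = 43
    extensions = blob[pos:pos + ext_len]
    if len(extensions) != ext_len:
        raise ValueError("truncated extensions")
    pos += ext_len
    if len(blob) < pos + 4:
        raise ValueError("truncated before signature header")
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", blob[pos:pos + 4])
    pos += 4
    signature = blob[pos:pos + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    if pos + sig_len != len(blob):
        raise ValueError("trailing bytes after signature")
    ts = datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc)
    return {
        "version": version,
        "log_id_hex": log_id.hex(),
        "timestamp_ms": timestamp_ms,
        "timestamp_utc": ts.isoformat(),
        "extensions": extensions,
        "hash_alg": HASH_ALGS.get(hash_alg, f"unknown({hash_alg})"),
        "sig_alg": SIG_ALGS.get(sig_alg, f"unknown({sig_alg})"),
        "signature": signature,
    }


def check_sct_blob(blob: bytes, name: str, now_ms: Optional[int] = None) -> List[str]:
    """Return the problems found in one SCT blob; an empty list means it looks sane."""
    if not blob:
        # Shell redirection truncates the file before ct-submit runs, so a
        # failed submission shows up as an empty file.
        return [f"{name}: empty file (submission probably failed)"]
    try:
        sct = parse_sct(blob)
    except ValueError as exc:
        return [f"{name}: malformed SCT: {exc}"]
    problems = []
    if now_ms is None:
        now_ms = int(datetime.now(timezone.utc).timestamp() * 1000)
    if sct["timestamp_ms"] > now_ms:
        problems.append(f"{name}: timestamp in the future ({sct['timestamp_utc']})")
    if sct["hash_alg"] != "sha256":
        problems.append(f"{name}: unexpected hash algorithm {sct['hash_alg']}")
    return problems


def check_sct_dir(sct_dir: Path) -> List[str]:
    """Check every *.sct file in a directory such as $DIRNAME/sct/$KEY_PREFIX."""
    return [p for f in sorted(sct_dir.glob("*.sct")) for p in check_sct_blob(f.read_bytes(), f.name)]


# --- constructed sample (hypothetical log id, placeholder signature), not from any real log ---
SAMPLE_LOG_ID = bytes(range(32))
SAMPLE_TIMESTAMP_MS = 1455000000000  # 2016-02-09T06:40:00Z
SAMPLE_SIGNATURE = bytes.fromhex("3006020101020102")  # DER-shaped filler, not verifiable


def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes, extensions: bytes = b"") -> bytes:
    """Serialize a v1 SCT (sha256/ecdsa); used only to construct test input here."""
    return (bytes([0]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([4, 3]) + struct.pack(">H", len(signature)) + signature)


SAMPLE_SCT = build_sct(SAMPLE_LOG_ID, SAMPLE_TIMESTAMP_MS, SAMPLE_SIGNATURE)

if __name__ == "__main__":
    # Usage: python3 check_sct.py /etc/nginx/le/sct/<key-prefix>   (no argument: parse the sample)
    if len(sys.argv) > 1:
        issues = check_sct_dir(Path(sys.argv[1]))
        print("\n".join(issues) if issues else "all .sct files look well-formed")
        sys.exit(1 if issues else 0)
    print(parse_sct(SAMPLE_SCT))
```

Running it against the sct directory the scripts create, right after the ct-submit loop and before the nginx reload handler fires, turns a silent bad submission into a non-zero exit that Ansible will report.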