• 初次使用Let's encrypt

    wget --no-check-certificate -O shadowsocks.sh https://raw.githubusercontent.com/teddysun/shadowsocks_install/master/shadowsocks.sh
chmod +x shadowsocks.sh
./shadowsocks.sh 2>&1 | tee shadowsocks.log

    完成后这这样
    Congratulations, Shadowsocks-python server install completed!
Your Server IP        :your_server_ip
Your Server Port      :your_server_port
Your Password         :your_password
Your Encryption Method:your_encryption_method

Welcome to visit:https://teddysun.com/342.html
Enjoy it!

    然后用 vi /etc/shadowsocks.json 把里面的配置修改

    启动:/etc/init.d/shadowsocks start
    停止:/etc/init.d/shadowsocks stop
    重启:/etc/init.d/shadowsocks restart
    状态:/etc/init.d/shadowsocks status

    建立Let's encrypt

    sudo yum install epel-release
    sudo yum install httpd mod_ssl python-certbot-apache
    sudo systemctl start httpd

    sudo firewall-cmd --add-service=http

    sudo firewall-cmd --add-service=https

    sudo firewall-cmd --runtime-to-permanent

     

    sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT

    sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

    然后建立证书比如要建立一个二级域名sub.example.com

    sudo certbot --apache -d sub.example.com

    如无意外会出现如下

    - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert
   will expire on 2016-04-21. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you lose your account credentials, you can recover through
   e-mails sent to user@example.com.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

     这时证书会在 /etc/letsencrypt/live

    如果出错了要这个命令

     certbot --authenticator webroot --installer apache 

    再测试

    sudo apachectl configtest

    再重启

    sudo systemctl restart httpd

    这时相信你可以访问你的https网站

    这时要设置自动更新你的证书

    sudo certbot renew

    再用定时做个自动更新证书 

    sudo crontab -e

    进入后输入这个命令行

    30 2 * * * /usr/bin/certbot renew >> /var/log/le-renew.log

    好了,然后再做个ikev2服务器

    yum install strongswan

    systemctl enable strongswan
    systemctl start strongswan
    先确认 /etc/letsencrypt/live/mydomain.com/ 下面有你的证书文件
    fullchain.pem,privkey.pem,chain.pem
    然后用这几个命令,注意,下面的mydomain.com改成你自己的域名
    ln -s /etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/strongswan/ipsec.d/certs/fullchain.pem
    ln -s /etc/letsencrypt/live/mydomain.com/privkey.pem /etc/strongswan/ipsec.d/private/privkey.pem
    ln -s /etc/letsencrypt/live/mydomain.com/chain.pem /etc/strongswan/ipsec.d/cacerts/chain.pem

    修改/etc/strongswan/ipsec.conf,注意下面 leftid=server.mydomain.com 要改成自己的域名

    config setup

              uniqueids=no charon

                 debug = ike 3, cfg 3

    conn %default

                    dpdaction=clear

                     dpddelay=35s

                     dpdtimeout=2000s

                      keyexchange=ikev2

                       auto=add

                     rekey=no

                      reauth=no

                      fragmentation=yes

                        compress=yes

                     ### left - local (server) side

                        # filename of certificate chain located in /etc/strongswan/ipsec.d/certs/

                         leftcert=fullchain.pem

                           leftsendcert=always

                          leftsubnet=0.0.0.0/0,::/0

                       ### right - remote (client) side

                         eap_identity=%identity

                          rightsourceip=10.1.1.0/24,2a00:1450:400c:c05::/112             

                             rightdns=8.8.8.8,2001:4860:4860::8888

          conn          ikev2-mschapv2

                          rightauth=eap-mschapv2

            conn        ikev2-mschapv2-apple

                            rightauth=eap-mschapv2 leftid=server.mydomain.com

     

    然后再改 /etc/strongswan/ipsec.secrets 根据自己改自己用户名和密码改下面的yonghuaming : EAP "mima"

    # filename of private key located in /etc/strongswan/ipsec.d/private/

    : RSA privkey.pem

    # syntax is `username : EAP "plaintextpassword"`

    yonghuaming : EAP "mima"

     

    然后开启防火墙

    firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept’

    firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'

    firewall-cmd --zone=public --permanent --add-port=500/udp

    firewall-cmd --zone=public --permanent --add-port=4500/udp

    firewall-cmd --zone=public --permanent --add-service="ipsec"

    firewall-cmd --zone=public --permanent --add-masquerade

    firewall-cmd --reload

    保存设置

    firewall-cmd --list-all

     

    再加些东西到 /etc/sysctl.conf

    net.ipv4.ip_forward = 1

    net.ipv4.conf.all.accept_redirects = 0

    net.ipv4.conf.all.send_redirects = 0

    然后使它生效

    sysctl -p

    全部完成了!

     
  • 相关阅读:
    Twitter OA prepare: Rational Sum
    Java: Best Way to read a file
    Summary: gcd最大公约数、lcm最小公倍数算法
    Twitter OA prepare: Flipping a bit
    Twitter OA prepare: Equilibrium index of an array
    echo -e 参数
    openwrt 添加luci选项
    基于TLS的EAP 认证方法
    linux命令 dirname
    freeradius 错误: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate
  • 原文地址:https://www.cnblogs.com/redmondfan/p/7348923.html
Copyright © 2020-2023  润新知