初次使用Let's encrypt

wget --no-check-certificate -O shadowsocks.sh https://raw.githubusercontent.com/teddysun/shadowsocks_install/master/shadowsocks.sh
chmod +x shadowsocks.sh
./shadowsocks.sh 2>&1 | tee shadowsocks.log

完成后这这样

Congratulations, Shadowsocks-python server install completed!
Your Server IP        :your_server_ip
Your Server Port      :your_server_port
Your Password         :your_password
Your Encryption Method:your_encryption_method

Welcome to visit:https://teddysun.com/342.html
Enjoy it!

然后用 vi /etc/shadowsocks.json 把里面的配置修改

启动：/etc/init.d/shadowsocks start
停止：/etc/init.d/shadowsocks stop
重启：/etc/init.d/shadowsocks restart
状态：/etc/init.d/shadowsocks status

建立Let's encrypt

sudo yum install epel-release
sudo yum install httpd mod_ssl python-certbot-apache
sudo systemctl start httpd

sudo firewall-cmd --add-service=http

sudo firewall-cmd --add-service=https

sudo firewall-cmd --runtime-to-permanent

 

sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT

sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

然后建立证书比如要建立一个二级域名sub.example.com

sudo certbot --apache -d sub.example.com

如无意外会出现如下

- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert
   will expire on 2016-04-21. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you lose your account credentials, you can recover through
   e-mails sent to user@example.com.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 这时证书会在 /etc/letsencrypt/live

如果出错了要这个命令

 certbot --authenticator webroot --installer apache 

再测试

sudo apachectl configtest

再重启

sudo systemctl restart httpd

这时相信你可以访问你的https网站

这时要设置自动更新你的证书

sudo certbot renew

再用定时做个自动更新证书 

sudo crontab -e

进入后输入这个命令行

30 2 * * * /usr/bin/certbot renew >> /var/log/le-renew.log

好了，然后再做个ikev2服务器

yum install strongswan

systemctl enable strongswan

systemctl start strongswan

先确认 /etc/letsencrypt/live/mydomain.com/ 下面有你的证书文件

fullchain.pem，privkey.pem，chain.pem

然后用这几个命令，注意，下面的mydomain.com改成你自己的域名

ln -s /etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/strongswan/ipsec.d/certs/fullchain.pem

ln -s /etc/letsencrypt/live/mydomain.com/privkey.pem /etc/strongswan/ipsec.d/private/privkey.pem

ln -s /etc/letsencrypt/live/mydomain.com/chain.pem /etc/strongswan/ipsec.d/cacerts/chain.pem

修改/etc/strongswan/ipsec.conf，注意下面 leftid=server.mydomain.com 要改成自己的域名

config setup

          uniqueids=no charon

             debug = ike 3, cfg 3

conn %default

                dpdaction=clear

                 dpddelay=35s

                 dpdtimeout=2000s

                  keyexchange=ikev2

                   auto=add

                 rekey=no

                  reauth=no

                  fragmentation=yes

                    compress=yes

                 ### left - local (server) side

                    # filename of certificate chain located in /etc/strongswan/ipsec.d/certs/

                     leftcert=fullchain.pem

                       leftsendcert=always

                      leftsubnet=0.0.0.0/0,::/0

                   ### right - remote (client) side

                     eap_identity=%identity

                      rightsourceip=10.1.1.0/24,2a00:1450:400c:c05::/112             

                         rightdns=8.8.8.8,2001:4860:4860::8888

      conn          ikev2-mschapv2

                      rightauth=eap-mschapv2

        conn        ikev2-mschapv2-apple

                        rightauth=eap-mschapv2 leftid=server.mydomain.com

 

然后再改 /etc/strongswan/ipsec.secrets 根据自己改自己用户名和密码改下面的yonghuaming : EAP "mima"

# filename of private key located in /etc/strongswan/ipsec.d/private/

: RSA privkey.pem

# syntax is `username : EAP "plaintextpassword"`

yonghuaming : EAP "mima"

 

然后开启防火墙

firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept’

firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'

firewall-cmd --zone=public --permanent --add-port=500/udp

firewall-cmd --zone=public --permanent --add-port=4500/udp

firewall-cmd --zone=public --permanent --add-service="ipsec"

firewall-cmd --zone=public --permanent --add-masquerade

firewall-cmd --reload

保存设置

firewall-cmd --list-all

 

再加些东西到 /etc/sysctl.conf

net.ipv4.ip_forward = 1

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.send_redirects = 0

然后使它生效

sysctl -p

全部完成了！