Archive for March 2018

How to register a .SI domain

March 27, 2018

【Introduction】

The .SI suffix is the country-code top-level domain (ccTLD) of Slovenia.

【Registration】

Register at: https://www.hostko.si/

【Applications】

How to manage DNS with Minongjia (米农家)

March 23, 2018

【Reference】

Minongjia integrates six DNS service providers: DNSPod, Alibaba Cloud, DNS.COM (formerly 51dns), CloudXNS, DNS.LA and DNS盾.

You only need to fill in the authentication parameters to batch-add domains, batch-add resolution records, batch-delete domains and so on.

Official site: http://minongjia.cn/

Taking DNSPod as an example:

1. Create an API Token in the DNSPod console

https://www.dnspod.cn/console/user/security

2. Add the API Token in the Minongjia console

http://minongjia.cn/view/account

Note: enter the complete Token information in the form "ID,Token" (ID and Token separated by an ASCII comma, without the quotation marks). Treat this pair as a credential: anyone holding it can change every record in the account.

3. Perform batch operations in the Minongjia console

What I need right now is to batch-add the record * to every domain in the DNSPod account; www and @ already exist.

Current workflow:

1. Export the domain list with the DNSPod client.
2. Batch-delete the domains in Minongjia or the DNSPod client. 【Note: turn off notifications in the DNSPod console first, otherwise one e-mail notification is sent per domain: https://www.dnspod.cn/console/user/notice】
3. In the Minongjia console at http://minongjia.cn/view/add_domain: paste the domain list → enter the IP → tick "also add www @ *" → click the 【Add】 button.

Ideal workflow (already on the vendor's development schedule):

1. Export the domain list with the DNSPod client.
2. In the Minongjia console at http://minongjia.cn/view/add_domain: paste the domain list → enter the IP → tick "also add *" → click the 【Add】 button.
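The ideal workflow above (add only the missing * record, without deleting and re-adding domains) can be scripted directly against the DNSPod API referenced below. This is an added example, not Minongjia's or DNSPod's own code; the endpoint https://dnsapi.cn, the action names Domain.List / Record.List / Record.Create and the JSON field names are assumptions taken from the DNSPod API documentation linked on this page, and the "ID,Token" format is the one the Minongjia form requires.

```python
import json
import urllib.parse
import urllib.request
from typing import Dict, List

# Assumption: endpoint and action names follow the DNSPod API docs linked below.
DNSPOD_API = "https://dnsapi.cn"

def parse_login_token(raw: str) -> str:
    """Normalise the 'ID,Token' pair: numeric ID, ASCII comma, no quotes."""
    cleaned = raw.strip().strip('"').replace("，", ",")  # tolerate a full-width comma
    id_part, _, secret = cleaned.partition(",")
    if not id_part.strip().isdigit() or not secret.strip():
        raise ValueError("login token must look like '12345,abcdef...'")
    return f"{id_part.strip()},{secret.strip()}"

def plan_wildcard_records(domains: List[str], existing: Dict[str, List[str]], ip: str) -> List[Dict]:
    """List the '*' A records still missing. Domains that already carry '*'
    are skipped, so re-running the job never creates duplicate records."""
    return [
        {"domain": d, "sub_domain": "*", "record_type": "A", "record_line": "默认", "value": ip}
        for d in domains
        if "*" not in existing.get(d, [])
    ]

def dnspod_post(action: str, login_token: str, **params) -> Dict:
    """POST one API action (form-encoded request, JSON reply, per the DNSPod docs)."""
    data = urllib.parse.urlencode({"login_token": login_token, "format": "json", **params}).encode()
    req = urllib.request.Request(f"{DNSPOD_API}/{action}", data=data,
                                 headers={"User-Agent": "wildcard-batch/0.1 (support@domainname.com)"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)

def add_wildcards(login_token: str, ip: str) -> int:
    """Add a '*' record to every domain lacking one; returns how many were created."""
    domains = [d["name"] for d in dnspod_post("Domain.List", login_token)["domains"]]
    existing = {d: [r["name"] for r in dnspod_post("Record.List", login_token, domain=d).get("records", [])]
                for d in domains}
    plan = plan_wildcard_records(domains, existing, ip)
    for rec in plan:
        dnspod_post("Record.Create", login_token, **rec)
    return len(plan)
```

Because the plan is computed from the existing records first, the script can be re-run safely after a partial failure and will only touch domains that still lack the * record.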

Reference: https://support.dnspod.cn/Support/api
Reference: https://support.dnspod.cn/Kb/showarticle/tsid/229/#link3

How to issue a Let's Encrypt certificate

March 20, 2018

【Thoughts】

A. Multi-domain certificate: the problem is that it rarely supports more than 100 names; dropped.
B. Wildcard certificate + subdomains: meets the need in terms of customer capacity, but custom domains would remain unprotected.
C. Single-domain certificate + subdirectories: meets the need in terms of customer capacity, but custom domains would remain unprotected.
D. Multiple single-domain certificates: the problem is how WPMU would map to multiple certificates.

1. Automatic issuance: when a user binds a domain successfully, issue and deploy automatically.
2. Periodic renewal: work out how the deployment system renews on a schedule.
3. Certificate deployment: the domains users bind have no actual directory on the server, so will the certificate take effect correctly?
4. Unified monitoring: consider how to implement what letsmonitor.org does.
5. Batch-generate Let's Encrypt certificates for existing mirror domains / automatically generate Let's Encrypt certificates for newly added mirror domains.

Reference: http://www.gossamer-threads.com/lists/gnupg/users/57476

【Introduction】

Let's Encrypt officially opened to the public on November 16, 2015. ACMEv2, released by Let's Encrypt on March 15, 2018, brought official support for wildcard certificates.

Reference: https://linux.cn/article-6565-1.html
Reference: https://www.v2ex.com/t/437798#reply120
Reference: https://www.zhihu.com/question/36710815?sort=created

【Issuance】

certbot method:

Verified in practice on most VPSes.

1. Install certbot-auto

wget https://dl.eff.org/certbot-auto && chmod a+x certbot-auto

2. Request the certificate

Ordinary SSL certificate: protects the root domain domainname.com, the primary domain www.domainname.com, or other subdomains such as misc.domainname.com.

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d domainname.com -d www.domainname.com -d misc.domainname.com --manual --preferred-challenges dns-01 certonly

Wildcard SSL certificate: protects the root domain domainname.com and all subdomains *.domainname.com. Wildcard names can only be validated with the dns-01 challenge, which is why the command uses --manual --preferred-challenges dns-01.

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d domainname.com -d "*.domainname.com" --manual --preferred-challenges dns-01 certonly

A series of dependency packages will be installed, then setup and issuance follow:

...
Dependency Installed:
...
Complete!
Upgrading certbot-auto 0.22.0 to 0.22.2...
...
Installation succeeded.
...
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): support@domainname.com
...
Please read the Terms of Service at
...
(A)gree/(C)ancel: A
...
Would you be willing to share your email address with the Electronic Frontier
...
(Y)es/(N)o: Y
...
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for domainname.com
...
NOTE: The IP of this machine will be publicly logged as having requested this
...
(Y)es/(N)o: Y
...
Please deploy a DNS TXT record under the name
_acme-challenge.domainname.com with the following value:

fqVKGH-bbY87iqw2S5qYZ9IwFu1aOa82Wkqb5DAlwe0

Before continuing, verify the record is deployed.
...
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domainname.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domainname.com/privkey.pem
   Your cert will expire on 2018-06-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Certificate paths:

/etc/letsencrypt/live/domainname.com/fullchain.pem
/etc/letsencrypt/live/domainname.com/privkey.pem

Remember to back up the entire directory (it holds the private keys and the ACME account key, so protect the backup as carefully as the server itself):

/etc/letsencrypt

3. Certificate renewal

./certbot-auto renew

Note: certificates obtained with --manual dns-01 as above cannot be renewed unattended; certbot needs a --manual-auth-hook script that publishes the _acme-challenge TXT record, otherwise renewal has to be repeated interactively before the expiry date.

4. Certificate re-issuance

If you need to re-issue, first delete the corresponding configuration files in each of the following directories:

/etc/letsencrypt/archive
/etc/letsencrypt/csr
/etc/letsencrypt/keys
/etc/letsencrypt/live
/etc/letsencrypt/renewal

Reference: https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
Reference: https://www.oschina.net/news/94188/acme-v2-and-wildcard-certificate-support-is-live
Reference: https://www.coderecord.cn/lets-encrypt-wildcard-certificates.html
Reference: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
Reference: https://my.oschina.net/kimver/blog/1634575
Reference: https://my.oschina.net/u/1021968/blog/1604461
Reference: https://www.chinassl.net/faq/n583.html

Reference: https://www.v2ex.com/t/165930
Reference: https://www.v2ex.com/t/437798#reply120

【Deployment】

1. Server configuration

Open httpd-vhosts.conf and edit:

<VirtualHost *:443>
	ServerName domainname.com
	ServerAlias www.domainname.com
	DocumentRoot /usr/local/apache2/htdocs/domainname.com/portal/
	ErrorLog /usr/local/apache2/htdocs/logs/domainname.com_error.log
	CustomLog /usr/local/apache2/htdocs/logs/domainname.com_access.log combined
	# TLS via mod_gnutls: certificate chain and private key
	GnuTLSEnable on
	GnuTLSPriorities NORMAL
	GnuTLSCertificateFile /usr/local/apache2/htdocs/ssl/domainname.com/chained.pem
	GnuTLSKeyFile /usr/local/apache2/htdocs/ssl/domainname.com/domain.key
	<Directory /usr/local/apache2/htdocs/domainname.com/portal>
		# Indexes enables directory listings; drop it unless listings are wanted
		Options Indexes FollowSymLinks
		AllowOverride All
		Require all granted
	</Directory>
</VirtualHost>

<VirtualHost *:80>
	ServerName domainname.com
	ServerAlias www.domainname.com
	DocumentRoot /usr/local/apache2/htdocs/domainname.com/portal/
	# Serves http-01 challenge files; not used by the dns-01 flow above
	Alias /.well-known/acme-challenge/ /usr/local/apache2/htdocs/challenges/
	ErrorLog /usr/local/apache2/htdocs/logs/domainname.com_error.log
	CustomLog /usr/local/apache2/htdocs/logs/domainname.com_access.log combined
	<Directory /usr/local/apache2/htdocs/domainname.com/portal>
		Options Indexes FollowSymLinks
		AllowOverride All
		Require all granted
	</Directory>
</VirtualHost>

【Verification】

After deployment, restart the server and open the site in a browser; it should load without errors.

In the certificate details, the "Subject Alternative Name" field shows:

Not Critical
DNS Name: *.domainname.com
DNS Name: domainname.com
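The browser check above can be automated for the "unified monitoring" item in the Thoughts section: connect, confirm the SAN list actually covers the hostname (a wildcard covers only one label, which is why the certificate carries both *.domainname.com and domainname.com), and report days to expiry. This is an added example using only the Python standard library, not code from the original post; SAMPLE_CERT is a constructed dictionary mirroring the certificate issued above, and SAMPLE_NOW is the post's date.

```python
import socket
import ssl
import time
from typing import Dict, Tuple

def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a leading '*' covers exactly one label, so
    *.domainname.com matches www.domainname.com but neither domainname.com
    nor a.b.domainname.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def check_cert(cert: Dict, host: str, now: float, warn_days: int = 30) -> Tuple[bool, str]:
    """cert has the dict shape ssl.SSLSocket.getpeercert() returns."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(san, host) for san in sans):
        return False, f"{host} is not covered by SAN {sans}"
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        return False, f"expired {-days_left:.0f} days ago"
    if days_left < warn_days:
        return False, f"expires in {days_left:.0f} days; run certbot-auto renew"
    return True, f"ok, {days_left:.0f} days left, SAN {sans}"

def fetch_cert(host: str, port: int = 443) -> Dict:
    """Open a verified TLS connection and return the leaf certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample mirroring the wildcard certificate issued above
# (expiry 2018-06-18 as printed by certbot); SAMPLE_NOW is the post's date.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.domainname.com"), ("DNS", "domainname.com")),
    "notAfter": "Jun 18 12:00:00 2018 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar 20 12:00:00 2018 GMT")

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "domainname.com"
    ok, msg = check_cert(fetch_cert(target), target, time.time())
    print(("OK   " if ok else "FAIL ") + target + ": " + msg)
```

Run it from cron against each bound domain and alert on FAIL; the 30-day threshold matches the point at which Let's Encrypt recommends renewing.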

【Troubleshooting】

If the server session exits halfway through configuration and you then re-run issuance for the same domain, it errors with:

Another instance of Certbot is already running

Find the process ID of the half-finished run:

ps -ef | grep certb

Then remove it with kill plus the process ID (1105 was the PID in this case):

kill 1105

After clearing the stray process, run the issuance command again.

How to reset a server from a snapshot in Vultr

March 13, 2018

1. Restore a snapshot onto an existing VPS

You can restore an Automatic Backup or manual Snapshot to your instance via the following steps:

1. Log in to my.vultr.com
2. Click the label of the instance you'd like to restore.
3. Click the "Backups" or "Snapshots" tab near the top of this page.
4. Click the "Restore" icon next to the appropriate Backup or Snapshot.

Please note that this will overwrite the selected instance's file system with the data contained within this Backup or Snapshot.

2. Create a new VPS from a snapshot

Reference: https://www.vultr.com/docs/how-to-restore-a-snapshot

Restoring a snapshot

In order to restore a snapshot, you will need to create a new server with that snapshot selected. Log in to My Vultr https://my.vultr.com/ and click "Deploy" in the menu or "Deploy New Instance".

You can choose your server type and location. At operating system, select "Snapshot" instead of an actual OS. Now, click your snapshot in the dropdown. You can identify snapshots by their format, ID – description, where the description is the hostname of your server. Make sure that you use an equal or bigger disk size than the one the snapshot was created from. Say you created a snapshot of a server with a 45 GB disk: you can only restore the snapshot to a server with a 45 GB disk or more.

You can now select your plan and optional features. Once you've confirmed everything is correct and you've chosen your snapshot as your OS, click "Place Order".

A new VPS will be launched based on your snapshot. Once it boots, it will be ready for use. If you need to make networking changes, see this guide.

Important: https://www.vultr.com/docs/correcting-network-configuration-after-snapshot-restore

CentOS

1. Log in to your server via the KVM in your control panel.
2. Remove the contents of /etc/udev/rules.d/70-persistent-net.rules.
3. Open /etc/sysconfig/network-scripts/ifcfg-eth0 and change the contents to the following:

DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
DNS1=8.8.8.8
NAME="System eth0"

4. Reboot your server.

Once you have network connectivity again, you can permanently fix these issues by installing the cloud-init package from EPEL. This software will take care of adjusting your network adapter configuration whenever a snapshot is restored.

How to use yum groupinstall

March 13, 2018

Error: No packages in any requested group available to install or update

yum groupinstall "Development Tools"

Error output:

Loaded plugins: langpacks, product-id, subscription-manager
epel/x86_64/metalink | 14 kB 00:00
rhel-7-workstation-extras-rpms | 2.5 kB 00:00
rhel-7-workstation-optional-rpms | 2.9 kB 00:00
rhel-7-workstation-rpms | 3.7 kB 00:00
rpmforge | 1.9 kB 00:00
Warning: Group development does not have any packages to install.
No packages in any requested group available to install or update

The group may already be installed.

In that case, first run yum grouplist to see which groups are installed and which are available, get the exact group name, and then install it.

yum grouplist

Reference: http://www.jb51.net/os/RedHat/117151.html
Reference: https://access.redhat.com/discussions/1262603
Reference: http://www.cnblogs.com/qinwei/p/7466512.html