Letsencrypt certbot-nginx插件.它是如何工作的?

前端之家收集整理的这篇文章主要介绍了Letsencrypt certbot-nginx插件.它是如何工作的? 前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。

我成功使用certbot-Nginx插件.

我知道it是开源的,托管在github上.

但是我没有足够的技能来分析此代码.

例如:

我有几个由Nginx代理的内部站点.所有virtualhost配置均具有以下匿名访问限制:

allow 192.168.1.0/24;
allow 192.168.0.0/24;
allow 10.88.0.0/16;
allow 127.0.0.1;
# gate1.example.com
allow X.X.X.X;
# gate2.example.com
allow X.X.X.X;
# other gate's
# .......
deny all;

此访问限制禁止letencrypt服务器以及所有其他未定义的主机.

但是certbot更新–Nginx正常执行证书更新.

它是如何工作的 ?

是否安全?

最佳答案
我本人也在问同样的问题,所以我做了一些挖掘,这是我发现的:

Certbot主要使用80或443端口进行质询(http-01和tls-sni-01)以验证域所有权,如certbot docs中所述:

Under the hood,plugins use one of several ACME protocol challenges to
prove you control a domain. The options are http-01 (which uses port
80),tls-sni-01 (port 443) and dns-01 (requiring configuration of a
DNS server on port 53,though that’s often not the same machine as
your webserver). A few plugins support more than one challenge type,
in which case you can choose one with –preferred-challenges.

查看http-01挑战的certbot_Nginx plugin implementation,我们可以看到插件编辑了Nginx配置,以包括用于执行挑战的其他服务器块:

  def _make_server_block(self,achall):
    """Creates a server block for a challenge.
    :param achall: Annotated HTTP-01 challenge
    :type achall:
        :class:`certbot.achallenges.KeyAuthorizationAnnotatedChallenge`
    :param list addrs: addresses of challenged domain
        :class:`list` of type :class:`~Nginx.obj.Addr`
    :returns: server block for the challenge host
    :rtype: list
    """

猜你在找的Nginx相关文章