Secure Node + Super Node Setup Tutorial


  • Generate and install a certificate with certbot
  • Update the root certificate store
  • Verify the certificate installation with zend




Step 1

Before continuing, verify that the environment variable set in Part 3, steps 1 and 2, is still correct. If it is not, redo those steps before continuing.


echo should print your FQDN.

Reading the last line of .bashrc should show: export FQDN=<your FQDN here>


Code Block
echo $FQDN



Example Output

zenops@node01:~$ echo $FQDN
node01.zentest.win



Code Block
sed -e 1b -e '$!d' $HOME/.bashrc



Example Output

zenops@node01:~$ sed -e 1b -e '$!d' $HOME/.bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.
export FQDN=node01.zentest.win


Step 2

Install the certificate (required for end-to-end TLS encryption on the secure/super node network). certbot is used to generate and validate your certificate.

    • You can safely pass the --register-unsafely-without-email flag, because (1) a new certificate can be requested at any time and (2) the guide configures automatic certificate renewal in Part 10.

Note: some VPS providers ship with apache2 enabled, which holds port 80. If you get an error about being unable to bind to port 80 while obtaining the standalone certificate, you need to disable apache2.

Disable apache2 (only if it is enabled; see the note)

Code Block
sudo systemctl disable apache2
sudo systemctl stop apache2




Code Block
sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN





Example Output

zenops@node01$ sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Registering without email!
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for node01.zentest.win
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/node01.zentest.win/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/node01.zentest.win/privkey.pem
   Your cert will expire on 2018-09-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Step 3

Copy the Root CA as required by your system. This example has been verified on Debian/Ubuntu.


Note: if you type this command by hand, make sure the certificate is renamed with the ".crt" extension; the next command, which picks up the certificate and adds it to the certificate store, requires it. Unless stated otherwise, copying and pasting the commands is recommended.


For CentOS / Arch Linux

Debian / Ubuntu systems

Code Block
sudo cp /etc/letsencrypt/live/$FQDN/chain.pem /usr/local/share/ca-certificates/chain.crt


Step 4

Update the certificate store with the root CA copied in the previous step.


For CentOS / Arch Linux

Debian / Ubuntu systems

Code Block
sudo update-ca-certificates


Example Output

zenops@node01:~$ sudo update-ca-certificates

Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.


Step 5

Add the certificate and key locations to zen.conf.

Note: run these commands only once.

Certificate

Code Block
echo "tlscertpath=/etc/letsencrypt/live/$FQDN/cert.pem" >> ~/.zen/zen.conf

Key

Code Block
echo "tlskeypath=/etc/letsencrypt/live/$FQDN/privkey.pem" >> ~/.zen/zen.conf


Step 6

Change the group ownership and permissions of the /etc/letsencrypt directory so that the non-root user can access the certificate and private key (access is granted through the sudo group, to which the non-root user has already been added).

Change ownership

Code Block
sudo chown -R root:sudo /etc/letsencrypt/

Change permissions

Code Block
sudo chmod -R 750 /etc/letsencrypt/


Step 7

Now stop and start zend so that it picks up the new configuration, certificate and private key.


Code Block
zen-cli stop && sleep 30 && zend && sleep 30


Step 8

Check that the certificate has been installed and configured correctly.

  • Run the command shown and confirm that this line reports true: "tls_cert_verified": true


If that line shows false, verify that the steps above completed successfully and consult the node troubleshooting guide.


Code Block
zen-cli getnetworkinfo



Example Output

zenops@node01:~$ zen-cli getnetworkinfo
{
"version": 2001751,
"subversion": "/zen:2.0.17-1/",
"protocolversion": 170002,
"localservices": "0000000000000001",
"timeoffset": 0,
"connections": 8,
"tls_cert_verified": true,
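Added check script (not part of the original guide) that re-verifies the results of steps 3, 5 and 8 in one place: it assumes the paths used above (~/.zen/zen.conf and /usr/local/share/ca-certificates/chain.crt), catches the two mistakes the notes warn about (running the zen.conf echo commands twice, and copying the chain without the .crt extension), and reads the tls_cert_verified flag from zen-cli getnetworkinfo.

```shell
#!/bin/sh
# Added post-install check for the steps above (not part of the original guide).
# Every function returns 0 when the check passes and 1 otherwise.

# Number of times a key is set in zen.conf. The guide says to run the two echo
# commands only once; a second run leaves a duplicate line behind, so anything
# other than exactly one copy of each key is a misconfiguration.
count_key() {  # $1 = zen.conf path, $2 = key name
    grep -c "^$2=" "$1"
}

# zen.conf must hold exactly one tlscertpath and one tlskeypath, each pointing
# into the Let's Encrypt live directory for this FQDN.
check_zen_conf() {  # $1 = zen.conf path, $2 = FQDN
    [ "$(count_key "$1" tlscertpath)" -eq 1 ] || return 1
    [ "$(count_key "$1" tlskeypath)" -eq 1 ] || return 1
    grep -qxF "tlscertpath=/etc/letsencrypt/live/$2/cert.pem" "$1" || return 1
    grep -qxF "tlskeypath=/etc/letsencrypt/live/$2/privkey.pem" "$1"
}

# update-ca-certificates only picks up files ending in .crt (step 3 note), so a
# chain copied as chain.pem silently never enters the trust store.
check_ca_copy() {  # $1 = path of the copied chain file
    case "$1" in
        *.crt) [ -f "$1" ] ;;
        *) return 1 ;;
    esac
}

# Read the tls_cert_verified flag out of `zen-cli getnetworkinfo` output.
tls_verified() {  # $1 = file holding the JSON output; reads stdin when omitted
    grep -q '"tls_cert_verified": *true' ${1:+"$1"}
}

# Run all checks against the real locations used in the guide.
check_node() {  # $1 = FQDN
    check_zen_conf "$HOME/.zen/zen.conf" "$1" || { echo "zen.conf: bad TLS paths"; return 1; }
    check_ca_copy /usr/local/share/ca-certificates/chain.crt \
        || { echo "root CA chain not copied as .crt"; return 1; }
    zen-cli getnetworkinfo | tls_verified || { echo "tls_cert_verified is not true"; return 1; }
    echo "TLS setup looks correct for $1"
}

# Usage on the node: sh check_tls.sh "$FQDN"
if [ "$#" -gt 0 ]; then check_node "$1"; fi
```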



Part 6 of 11 - Obtaining and configuring certificates
