Part 6 - Obtaining and Configuring Certificates

  • Generate and install a certificate with certbot
  • Update the root certificate
  • Verify the certificate installation with zend



Description | Instructions

1

Before continuing, verify that the environment variables were set correctly in Part 3, Steps 1 and 2. If they were not, redo those steps before continuing.

echo should print your FQDN.

The last line of .bashrc should read: export FQDN=<your FQDN here>

echo $FQDN


Example Output

zenops@node01:~$ echo $FQDN
node01.zentest.win


sed -e 1b -e '$!d' $HOME/.bashrc


Example Output

zenops@node01:~$ sed -e 1b -e '$!d' $HOME/.bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.
export FQDN=node01.zentest.win

2

Install the certificate (required for end-to-end TLS encryption of the secure/super node network). certbot will be used to generate and validate your certificate.

    • You can safely pass the --register-unsafely-without-email flag because (1) a new certificate can be requested at any time and (2) the guide configures automatic certificate renewal in Part 10.

Note: some VPS providers ship with apache2 enabled, which occupies port 80. If you get an error about being unable to bind to port 80 while obtaining the standalone certificate, apache2 must be disabled.

Disable apache2 (only if enabled; see the note above)

sudo systemctl disable apache2
sudo systemctl stop apache2
sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN
Example Output

zenops@node01$ sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Registering without email!

Obtaining a new certificate

Performing the following challenges:
http-01 challenge for node01.zentest.win
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/node01.zentest.win/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/node01.zentest.win/privkey.pem
   Your cert will expire on 2018-09-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


3

Copy the root CA as required by your system - this example has been verified on Debian/Ubuntu.

Note: if you type this command by hand, make sure the certificate is renamed with the ".crt" extension; the next command needs that extension to identify the certificate and add it to the certificate store. Unless otherwise noted, copying and pasting is recommended.

Debian / Ubuntu systems

sudo cp /etc/letsencrypt/live/$FQDN/chain.pem /usr/local/share/ca-certificates/chain.crt
4

Update the certificate store with the root CA copied in the previous step.

Debian / Ubuntu systems

sudo update-ca-certificates
Example Output

zenops@node01:~$ sudo update-ca-certificates

Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

5

Add the certificate and key locations to zen.conf.

Note: run these commands only once; each run appends another line to zen.conf.

Certificate

echo "tlscertpath=/etc/letsencrypt/live/$FQDN/cert.pem" >> ~/.zen/zen.conf

Key

echo "tlskeypath=/etc/letsencrypt/live/$FQDN/privkey.pem" >> ~/.zen/zen.conf

6

Change the group ownership and permissions of the /etc/letsencrypt directory so that the non-root user can access the certificate and private key (access is granted through the sudo group, to which the non-root user has already been added).

Change ownership

sudo chown -R root:sudo /etc/letsencrypt/

Change permissions

sudo chmod -R 750 /etc/letsencrypt/

7

Now stop and start zend so that it picks up the new configuration, certificate and private key.
zen-cli stop && sleep 30 && zend && sleep 30
8

Check that the certificate has been installed and configured correctly.

  • Run the command shown and verify that this line returns true: "tls_cert_verified": true

If that line shows false, verify that the steps above completed successfully and consult the node troubleshooting guide.

zen-cli getnetworkinfo


Example Output

zenops@node01:~$ zen-cli getnetworkinfo
{
  "version": 2001751,
  "subversion": "/zen:2.0.17-1/",
  "protocolversion": 170002,
  "localservices": "0000000000000001",
  "timeoffset": 0,
  "connections": 8,
  "tls_cert_verified": true,
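As an added example that is not part of the Horizen guide, the following POSIX shell script bundles the checks from steps 5, 6 and 8 into reusable functions: it reads the tlscertpath/tlskeypath entries from zen.conf, confirms the files are readable by the current non-root user, confirms the certificate and private key belong together (using openssl, when available), and tests getnetworkinfo output for "tls_cert_verified": true. The sample getnetworkinfo JSON embedded in the script is constructed for the offline demonstration; the zen.conf keys and file paths are the ones the guide uses.

```shell
#!/bin/sh
# Added example (not part of the Horizen guide): offline sanity checks for the
# certificate steps above. Assumes the zen.conf keys and paths the guide uses.

# Print the value of a zen.conf key (the last occurrence wins).
zen_conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Succeed if getnetworkinfo JSON on stdin reports "tls_cert_verified": true.
tls_verified() {
    grep -q '"tls_cert_verified": *true'
}

# Check that the cert and key named in zen.conf exist, are readable by the
# current user (step 6) and belong together; print the reason and fail otherwise.
check_tls_paths() {
    cert=$(zen_conf_get "$1" tlscertpath)
    key=$(zen_conf_get "$1" tlskeypath)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "tlscertpath/tlskeypath missing from $1 (step 5)"; return 1
    fi
    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f: check ownership/permissions (step 6)"; return 1
        fi
    done
    if command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -pubkey -noout -in "$cert")
        key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
        if [ "$cert_pub" != "$key_pub" ]; then
            echo "public key in $cert does not match $key"; return 1
        fi
    fi
    return 0
}

# Constructed sample of zen-cli getnetworkinfo output for the offline demo.
SAMPLE_NETINFO='{ "version": 2001751, "connections": 8, "tls_cert_verified": true }'

printf '%s\n' "$SAMPLE_NETINFO" | tls_verified && echo "sample: tls_cert_verified is true"
# On a real node, run the same checks against the live configuration.
if [ -f "$HOME/.zen/zen.conf" ]; then
    check_tls_paths "$HOME/.zen/zen.conf" && echo "zen.conf: cert and key readable and match"
fi
```

On a running node, `zen-cli getnetworkinfo | tls_verified && echo ok` applies the same test to live output.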

Part 6 of 11 - Obtaining and Configuring Certificates



© 2019 Horizen. All rights reserved.