fix: use webroot nginx site for acme.sh certificate issuance
Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
@@ -78,6 +78,7 @@ Nginx 127.0.0.1:8080 ← 伪装静态页(fallback)
|
||||
| 端口 | 协议 | 用途 |
|
||||
|------|------|------|
|
||||
| 22 | TCP | SSH |
|
||||
| 80 | TCP | HTTP(Let's Encrypt 证书验证) |
|
||||
| 443 | TCP | VLESS + Reality |
|
||||
| 8443 | UDP | Hysteria2 |
|
||||
|
||||
|
||||
+1
-1
@@ -146,7 +146,7 @@ systemctl restart sing-box
|
||||
|------|------|
|
||||
| `set: pipefail: invalid option` | Windows 换行符问题,执行:`sed -i 's/\r$//' scripts/*.sh .env` 后重试 |
|
||||
| `dig` 未返回正确 IP | 等待 DNS 生效或检查解析记录 |
|
||||
| acme 证书失败 | 确认 80 端口可访问:`curl -I http://66.hyf2.cc` |
|
||||
| acme 证书失败 | 确认 80 端口可访问:`curl http://66.hyf2.cc/.well-known/acme-challenge/test`;检查 nginx acme 站点是否启用 |
|
||||
| sing-box 启动失败 | `journalctl -u sing-box -n 50` 查看报错 |
|
||||
| 客户端连不上 | 核对 `share-links.txt` 与 `.env` 中密钥一致 |
|
||||
|
||||
|
||||
+8
-1
@@ -63,6 +63,7 @@ ufw --force reset
|
||||
ufw default deny incoming
|
||||
ufw default allow outgoing
|
||||
ufw allow 22/tcp comment 'SSH'
|
||||
ufw allow 80/tcp comment 'HTTP-ACME'
|
||||
ufw allow 443/tcp comment 'Reality'
|
||||
ufw allow 8443/udp comment 'Hysteria2'
|
||||
ufw --force enable
|
||||
@@ -73,6 +74,12 @@ cp "$ROOT_DIR/server/nginx/index.html" /var/www/fallback/
|
||||
cp "$ROOT_DIR/server/nginx/fallback.conf" /etc/nginx/sites-available/fallback
|
||||
ln -sf /etc/nginx/sites-available/fallback /etc/nginx/sites-enabled/fallback
|
||||
rm -f /etc/nginx/sites-enabled/default
|
||||
|
||||
log "部署 Nginx ACME 验证站点 (80) ..."
|
||||
mkdir -p /var/www/acme
|
||||
sed "s|__DOMAIN__|${DOMAIN}|g" "$ROOT_DIR/server/nginx/acme.conf.template" \
|
||||
> /etc/nginx/sites-available/acme
|
||||
ln -sf /etc/nginx/sites-available/acme /etc/nginx/sites-enabled/acme
|
||||
nginx -t && systemctl enable nginx && systemctl restart nginx
|
||||
|
||||
log "申请 TLS 证书 (Let's Encrypt) ..."
|
||||
@@ -90,7 +97,7 @@ if [[ "$CURRENT_IP" != "$VPS_IP" ]]; then
|
||||
fi
|
||||
|
||||
/root/.acme.sh/acme.sh --set-default-ca --server letsencrypt
|
||||
/root/.acme.sh/acme.sh --issue -d "$DOMAIN" --nginx --force
|
||||
/root/.acme.sh/acme.sh --issue -d "$DOMAIN" -w /var/www/acme --force
|
||||
/root/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
|
||||
--key-file /etc/sing-box/certs/privkey.pem \
|
||||
--fullchain-file /etc/sing-box/certs/fullchain.pem \
|
||||
|
||||
@@ -0,0 +1,17 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name __DOMAIN__;
|
||||
|
||||
root /var/www/acme;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
default_type "text/plain";
|
||||
try_files $uri =404;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 200 'ok';
|
||||
add_header Content-Type text/plain;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user