fix: use webroot nginx site for acme.sh certificate issuance

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
dekun
2026-06-16 08:30:33 +08:00
parent 7089fa5777
commit 2653afa287
4 changed files with 300 additions and 275 deletions
+1
View File
@@ -78,6 +78,7 @@ Nginx 127.0.0.1:8080 ← 伪装静态页(fallback
| 端口 | 协议 | 用途 |
|------|------|------|
| 22 | TCP | SSH |
| 80 | TCP | HTTPLet's Encrypt 证书验证) |
| 443 | TCP | VLESS + Reality |
| 8443 | UDP | Hysteria2 |
+1 -1
View File
@@ -146,7 +146,7 @@ systemctl restart sing-box
|------|------|
| `set: pipefail: invalid option` | Windows 换行符问题,执行:`sed -i 's/\r$//' scripts/*.sh .env` 后重试 |
| `dig` 未返回正确 IP | 等待 DNS 生效或检查解析记录 |
| acme 证书失败 | 确认 80 端口可访问:`curl -I http://66.hyf2.cc` |
| acme 证书失败 | 确认 80 端口可访问:`curl http://66.hyf2.cc/.well-known/acme-challenge/test`;检查 nginx acme 站点是否启用 |
| sing-box 启动失败 | `journalctl -u sing-box -n 50` 查看报错 |
| 客户端连不上 | 核对 `share-links.txt``.env` 中密钥一致 |
+8 -1
View File
@@ -63,6 +63,7 @@ ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp comment 'SSH'
ufw allow 80/tcp comment 'HTTP-ACME'
ufw allow 443/tcp comment 'Reality'
ufw allow 8443/udp comment 'Hysteria2'
ufw --force enable
@@ -73,6 +74,12 @@ cp "$ROOT_DIR/server/nginx/index.html" /var/www/fallback/
cp "$ROOT_DIR/server/nginx/fallback.conf" /etc/nginx/sites-available/fallback
ln -sf /etc/nginx/sites-available/fallback /etc/nginx/sites-enabled/fallback
rm -f /etc/nginx/sites-enabled/default
log "部署 Nginx ACME 验证站点 (80) ..."
mkdir -p /var/www/acme
sed "s|__DOMAIN__|${DOMAIN}|g" "$ROOT_DIR/server/nginx/acme.conf.template" \
> /etc/nginx/sites-available/acme
ln -sf /etc/nginx/sites-available/acme /etc/nginx/sites-enabled/acme
nginx -t && systemctl enable nginx && systemctl restart nginx
log "申请 TLS 证书 (Let's Encrypt) ..."
@@ -90,7 +97,7 @@ if [[ "$CURRENT_IP" != "$VPS_IP" ]]; then
fi
/root/.acme.sh/acme.sh --set-default-ca --server letsencrypt
/root/.acme.sh/acme.sh --issue -d "$DOMAIN" --nginx --force
/root/.acme.sh/acme.sh --issue -d "$DOMAIN" -w /var/www/acme --force
/root/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
--key-file /etc/sing-box/certs/privkey.pem \
--fullchain-file /etc/sing-box/certs/fullchain.pem \
+17
View File
@@ -0,0 +1,17 @@
server {
listen 80;
listen [::]:80;
server_name __DOMAIN__;
root /var/www/acme;
location /.well-known/acme-challenge/ {
default_type "text/plain";
try_files $uri =404;
}
location / {
return 200 'ok';
add_header Content-Type text/plain;
}
}