
acme-dns and acme.sh

acme-dns is a limited DNS server with a RESTful HTTP API to handle ACME DNS challenges easily and securely.

A simplified DNS server with a RESTful HTTP API to provide a simple way to automate ACME DNS challenges.

Many DNS servers do not provide an API to enable automation for the ACME DNS challenges. Those which do, give the keys way too much power. Leaving the keys laying around your random boxes is too often a requirement to have a meaningful process automation.

Acme-dns provides a simple API exclusively for TXT record updates and should be used with ACME magic “_acme-challenge” - subdomain CNAME records. This way, in the unfortunate exposure of API keys, the effects are limited to the subdomain TXT record in question.

So basically it boils down to accessibility and security.

How it works

  1. Register manually (a one-time step).
  2. In the DNS configuration of the domain to be validated, add a CNAME from its challenge name (_acme-challenge.<domain>) to the fulldomain generated by the acme-dns register call.
  3. The acme.sh command asks the Let's Encrypt server for a challenge, and the server returns a text value.
  4. acme.sh calls the acme-dns update endpoint to set that text value on the fulldomain; what this endpoint actually does is create a TXT record on acme-dns for fulldomain with that text value.
  5. The Let's Encrypt server validates the challenge domain, checking whether it can finally retrieve the text value it returned to acme.sh: _acme-challenge.test2.greenwhale.tech -CNAME-> 27a59eb9-90a6-4a04-b135-1b34dd3ae092.auth.acme-dns.io -TXT-> text value (returned by the Let's Encrypt server)

Example

Here auth.acme-dns.io is used to issue a certificate for test.greenwhale.tech.

curl -X POST https://auth.acme-dns.io/register

Add the DNS record:

CNAME _acme-challenge.test 27a59eb9-90a6-4a04-b135-1b34dd3ae092.auth.acme-dns.io

The CNAME target is the fulldomain returned by the register call.

export ACMEDNS_UPDATE_URL="https://auth.acme-dns.io/update"
export ACMEDNS_USERNAME="b2901f5b-f033-4b46-8220-e29a1233b6eb"
export ACMEDNS_PASSWORD="e0M_BfSFm4kXhnQBHFq1JWh_ohoMCi4j3HlYoL2d"
export ACMEDNS_SUBDOMAIN="27a59eb9-90a6-4a04-b135-1b34dd3ae092"
acme.sh --issue --dns dns_acmedns -d test.greenwhale.tech
chenzhenyang@chenzhenyang:~$ dig txt _acme-challenge.test2.greenwhale.tech 

; <<>> DiG 9.11.5-P1-1ubuntu2.5-Ubuntu <<>> txt _acme-challenge.test2.greenwhale.tech
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53018
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_acme-challenge.test2.greenwhale.tech. IN TXT

;; ANSWER SECTION:
_acme-challenge.test2.greenwhale.tech. 599 IN CNAME 50231d33-06bb-4ae0-9e31-dad3c1d705a8.auth.taomiao.store.
50231d33-06bb-4ae0-9e31-dad3c1d705a8.auth.taomiao.store. 0 IN TXT "v6gMbHuLHUPluEV1g7l8xp-Ycqi7WLT3uyYnyelWD8E"

;; Query time: 3311 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: 二 9月 10 19:14:52 CST 2019
;; MSG SIZE  rcvd: 191
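As an added example (not code from acme.sh, acme-dns or the original post), here is a small Python sketch of the two halves of the flow above: the POST /update call that the dns_acmedns hook makes in step 4, and the CNAME-then-TXT lookup the Let's Encrypt server performs in step 5. The endpoint, header names and JSON fields follow the acme-dns README; the record table is constructed from the dig output above, and the credentials are the ones shown in the export lines.

```python
import json

TXT_LEN = 43  # acme-dns rejects challenge values that are not exactly 43 chars


def build_update_request(update_url, username, password, subdomain, txt):
    """Assemble the POST /update call that the dns_acmedns hook makes (step 4).
    Returns (url, headers, body) so it can be inspected without any network."""
    if len(txt) != TXT_LEN:
        raise ValueError(f"txt must be exactly {TXT_LEN} chars, got {len(txt)}")
    # These credentials can only rewrite this one subdomain's TXT record,
    # which is why delegating _acme-challenge via CNAME limits the blast radius.
    headers = {"X-Api-User": username, "X-Api-Key": password,
               "Content-Type": "application/json"}
    body = json.dumps({"subdomain": subdomain, "txt": txt}).encode()
    return update_url, headers, body


def resolve_txt(name, records, max_hops=8):
    """Follow CNAMEs the way the validating CA does (step 5) and return the
    TXT strings at the end of the chain. `records` maps an FQDN (with trailing
    dot) to a list of (type, value) pairs; loops and long chains are rejected."""
    seen = set()
    for _ in range(max_hops):
        fqdn = name if name.endswith(".") else name + "."
        if fqdn in seen:
            raise RuntimeError(f"CNAME loop at {fqdn}")
        seen.add(fqdn)
        rrset = records.get(fqdn, [])
        cnames = [v for t, v in rrset if t == "CNAME"]
        if not cnames:
            return [v for t, v in rrset if t == "TXT"]
        name = cnames[0]
    raise RuntimeError("too many CNAME hops")


def challenge_satisfied(name, records, expected_txt):
    """True when the CA would find expected_txt behind the challenge name."""
    return expected_txt in resolve_txt(name, records)


# Constructed record table, copied from the dig answer section above.
SAMPLE_ZONE = {
    "_acme-challenge.test2.greenwhale.tech.":
        [("CNAME", "50231d33-06bb-4ae0-9e31-dad3c1d705a8.auth.taomiao.store.")],
    "50231d33-06bb-4ae0-9e31-dad3c1d705a8.auth.taomiao.store.":
        [("TXT", "v6gMbHuLHUPluEV1g7l8xp-Ycqi7WLT3uyYnyelWD8E")],
}

if __name__ == "__main__":
    url, hdrs, body = build_update_request(
        "https://auth.acme-dns.io/update", "b2901f5b-f033-4b46-8220-e29a1233b6eb",
        "e0M_BfSFm4kXhnQBHFq1JWh_ohoMCi4j3HlYoL2d",
        "27a59eb9-90a6-4a04-b135-1b34dd3ae092",
        "v6gMbHuLHUPluEV1g7l8xp-Ycqi7WLT3uyYnyelWD8E")
    print(url, hdrs["X-Api-User"], body.decode())
    print(challenge_satisfied("_acme-challenge.test2.greenwhale.tech", SAMPLE_ZONE,
                              "v6gMbHuLHUPluEV1g7l8xp-Ycqi7WLT3uyYnyelWD8E"))
```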
