Let's Encrypt by acme.sh
發表於 : 2020年 11月 12日, 09:46
$ sudo apt install curl
$ sudo apt install socat
$ curl https://get.acme.sh | sh
$ sudo ln -s /home/leeyc/.acme.sh/acme.sh /usr/sbin/acme.sh
//$ sudo acme.sh --config-home /etc/acme --force --debug --issue --domain www.leeyc.net --standalone
//$ sudo acme.sh --config-home /etc/acme --force --debug --issue --domain hr.central-security.com.tw --standalone
申請 ssl key 成功
$ acme.sh --issue -d www.leeyc.net -w /web/www
$ acme.sh --issue -d hr.central-security.com.tw -w /web/www
$ acme.sh --issue -d pm.endiamond.com -w /web/html
2021-08-09 遇到不能更新時 要先註冊EMAIL
$ acme.sh --register-account -m leeyichung@gmail.com --server zerossl
[公曆 20廿年 十月 十八日 週日 〇時46分52秒] Your cert is in /home/leeyc/.acme.sh/www.leeyc.net/www.leeyc.net.cer
[公曆 20廿年 十月 十八日 週日 〇時46分52秒] Your cert key is in /home/leeyc/.acme.sh/www.leeyc.net/www.leeyc.net.key
[公曆 20廿年 十月 十八日 週日 〇時46分52秒] The intermediate CA cert is in /home/leeyc/.acme.sh/www.leeyc.net/ca.cer
[公曆 20廿年 十月 十八日 週日 〇時46分52秒] And the full chain certs is there: /home/leeyc/.acme.sh/www.leeyc.net/fullchain.cer
renew
leeyc@b:~$ acme.sh --issue --force -d www.leeyc.net -w /web/www
$ acme.sh --issue --force -d hr.central-security.com.tw -w /web/www
leeyc@b:~$ cp -r /home/leeyc/.acme.sh/www.leeyc.net /web/www
leeyc@b:~$ cp -r /home/leeyc/.acme.sh/www.leeyc.net /web/html
cp -r /home/leeyc/.acme.sh/hr.central-security.com.tw /web/www
acme.sh --issue --force -d pm.endiamond.com -w /web/html
cp -r /home/leeyc/.acme.sh/pm.endiamond.com /web/html
cp -r /home/leeyc/.acme.sh/pm.endiamond.com /web/ww1
cp -r /home/leeyc/.acme.sh/pm.endiamond.com /web/ww2
cp -r /home/leeyc/.acme.sh/pm.endiamond.com /web/ww3
Note: `-w /web/www` (and `/web/html`) is the webroot Apache serves for the HTTP-01 challenge, and `cp -r` of the whole acme.sh domain directory puts the private key (`*.key`) inside that same served directory; keep the key outside the web root (or deny web access to that directory) and restrict it to the Apache user with mode 600.
# docker exec -it apache /bin/bash
# docker exec -it app /bin/bash
vi /etc/httpd/conf/httpd.conf
vi /etc/httpd/conf.d/ssl.conf <== 編輯此檔 把KEY設定上即可
nano /etc/apache2/sites-enabled/default-ssl.conf
/etc/apache2/sites-available# ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf
sudo apachectl restart
sudo apachectl configtest
SSLCertificateFile /var/www/html/www.leeyc.net/fullchain.cer
SSLCertificateKeyFile /var/www/html/www.leeyc.net/www.leeyc.net.key
SSLCACertificateFile /var/www/html/www.leeyc.net/ca.cer
/home/leeyc/.acme.sh/hr.central-security.com.tw/hr.central-security.com.tw.cer
/home/leeyc/.acme.sh/hr.central-security.com.tw/hr.central-security.com.tw.key
/home/leeyc/.acme.sh/hr.central-security.com.tw/ca.cer
/home/leeyc/.acme.sh/hr.central-security.com.tw/fullchain.cer
SSLCertificateFile /var/www/html/hr.central-security.com.tw/fullchain.cer
SSLCertificateKeyFile /var/www/html/hr.central-security.com.tw/hr.central-security.com.tw.key
SSLCACertificateFile /var/www/html/hr.central-security.com.tw/ca.cer
存檔後執行 systemctl restart httpd 重新啟動即可生效。
# docker exec -it endia /bin/bash
# vi /etc/httpd/conf.d/httpd-vhosts.conf
Listen 81
<VirtualHost *:81>
DocumentRoot /var/www/html/
ServerName leeyc.ddns.net
<Directory "/var/www/html">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
SSLProxyEngine on
SSLEngine on
SSLCertificateFile /var/www/html/leeyc.ddns.net/fullchain.cer
SSLCertificateKeyFile /var/www/html/leeyc.ddns.net/leeyc.ddns.net.key
SSLCACertificateFile /var/www/html/leeyc.ddns.net/ca.cer
</VirtualHost>
Note: the SSLCertificateKeyFile above lives under DocumentRoot /var/www/html, which this <Directory> block allows to everyone, so the private key is reachable by a plain web request; move the key out of DocumentRoot or add a <Directory> block for that path with `Require all denied`.
https://leeyc.ddns.net:81/Endia/ <== 測試 這樣是可行的
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
Listen 443 https
<VirtualHost *:443>
ServerName homeblog.com.tw
DocumentRoot /www
#ServerAlias www1.homeblog.com.tw
SSLEngine on
SSLCertificateFile /etc/dehydrated/certs/homeblog.com.tw/cert.pem
SSLCertificateChainFile /etc/dehydrated/certs/homeblog.com.tw/chain.pem
SSLCertificateKeyFile /etc/dehydrated/certs/homeblog.com.tw/privkey.pem
#Alias /.well-known/acme-challenge/ /var/www/dehydrated/
</VirtualHost>
docker-compose.yml
version: '3.3'
services:
  app:
    build:
      context: ./html
      dockerfile: Dockerfile
    container_name: app
    ports:
      - "8080:80"
      - "443:443"
    volumes:
      - "./html:/var/www/html"
      - "/etc/localtime:/etc/localtime:ro"
    restart: always
    depends_on:
      - db
Dockerfile
FROM php:7.4-apache
MAINTAINER Valerio Galano
# Prepare apt
RUN apt-get update
# Prepare fake SSL certificate
RUN apt-get install -y ssl-cert
# Setup Apache2 mod_ssl
RUN a2enmod ssl
# Setup Apache2 HTTPS env
RUN a2ensite default-ssl.conf
RUN docker-php-ext-install mysqli pdo pdo_mysql
# Work directory
WORKDIR /var/www/html
EXPOSE 80 443
中央保全 自動更新憑證 renew.sh
#!/bin/bash
acme.sh --issue --force -d hr.central-security.com.tw -w /web/www
cp -r /home/leeyc/.acme.sh/hr.central-security.com.tw /web/www
docker restart apache
leeyc@leeyc-net:~$ cat renew.sh
#!/bin/bash
acme.sh --issue --force -d www.leeyc.net -w /web/www
cp -r /home/leeyc/.acme.sh/www.leeyc.net /web/www
cp -r /home/leeyc/.acme.sh/www.leeyc.net /web/html
docker restart apache
docker restart app
leeyc@e14:~$ cat renew.sh
#!/bin/bash
acme.sh --issue --force -d pm.endiamond.com -w /web/html
cp -r /home/leeyc/.acme.sh/pm.endiamond.com /web/html
cp -r /home/leeyc/.acme.sh/pm.endiamond.com /web/ww1
cp -r /home/leeyc/.acme.sh/pm.endiamond.com /web/ww2
cp -r /home/leeyc/.acme.sh/pm.endiamond.com /web/ww3
docker restart finance
docker restart endia
docker restart enks
docker restart app
Note on the three renew.sh scripts: `--force` re-issues the certificate on every run even when it is not yet due, and none of the scripts checks the acme.sh exit status, so a failed issue still copies the old files and restarts the containers; copy only fullchain.cer and the .key to a location outside the web root, and only after acme.sh succeeds (e.g. `acme.sh ... || exit 1`).
leeyc.net 192.168.31.24 ssl => 1433
docker exec -it app /bin/bash
:/etc/apache2/sites-enabled# nano default-ssl.conf