简体繁体 English

如何使用Let's Encrypt为自定义域设置SSL Generator

[英]How to setup SSL Generator for custom domains using Let's Encrypt

原文 2018-05-07 19:04:08 6 1 azure/ ssl/ ssl-certificate/ azure-web-sites/ lets-encrypt

I want to setup SSL Certificates generator/manager for Custom Domains - using Let's Encrypt but I'm not able to find the right tutorial. 我想为“自定义域”设置SSL证书生成器/管理器-使用“让我们加密”，但找不到正确的教程。 I've done some research work and I'm able to setup Let's Encrypt Certbot on one domain/machine with nginx. 我已经完成了一些研究工作，并且能够使用nginx在一个域/机器上设置“让我们加密Certbot”。

I have a web app on Azure which will serve multiple domains, so multiple custo domains from single IP. 我在Azure上有一个Web应用程序，它将为多个域提供服务，因此可以从单个IP提供多个托管域。 I want to generate SSL Certificates for custom domains on the fly. 我想即时为自定义域生成SSL证书。

I learnt that Openresty can help but I couldn't find any step-by-step article. 我了解到Openresty可以提供帮助，但是找不到任何循序渐进的文章。 How do I setup the SSL Management with Let's Encrypt. 如何使用“让我们加密”设置SSL管理。 At this point I'm not sure if I need a stand-alone VM or if it possible to run as a set of REST API Endpoint on a Web Server? 此时，我不确定是否需要独立VM或是否可以在Web服务器上作为一组REST API端点运行？ Any pointers? 有指针吗？ I appreciate any help! 感谢您的帮助！

1 个解决方案

Azure App Service does not currently include native support for Let's Encrypt, but there is a community-supported extension that gets the job done. Azure应用服务当前不包括对“加密”的本机支持，但是有一个社区支持的扩展可以完成工作。

https://github.com/sjkp/letsencrypt-siteextension/wiki/How-to-install https://github.com/sjkp/letsencrypt-siteextension/wiki/安装方法

This extension uses a webjob to facilitate automatic certificate renewal, so the app must be Always On for automatic renewal to work. 此扩展程序使用webjob来促进自动证书更新，因此该应用程序必须始终处于启用状态，才能进行自动更新。 If you are using deployment slots, be aware that you need to install the extension in each slot, and then add a WEBJOBS_STOPPED = 1 slot setting to each non-production slot (assuming you're not using other webjobs on non-production slots that need to run in their non-production environments). 如果您使用的是部署插槽，请注意，您需要在每个插槽中安装扩展，然后将WEBJOBS_STOPPED = 1插槽设置添加到每个非生产插槽（假设您没有在非生产插槽上使用其他webjob）需要在其非生产环境中运行）。 This ensures that the webjob is always present on the production slot, and only runs on the production slot. 这样可以确保Web作业始终存在于生产插槽中，并且仅在生产插槽上运行。

Also be aware that if you Web Deploy code to the app service from Visual Studio with the "Remove additional files at destination" file publish option checked, that doing so will remove the webjob from the slot to which you publish. 还应注意，如果选中了“在目标位置删除其他文件”文件发布选项，则将Web Deploy代码从Visual Studio Web部署到应用程序服务，这样做会从您发布的插槽中删除webjob。 You have a few choices if this applies to you: 如果这适用于您，则您有几种选择：

Manually refresh the certificates every three months. 每三个月手动刷新一次证书。
Reinstall the extension any time you publish (you do not have to reconfigure it). 每次发布时都重新安装该扩展名（不必重新配置）。
Clone the webjob into your solution and publish it along with your project. 将webjob克隆到您的解决方案中，然后将其与您的项目一起发布。

There may be other options, but those are the ones I've explored. 可能还有其他选择，但是这些是我探索过的。

Microsoft has asserted that this extension constitutes support for Let's Encrypt, but Microsoft does not support this extension. Microsoft宣称此扩展构成对Let's Encrypt的支持，但是Microsoft不支持此扩展。 Here's a place to vote for native support for Let's Encrypt on Azure if you think it's important: 如果您认为重要的话，可以在这里投票支持对“让我们在Azure上加密”的本机支持：

https://feedback.azure.com/forums/170024-additional-services/suggestions/16957756-add-integration-with-let-s-encrypt https://feedback.azure.com/forums/170024-additional-services/suggestions/16957756-add-integration-with-let-s-encrypt