ssl: Update deployment docs
iBug committed Mar 8, 2024
1 parent f793d1e commit 0456c1f
Showing 3 changed files with 39 additions and 2 deletions.
4 changes: 2 additions & 2 deletions docs/assets/sync-cert
Expand Up @@ -3,8 +3,8 @@
SRC="/etc/pve/nodes/pv1"
DSTROOT="/etc/pve/nodes"

scp web:/etc/acme.sh/ibuglab.com/ibuglab.com.key "$SRC/pveproxy-ssl.key"
scp web:/etc/acme.sh/ibuglab.com/fullchain.cer "$SRC/pveproxy-ssl.pem"
scp web:/etc/ssl/private/ibuglab.com/ibuglab.com.key "$SRC/pveproxy-ssl.key"
scp web:/etc/ssl/private/ibuglab.com/fullchain.cer "$SRC/pveproxy-ssl.pem"
systemctl reload pveproxy.service vlab-pve-agent.service

for DST in "$DSTROOT"/*; do
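
Review bot: The two `scp` calls are followed unconditionally by `systemctl reload pveproxy.service vlab-pve-agent.service` in the visible lines, so if either copy fails (for example because the new `/etc/ssl/private/ibuglab.com/` path has not been populated on `web` yet), the services are reloaded with a stale or mismatched key and certificate. Unless `set -e` is set above this hunk, chain the three commands with `&&`, or copy to temporary files and move both into place only when both copies succeed. A comment noting that these paths must match the `--key-file` and `--fullchain-file` values documented in docs/servers/ct101.md would also keep the two from drifting apart.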
4 changes: 4 additions & 0 deletions docs/changelog.md
Expand Up @@ -12,6 +12,10 @@ icon: material/clock-outline

### 2024 年

3 月 8 日

: 调整了 SSL 证书的部署方式。

2 月 18 日

: 修复了 KVM 虚拟机默认不带 `zram.ko` 的问题(通过 `cloud.cfg` 加装 `linux-image-extra-virtual`),并更新了虚拟机镜像。
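
Review bot: The new 3 月 8 日 entry says only that the SSL certificate deployment method was adjusted, without saying what changed. Name the change (certificates are now installed to `/etc/ssl/private` with `acme.sh --install-cert`) and link to the new 更新与部署 section in docs/servers/ct101.md, at the level of detail the 2 月 18 日 entry below gives.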
33 changes: 33 additions & 0 deletions docs/servers/ct101.md
Expand Up @@ -38,6 +38,39 @@ location /.well-known {
}
```

### 更新与部署

需要使用 SSL 证书的服务主要是 Nginx 和 vnc-multiplexer。由于 acme.sh [不推荐][2035]直接从 `/etc/acme.sh` 目录中使用证书,因此我们用 `acme.sh --install-cert` 命令将证书安装到 `/etc/ssl/private` 目录中,并指定 `--reloadcmd` 来 reload 相关服务:

[2035]: https://github.com/acmesh-official/acme.sh/issues/2035

```shell
# Main cert is used by both services
/etc/acme.sh/acme.sh --install-cert \
-d vlab.ustc.edu.cn \
--key-file /etc/ssl/private/vlab.ustc.edu.cn.key\
--fullchain-file /etc/ssl/private/vlab.ustc.edu.cn.fullchain.cer \
--reloadcmd "systemctl reload nginx vnc-multiplexer"

# Auxilary certs are used by Nginx only
/etc/acme.sh/acme.sh --install-cert \
-d soc.ustc.edu.cn \
--key-file /etc/ssl/private/soc.ustc.edu.cn.key \
--fullchain-file /etc/ssl/private/soc.ustc.edu.cn.fullchain.cer \
--reloadcmd "systemctl reload nginx"
/etc/acme.sh/acme.sh --install-cert \
-d verilogoj.ustc.edu.cn \
--key-file /etc/ssl/private/verilogoj.ustc.edu.cn.key \
--fullchain-file /etc/ssl/private/verilogoj.ustc.edu.cn.fullchain.cer \
--reloadcmd "systemctl reload nginx"

# For PVE hosts to pick up with cron
/etc/acme.sh/acme.sh --install-cert \
-d ibuglab.com \
--key-file /etc/ssl/private/ibuglab.com/ibuglab.com.key \
--fullchain-file /etc/ssl/private/ibuglab.com/fullchain.cer
```

## Django web 应用与 Nginx {#web}

文档记录在 Django 仓库中,见 <https://github.com/USTC-vlab/cslab/tree/master/docs>
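
Review bot: In the first `--install-cert` command, the continuation on `--key-file /etc/ssl/private/vlab.ustc.edu.cn.key\` has no space before the backslash, unlike every other continuation in this block, so the command depends on the next line's leading whitespace to keep the key path separate from `--fullchain-file`; add the space. The comment "Auxilary certs" should read "Auxiliary". The ibuglab.com command writes into a subdirectory, `/etc/ssl/private/ibuglab.com/`, while the other three write flat files under `/etc/ssl/private`; the section should say whether that directory has to be created beforehand and which account on `web` needs read access to it for the `scp` calls in docs/assets/sync-cert.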