{"id":1068,"date":"2022-05-18T06:23:22","date_gmt":"2022-05-18T06:23:22","guid":{"rendered":"https:\/\/oimi.me\/?p=1068"},"modified":"2022-05-18T06:23:22","modified_gmt":"2022-05-18T06:23:22","slug":"%e4%bd%bf%e7%94%a8-github-actions-%e8%87%aa%e5%8a%a8%e7%94%b3%e8%af%b7%e4%b8%8e%e9%83%a8%e7%bd%b2-ssl-%e8%af%81%e4%b9%a6","status":"publish","type":"post","link":"https:\/\/myya.net\/index.php\/2022\/05\/18\/%e4%bd%bf%e7%94%a8-github-actions-%e8%87%aa%e5%8a%a8%e7%94%b3%e8%af%b7%e4%b8%8e%e9%83%a8%e7%bd%b2-ssl-%e8%af%81%e4%b9%a6\/","title":{"rendered":"\u4f7f\u7528 GitHub Actions \u81ea\u52a8\u7533\u8bf7\u4e0e\u90e8\u7f72 SSL \u8bc1\u4e66"},"content":{"rendered":"

\u5bf9\u4e8e\u4e00\u4e2a\u6709\u5f88\u591a\u670d\u52a1\u5668\u7684\u4eba\u6765\u8bf4\uff0c\u5728\u4e0d\u540c\u670d\u52a1\u5668\u4e0a\u540c\u6b65 SSL \u8bc1\u4e66\u662f\u4e00\u4ef6\u9ebb\u70e6\u4e8b\u3002\u7b14\u8005\u5c1d\u8bd5\u8fc7\u5f88\u591a\u79cd\u65b9\u5f0f\uff0c\u6700\u540e\u5728\u00a0Menci<\/a>\u00a0\u7684\u63a8\u8350\u4e0b\u9009\u5b9a\u4e86\u4f7f\u7528 GitHub Actions \u6765\u81ea\u52a8\u7533\u8bf7\u3001\u7eed\u671f SSL \u8bc1\u4e66\uff0c\u5e76\u81ea\u52a8\u63a8\u9001\u5230\u5404\u4e2a\u670d\u52a1\u5668\u4e0a\u3002<\/p>\n

\u672c\u535a\u5ba2\u7684\u8bc1\u4e66\u4e5f\u662f\u4f7f\u7528\u8fd9\u79cd\u65b9\u5f0f\u8fdb\u884c\u7b7e\u53d1\u3001\u90e8\u7f72\u7684\uff0c\u53ef\u4ee5\u70b9\u51fb\u6d4f\u89c8\u5668\u5730\u5740\u680f\u4e0a\u7684\u6309\u94ae\u67e5\u770b\u8bc1\u4e66\u3002<\/p>\n

\u7533\u8bf7\u8bc1\u4e66<\/h2>\n

\u524d\u671f\u51c6\u5907<\/h3>\n

\u9996\u5148\u8bf7\u5728\u672c\u5730\uff08\u6216\u81ea\u5df1\u7684\u670d\u52a1\u5668\u4e0a\uff09\u6210\u529f\u4f7f\u7528\u00a0acme.sh<\/a>\u00a0\u7684\u00a0DNS-01<\/a> \u9a8c\u8bc1\u65b9\u5f0f\u6210\u529f\u7533\u8bf7\u4e00\u6b21\u8bc1\u4e66\uff0c<\/p>\n

    \n
  1. \u5411 CA \u6ce8\u518c ACME \u8d26\u6237\uff08\u5982\u679c\u4f7f\u7528 Let\u2019s Encrypt \u5219\u4f1a\u81ea\u52a8\u8fdb\u884c\uff0c\u8be6\u7ec6\u6b65\u9aa4\u8bf7\u53c2\u9605\u00a0acme.sh \u7684 Wiki<\/a>\uff09\u3002<\/li>\n
  2. \u901a\u8fc7\u73af\u5883\u53d8\u91cf\u6307\u5b9a DNS \u63d0\u4f9b\u5546\u7684\u51ed\u636e\uff0c\u7528\u4e8e\u6dfb\u52a0\/\u5220\u9664 ACME DNS-01 \u8ba4\u8bc1\u6240\u9700\u7684 TXT \u8bb0\u5f55\u3002<\/li>\n
  3. \u786e\u8ba4\u8bc1\u4e66\u7533\u8bf7\u53ef\u4ee5\u6210\u529f\uff0c\u4e3a\u540e\u7eed\u8c03\u8bd5\u6392\u9664\u53ef\u80fd\u7684\u95ee\u9898\u3002<\/li>\n<\/ol>\n

    \u7b2c\u4e00\u6b21\u7533\u8bf7\u8bc1\u4e66\u540e\uff0cCA \u7684 ACME \u8d26\u6237\u51ed\u636e\u5c06\u88ab\u5b58\u50a8\u5230\u00a0~\/.acme.sh\/ca<\/code>\u00a0\u4e2d\uff0cDNS \u63d0\u4f9b\u5546\u7684\u51ed\u636e\u5c06\u88ab\u5b58\u50a8\u5230\u00a0~\/.acme.sh\/account.conf<\/code>\u00a0\u4e2d\u3002\u5c06\u5b83\u4eec\u6253\u5305\u5e76\u4f7f\u7528 Base64 \u7f16\u7801\u5b58\u50a8\uff0c\u4ee5\u5907\u5728 GitHub Actions \u4e2d\u4f7f\u7528\uff1a<\/p>\n

    cd<\/span> ~\/.acme.sh\ntar cz ca account.conf | base64<\/span> -w0<\/code><\/pre>\n
    \u5c06\u8f93\u51fa\u5185\u5bb9\u6dfb\u52a0\u5230 GitHub \u4ed3\u5e93\u7684 Secrets \u4e2d\u3002\u6ce8\u610f\u4e0d\u8981\u590d\u5236\u8f93\u51fa\u4e2d\u7684\u591a\u4f59\u4fe1\u606f\u3002<\/p>\n
    \u81ea\u52a8\u5316<\/h3>\n
    \u5982\u679c\u6ca1\u6709\u7279\u6b8a\u9700\u6c42\uff0c\u53ef\u4ee5\u4f7f\u7528\u00a0Menci\/acme<\/a>\u00a0\u6765\u7b80\u5355\u5730\u7533\u8bf7\u8bc1\u4e66\uff1a<\/p>\n
    # \u5168\u5c40\u73af\u5883\u53d8\u91cf<\/span>\nenv:<\/span>\n  # Checkout \u5230\u7684\u76ee\u5f55<\/span>\n  CERTS_OUTPUT_BASE:<\/span> certs<\/span>\n  # \u8bc1\u4e66\u8f93\u51fa\u76ee\u5f55<\/span>\n  CERTS_OUTPUT_DIRECTORY:<\/span> example.com<\/span>\n  # \u8bc1\u4e66\u6587\u4ef6\u540d<\/span>\n  FILE_FULLCHAIN:<\/span> fullchain.pem<\/span>\n  # \u79c1\u94a5\u6587\u4ef6\u540d<\/span>\n  FILE_KEY:<\/span> privatekey.key<\/span>\n\njobs:<\/span>\n  issue-ssl-certificate:<\/span>\n    name:<\/span> Issue<\/span> SSL<\/span> certificate<\/span>\n    runs-on:<\/span> ubuntu-latest<\/span>\n    steps:<\/span>\n      -<\/span> uses:<\/span> Menci\/acme@v1<\/span>\n        with:<\/span>\n          # \u6307\u5b9a acme.sh \u7684\u7248\u672c<\/span>\n          version:<\/span> 3.0<\/span>.2<\/span>\n\n          # \u4e0a\u65b9\u4fdd\u5b58\u7684\u4ee5 Base64 \u7f16\u7801\u5b58\u50a8\u7684\u51ed\u636e<\/span>\n          account-tar:<\/span> ${{<\/span> secrets.ACME_SH_ACCOUNT_TAR<\/span> }}<\/span>\n\n          # \u57df\u540d\u5217\u8868\uff0c\u4ee5\u7a7a\u683c\u5206\u9694<\/span>\n          domains:<\/span> example.com<\/span> example.net<\/span> example.org<\/span> example.edu<\/span>\n          # \u662f\u5426\u7533\u8bf7\u901a\u914d\u7b26<\/span>\n          append-wildcard:<\/span> true<\/span>\n\n          # \u4f20\u9012\u7ed9 acme.sh \u7684\u989d\u5916\u53c2\u6570<\/span>\n          arguments:<\/span> --dns<\/span> dns_cf<\/span> --challenge-alias<\/span> example.com<\/span>\n\n          # \u5bfc\u51fa\u7684\u8bc1\u4e66\u8def\u5f84<\/span>\n          output-fullchain:<\/span> ${{<\/span> env.CERTS_OUTPUT_BASE<\/span> }}\/${{<\/span> env.CERTS_OUTPUT_DIRECTORY<\/span> }}\/${{<\/span> env.FILE_FULLCHAIN<\/span> }}<\/span>\n          output-key:<\/span> ${{<\/span> env.CERTS_OUTPUT_BASE<\/span> }}\/${{<\/span> env.CERTS_OUTPUT_DIRECTORY<\/span> }}\/${{<\/span> env.FILE_KEY<\/span> }}<\/span><\/code><\/pre>\n
    # \u5168\u5c40\u73af\u5883\u53d8\u91cf<\/span>\nenv:<\/span>\n  # Checkout \u5230\u7684\u76ee\u5f55<\/span>\n  CERTS_OUTPUT_BASE:<\/span> certs<\/span>\n  # \u8bc1\u4e66\u8f93\u51fa\u76ee\u5f55<\/span>\n  CERTS_OUTPUT_DIRECTORY:<\/span> example.com<\/span>\n  # \u8bc1\u4e66\u6587\u4ef6\u540d<\/span>\n  FILE_FULLCHAIN:<\/span> fullchain.pem<\/span>\n  # \u79c1\u94a5\u6587\u4ef6\u540d<\/span>\n  FILE_KEY:<\/span> privatekey.key<\/span>\n\njobs:<\/span>\n  issue-ssl-certificate:<\/span>\n    name:<\/span> Issue<\/span> SSL<\/span> certificate<\/span>\n    runs-on:<\/span> ubuntu-latest<\/span>\n    steps:<\/span>\n      -<\/span> name:<\/span> Checkout<\/span>\n        uses:<\/span> actions\/checkout@v2<\/span>\n        with:<\/span>\n          ref:<\/span> master<\/span>\n\n      -<\/span> name:<\/span> Checkout<\/span> output<\/span> branch<\/span>\n        uses:<\/span> actions\/checkout@v2<\/span>\n        with:<\/span>\n          ref:<\/span> certs<\/span>\n          path:<\/span> ${{<\/span> env.CERTS_OUTPUT_BASE<\/span> }}<\/span>\n\n      # \u5b89\u88c5 acme.sh<\/span>\n      -<\/span> name:<\/span> Install<\/span> acme.sh<\/span>\n        shell:<\/span> bash<\/span>\n        run:<\/span> curl<\/span> -s<\/span> https:\/\/get.acme.sh<\/span> |<\/span> sh<\/span>\n\n      # \u89e3\u538b acme.sh \u914d\u7f6e\u4fe1\u606f<\/span>\n      -<\/span> name:<\/span> Extract<\/span> account<\/span> files<\/span> for<\/span> acme.sh<\/span>\n        shell:<\/span> bash<\/span>\n        run:<\/span> |<\/span>\n          echo \"$ACME_SH_ACCOUNT_TAR\" | base64 -d | tar -C ~\/.acme.sh -xz<\/span>\n        env:<\/span>\n          # Base64 \u7f16\u7801\u7684 acme.sh \u914d\u7f6e\u4fe1\u606f<\/span>\n          ACME_SH_ACCOUNT_TAR:<\/span> ${{<\/span> secrets.ACME_SH_ACCOUNT_TAR<\/span> }}<\/span>\n\n      # \u7533\u8bf7\u8bc1\u4e66<\/span>\n      -<\/span> name:<\/span> Issue<\/span> SSL<\/span> certificates<\/span>\n        shell:<\/span> bash<\/span>\n        run:<\/span> |<\/span>\n          ~\/.acme.sh\/acme.sh --issue        \\<\/span>\n            -d \"example.com\"   --dns dns_cf \\<\/span>\n            -d \"*.example.com\" --dns dns_cf \\<\/span>\n            -d \"example.net\"   --dns dns_dp \\<\/span>\n            -d \"*.example.net\" --dns dns_dp \\<\/span>\n            --server letsencrypt<\/span>\n\n      # \u5bfc\u51fa\u8bc1\u4e66<\/span>\n      -<\/span> name:<\/span> Copy<\/span> certificate<\/span> to<\/span> output<\/span> paths<\/span>\n        shell:<\/span> bash<\/span>\n        run:<\/span> |<\/span>\n          ACME_SH_TEMP_DIR=\"$(mktemp -d)\"<\/span>\n          ACME_SH_TEMP_FILE_FULLCHAIN=\"$ACME_SH_TEMP_DIR\/fullchain.pem\"<\/span>\n          ACME_SH_TEMP_FILE_KEY=\"$ACME_SH_TEMP_DIR\/key.pem\"<\/span>\n\n          ~\/.acme.sh\/acme.sh<\/span> --install-cert<\/span> -d<\/span> \"$ACME_SH_FIRST_DOMAIN\"<\/span> --fullchain-file<\/span> \"$ACME_SH_TEMP_FILE_FULLCHAIN\"<\/span> --key-file<\/span> \"$ACME_SH_TEMP_FILE_KEY\"<\/span>\n\n          [[ -z<\/span> \"$ACME_SH_OUTPUT_FULLCHAIN\"<\/span> ]] ||<\/span> (mkdir<\/span> -p<\/span> \"$(dirname \"<\/span>$ACME_SH_OUTPUT_FULLCHAIN\")\"<\/span> &&<\/span> cp<\/span> \"$ACME_SH_TEMP_FILE_FULLCHAIN\"<\/span> \"$ACME_SH_OUTPUT_FULLCHAIN\"<\/span>)<\/span>\n          [[ -z<\/span> \"$ACME_SH_OUTPUT_KEY\"<\/span> ]] ||<\/span> (mkdir<\/span> -p<\/span> \"$(dirname \"<\/span>$ACME_SH_OUTPUT_KEY\")\"<\/span> &&<\/span> cp<\/span> \"$ACME_SH_TEMP_FILE_KEY\"<\/span> \"$ACME_SH_OUTPUT_KEY\"<\/span>)<\/span>\n\n          rm<\/span> -rf<\/span> \"$ACME_SH_TEMP_DIR\"<\/span>\n        env:<\/span>\n          # \u4fee\u6539\u6b64\u5904\u7684 example.com \u4e3a\u7533\u8bf7\u65f6\u586b\u5199\u7684\u7b2c\u4e00\u4e2a\u57df\u540d<\/span>\n          ACME_SH_FIRST_DOMAIN:<\/span> example.com<\/span>\n          ACME_SH_OUTPUT_FULLCHAIN:<\/span> ${{<\/span> env.CERTS_OUTPUT_BASE<\/span> }}\/${{<\/span> env.CERTS_OUTPUT_DIRECTORY<\/span> }}\/${{<\/span> env.FILE_FULLCHAIN<\/span> }}<\/span>\n          ACME_SH_OUTPUT_KEY:<\/span> ${{<\/span> env.CERTS_OUTPUT_BASE<\/span> }}\/${{<\/span> env.CERTS_OUTPUT_DIRECTORY<\/span> }}\/${{<\/span> env.FILE_KEY<\/span> }}<\/span><\/code><\/pre>\n
    \u4e0a\u4f20\u8bc1\u4e66\u81f3\u4ed3\u5e93<\/h3>\n
    # \u4e0a\u4f20\u8bc1\u4e66<\/span>\n-<\/span> name:<\/span> Push<\/span> to<\/span> GitHub<\/span>\n  run:<\/span> |<\/span>\n    git config --global user.name \"BaoshuoBot\"<\/span>\n    git config --global user.email \"79077260+BaoshuoBot@users.noreply.github.com\"<\/span>\n\n    cd<\/span> \"$CERTS_DIRECTORY\"<\/span>\n\n    git<\/span> add<\/span> \"$FILE_FULLCHAIN\"<\/span> \"$FILE_KEY\"<\/span>\n    git<\/span> commit<\/span> -m<\/span> \"Upload certificates on $(date '+%Y-%m-%d %H:%M:%S')\"<\/span>\n    git<\/span> push<\/span>\n  env:<\/span>\n    TZ:<\/span> Asia\/Shanghai<\/span>\n    CERTS_DIRECTORY:<\/span> ${{<\/span> env.CERTS_OUTPUT_BASE<\/span> }}\/${{<\/span> env.CERTS_OUTPUT_DIRECTORY<\/span> }}<\/span><\/code><\/pre>\n
    \u90e8\u7f72\u8bc1\u4e66<\/h2>\n
    \u5728\u7533\u8bf7\u8bc1\u4e66\u7684 Job \u6267\u884c\u5b8c\u6210\u540e\uff0c\u53ef\u4ee5\u6267\u884c\u4e00\u7cfb\u5217\u5176\u4ed6\u7684 Job \u6765\u5c06\u8bc1\u4e66\u90e8\u7f72\u5230\u5404\u4e2a\u670d\u52a1\u5668\u6216\u4e91\u670d\u52a1\u3002<\/p>\n
    \u670d\u52a1\u5668<\/h3>\n
    \u53ef\u4ee5\u4f7f\u7528\u00a0easingthemes\/ssh-deploy<\/code><\/a>\u00a0\u6765\u4f7f\u7528 rsync \u5c06\u8bc1\u4e66\u540c\u6b65\u5230\u670d\u52a1\u5668\u4e0a\u3002\u540c\u6b65\u5b8c\u6210\u540e\u518d\u4f7f\u7528\u00a0appleboy\/ssh-action<\/code><\/a>\u00a0\u8fdc\u7a0b\u6267\u884c\u547d\u4ee4\u91cd\u8f7d Nginx \/ Apache\u3002<\/p>\n
    # \u90e8\u7f72\u5230\u670d\u52a1\u5668<\/span>\ndeploy-to-server:<\/span>\n  name:<\/span> Deploy<\/span> Certificate<\/span> to<\/span> Server<\/span>\n  runs-on:<\/span> ubuntu-latest<\/span>\n  needs:<\/span> issue-ssl-certificate<\/span>\n\n  strategy:<\/span>\n    matrix:<\/span>\n      host:<\/span>\n        -<\/span> 174.136<\/span>.239<\/span>.1<\/span> # Server 1<\/span>\n        -<\/span> 174.136<\/span>.239<\/span>.2<\/span> # Server 2<\/span>\n        # ...<\/span>\n        -<\/span> 174.136<\/span>.239<\/span>.254<\/span> # Server N<\/span>\n\n  steps:<\/span>\n    -<\/span> name:<\/span> Checkout<\/span>\n      uses:<\/span> actions\/checkout@v2<\/span>\n      with:<\/span>\n        ref:<\/span> certs<\/span>\n\n    # \u4e0a\u4f20\u8bc1\u4e66<\/span>\n    -<\/span> name:<\/span> Upload<\/span> certificate<\/span> to<\/span> server<\/span>\n      uses:<\/span> easingthemes\/ssh-deploy@v2.1.5<\/span>\n      env:<\/span>\n        SSH_PRIVATE_KEY:<\/span> ${{<\/span> secrets.SSH_PRIVATE_KEY<\/span> }}<\/span>\n        ARGS:<\/span> '-avz --delete'<\/span>\n        REMOTE_HOST:<\/span> ${{<\/span> matrix.host<\/span> }}<\/span>\n        REMOTE_USER:<\/span> ${{<\/span> secrets.REMOTE_USER<\/span> }}<\/span>\n        SOURCE:<\/span> ${{<\/span> env.CERTS_OUTPUT_DIRECTORY<\/span> }}\/<\/span>\n        TARGET:<\/span> \/path\/to\/ssl\/certs\/${{<\/span> env.CERTS_OUTPUT_DIRECTORY<\/span> }}\/<\/span>\n\n    # \u91cd\u8f7d Nginx<\/span>\n    -<\/span> name:<\/span> Force-reload<\/span> nginx<\/span>\n      uses:<\/span> appleboy\/ssh-action@v0.1.4<\/span>\n      with:<\/span>\n        host:<\/span> ${{<\/span> matrix.host<\/span> }}<\/span>\n        username:<\/span> ${{<\/span> secrets.REMOTE_USER<\/span> }}<\/span>\n        key:<\/span> ${{<\/span> secrets.SSH_PRIVATE_KEY<\/span> }}<\/span>\n        script:<\/span> |<\/span>\n          sudo<\/span> \/opt\/hooks\/reload-nginx.sh<\/span><\/code><\/pre>\n
    \u9700\u8981\u6ce8\u610f\u7684\u662f\uff0c\u91cd\u8f7d Nginx \/ Apache \u7684\u547d\u4ee4\u9700\u8981 root \u6743\u9650\u624d\u80fd\u6267\u884c\uff0c\u53ef\u4ee5\u91c7\u7528\u53ea\u5141\u8bb8\u90e8\u7f72\u7528\u6237\u4ee5 root \u6743\u9650\u6267\u884c\u91cd\u8f7d\u811a\u672c\u7684\u65b9\u5f0f\u6765\u907f\u514d\u51fa\u73b0\u5b89\u5168\u95ee\u9898\u3002<\/p>\n
    \u5728\u00a0\/opt\/hooks<\/code>\u00a0\u76ee\u5f55\u4e0b\u65b0\u5efa\u4e00\u4e2a\u6587\u4ef6\u00a0reload-nginx.sh<\/code>\uff0c\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n
    #!\/bin\/bash<\/span>\nsudo systemctl force-reload nginx<\/code><\/pre>\n
    \u7136\u540e\u65b0\u5efa\u4e00\u4e2a\u540d\u4e3a\u00a0actions-cert<\/code>\u00a0\u7684\u7528\u6237\uff0c\u7136\u540e\u5728\u00a0\/etc\/sudoers<\/code>\u00a0\u6587\u4ef6\u4e2d\u6dfb\u52a0\u4ee5\u4e0b\u5185\u5bb9\uff1a<\/p>\n
    actions-cert ALL<\/span>=(ALL<\/span>) NOPASSWD: \/opt\/<\/span>hooks\/reload-nginx.sh<\/code><\/pre>\n
    \u8fd9\u4e2a\u914d\u7f6e\u53ef\u4ee5\u4f7f\u00a0actions-cert<\/code>\u00a0\u7528\u6237\u514d\u5bc6\u7801\u4ee5 root \u7528\u6237\u7684\u6743\u9650\u6267\u884c\u00a0\/opt\/hooks\/reload-nginx.sh<\/code>\u3002<\/p>\n
    \u6700\u540e\u4f7f\u7528\u00a0chmod 755 \/opt\/hooks\/reload-nginx.sh<\/code>\u00a0\u547d\u4ee4\u5c06\u00a0reload-nginx.sh<\/code>\u00a0\u6587\u4ef6\u8bbe\u7f6e\u4e3a\u53ef\u6267\u884c\uff0c\u540c\u65f6\u7981\u6b62\u975e\u6240\u6709\u8005\u5bf9\u5176\u8fdb\u884c\u5199\u5165\u64cd\u4f5c\u3002<\/p>\n
    \u5982\u679c\u670d\u52a1\u5668\u4f4d\u4e8e NAT \u540e\uff0c\u6216\u8005\u7981\u6b62\u4e86 SSH \u8fde\u63a5\uff0c\u8fd8\u6709\u4e24\u4e2a\u65b9\u6cd5\u53ef\u4ee5\u5c06\u8bc1\u4e66\u90e8\u7f72\u5230\u5185\u7f51\u670d\u52a1\u5668\u4e0a\uff1a<\/p>\n
      \n
    1. \u5c06\u8bc1\u4e66\u5148\u90e8\u7f72\u5230\u6709\u90e8\u7f72\u6761\u4ef6\u7684\u670d\u52a1\u5668\u4e0a\uff0c\u7136\u540e\u518d\u5728\u5185\u7f51\u670d\u52a1\u5668\u4e0a\u4f7f\u7528 rsync \u4ece\u90e8\u7f72\u597d\u7684\u670d\u52a1\u5668\u4e0a\u62c9\u53d6\u8bc1\u4e66\u3002<\/li>\n
    2. \u5c06\u8bc1\u4e66\u4e0a\u4f20\u5230\u00a0Azure Key Vault<\/a>\u00a0\u7b49\u6258\u7ba1\u670d\u52a1\u4e2d\uff0c\u518d\u5728\u670d\u52a1\u5668\u4e0a\u6309\u7167\u00a0Menci \u7684\u6587\u7ae0<\/a>\u00a0\u4e2d\u7684\u6559\u7a0b\u62c9\u53d6\u5373\u53ef\u3002<\/li>\n<\/ol>\n
      \u963f\u91cc\u4e91<\/h3>\n
      \u963f\u91cc\u4e91\u7684\u00a0SSL \u8bc1\u4e66\u670d\u52a1<\/a>\u00a0\u652f\u6301\u4e0a\u4f20\u81ea\u5b9a\u4e49\u8bc1\u4e66\uff0c\u8be5\u8bc1\u4e66\u53ef\u4ee5\u7528\u4e8e\u00a0\u963f\u91cc\u4e91 CDN\u3002\u963f\u91cc\u4e91\u6682\u672a\u63d0\u4f9b\u5c06\u8bc1\u4e66\u90e8\u7f72\u81f3 OSS \u7684 API\uff0c\u5efa\u8bae OSS \u7528\u6237\u4f7f\u7528 CDN \u56de\u6e90 OSS \u6765\u4ee3\u66ff\u3002<\/p>\n
      \u4f7f\u7528\u00a0Menci\/deploy-certificate-to-aliyun<\/a>\u00a0\u5c06\u8bc1\u4e66\u90e8\u7f72\u5230\u963f\u91cc\u4e91\uff1a<\/p>\n
      # \u90e8\u7f72\u5230\u963f\u91cc\u4e91<\/span>\ndeploy-to-server:<\/span>\n  name:<\/span> Deploy<\/span> Certificate<\/span> to<\/span> Aliyun<\/span>\n  runs-on:<\/span> ubuntu-latest<\/span>\n  needs:<\/span> issue-ssl-certificate<\/span>\n\n  steps:<\/span>\n    # \u62c9\u53d6\u8bc1\u4e66\u5b58\u50a8\u5206\u652f<\/span>\n    -<\/span> name:<\/span> Checkout<\/span>\n      uses:<\/span> actions\/checkout@v2<\/span>\n      with:<\/span>\n        ref:<\/span> certs<\/span>\n\n    # \u4e0a\u4f20\u8bc1\u4e66<\/span>\n    -<\/span> name:<\/span> Deploy<\/span> certificate<\/span> to<\/span> aliyun<\/span>\n      uses:<\/span> Menci\/deploy-certificate-to-aliyun@beta-v1<\/span>\n      with:<\/span>\n        access-key-id:<\/span> ${{<\/span> secrets.ALIYUN_ACCESS_KEY_ID<\/span> }}<\/span>\n        access-key-secret:<\/span> ${{<\/span> secrets.ALIYUN_ACCESS_KEY_SECRET<\/span> }}<\/span>\n        fullchain-file:<\/span> ${{<\/span> env.CERTS_OUTPUT_DIRECTORY<\/span> }}\/${{<\/span> env.FILE_FULLCHAIN<\/span> }}<\/span>\n        key-file:<\/span> ${{<\/span> env.CERTS_OUTPUT_DIRECTORY<\/span> }}\/${{<\/span> env.FILE_KEY<\/span> }}<\/span>\n        certificate-name:<\/span> example.com<\/span>\n        cdn-domains:<\/span> |<\/span>\n          example.com<\/span>\n          example.net<\/span><\/code><\/pre>\n
      \u5176\u4e2d\u00a0certificate-name<\/code>\u00a0\u6307\u5b9a\u4e0a\u4f20\u7684\u8bc1\u4e66\u5728\u8bc1\u4e66\u670d\u52a1\u4e2d\u7684\u540d\u79f0\uff08\u5c06\u81ea\u52a8\u66ff\u6362\u65e7\u7248\u672c\uff09\uff0ccdn-domain<\/code>\u00a0\u6307\u5b9a\u9700\u8981\u5c06\u8be5\u8bc1\u4e66\u90e8\u7f72\u5230\u7684 CDN \u57df\u540d\u5217\u8868\uff08\u7528\u7a7a\u767d\u5b57\u7b26\u9694\u5f00\uff09\u3002<\/p>\n
      \u5efa\u8bae\u4f7f\u7528\u5b50\u8d26\u6237 Access Key\uff0c\u4e3a\u5176\u8d4b\u4e88\u4ee5\u4e0b\u6743\u9650\uff08\u5e76\u6309\u9700\u4f7f\u7528\u8d44\u6e90\u7ec4\u9694\u79bb\uff09\uff1a<\/p>\n
        \n
      • AliyunYundunCertFullAccess<\/li>\n
      • AliyunCDNFullAccess<\/li>\n
      • AliyunPCDNFullAccess<\/li>\n
      • AliyunSCDNFullAccess<\/li>\n
      • AliyunDCDNFullAccess<\/li>\n<\/ul>\n
        \u5b8c\u6574\u4f8b\u5b50<\/h2>\n
        \u8fd9\u4e2a Action \u5b8c\u6210\u4e86\u4ee5\u4e0b\u64cd\u4f5c\uff1a<\/p>\n
          \n
        1. \u7533\u8bf7\u8bc1\u4e66\uff0c\u5e76\u4e0a\u4f20\u5230\u4ed3\u5e93\u7684\u00a0certs<\/code>\u00a0\u5206\u652f\u3002<\/li>\n
        2. \u5728\u7533\u8bf7\u8bc1\u4e66\u540e\u5c06\u00a0certs<\/code>\u00a0\u5206\u652f\u4e2d\u7684\u8bc1\u4e66\u90e8\u7f72\u5230\u670d\u52a1\u5668\u4e0a\u3002<\/li>\n<\/ol>\n
          # \u540d\u79f0<\/span>\nname:<\/span> Issue<\/span> SSL<\/span> Certificates<\/span>\n\n# \u89e6\u53d1\u6761\u4ef6<\/span>\non:<\/span>\n  # \u624b\u52a8\u8fd0\u884c<\/span>\n  workflow_dispatch:<\/span>\n  # \u5b9a\u65f6\u8fd0\u884c<\/span>\n  schedule:<\/span>\n    # \u6bcf\u4e24\u4e2a\u6708\u8fd0\u884c\u4e00\u6b21<\/span>\n    -<\/span> cron:<\/span> '0 0 1 *\/2 *'<\/span>\n\n# \u5168\u5c40\u73af\u5883\u53d8\u91cf<\/span>\nenv:<\/span>\n  # Checkout \u5230\u7684\u76ee\u5f55<\/span>\n  CERTS_OUTPUT_BASE:<\/span> certs<\/span>\n  # \u8bc1\u4e66\u8f93\u51fa\u76ee\u5f55<\/span>\n  CERTS_OUTPUT_DIRECTORY:<\/span> example.com<\/span>\n  # \u8bc1\u4e66\u6587\u4ef6\u540d<\/span>\n  FILE_FULLCHAIN:<\/span> fullchain.pem<\/span>\n  # \u79c1\u94a5\u6587\u4ef6\u540d<\/span>\n  FILE_KEY:<\/span> privatekey.key<\/span>\n\njobs:<\/span>\n  issue-ssl-certificate:<\/span>\n    # \u7533\u8bf7\u8bc1\u4e66\u5e76 push \u5230 certs \u5206\u652f<\/span>\n    name:<\/span> Issue<\/span> SSL<\/span> certificate<\/span>\n    runs-on:<\/span> ubuntu-latest<\/span>\n    steps:<\/span>\n      -<\/span> name:<\/span> Checkout<\/span>\n        uses:<\/span> actions\/checkout@v2<\/span>\n        with:<\/span>\n          ref:<\/span> master<\/span>\n\n      -<\/span> name:<\/span> Checkout<\/span> output<\/span> branch<\/span>\n        uses:<\/span> actions\/checkout@v2<\/span>\n        with:<\/span>\n          ref:<\/span> certs<\/span>\n          path:<\/span> ${{<\/span> env.CERTS_OUTPUT_BASE<\/span> }}<\/span>\n\n      # \u5b89\u88c5 acme.sh<\/span>\n      -<\/span> name:<\/span> Install<\/span> acme.sh<\/span>\n        shell:<\/span> bash<\/span>\n        run:<\/span> curl<\/span> -s<\/span> https:\/\/get.acme.sh<\/span> |<\/span> sh<\/span>\n\n      # \u89e3\u538b acme.sh \u914d\u7f6e\u4fe1\u606f<\/span>\n      -<\/span> name:<\/span> Extract<\/span> account<\/span> files<\/span> for<\/span> acme.sh<\/span>\n        shell:<\/span> bash<\/span>\n        run:<\/span> |<\/span>\n          echo \"$ACME_SH_ACCOUNT_TAR\" | base64 -d | tar -C ~\/.acme.sh -xz<\/span>\n        env:<\/span>\n          # Base64 \u7f16\u7801\u7684 acme.sh \u914d\u7f6e\u4fe1\u606f<\/span>\n          ACME_SH_ACCOUNT_TAR:<\/span> ${{<\/span> secrets.ACME_SH_ACCOUNT_TAR<\/span> }}<\/span>\n\n      # \u7533\u8bf7\u8bc1\u4e66<\/span>\n      -<\/span> name:<\/span> Issue<\/span> SSL<\/span> certificates<\/span>\n        shell:<\/span> bash<\/span>\n        run:<\/span> |<\/span>\n          ~\/.acme.sh\/acme.sh --issue            \\<\/span>\n            -d \"example.com\" -d \"*.example.com\" \\<\/span>\n            --dns dns_cf --server letsencrypt<\/span>\n\n      # \u5bfc\u51fa\u8bc1\u4e66<\/span>\n      -<\/span> name:<\/span> Copy<\/span> certificate<\/span> to<\/span> output<\/span> paths<\/span>\n        shell:<\/span> bash<\/span>\n        run:<\/span> |<\/span>\n          ACME_SH_TEMP_DIR=\"$(mktemp -d)\"<\/span>\n          ACME_SH_TEMP_FILE_FULLCHAIN=\"$ACME_SH_TEMP_DIR\/fullchain.pem\"<\/span>\n          ACME_SH_TEMP_FILE_KEY=\"$ACME_SH_TEMP_DIR\/key.pem\"<\/span>\n\n          # \u4e0d\u8981\u5fd8\u8bb0\u4fee\u6539\u8fd9\u91cc\u7684 -d \u53c2\u6570\u503c\u4e3a\u4e0a\u65b9\u7684\u7b2c\u4e00\u4e2a\u57df\u540d<\/span>\n          ~\/.acme.sh\/acme.sh<\/span> --install-cert<\/span> -d<\/span> \"example.com\"<\/span> --fullchain-file<\/span> \"$ACME_SH_TEMP_FILE_FULLCHAIN\"<\/span> --key-file<\/span> \"$ACME_SH_TEMP_FILE_KEY\"<\/span>\n\n          [[ -z<\/span> \"$ACME_SH_OUTPUT_FULLCHAIN\"<\/span> ]] ||<\/span> (mkdir<\/span> -p<\/span> \"$(dirname \"<\/span>$ACME_SH_OUTPUT_FULLCHAIN\")\"<\/span> &&<\/span> cp<\/span> \"$ACME_SH_TEMP_FILE_FULLCHAIN\"<\/span> \"$ACME_SH_OUTPUT_FULLCHAIN\"<\/span>)<\/span>\n          [[ -z<\/span> \"$ACME_SH_OUTPUT_KEY\"<\/span> ]] ||<\/span> (mkdir<\/span> -p<\/span> \"$(dirname \"<\/span>$ACME_SH_OUTPUT_KEY\")\"<\/span> &&<\/span> cp<\/span> \"$ACME_SH_TEMP_FILE_KEY\"<\/span> \"$ACME_SH_OUTPUT_KEY\"<\/span>)<\/span>\n\n          rm<\/span> -rf<\/span> \"$ACME_SH_TEMP_DIR\"<\/span>\n        env:<\/span>\n          ACME_SH_OUTPUT_FULLCHAIN:<\/span> ${{<\/span> env.CERTS_OUTPUT_BASE<\/span> }}\/${{<\/span> env.CERTS_OUTPUT_DIRECTORY<\/span> }}\/${{<\/span> env.FILE_FULLCHAIN<\/span> }}<\/span>\n          ACME_SH_OUTPUT_KEY:<\/span> ${{<\/span> env.CERTS_OUTPUT_BASE<\/span> }}\/${{<\/span> env.CERTS_OUTPUT_DIRECTORY<\/span> }}\/${{<\/span> env.FILE_KEY<\/span> }}<\/span>\n\n      # \u4e0a\u4f20\u8bc1\u4e66<\/span>\n      -<\/span> name:<\/span> Push<\/span> to<\/span> GitHub<\/span>\n        run:<\/span> |<\/span>\n          git config --global user.name \"BaoshuoBot\"<\/span>\n          git config --global user.email \"79077260+BaoshuoBot@users.noreply.github.com\"<\/span>\n\n          cd<\/span> \"$CERTS_DIRECTORY\"<\/span>\n\n          git<\/span> add<\/span> \"$FILE_FULLCHAIN\"<\/span> \"$FILE_KEY\"<\/span>\n          git<\/span> commit<\/span> -m<\/span> \"Upload certificates on $(date '+%Y-%m-%d %H:%M:%S')\"<\/span>\n          git<\/span> push<\/span>\n        env:<\/span>\n          TZ:<\/span> Asia\/Shanghai<\/span>\n          CERTS_DIRECTORY:<\/span> ${{<\/span> env.CERTS_OUTPUT_BASE<\/span> }}\/${{<\/span> env.CERTS_OUTPUT_DIRECTORY<\/span> }}<\/span>\n\n  # \u90e8\u7f72\u8bc1\u4e66\u5230\u670d\u52a1\u5668<\/span>\n  deploy-to-server:<\/span>\n    name:<\/span> Deploy<\/span> Certificate<\/span> to<\/span> Server<\/span>\n    runs-on:<\/span> ubuntu-latest<\/span>\n    needs:<\/span> issue-ssl-certificate<\/span>\n\n    strategy:<\/span>\n      matrix:<\/span>\n        host:<\/span>\n          -<\/span> 174.136<\/span>.239<\/span>.1<\/span> # Server 1<\/span>\n          -<\/span> 174.136<\/span>.239<\/span>.2<\/span> # Server 2<\/span>\n          # ...<\/span>\n          -<\/span> 174.136<\/span>.239<\/span>.254<\/span> # Server N<\/span>\n\n    steps:<\/span>\n      -<\/span> name:<\/span> Checkout<\/span>\n        uses:<\/span> actions\/checkout@v2<\/span>\n        with:<\/span>\n          ref:<\/span> certs<\/span>\n\n      # \u4e0a\u4f20\u8bc1\u4e66<\/span>\n      -<\/span> name:<\/span> Upload<\/span> certificate<\/span> to<\/span> server<\/span>\n        uses:<\/span> easingthemes\/ssh-deploy@v2.1.5<\/span>\n        env:<\/span>\n          SSH_PRIVATE_KEY:<\/span> ${{<\/span> secrets.SSH_PRIVATE_KEY<\/span> }}<\/span>\n          ARGS:<\/span> '-avz --delete'<\/span>\n          REMOTE_HOST:<\/span> ${{<\/span> matrix.host<\/span> }}<\/span>\n          REMOTE_USER:<\/span> ${{<\/span> secrets.REMOTE_USER<\/span> }}<\/span>\n          SOURCE:<\/span> ${{<\/span> env.CERTS_OUTPUT_DIRECTORY<\/span> }}\/<\/span>\n          TARGET:<\/span> \/path\/to\/ssl\/certs\/${{<\/span> env.CERTS_OUTPUT_DIRECTORY<\/span> }}\/<\/span>\n\n      # \u91cd\u8f7d Nginx<\/span>\n      -<\/span> name:<\/span> Force-reload<\/span> nginx<\/span>\n        uses:<\/span> appleboy\/ssh-action@v0.1.4<\/span>\n        with:<\/span>\n          host:<\/span> ${{<\/span> matrix.host<\/span> }}<\/span>\n          username:<\/span> ${{<\/span> secrets.REMOTE_USER<\/span> }}<\/span>\n          key:<\/span> ${{<\/span> secrets.SSH_PRIVATE_KEY<\/span> }}<\/span>\n          script:<\/span> |<\/span>\n            sudo<\/span> \/opt\/hooks\/reload-nginx.sh<\/span><\/code><\/pre>\n
          \u6742\u9879<\/h2>\n
          \u90e8\u5206\u60c5\u51b5\u4e0b\uff0cGitHub Actions \u4e2d\u7684\u00a0GITHUB_TOKEN<\/code>\u00a0\u53ea\u6709 Read repository contents permission\uff0c\u800c\u672c\u6587\u4e2d\u7684 Actions \u8981\u6c42\u8fd9\u4e2a Token \u5177\u6709 Read and write permissions\uff0c\u90a3\u4e48\u9700\u8981\u5728\u4ed3\u5e93\u7684 Settings > Actions > General \u9875\u9762\u7684\u5e95\u90e8\u8d4b\u4e88\u5176\u5199\u5165\u6743\u9650\uff0c\u5982\u56fe\u6240\u793a\uff1a<\/p>\n
          \"WA5tTau3mnBLIqZ\"<\/p>\n
          \u8bbe\u7f6e\u597d\u540e\u70b9\u51fb Save \u6309\u94ae\u5373\u53ef\u3002<\/p>\n
            \n
          1. <\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"
            \u5bf9\u4e8e\u4e00\u4e2a\u6709\u5f88\u591a\u670d\u52a1\u5668\u7684\u4eba\u6765\u8bf4\uff0c\u5728\u4e0d\u540c\u670d\u52a1\u5668\u4e0a\u540c\u6b65 SSL \u8bc1\u4e66\u662f\u4e00\u4ef6\u9ebb\u70e6\u4e8b\u3002\u7b14\u8005\u5c1d\u8bd5\u8fc7\u5f88\u591a\u79cd\u65b9\u5f0f\uff0c\u6700\u540e\u5728\u00a0Me […]<\/p>\n","protected":false},"author":2,"featured_media":1069,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"image","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-1068","post","type-post","status-publish","format-image","has-post-thumbnail","hentry","category-lab","post_format-post-format-image"],"_links":{"self":[{"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/posts\/1068","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/comments?post=1068"}],"version-history":[{"count":0,"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/posts\/1068\/revisions"}],"wp:attachment":[{"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/media?parent=1068"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/categories?post=1068"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/tags?post=1068"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
    \u5982\u679c\u9700\u8981\u9ad8\u5ea6\u81ea\u5b9a\u4e49\u00a0acme.sh<\/a>\u00a0\u7684\u53c2\u6570\uff0c\u6bd4\u5982\u4e3a\u4e0d\u540c\u7684\u57df\u540d\u8bbe\u7f6e\u4e0d\u540c\u7684 DNS \u63d0\u4f9b\u5546\uff0c\u53ef\u4ee5\u4f7f\u7528\u4e0b\u9762\u7684\u65b9\u5f0f\u624b\u52a8\u7f16\u5199\u547d\u4ee4\u6765\u6267\u884c\uff1a<\/p>\n