3

我正在尝试在我的本地系统中设置 ssl。我正在使用带有sails js应用程序的Windows机器。

这是我所做的配置。

/**
 * Production environment settings
 * (sails.config.*)
 *
 * What you see below is a quick outline of the built-in settings you need
 * to configure your Sails app for production.  The configuration in this file
 * is only used in your production environment, i.e. when you lift your app using:
 *
 * ```
 * NODE_ENV=production node app
 * ```
 *
 * > If you're using git as a version control solution for your Sails app,
 * > this file WILL BE COMMITTED to your repository by default, unless you add
 * > it to your .gitignore file.  If your repository will be publicly viewable,
 * > don't add private/sensitive data (like API secrets / db passwords) to this file!
 *
 * For more best practices and tips, see:
 * https://sailsjs.com/docs/concepts/deployment
 */
// returns an instance of greenlock.js with additional helper methods
const glx = require('greenlock-express').create({
  server: 'https://acme-staging-v02.api.letsencrypt.org/directory',
  version: 'draft-12', // Let's Encrypt v2 (ACME v2)
  telemetry: true,
  configDir: 'D:\\cert\\localhost',
  email: 'xuz@gmail.com',
  agreeTos: true,
  servername: 'localhost.com',
  domains: ['localhost', 'www.localhost'],
  debug: true
});

// handles acme-challenge and redirects to https
// require('http')
//   .createServer(glx.middleware(require('redirect-https')()))
//   .listen(80, function() {
//     console.log('Listening for ACME http-01 challenges on', this.address());
//   });

module.exports = {
  /**************************************************************************
   *                                                                         *
   * Tell Sails what database(s) it should use in production.                *
   *                                                                         *
   * (https://sailsjs.com/config/datastores)                                 *
   *                                                                         *
   **************************************************************************/
  datastores: {
    /***************************************************************************
     *                                                                          *
     * Configure your default production database.                              *
     *                                                                          *
     * 1. Choose an adapter:                                                    *
     *    https://sailsjs.com/plugins/databases                                 *
     *                                                                          *
     * 2. Install it as a dependency of your Sails app.                         *
     *    (For example:  npm install sails-mysql --save)                        *
     *                                                                          *
     * 3. Then set it here (`adapter`), along with a connection URL (`url`)     *
     *    and any other, adapter-specific customizations.                       *
     *    (See https://sailsjs.com/config/datastores for help.)                 *
     *                                                                          *
     ***************************************************************************/
    default: {
      adapter: 'sails-mysql',
      url: 'mysql://root:gs8jh3kj3w48xudf@35.197.96.87:3306/fulfil_db'

      // adapter: 'sails-mysql',
      // url: 'mysql://user:password@host:port/database',
      //--------------------------------------------------------------------------
      //  /\   To avoid checking it in to version control, you might opt to set
      //  ||   sensitive credentials like `url` using an environment variable.
      //
      //  For example:
      //  ```
      //  sails_datastores__default__url=mysql://admin:myc00lpAssw2D@db.example.com:3306/my_prod_db
      //  ```
      //--------------------------------------------------------------------------

      /****************************************************************************
       *                                                                           *
       * More adapter-specific options                                             *
       *                                                                           *
       * > For example, for some hosted PostgreSQL providers (like Heroku), the    *
       * > extra `ssl: true` option is mandatory and must be provided.             *
       *                                                                           *
       * More info:                                                                *
       * https://sailsjs.com/config/datastores                                     *
       *                                                                           *
       ****************************************************************************/
      // ssl: true,
    }
  },

  models: {
    /***************************************************************************
     *                                                                          *
     * To help avoid accidents, Sails automatically sets the automigration      *
     * strategy to "safe" when your app lifts in production mode.               *
     * (This is just here as a reminder.)                                       *
     *                                                                          *
     * More info:                                                               *
     * https://sailsjs.com/docs/concepts/models-and-orm/model-settings#?migrate *
     *                                                                          *
     ***************************************************************************/
    migrate: 'safe'

    /***************************************************************************
     *                                                                          *
     * If, in production, this app has access to physical-layer CASCADE         *
     * constraints (e.g. PostgreSQL or MySQL), then set those up in the         *
     * database and uncomment this to disable Waterline's `cascadeOnDestroy`    *
     * polyfill.  (Otherwise, if you are using a databse like Mongo, you might  *
     * choose to keep this enabled.)                                            *
     *                                                                          *
     ***************************************************************************/
    // cascadeOnDestroy: false,
  },

  /**************************************************************************
   *                                                                         *
   * Always disable "shortcut" blueprint routes.                             *
   *                                                                         *
   * > You'll also want to disable any other blueprint routes if you are not *
   * > actually using them (e.g. "actions" and "rest") -- but you can do     *
   * > that in `config/blueprints.js`, since you'll want to disable them in  *
   * > all environments (not just in production.)                            *
   *                                                                         *
   ***************************************************************************/
  blueprints: {
    shortcuts: false
  },

  /***************************************************************************
   *                                                                          *
   * Configure your security settings for production.                         *
   *                                                                          *
   * IMPORTANT:                                                               *
   * If web browsers will be communicating with your app, be sure that        *
   * you have CSRF protection enabled.  To do that, set `csrf: true` over     *
   * in the `config/security.js` file (not here), so that CSRF app can be     *
   * tested with CSRF protection turned on in development mode too.           *
   *                                                                          *
   ***************************************************************************/
  security: {
    /***************************************************************************
     *                                                                          *
     * If this app has CORS enabled (see `config/security.js`) with the         *
     * `allowCredentials` setting enabled, then you should uncomment the        *
     * `allowOrigins` whitelist below.  This sets which "origins" are allowed   *
     * to send cross-domain (CORS) requests to your Sails app.                  *
     *                                                                          *
     * > Replace "https://example.com" with the URL of your production server.  *
     * > Be sure to use the right protocol!  ("http://" vs. "https://")         *
     *                                                                          *
     ***************************************************************************/
    cors: {
      allRoutes: true,
      allowOrigins: '*',
      allowCredentials: false
    }
  },

  /***************************************************************************
   *                                                                          *
   * Configure how your app handles sessions in production.                   *
   *                                                                          *
   * (https://sailsjs.com/config/session)                                     *
   *                                                                          *
   * > If you have disabled the "session" hook, then you can safely remove    *
   * > this section from your `config/env/production.js` file.                *
   *                                                                          *
   ***************************************************************************/
  session: {
    /***************************************************************************
     *                                                                          *
     * Production session store configuration.                                  *
     *                                                                          *
     * Uncomment the following lines to finish setting up a package called      *
     * "@sailshq/connect-redis" that will use Redis to handle session data.     *
     * This makes your app more scalable by allowing you to share sessions      *
     * across a cluster of multiple Sails/Node.js servers and/or processes.     *
     *                   *
     *                                                                          *
     * > While @sailshq/connect-redis is a popular choice for Sails apps, many  *
     * > other compatible packages (like "connect-mongo") are available on NPM. *
     * > (For a full list, see https://sailsjs.com/plugins/sessions)            *
     *                                                                          *
     ***************************************************************************/
    // adapter: '@sailshq/connect-redis',
    // url: 'redis://user:password@localhost:6379/databasenumber',
    //--------------------------------------------------------------------------
    // /\   OR, to avoid checking it in to version control, you might opt to
    // ||   set sensitive credentials like this using an environment variable.
    //
    // For example:
    // ```
    // sails_session__url=redis://admin:myc00lpAssw2D@bigsquid.redistogo.com:9562/0
    // ```
    //
    //--------------------------------------------------------------------------

    /***************************************************************************
     *                                                                          *
     * Production configuration for the session ID cookie.                      *
     *                                                                          *
     * Tell browsers (or other user agents) to ensure that session ID cookies   *
     * are always transmitted via HTTPS, and that they expire 24 hours after    *
     * they are set.                                                            *
     *                                                                          *
     * Note that with `secure: true` set, session cookies will _not_ be         *
     * transmitted over unsecured (HTTP) connections. Also, for apps behind     *
     * proxies (like Heroku), the `trustProxy` setting under `http` must be     *
     * configured in order for `secure: true` to work.                          *
     *                                                                          *
     * > While you might want to increase or decrease the `maxAge` or provide   *
     * > other options, you should always set `secure: true` in production      *
     * > if the app is being served over HTTPS.                                 *
     *                                                                          *
     * Read more:                                                               *
     * https://sailsjs.com/config/session#?the-session-id-cookie                *
     *                                                                          *
     ***************************************************************************/
    cookie: {
      // secure: true,
      maxAge: 24 * 60 * 60 * 1000 // 24 hours
    }
  },

  /**************************************************************************
   *                                                                          *
   * Set up Socket.io for your production environment.                        *
   *                                                                          *
   * (https://sailsjs.com/config/sockets)                                     *
   *                                                                          *
   * > If you have disabled the "sockets" hook, then you can safely remove    *
   * > this section from your `config/env/production.js` file.                *
   *                                                                          *
   ***************************************************************************/
  sockets: {
    onlyAllowOrigins: []
    /***************************************************************************
     *                                                                          *
     * Uncomment the `onlyAllowOrigins` whitelist below to configure which      *
     * "origins" are allowed to open socket connections to your Sails app.      *
     *                                                                          *
     * > Replace "https://example.com" etc. with the URL(s) of your app.        *
     * > Be sure to use the right protocol!  ("http://" vs. "https://")         *
     *                                                                          *
     ***************************************************************************/
    // onlyAllowOrigins: [
    //   'https://example.com',
    //   'https://staging.example.com',
    // ],

    /***************************************************************************
     *                                                                          *
     * If you are deploying a cluster of multiple servers and/or processes,     *
     * then uncomment the following lines.  This tells Socket.io about a Redis  *
     * server it can use to help it deliver broadcasted socket messages.        *
     *                                                                          *
     * > Be sure a compatible version of @sailshq/socket.io-redis is installed! *
     * > (See https://sailsjs.com/config/sockets for the latest version info)   *
     *                                                                          *
     * (https://sailsjs.com/docs/concepts/deployment/scaling)                   *
     *                                                                          *
     ***************************************************************************/
    // adapter: '@sailshq/socket.io-redis',
    // url: 'redis://user:password@bigsquid.redistogo.com:9562/databasenumber',
    //--------------------------------------------------------------------------
    // /\   OR, to avoid checking it in to version control, you might opt to
    // ||   set sensitive credentials like this using an environment variable.
    //
    // For example:
    // ```
    // sails_sockets__url=redis://admin:myc00lpAssw2D@bigsquid.redistogo.com:9562/0
    // ```
    //--------------------------------------------------------------------------
  },

  /**************************************************************************
   *                                                                         *
   * Set the production log level.                                           *
   *                                                                         *
   * (https://sailsjs.com/config/log)                                        *
   *                                                                         *
   ***************************************************************************/
  log: {
    level: 'debug'
  },

  http: {
    serverOptions: glx.httpsOptions,
    /***************************************************************************
     *                                                                          *
     * The number of milliseconds to cache static assets in production.         *
     * (the "max-age" to include in the "Cache-Control" response header)        *
     *                                                                          *
     ***************************************************************************/
    cache: 365.25 * 24 * 60 * 60 * 1000 // One year

    /***************************************************************************
     *                                                                          *
     * Proxy settings                                                           *
     *                                                                          *
     * If your app will be deployed behind a proxy/load balancer - for example, *
     * on a PaaS like Heroku - then uncomment the `trustProxy` setting below.   *
     * This tells Sails/Express how to interpret X-Forwarded headers.           *
     *                                                                          *
     * This setting is especially important if you are using secure cookies     *
     * (see the `cookies: secure` setting under `session` above) or if your app *
     * relies on knowing the original IP address that a request came from.      *
     *                                                                          *
     * (https://sailsjs.com/config/http)                                        *
     *                                                                          *
     ***************************************************************************/
    // trustProxy: true,
  },

  /**************************************************************************
   *                                                                         *
   * Lift the server on port 80.                                             *
   * (if deploying behind a proxy, or to a PaaS like Heroku or Deis, you     *
   * probably don't need to set a port here, because it is oftentimes        *
   * handled for you automatically.  If you are not sure if you need to set  *
   * this, just try deploying without setting it and see if it works.)       *
   *                                                                         *
   ***************************************************************************/
  host: '127.0.0.1',
  port: 443,
  ssl: true,

  /**************************************************************************
   *                                                                         *
   * Configure an SSL certificate                                            *
   *                                                                         *
   * For the safety of your users' data, you should use SSL in production.   *
   * ...But in many cases, you may not actually want to set it up _here_.    *
   *                                                                         *
   * Normally, this setting is only relevant when running a single-process   *
   * deployment, with no proxy/load balancer in the mix.  But if, on the     *
   * other hand, you are using a PaaS like Heroku, you'll want to set up     *
   * SSL in your load balancer settings (usually somewhere in your hosting   *
   * provider's dashboard-- not here.)                                       *
   *                                                                         *
   * > For more information about configuring SSL in Sails, see:             *
   * > https://sailsjs.com/config/*#?sailsconfigssl                          *
   *                                                                         *
   **************************************************************************/
  // ssl: undefined,

  lifejacket: {
    // Disabled by default. (e.g. for local dev)
    // So you'll want to override this in your config/env/production.js file,
    // setting it to `true`.
    ensureHttps: true

    // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    // If you don't already have the conventional `sails.config.custom.baseUrl` set,
    // then uncomment the following `host` config.  This must be set manually if `ensureHttps`
    // is enabled.
    // > Should be provided as a string, like `foo.example.com`.
    // host: 'mysweetsite.com',
    // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  }
};

当我在命令下方启动时,它会显示这样的图像,在此处输入图像描述 但是当我在浏览器https://localhost中运行此应用程序时,它会显示错误。

错误:

[gl/index.js] gl.getCertificates called for localhost with certs for NONE
[gl/index.js] gl.approveDomains called with certs for NONE and options:
[gl/index.js] { domain: 'localhost',
  domains: [ 'localhost' ],
  certs: null,
  certificate: {},
  account: {},
  wildname: '*.' }
[gl/index.js] gl getting from disk or registering new
[le-store-certbot]
[le-store-certbot]
[greenlock/lib/core.js] checkAsync failed to find certificates
[le-store-certbot] success reading arg.accountsDir
[le-store-certbot] regrs.length 1
[le-store-certbot] accountId: 7deec612c26a9f3163c582e4ea6a972d
[greenlock/lib/core.js] calling greenlock.acme.getCertificateAsync localhost [ 'localhost' ]
[acme-v2] DEBUG get cert 1
[acme-v2] accounts.create
[acme-v2] agreeToTerms
[acme-v2] accounts.create JSON body:
{ protected:
   'eyJub25jZSI6IjAwMDJOU2o2eXpYRlB6SWhMekRLT1lwc1R6bTdlcXhtMWVBMzBNdFJqZ3VFSlU4IiwiYWxnIjoiUlMyNTYiLCJ1cmwiOiJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1hY2N0IiwiandrIjp7Imt0eSI6IlJTQSIsIm4iOiJ4ZXB4b2RyempSdi1nUERpaUg3ZFhFQklYR3pvXy16bXkyNzNDeEN6TFRIUkx4ZFBpb29idXRtNzZHbkxpRzV4QzN0eHoyS1k2Tk1qSXNERWJRNk1mM1BCc3RLVnp1V01HLWxvZ0ducDZqOXFyVHVpSloyRk1VYkQwRVk2R3R6ZzRNQzVRNnJqM1BqUDIyOXNnQjJ3UWlGLWtNMzBHSU9KOE14T1c0RGhlMHRaQ1JpVHpnQmt0Qy1EUFRMUGdDMTRYR0RfTC10QVN6OW5SUlBGbDZNdGljWjkwQktNbG16OUFQalNiajBpclloV3VJVmNyN1l6SnhBakFod015OE9BRVFjbTJXbldjN3YyZXVPa2RZSkZpNEpEelM5cmppZWlSZTItR05kNmFpbHdhdzZVdkRnZVFFY2N3VllqblVJcUdGUlFMNE55RlZQVEZlT2lDT1FGelEiLCJlIjoiQVFBQiJ9fQ',
  payload:
   'eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6dHJ1ZSwib25seVJldHVybkV4aXN0aW5nIjpmYWxzZX0',
  signature:
   'niurbbdEwbyPPXdLEWw_Qi1iQSHQ2otsqZPUEUAZ4HN3BNDo2ugknJMQdvPEzMrsfyntxMyX6hqiM5sgYcbaPX5TErolPebmITXC3lqgBn8nZaMx2JInqD0s8OQM71l-N95PqAmbOpTykGPaEASwN95acm47gQdbjLu6nBsnF6sfzFghRDTVhk8xpGhUTqhKjQ7vIrH6QlpPVi8N5WTabfCQDWeaNCFjq6vKiCvbfjFPmLZn2junDwAe4utIpuP3FqZYMlCvXFCmr_o7qyyQZWxWWZbajHJO75HBkrqKx_fbI5ogj3wuLikddQmzDqPARV0F8coEaYqmQsfh24h43A' }
[DEBUG] new account location:
https://acme-staging-v02.api.letsencrypt.org/acme/acct/11074181
{ statusCode: 200,
  body:
   { key:
      { kty: 'RSA',
        n:
         'xepxodrzjRv-gPDiiH7dXEBIXGzo_-zmy273CxCzLTHRLxdPioobutm76GnLiG5xC3txz2KY6NMjIsDEbQ6Mf3PBstKVzuWMG-logGnp6j9qrTuiJZ2FMUbD0EY6Gtzg4MC5Q6rj3PjP229sgB2wQiF-kM30GIOJ8MxOW4Dhe0tZCRiTzgBktC-DPTLPgC14XGD_L-tASz9nRRPFl6MticZ90BKMlmz9APjSbj0irYhWuIVcr7YzJxAjAhwMy8OAEQcm2WnWc7v2euOkdYJFi4JDzS9rjieiRe2-GNd6ailwaw6UvDgeQEccwVYjnUIqGFRQL4NyFVPTFeOiCOQFzQ',
        e: 'AQAB' },
     contact: [ 'mailto:baj9032@gmail.com' ],
     initialIp: '103.238.110.39',
     createdAt: '2019-09-20T08:07:38Z',
     status: 'valid' },
  headers:
   { server: 'nginx',
     date: 'Fri, 20 Sep 2019 08:11:39 GMT',
     'content-type': 'application/json',
     'content-length': '551',
     connection: 'close',
     'cache-control': 'public, max-age=0, no-cache',
     link:
      '<https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"',
     location:
      'https://acme-staging-v02.api.letsencrypt.org/acme/acct/11074181',
     'replay-nonce': '00027sSdL_GbUp842Yw5P-69vfX0wI1vzkxBJGo6_9o6jwY',
     'x-frame-options': 'DENY',
     'strict-transport-security': 'max-age=604800' },
  request:
   { uri:
      Url {
        protocol: 'https:',
        slashes: true,
        auth: null,
        host: 'acme-staging-v02.api.letsencrypt.org',
        port: null,
        hostname: 'acme-staging-v02.api.letsencrypt.org',
        hash: null,
        search: null,
        query: null,
        pathname: '/acme/new-acct',
        path: '/acme/new-acct',
        href: 'https://acme-staging-v02.api.letsencrypt.org/acme/new-acct' },
     method: 'POST',
     headers:
      { 'Content-Type': 'application/jose+json',
        'Content-Length': 1155 } } }
[acme-v2] DEBUG get cert 1
[greenlock/lib/core.js] setChallenge called for 'localhost'

[DEBUG] waitChallengeDelay 500

[acme-v2] handled(?) rejection as errback:
Error: connect ECONNREFUSED 127.0.0.1:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1097:14)
Error loading/registering certificate for 'localhost':
{ Error: connect ECONNREFUSED 127.0.0.1:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1097:14)
  errno: 'ECONNREFUSED',
  code: 'ECONNREFUSED',
  syscall: 'connect',
  address: '127.0.0.1',
  port: 80 }
4

1 回答 1

2

localhost不允许使用主机名

您可以将 Greenlock 与 Let's Encrypt 与本地证书一起使用,但不能专门用于 hostname localhost

改用本地/私有域

相反,使用一个域,例如myapp.local.mydomain.com(可能具有 IP 地址 127.0.0.1)和 Let's Encrypt DNS 验证插件之一:

或者为您的 DNS 提供商编写一个插件:

泊坞窗

对于您的 CI/CD 环境,请务必使用 Let's Encrypt Staging URL

在生产中,请务必在已安装的卷上找到证书(并相应地设置 Greenlock 配置)。

如果您不这样做,您将达到Let's Encrypt 的证书生成速率限制,因为您每次启动临时 docker 实例时都会获得新证书(例如当您在云提供商的控制面板中更改环境变量时)。

于 2019-09-21T20:45:53.983 回答