#!/bin/bash
# Trojan + Let's Encrypt 自动配置脚本
# 用途：为 Trojan 配置真实域名和 Let's Encrypt SSL 证书
# 适用于：Ubuntu 22.04+
# 前置条件：已配置 DNS A 记录指向服务器 IP

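set -euo pipefail

# Positional arguments:
#   $1 - domain to issue the certificate for (default kept from the original)
#   $2 - ACME contact e-mail (optional; defaults to admin@<domain>, as before)
DOMAIN="${1:-hot13399.com}"
EMAIL="${2:-admin@$DOMAIN}"
TROJAN_CONFIG="/usr/local/etc/trojan/config.json"
CERT_DIR="/etc/letsencrypt/live/$DOMAIN"
BACKUP_DIR="/etc/trojan-cert-backup"
readonly TROJAN_CONFIG CERT_DIR BACKUP_DIR

# DOMAIN is handed to dig, certbot and openssl as an argument; accept only a
# plain hostname so a crafted value cannot be parsed as an option (leading
# '-') or escape the quoting below.
if [[ ! "$DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$ ]]; then
    echo "❌ 域名格式无效: $DOMAIN" >&2
    exit 1
fi

# Trojan is stopped later to free port 443. The original only restarted it
# when certbot failed; under set -e any other failure left it stopped. This
# EXIT trap restores the service on every non-zero exit once we stopped it.
TROJAN_STOPPED=0
restore_trojan_on_error() {
    local rc=$?
    if (( rc != 0 && TROJAN_STOPPED == 1 )); then
        echo "   脚本中止，正在恢复 Trojan 服务..." >&2
        sudo systemctl start trojan || true
    fi
}
trap restore_trojan_on_error EXIT

echo "=== Trojan + Let's Encrypt 配置脚本 ==="
echo "域名: $DOMAIN"
echo ""

# 1. Check DNS resolution against the server's public address
echo "1. 检查 DNS 解析..."
if ! command -v dig >/dev/null 2>&1; then
    # Without this check a missing dig looked like "DNS not resolving".
    echo "   ❌ 未找到 dig，请先安装: sudo apt install -y dnsutils" >&2
    exit 1
fi

# Fetched once over HTTPS with a timeout (the original fetched it twice over
# plain HTTP). The response is external input: accept only a dotted quad.
SERVER_IP=$(curl -fsS --max-time 10 https://ifconfig.me 2>/dev/null || true)
if [[ ! "$SERVER_IP" =~ ^[0-9]+(\.[0-9]+){3}$ ]]; then
    echo "   ❌ 无法获取服务器公网 IP" >&2
    exit 1
fi

# Keep only A records: for a CNAME, 'dig +short' prints the target name
# first and the original 'head -1' would have compared that to an IP.
DNS_IP=$(dig +short A "$DOMAIN" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -1 || true)
if [[ -z "$DNS_IP" ]]; then
    echo "   ❌ DNS 未解析，请先配置 DNS A 记录"
    echo "   确保配置：$DOMAIN → $SERVER_IP"
    exit 1
fi

echo "   DNS 解析 IP: $DNS_IP"
echo "   服务器 IP: $SERVER_IP"

if [[ "$DNS_IP" != "$SERVER_IP" ]]; then
    echo "   ⚠️  DNS IP 与服务器 IP 不匹配"
    echo "   请检查 DNS 配置"
    exit 1
fi

echo "   ✅ DNS 解析正确"
echo ""

# 2. Back up the existing (self-signed) certificate and key
echo "2. 备份现有证书..."
# The backup holds a private key: keep the directory root-only and install
# the copies with mode 600 instead of whatever the umask gives 'cp'.
sudo mkdir -p "$BACKUP_DIR"
sudo chmod 700 "$BACKUP_DIR"
if [[ -f /etc/trojan-cert/trojan.crt ]]; then
    sudo install -m 600 -- /etc/trojan-cert/trojan.crt "$BACKUP_DIR/trojan.crt.backup"
    sudo install -m 600 -- /etc/trojan-cert/trojan.key "$BACKUP_DIR/trojan.key.backup"
    echo "   ✅ 备份完成"
fi
echo ""

# 3. Install Certbot if it is not present
echo "3. 检查 Certbot..."
if ! command -v certbot >/dev/null 2>&1; then
    echo "   安装 Certbot..."
    sudo apt update -qq
    sudo apt install -y certbot
fi
echo "   ✅ Certbot 已就绪"
echo ""

# 4. Request the certificate
echo "4. 申请 Let's Encrypt 证书..."
echo "   域名: $DOMAIN"
echo "   使用 standalone 模式..."

# Stop Trojan temporarily so standalone mode can bind port 443.
if systemctl is-active --quiet trojan; then
    echo "   临时停止 Trojan 服务..."
    sudo systemctl stop trojan
    TROJAN_STOPPED=1
fi

# Free port 80 for the HTTP-01 challenge.
if sudo ss -tln | grep -qE ':80\s'; then
    echo "   ⚠️  端口 80 被占用，尝试释放..."
    # Stop WireGuard if it is up (the deployment runs it on port 80).
    if ip link show wg0 >/dev/null 2>&1; then
        sudo wg-quick down wg0 2>/dev/null || true
    fi
    # Stop any ad-hoc HTTP server.
    sudo pkill -f "python3 -m http.server" || true
    sleep 2
fi

# With set -e the original 'if [ $? -eq 0 ]' after certbot was unreachable
# on failure; test the command directly instead.
if sudo certbot certonly --standalone \
        -d "$DOMAIN" \
        --non-interactive --agree-tos \
        --email "$EMAIL" \
        --preferred-challenges http; then
    echo "   ✅ 证书申请成功"
    echo "   有效期: 90 天"
else
    echo "   ❌ 证书申请失败"
    # The EXIT trap restarts Trojan.
    exit 1
fi
echo ""

# 5. Point the Trojan config at the new certificate
echo "5. 更新 Trojan 配置..."
# The config contains the proxy passwords: install the backup with mode 600
# rather than the umask default 'cp' would apply.
CONFIG_BACKUP="$TROJAN_CONFIG.backup_$(date +%Y%m%d_%H%M%S)"
sudo install -m 600 -- "$TROJAN_CONFIG" "$CONFIG_BACKUP"

# Paths are passed to Python as argv and the heredoc is quoted, so $DOMAIN
# is never interpolated into Python source. Runs under sudo because the
# rest of the script treats the config file as root-only.
sudo python3 - "$TROJAN_CONFIG" "$CERT_DIR/fullchain.pem" "$CERT_DIR/privkey.pem" <<'EOF'
import json
import sys

config_path, cert_path, key_path = sys.argv[1:4]

with open(config_path, 'r') as f:
    config = json.load(f)

config.setdefault('ssl', {})
config['ssl']['cert'] = cert_path
config['ssl']['key'] = key_path
config['ssl']['verify_hostname'] = True

with open(config_path, 'w') as f:
    json.dump(config, f, indent=4)

print(f"✅ 配置已更新")
print(f"   证书: {cert_path}")
print(f"   私钥: {key_path}")
EOF

# Modes are unchanged from the original. NOTE(review): if the trojan service
# runs as a non-root user, a 600 root-owned privkey.pem is unreadable to it —
# confirm the service user before relying on this.
sudo chmod 644 "$CERT_DIR/fullchain.pem"
sudo chmod 600 "$CERT_DIR/privkey.pem"
echo "   ✅ 权限设置完成"
echo ""

# 6. Start Trojan again
echo "6. 重启 Trojan 服务..."
sudo systemctl daemon-reload
sudo systemctl start trojan
TROJAN_STOPPED=0
sleep 3

if sudo systemctl is-active --quiet trojan; then
    echo "   ✅ Trojan 重启成功"
else
    echo "   ❌ Trojan 重启失败"
    sudo journalctl -u trojan -n 50 --no-pager
    exit 1
fi
echo ""

# 7. Verify the certificate
echo "7. 验证 SSL 证书..."
# The original sed expression was unterminated and made sed fail here.
EXPIRY=$(sudo openssl x509 -in "$CERT_DIR/fullchain.pem" -noout -enddate | sed 's/^notAfter=//')
echo "   有效期至: $EXPIRY"

# Best-effort display only: timeout (124) or grep with no match (1) must not
# abort the script under pipefail, hence the trailing '|| true'.
echo "   测试 TLS 握手..."
timeout 3 openssl s_client -connect 127.0.0.1:443 -servername "$DOMAIN" </dev/null 2>/dev/null \
    | grep -E "Verify return code|Protocol|Cipher" | head -3 || true
echo ""

# 8. Schedule automatic renewal
echo "8. 配置证书自动续期..."
# 'certbot renew' needs root, so the job goes into root's crontab (the
# original wrote the invoking user's crontab, where it could not run).
# NOTE(review): the packaged certbot may already ship a systemd timer; if it
# does, this job duplicates the renewal but is what carries the reload hook.
CRON_LINE="0 3 * * * certbot renew --quiet --post-hook 'systemctl reload trojan'"
if ! sudo crontab -l 2>/dev/null | grep -q "certbot renew"; then
    { sudo crontab -l 2>/dev/null || true; echo "$CRON_LINE"; } | sudo crontab -
    echo "   ✅ 自动续期已配置 (每天 3:00 AM 检查)"
else
    echo "   ℹ️  自动续期已配置"
fi
echo ""

# 9. Bring WireGuard back if it was taken down for the challenge
echo "9. 恢复 WireGuard 服务..."
if ! ip link show wg0 >/dev/null 2>&1; then
    if [[ -f /etc/wireguard/wg0.conf ]]; then
        echo "   重启 WireGuard (端口 80，作为备用)"
        sudo wg-quick up wg0
        echo "   ✅ WireGuard 已启动"
    fi
fi
echo ""

# 10. Client configuration hints
echo "10. 生成客户端配置模板..."
# Displayed only; this value is NOT written to the Trojan config.
NEW_PASSWORD=$(openssl rand -base64 32)
echo "   新密码（如需添加设备）: $NEW_PASSWORD"
echo ""

# Summary
echo "=== 配置完成 ==="
echo ""
echo "📡 新的连接信息："
echo "   服务器地址: $DOMAIN"
echo "   端口: 443"
# The original single-line grep no longer matches after the indent=4 rewrite
# above (the password array now spans several lines); read the JSON instead.
# This prints a secret to the terminal, as the original did — do not tee this
# script's output into shared logs.
CURRENT_PASSWORD=$(sudo python3 -c 'import json, sys; c = json.load(open(sys.argv[1])); p = c.get("password", []); print(p[0] if p else "")' "$TROJAN_CONFIG")
echo "   密码: $CURRENT_PASSWORD"
echo "   SNI: $DOMAIN"
echo "   证书验证: ✅ 启用（不需要跳过）"
echo ""
echo "📱 客户端配置变化："
echo "   ❌ 不再需要 'skip-cert-verify: true'"
echo "   ✅ 'verify: true'（默认）"
echo "   ✅ 'verify_hostname: true'（默认）"
echo ""
echo "🔧 服务管理："
echo "   检查状态: sudo systemctl status trojan"
echo "   查看日志: sudo journalctl -u trojan -f"
echo "   续期证书: sudo certbot renew"
echo ""
echo "✅ 配置成功！现在可以使用真实域名连接了！"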
