{"id":1872,"date":"2025-11-15T18:00:25","date_gmt":"2025-11-15T15:00:25","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/acme-otomasyonunda-yedekli-ca-nasil-kurulur-acme-sh-ile-lets-encrypt-%e2%86%92-zerossl-fallback-oran-limitlerine-karsi-guvenli-olcekleme\/"},"modified":"2025-11-15T18:00:25","modified_gmt":"2025-11-15T15:00:25","slug":"acme-otomasyonunda-yedekli-ca-nasil-kurulur-acme-sh-ile-lets-encrypt-%e2%86%92-zerossl-fallback-oran-limitlerine-karsi-guvenli-olcekleme","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/acme-otomasyonunda-yedekli-ca-nasil-kurulur-acme-sh-ile-lets-encrypt-%e2%86%92-zerossl-fallback-oran-limitlerine-karsi-guvenli-olcekleme\/","title":{"rendered":"ACME Otomasyonunda Yedekli CA Nas\u0131l Kurulur? acme.sh ile Let\u2019s Encrypt \u2192 ZeroSSL Fallback, Oran Limitlerine Kar\u015f\u0131 G\u00fcvenli \u00d6l\u00e7ekleme"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">\u0130&ccedil;indekiler<\/p><ul class=\"toc_list\"><li><a href=\"#Kahvede_Baslayan_Telas_Lets_Encrypt_Tikandi_Sonra_Ne_Oldu\"><span class=\"toc_number toc_depth_1\">1<\/span> Kahvede Ba\u015flayan Tela\u015f: Let\u2019s Encrypt T\u0131kand\u0131, Sonra Ne Oldu?<\/a><\/li><li><a href=\"#ACMEyi_Kafada_Netlestirelim_Neden_Yedekli_CA\"><span class=\"toc_number toc_depth_1\">2<\/span> ACME\u2019yi Kafada Netle\u015ftirelim: Neden Yedekli CA?<\/a><\/li><li><a href=\"#acmesh_Temelleri_Hesap_Kayitlari_Anahtarlar_Dosya_Duzeni\"><span class=\"toc_number toc_depth_1\">3<\/span> acme.sh Temelleri: Hesap Kay\u0131tlar\u0131, Anahtarlar, Dosya D\u00fczeni<\/a><ul><li><a href=\"#Iki_CA_icin_iki_hesap_tek_duzende_hayat\"><span class=\"toc_number toc_depth_2\">3.1<\/span> \u0130ki CA i\u00e7in iki hesap, tek d\u00fczende hayat<\/a><\/li><li><a href=\"#Varsayilan_CAyi_secmek\"><span class=\"toc_number toc_depth_2\">3.2<\/span> Varsay\u0131lan CA\u2019y\u0131 
se\u00e7mek<\/a><\/li><\/ul><\/li><li><a href=\"#Sertifika_Alma_DNS-01_ile_Cok_Alan_Adi_Rakipsiz_Esneklik\"><span class=\"toc_number toc_depth_1\">4<\/span> Sertifika Alma: DNS-01 ile \u00c7ok Alan Ad\u0131, Rakipsiz Esneklik<\/a><ul><li><a href=\"#Webroot_mu_DNS-01_mi\"><span class=\"toc_number toc_depth_2\">4.1<\/span> Webroot mu, DNS-01 mi?<\/a><\/li><li><a href=\"#ECDSA_RSA_ikilisi\"><span class=\"toc_number toc_depth_2\">4.2<\/span> ECDSA + RSA ikilisi<\/a><\/li><\/ul><\/li><li><a href=\"#Asil_Numara_Lets_Encrypt_ZeroSSL_Otomatik_Fallback\"><span class=\"toc_number toc_depth_1\">5<\/span> As\u0131l Numara: Let\u2019s Encrypt \u2192 ZeroSSL Otomatik Fallback<\/a><ul><li><a href=\"#Neyi_tetik_sayacagiz\"><span class=\"toc_number toc_depth_2\">5.1<\/span> Neyi tetik sayaca\u011f\u0131z?<\/a><\/li><li><a href=\"#Basit_bir_wrapper_Once_Lets_Encrypt_olmazsa_ZeroSSL\"><span class=\"toc_number toc_depth_2\">5.2<\/span> Basit bir wrapper: \u00d6nce Let\u2019s Encrypt, olmazsa ZeroSSL<\/a><\/li><li><a href=\"#Staging_ile_prova\"><span class=\"toc_number toc_depth_2\">5.3<\/span> Staging ile prova<\/a><\/li><\/ul><\/li><li><a href=\"#Oran_Limitlerine_Sakin_Kalmak_Zaman_Dalga_ve_Jitter\"><span class=\"toc_number toc_depth_1\">6<\/span> Oran Limitlerine Sakin Kalmak: Zaman, Dalga ve Jitter<\/a><ul><li><a href=\"#Hepsi_ayni_dakikada_yenilenmesin\"><span class=\"toc_number toc_depth_2\">6.1<\/span> Hepsi ayn\u0131 dakikada yenilenmesin<\/a><\/li><li><a href=\"#SAN_ve_wildcard_ile_az_sayida_anlamli_sertifika\"><span class=\"toc_number toc_depth_2\">6.2<\/span> SAN ve wildcard ile \u201caz say\u0131da, anlaml\u0131 sertifika\u201d<\/a><\/li><\/ul><\/li><li><a href=\"#Dagitim_ve_Guvenlik_Dosya_Yollari_Yetkiler_Sirlarin_Saklanmasi\"><span class=\"toc_number toc_depth_1\">7<\/span> Da\u011f\u0131t\u0131m ve G\u00fcvenlik: Dosya Yollar\u0131, Yetkiler, S\u0131rlar\u0131n Saklanmas\u0131<\/a><ul><li><a href=\"#Dosya_duzenini_bastan_kur\"><span class=\"toc_number 
toc_depth_2\">7.1<\/span> Dosya d\u00fczenini ba\u015ftan kur<\/a><\/li><li><a href=\"#Ortam_degiskenleri_ve_sir_yonetimi\"><span class=\"toc_number toc_depth_2\">7.2<\/span> Ortam de\u011fi\u015fkenleri ve s\u0131r y\u00f6netimi<\/a><\/li><\/ul><\/li><li><a href=\"#Gozlemleme_Log_Metrik_ve_Kucuk_Alarmciklar\"><span class=\"toc_number toc_depth_1\">8<\/span> G\u00f6zlemleme: Log, Metrik ve K\u00fc\u00e7\u00fck Alarmc\u0131klar<\/a><ul><li><a href=\"#Gece_iyi_gecti_mi_sorusunun_cevabi\"><span class=\"toc_number toc_depth_2\">8.1<\/span> \u201cGece iyi ge\u00e7ti mi?\u201d sorusunun cevab\u0131<\/a><\/li><\/ul><\/li><li><a href=\"#Operasyonel_Ipuclari_Kucuk_Dokunuslar_Buyuk_Rahatlik\"><span class=\"toc_number toc_depth_1\">9<\/span> Operasyonel \u0130pu\u00e7lar\u0131: K\u00fc\u00e7\u00fck Dokunu\u015flar, B\u00fcy\u00fck Rahatl\u0131k<\/a><ul><li><a href=\"#Test_ortami_uretim_ortami_ve_hesap_ayrimi\"><span class=\"toc_number toc_depth_2\">9.1<\/span> Test ortam\u0131, \u00fcretim ortam\u0131 ve hesap ayr\u0131m\u0131<\/a><\/li><li><a href=\"#Retry_politikasi_ve_nezaket\"><span class=\"toc_number toc_depth_2\">9.2<\/span> Retry politikas\u0131 ve nezaket<\/a><\/li><li><a href=\"#Degisim_gunleri\"><span class=\"toc_number toc_depth_2\">9.3<\/span> De\u011fi\u015fim g\u00fcnleri<\/a><\/li><\/ul><\/li><li><a href=\"#Gercekci_Bir_Akis_Bastan_Sona_Mini_Senaryo\"><span class=\"toc_number toc_depth_1\">10<\/span> Ger\u00e7ek\u00e7i Bir Ak\u0131\u015f: Ba\u015ftan Sona Mini Senaryo<\/a><\/li><li><a href=\"#Kaynaklar_Kisa_Kisa_Dogru_Kapilar\"><span class=\"toc_number toc_depth_1\">11<\/span> Kaynaklar: K\u0131sa K\u0131sa, Do\u011fru Kap\u0131lar<\/a><\/li><li><a href=\"#Kapanis_Yedekli_CA_Sakin_Otomasyon_ve_Rahat_Bir_Gece_Uykusu\"><span class=\"toc_number toc_depth_1\">12<\/span> Kapan\u0131\u015f: Yedekli CA, Sakin Otomasyon ve Rahat Bir Gece Uykusu<\/a><\/li><\/ul><\/div>\n<h2 id=\"section-1\"><span id=\"Kahvede_Baslayan_Telas_Lets_Encrypt_Tikandi_Sonra_Ne_Oldu\">Kahvede 
Ba\u015flayan Tela\u015f: Let\u2019s Encrypt T\u0131kand\u0131, Sonra Ne Oldu?<\/span><\/h2>\n<p>Hi\u00e7 sabah kahveni al\u0131p g\u00fcne sakince ba\u015flamak isterken, monit\u00f6rde k\u0131rm\u0131z\u0131 bir uyar\u0131 g\u00f6z\u00fcn\u00fcze \u00e7arpmad\u0131 m\u0131? Benim ge\u00e7ti\u011fimiz hafta ba\u015f\u0131ma geldi. Gece \u00e7al\u0131\u015fan bir da\u011f\u0131t\u0131mda, onlarca alan ad\u0131n\u0131n sertifikas\u0131 planland\u0131\u011f\u0131 gibi yenilenecekti. Cron saatini bilin\u00e7li se\u00e7mi\u015fim, sistemde kilit dosyas\u0131 var, her \u015fey kitab\u0131na uygun. Derken birden loglar pe\u015f pe\u015fe f\u0131rlamaya ba\u015flad\u0131: 429 hatalar\u0131, s\u00fcre a\u015f\u0131m\u0131 uyar\u0131lar\u0131, \u201c\u00e7ok fazla istek\u201d imalar\u0131\u2026 K\u0131sacas\u0131 Let\u2019s Encrypt taraf\u0131nda bir s\u00fcr\u00fc k\u00fc\u00e7\u00fck ama moral bozan i\u015faret. O anda kafamda tek bir d\u00fc\u015f\u00fcnce d\u00f6n\u00fcp durdu: Ya \u015fu an m\u00fc\u015fterilerin bir k\u0131sm\u0131 sertifikas\u0131z kal\u0131rsa?<\/p>\n<p>O an anlad\u0131m ki as\u0131l mesele otomasyonun varl\u0131\u011f\u0131 de\u011fil, otomasyonun <strong>dayan\u0131kl\u0131l\u0131\u011f\u0131<\/strong>ym\u0131\u015f. Birincil Sertifika Otoritesi (CA) olarak Let\u2019s Encrypt harika; fakat y\u00fck anlar\u0131nda, altyap\u0131n\u0131z b\u00fcy\u00fcd\u00fck\u00e7e, baz\u0131 g\u00fcnler i\u015fler s\u0131k\u0131\u015fabiliyor. Tam da bu y\u00fczden, acme.sh ile ikinci bir CA\u2019y\u0131 cepte tutmak \u015fahane bir sigorta. Benim tercihim ZeroSSL oldu. Plan \u015f\u00f6yle: Birincil Let\u2019s Encrypt, t\u0131kan\u0131rsak, otomatik ve kibar bir ge\u00e7i\u015fle ZeroSSL. 
Bu yaz\u0131da o plan\u0131 ad\u0131m ad\u0131m, basit \u00f6rneklerle ve canl\u0131 deneyim tad\u0131nda anlataca\u011f\u0131m.<\/p>\n<p>Birlikte, acme.sh ile \u00e7ok alan ad\u0131n\u0131 ak\u0131ll\u0131ca y\u00f6neten, oran limitlerine sakin kalan, olas\u0131 kesintilerde panik yerine prosed\u00fcrle y\u00fcr\u00fcyen \u201cye-dek-li CA\u201d kurulumunu konu\u015faca\u011f\u0131z. Arada birka\u00e7 pratik script payla\u015faca\u011f\u0131m, k\u00fc\u00e7\u00fck tuzaklardan bahsedece\u011fim, sonunda da \u201ctamam, ben bunu yar\u0131n uygulayabilirim\u201d rahatl\u0131\u011f\u0131yla kapan\u0131\u015f yapaca\u011f\u0131z.<\/p>\n<h2 id=\"section-2\"><span id=\"ACMEyi_Kafada_Netlestirelim_Neden_Yedekli_CA\">ACME\u2019yi Kafada Netle\u015ftirelim: Neden Yedekli CA?<\/span><\/h2>\n<p>ACME dedi\u011fimiz \u015fey, sertifika al\u0131p yenilemeyi otomati\u011fe ba\u011flayan ak\u0131ll\u0131 bir anla\u015fma. \u0130stemci arac\u0131 (bizim i\u00e7in acme.sh) ile CA aras\u0131nda konu\u015fma ge\u00e7iyor, alan ad\u0131n\u0131n sana ait oldu\u011funu kan\u0131tl\u0131yorsun, CA da sana sertifika veriyor. Burada kritik olan, bu konu\u015fman\u0131n <strong>her zaman<\/strong> akmas\u0131. \u00c7\u00fcnk\u00fc trafik ak\u0131yor, kullan\u0131c\u0131lar beklemez. Bir de \u00fcretimde i\u015fler b\u00fcy\u00fcy\u00fcnce, tek bir hareketle bir s\u00fcr\u00fc alan ad\u0131na sertifika al\u0131yorsun; i\u015fte orada k\u00fc\u00e7\u00fck gecikmeler koca bir domino etkisine d\u00f6n\u00fc\u015febiliyor.<\/p>\n<p>Yedekli CA fikri \u015furadan do\u011fuyor: Birincil CA\u2019n\u0131n taraf\u0131nda yo\u011funluk olabilir, senin g\u00fcnl\u00fck s\u0131ran biraz uzayabilir, ya da sen ayn\u0131 anda \u00e7ok fazla sertifika talep ediyor olabilirsin. B\u00f6yle bir durumda \u201ctamam, o zaman ikinci CA\u2019dan alal\u0131m\u201d demek kadar rahatlat\u0131c\u0131 bir \u015fey olmuyor. 
Bu sadece i\u015f s\u00fcreklili\u011fi de\u011fil, ayn\u0131 zamanda <strong>\u00f6l\u00e7eklenebilirlik<\/strong> re\u00e7etesi. Mesela \u015f\u00f6yle d\u00fc\u015f\u00fcn\u00fcn: Bir pazar g\u00fcn\u00fc sosyal medya kampanyas\u0131 patlad\u0131, m\u00fc\u015fteriler yeni alt alan adlar\u0131n\u0131 panelden eklemeye ba\u015flad\u0131. Sistem otomatik sertifika veriyor. Derken bir yerde minik bir t\u0131kan\u0131kl\u0131k; e\u011fer yede\u011fin yoksa, k\u00fc\u00e7\u00fck bir uyar\u0131 bir anda b\u00fcy\u00fck bir yang\u0131na d\u00f6n\u00fc\u015febilir.<\/p>\n<p>Benim tecr\u00fcbemde, bunu \u00f6nlemek i\u00e7in at\u0131lacak ilk ad\u0131m, acme.sh\u2019yi iki CA\u2019y\u0131 da tan\u0131yacak \u015fekilde haz\u0131rlamak. Let\u2019s Encrypt birincil, ZeroSSL yedek. B\u00f6ylece normal g\u00fcnlerde bildi\u011fimiz d\u00fczen devam ediyor; ola\u011fan\u00fcst\u00fc g\u00fcnlerdeyse, arka planda zarif bir ge\u00e7i\u015fle bak\u0131m yapar gibi ilerliyoruz. Bunu kurarken en \u00e7ok sevdi\u011fim \u015fey, mimarinin sade kalmas\u0131. Ekstra karma\u015fa yok, yaln\u0131zca ihtiyatl\u0131 bir \u201cB plan\u0131\u201d.<\/p>\n<h2 id=\"section-3\"><span id=\"acmesh_Temelleri_Hesap_Kayitlari_Anahtarlar_Dosya_Duzeni\">acme.sh Temelleri: Hesap Kay\u0131tlar\u0131, Anahtarlar, Dosya D\u00fczeni<\/span><\/h2>\n<h3><span id=\"Iki_CA_icin_iki_hesap_tek_duzende_hayat\">\u0130ki CA i\u00e7in iki hesap, tek d\u00fczende hayat<\/span><\/h3>\n<p>\u00d6nce arac\u0131dan ba\u015flayal\u0131m. acme.sh hafif, ta\u015f gibi \u00e7al\u0131\u015fan bir komut sat\u0131r\u0131 arac\u0131. Kurulumdan sonra kendi dizininde hesap anahtarlar\u0131n\u0131, sertifikalar\u0131 ve loglar\u0131 sakl\u0131yor. En sevdi\u011fim taraf\u0131, farkl\u0131 CA\u2019larla rahat konu\u015fmas\u0131. Let\u2019s Encrypt i\u00e7in bir hesap kayd\u0131, ZeroSSL i\u00e7in de ayr\u0131 bir hesap kayd\u0131 a\u00e7\u0131yoruz. 
B\u00f6ylece her CA ile ileti\u015fimin kimli\u011fi, kullan\u0131m limitleri ve imza ak\u0131\u015f\u0131 tertemiz ayr\u0131\u015f\u0131yor.<\/p>\n<p>Let\u2019s Encrypt hesab\u0131n\u0131 a\u00e7mak i\u00e7in basit\u00e7e \u015f\u00f6yle bir komut yeterli:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">acme.sh --register-account -m ops@example.com --server letsencrypt<\/code><\/pre>\n<p>ZeroSSL\u2019nin k\u00fc\u00e7\u00fck bir fark\u0131 var: Hesap yarat\u0131rken EAB (External Account Binding) bilgisi veriyoruz. Bu bilgileri ZeroSSL panelinden veya API sayfalar\u0131ndan alabilirsiniz. Komut \u015fu \u015fekilde ilerliyor:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">export ZEROSSL_EAB_KID=&quot;&lt;EAB_KID&gt;&quot;\nexport ZEROSSL_EAB_HMAC_KEY=&quot;&lt;EAB_HMAC_KEY&gt;&quot;\nacme.sh --register-account \n  -m ops@example.com \n  --server zerossl \n  --eab-kid &quot;$ZEROSSL_EAB_KID&quot; \n  --eab-hmac-key &quot;$ZEROSSL_EAB_HMAC_KEY&quot;<\/code><\/pre>\n<p>Bu a\u015famada dikkat edilecek iki \u015fey var. Birincisi, e-posta adresi operasyonel bir adres olsun; bildirimler kaybolmas\u0131n. \u0130kincisi, EAB anahtarlar\u0131n\u0131 ortam de\u011fi\u015fkenlerinde tutun, loglara d\u00fc\u015fmesin. K\u00fc\u00e7\u00fck bir not: acme.sh ile isterseniz EAB de\u011ferlerini do\u011frudan parametrelerle de verebilirsiniz, fakat ortam de\u011fi\u015fkenleri hem okunakl\u0131 hem de g\u00fcvenli kal\u0131yor.<\/p>\n<h3><span id=\"Varsayilan_CAyi_secmek\">Varsay\u0131lan CA\u2019y\u0131 se\u00e7mek<\/span><\/h3>\n<p>acme.sh\u2019de varsay\u0131lan CA\u2019y\u0131 belirlemek gayet d\u00fcz. Ben genelde Let\u2019s Encrypt\u2019i varsay\u0131lan tutuyorum, \u00e7\u00fcnk\u00fc d\u00fczenli i\u015f ak\u0131\u015f\u0131nda onu kullanmak istiyorum. 
\u015e\u00f6yle i\u015fliyor:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">acme.sh --set-default-ca --server letsencrypt<\/code><\/pre>\n<p>Bu, \u201cher zamanki yol Let\u2019s Encrypt, ama dilersem komut baz\u0131nda ZeroSSL kullan\u0131r\u0131m\u201d anlam\u0131na geliyor. Birazdan fallback script\u2019inde de g\u00f6receksiniz; otomatik kararlar\u0131 k\u00fc\u00e7\u00fck kontrollerle tatt\u0131raca\u011f\u0131z.<\/p>\n<h2 id=\"section-4\"><span id=\"Sertifika_Alma_DNS-01_ile_Cok_Alan_Adi_Rakipsiz_Esneklik\">Sertifika Alma: DNS-01 ile \u00c7ok Alan Ad\u0131, Rakipsiz Esneklik<\/span><\/h2>\n<h3><span id=\"Webroot_mu_DNS-01_mi\">Webroot mu, DNS-01 mi?<\/span><\/h3>\n<p>Webroot y\u00f6ntemi ufak projelerde pratik, ancak \u00e7ok alan ad\u0131, \u00e7ok kirac\u0131l\u0131 SaaS ve k\u00fcme i\u00e7i servislerde DNS-01 d\u00fcnyan\u0131n en tatl\u0131 esnekli\u011fi. Tek bir do\u011frulama ile wildcard\u2019a uzan\u0131rs\u0131n\u0131z, arka u\u00e7 da\u011f\u0131tarak y\u00fck\u00fc payla\u015ft\u0131r\u0131rs\u0131n\u0131z, uygulama katman\u0131na mecbur kalmazs\u0131n\u0131z. Ben kalabal\u0131k ortamlarda API destekli DNS-01&#8217;i tercih ediyorum.<\/p>\n<p>acme.sh, pek \u00e7ok DNS sa\u011flay\u0131c\u0131s\u0131n\u0131n API\u2019sini do\u011frudan destekliyor. Uygun ortam de\u011fi\u015fkenlerini verip, sa\u011flay\u0131c\u0131y\u0131 se\u00e7ti\u011finizde, gerisini o hallediyor. \u00d6rne\u011fin bulut DNS\u2019lerden biri i\u00e7in \u015f\u00f6yle bir kal\u0131p d\u00fc\u015f\u00fcn\u00fcn:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">export CF_Token=&quot;&lt;TOKEN&gt;&quot;\nexport CF_Account_ID=&quot;&lt;ACCOUNT&gt;&quot;\nacme.sh --issue -d example.com -d &quot;*.example.com&quot; \n  --dns dns_cf \n  --server letsencrypt \n  --keylength ec-256 \n  --log --debug 2<\/code><\/pre>\n<p>Burada hem \u00e7\u0131plak alan ad\u0131 hem wildcard birlikte al\u0131n\u0131yor. 
<strong>\u00d6nemli bir al\u0131\u015fkanl\u0131k<\/strong>: Log\u2019u ve gerekirse debug seviyesini a\u00e7\u0131k tutun. Sertifika yenilemeleri gece yar\u0131s\u0131 sessiz sedas\u0131z ko\u015fuyor; ne olup bitti\u011fini h\u0131zl\u0131 g\u00f6r\u00fcrs\u00fcn\u00fcz.<\/p>\n<h3><span id=\"ECDSA_RSA_ikilisi\">ECDSA + RSA ikilisi<\/span><\/h3>\n<p>Uyumluluk kayg\u0131s\u0131 olan ortamlarda ECDSA ve RSA\u2019y\u0131 birlikte yay\u0131nlamak rahat ettirir. acme.sh ile \u00f6nce ECDSA, ard\u0131ndan RSA sertifika al\u0131p ayn\u0131 domain klas\u00f6r\u00fcnde y\u00f6netebilirsiniz. \u00d6rnek olarak, \u00f6nce ECDSA\u2019y\u0131 alal\u0131m:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">acme.sh --issue -d example.com -d &quot;*.example.com&quot; \n  --dns dns_cf \n  --server letsencrypt \n  --keylength ec-256<\/code><\/pre>\n<p>Ard\u0131ndan RSA:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">acme.sh --issue -d example.com -d &quot;*.example.com&quot; \n  --dns dns_cf \n  --server letsencrypt \n  --keylength 2048<\/code><\/pre>\n<p>Kurulum s\u0131ras\u0131nda iki anahtar tipini de servisinizde ayr\u0131 dosya yollar\u0131yla g\u00f6sterebilir, web sunucusunda her ikisini ayn\u0131 anda y\u00fckleyebilirsiniz. Bu yakla\u015f\u0131m\u0131 anlat\u0131rken detaya bo\u011fmayay\u0131m; \u00f6nemli olan yap\u0131 ta\u015flar\u0131. \u0130ki anahtar tipi, iki sertifika, tek alan ad\u0131nda uyumlu sunum.<\/p>\n<h2 id=\"section-5\"><span id=\"Asil_Numara_Lets_Encrypt_ZeroSSL_Otomatik_Fallback\">As\u0131l Numara: Let\u2019s Encrypt \u2192 ZeroSSL Otomatik Fallback<\/span><\/h2>\n<h3><span id=\"Neyi_tetik_sayacagiz\">Neyi tetik sayaca\u011f\u0131z?<\/span><\/h3>\n<p>Fallback demek, planl\u0131 bir geri \u00e7ekilme demek. Peki hangi \u015fartlarda devreye girmeli? Ben \u00fc\u00e7 pratik tetik belirliyorum. Birincisi, <strong>oran limitine yakalanma sinyalleri<\/strong>. 
acme.sh loglar\u0131nda \u201c\u00e7ok fazla istek\u201d tad\u0131nda mesajlar, 429 kodlar\u0131, tekrarl\u0131 \u00e7ak\u0131lmalar. \u0130kincisi, <strong>a\u011f sorunlar\u0131 ve zaman a\u015f\u0131m\u0131<\/strong>. \u00dc\u00e7\u00fcnc\u00fcs\u00fc, <strong>bak\u0131m ve planl\u0131 kesintiler<\/strong>, bazen CA taraf\u0131ndan k\u0131sa s\u00fcreli pencereler olur. Bu durumda beklemek yerine yede\u011fe ge\u00e7mek, \u00f6zellikle ciddi trafik ta\u015f\u0131yan sistemlerde rahatlat\u0131yor.<\/p>\n<p>Bunun alt\u0131na bir de <strong>y\u00fck plan\u0131<\/strong> koyuyorum. Yenilemeleri t\u00fcm filoda ayn\u0131 dakika ko\u015fturmazs\u0131n\u0131z; dalga dalga, k\u00fc\u00e7\u00fck gruplar halinde. B\u00f6ylece fall-back gerekirse bile sakin bir ge\u00e7i\u015f ya\u015fan\u0131r. Bir anda y\u00fczlerce iste\u011fi ZeroSSL\u2019ye de y\u0131\u011fmazs\u0131n\u0131z; k\u00fc\u00e7\u00fck dozlarla tatl\u0131 tatl\u0131 ilerlersiniz.<\/p>\n<h3><span id=\"Basit_bir_wrapper_Once_Lets_Encrypt_olmazsa_ZeroSSL\">Basit bir wrapper: \u00d6nce Let\u2019s Encrypt, olmazsa ZeroSSL<\/span><\/h3>\n<p>Gelelim mutfa\u011fa. Mant\u0131k \u015fu: \u00dcretim cron\u2019una bir wrapper script koyuyoruz. Script, \u00f6nce Let\u2019s Encrypt ile deniyor, hata tipini anlamaya \u00e7al\u0131\u015f\u0131yor; e\u011fer belirledi\u011fimiz hatalardan biriyse, ayn\u0131 komutu ZeroSSL ile tekrar deniyor. Her iki durumda da log\u2019lan\u0131yor, metriklere i\u015fleniyor. 
A\u015fa\u011f\u0131ya bir \u00e7ekirdek \u00f6rnek b\u0131rak\u0131yorum; fikir versin, kendi ortam\u0131n\u0131za g\u00f6re g\u00fczelle\u015ftirin:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">#!\/usr\/bin\/env bash\nset -euo pipefail\n\nDOMAIN=&quot;$1&quot;   # \u00f6rn: example.com\nALT_DOMAINS=(&quot;*.example.com&quot;)\nDNS_PLUGIN=&quot;dns_cf&quot;  # sa\u011flay\u0131c\u0131n\u0131za g\u00f6re g\u00fcncelleyin\nRELOAD_CMD=&quot;systemctl reload nginx&quot;\nLOG_FILE=&quot;\/var\/log\/acme-fallback.log&quot;\nLOCK_FILE=&quot;\/var\/lock\/acme-$DOMAIN.lock&quot;\n\nissue_with() {\n  local server=&quot;$1&quot; # letsencrypt | zerossl\n  acme.sh --issue -d &quot;$DOMAIN&quot; ${ALT_DOMAINS[@]\/#\/-d } \n    --dns &quot;$DNS_PLUGIN&quot; \n    --server &quot;$server&quot; \n    --keylength ec-256 \n    --log || return $?\n\n  # Ba\u015far\u0131l\u0131ysa kur ve reload\n  acme.sh --install-cert -d &quot;$DOMAIN&quot; \n    --ecc \n    --key-file      \/etc\/ssl\/private\/$DOMAIN-ecc.key \n    --fullchain-file \/etc\/ssl\/certs\/$DOMAIN-ecc.fullchain \n    --reloadcmd &quot;$RELOAD_CMD&quot;\n}\n\nshould_fallback() {\n  local err=&quot;$1&quot;\n  # Basit sezgisel: 429, rate, timeout gibi i\u015faretler\n  echo &quot;$err&quot; | grep -qiE &quot;429|rate|too many|timeout|temporarily|retry&quot; &amp;&amp; return 0\n  return 1\n}\n\n{\n  flock -n 9 || { echo &quot;$(date -Is) lock bekleniyor&quot; &gt;&gt; &quot;$LOG_FILE&quot;; exit 0; }\n  echo &quot;$(date -Is) $DOMAIN LE ile deniyorum&quot; &gt;&gt; &quot;$LOG_FILE&quot;\n  if issue_with &quot;letsencrypt&quot; 2&gt;&amp;1; then\n    echo &quot;$(date -Is) $DOMAIN LE ba\u015far\u0131l\u0131&quot; &gt;&gt; &quot;$LOG_FILE&quot;\n    exit 0\n  else\n    ERR_MSG=$(tail -n 50 ~\/.acme.sh\/acme.sh.log || true)\n    if should_fallback &quot;$ERR_MSG&quot;; then\n      echo &quot;$(date -Is) $DOMAIN ZeroSSL fallback deniyorum&quot; &gt;&gt; &quot;$LOG_FILE&quot;\n      if 
issue_with &quot;zerossl&quot; 2&gt;&amp;1; then\n        echo &quot;$(date -Is) $DOMAIN ZeroSSL ba\u015far\u0131l\u0131&quot; &gt;&gt; &quot;$LOG_FILE&quot;\n        exit 0\n      else\n        echo &quot;$(date -Is) $DOMAIN ZeroSSL de ba\u015far\u0131s\u0131z&quot; &gt;&gt; &quot;$LOG_FILE&quot;\n        exit 2\n      fi\n    else\n      echo &quot;$(date -Is) $DOMAIN Hata fallback tetiklemiyor&quot; &gt;&gt; &quot;$LOG_FILE&quot;\n      exit 1\n    fi\n  fi\n} 9&gt;&quot;$LOCK_FILE&quot;<\/code><\/pre>\n<p>Bu kadar. Basit ama i\u015f g\u00f6r\u00fcr. Burada birka\u00e7 detay var. Birincisi, <strong>flock<\/strong> ile tek seferde tek i\u015flem ko\u015fmas\u0131n\u0131 sa\u011flad\u0131m. \u0130kincisi, <strong>hata metni<\/strong> \u00fczerinden sezgisel bir kontrol var; elbette kendi log format\u0131n\u0131za g\u00f6re daha ak\u0131ll\u0131 kurallar yazabilirsiniz. \u00dc\u00e7\u00fcnc\u00fcs\u00fc, kurulum ve sunucu reload\u2019u her iki yolda da ayn\u0131.<\/p>\n<h3><span id=\"Staging_ile_prova\">Staging ile prova<\/span><\/h3>\n<p>Ben her yeni ak\u0131\u015fa staging ile prova yapt\u0131r\u0131r\u0131m. Let\u2019s Encrypt\u2019in test ortam\u0131 i\u015finizi g\u00f6r\u00fcr; ZeroSSL taraf\u0131nda da test u\u00e7lar\u0131n\u0131 g\u00f6zden ge\u00e7irin. B\u00f6ylece her \u015fey ger\u00e7ek d\u00fcnyaya \u00e7\u0131kmadan, DNS izinleriniz, env de\u011fi\u015fkenleriniz, reload komutlar\u0131n\u0131z prova al\u0131r. 
<a href=\"https:\/\/letsencrypt.org\/docs\/rate-limits\/\" rel=\"nofollow noopener\" target=\"_blank\">Let\u2019s Encrypt oran limitleri dok\u00fcman\u0131<\/a> elinizin alt\u0131nda olsun; baz\u0131 ipu\u00e7lar\u0131 plan yaparken \u00e7ok yard\u0131mc\u0131.<\/p>\n<h2 id=\"section-6\"><span id=\"Oran_Limitlerine_Sakin_Kalmak_Zaman_Dalga_ve_Jitter\">Oran Limitlerine Sakin Kalmak: Zaman, Dalga ve Jitter<\/span><\/h2>\n<h3><span id=\"Hepsi_ayni_dakikada_yenilenmesin\">Hepsi ayn\u0131 dakikada yenilenmesin<\/span><\/h3>\n<p>\u0130\u015fin s\u0131rr\u0131, yenileme takvimini ak\u0131ll\u0131 kurmak. Mesela t\u00fcm sertifikalar\u0131 ay\u0131n ayn\u0131 g\u00fcn\u00fcnde, ayn\u0131 dakikada yenilemeye kalkmay\u0131n. K\u00fc\u00e7\u00fck gruplar, farkl\u0131 saatler, hatta birka\u00e7 dakikal\u0131k <strong>jitter<\/strong> eklemek bile mucize gibi i\u015fliyor. B\u00f6ylece ne birincil CA\u2019y\u0131 ne yede\u011fi bunalt\u0131yorsunuz. Yedekli CA\u2019ya ge\u00e7ti\u011finiz anlarda bile trafik nazik ak\u0131yor.<\/p>\n<p>Bir di\u011fer ufak ayar, <strong>yenileme e\u015fi\u011fini<\/strong> biraz yukar\u0131da tutmak. Y\u00fczde y\u00fcz bitti\u011fi g\u00fcn de\u011fil de, birka\u00e7 g\u00fcn \u00f6ncesinden planl\u0131 yenileme sizi rahatlat\u0131r. acme.sh zaten otomatik cron ekliyor; ama b\u00fcy\u00fck filolarda kendi scheduling katman\u0131n\u0131z\u0131 da koyup dalga dalga yay\u0131nlama fikri \u00e7ok ho\u015f \u00e7al\u0131\u015f\u0131yor.<\/p>\n<h3><span id=\"SAN_ve_wildcard_ile_az_sayida_anlamli_sertifika\">SAN ve wildcard ile \u201caz say\u0131da, anlaml\u0131 sertifika\u201d<\/span><\/h3>\n<p>Ayn\u0131 domain grubu i\u00e7in birden \u00e7ok sertifika \u00e7\u0131karmak yerine, mant\u0131kl\u0131 SAN setleri ve wildcard\u2019larla ak\u0131ll\u0131 paketler olu\u015fturmak hem keyifli hem verimli. Bu sayede gereksiz sertifika say\u0131s\u0131 azal\u0131r, oran limitleriyle aran\u0131za tatl\u0131 bir mesafe koyars\u0131n\u0131z. 
\u015eu yaz\u0131da, bu yakla\u015f\u0131m\u0131 daha detayl\u0131 anlatt\u0131m: <a href=\"https:\/\/www.dchost.com\/blog\/lets-encrypt-rate-limitlerine-takilmadan-cok-alan-adinda-ssl-san-wildcard-acme-challenge-ve-tatli-stratejiler\/\">Let\u2019s Encrypt rate limit\u2019lerine tak\u0131lmadan \u00e7ok alan ad\u0131nda SSL almak i\u00e7in tatl\u0131 stratejiler<\/a>. Bir g\u00f6z at\u0131n, \u00f6zellikle \u00e7ok alan ad\u0131 olan ekipler i\u00e7in ufuk a\u00e7\u0131c\u0131 oluyor.<\/p>\n<h2 id=\"section-7\"><span id=\"Dagitim_ve_Guvenlik_Dosya_Yollari_Yetkiler_Sirlarin_Saklanmasi\">Da\u011f\u0131t\u0131m ve G\u00fcvenlik: Dosya Yollar\u0131, Yetkiler, S\u0131rlar\u0131n Saklanmas\u0131<\/span><\/h2>\n<h3><span id=\"Dosya_duzenini_bastan_kur\">Dosya d\u00fczenini ba\u015ftan kur<\/span><\/h3>\n<p>\u00dcretimde i\u015fler stabil kals\u0131n istiyorsan\u0131z, sertifika ve anahtar yollar\u0131n\u0131z\u0131 ba\u015ftan netle\u015ftirin. Ben genelde \/etc\/ssl alt\u0131nda alan ad\u0131 ba\u015f\u0131na klas\u00f6rler kullan\u0131yorum, anahtar dosyalar\u0131n\u0131n yetkilerini en k\u0131s\u0131tl\u0131 \u015fekilde tutuyorum. acme.sh\u2019nin <code>--install-cert<\/code> ad\u0131m\u0131yla bu yollar\u0131 sabitleyip web sunucusuna reload verince, yay\u0131n katman\u0131 hi\u00e7 dokunulmadan temiz bir ak\u0131\u015f elde ediliyor.<\/p>\n<h3><span id=\"Ortam_degiskenleri_ve_sir_yonetimi\">Ortam de\u011fi\u015fkenleri ve s\u0131r y\u00f6netimi<\/span><\/h3>\n<p>DNS API token\u2019lar\u0131, EAB bilgileri\u2026 Bunlar\u0131n hepsi k\u0131ymetli. CI\/CD pipelinelar\u0131nda maskelenmi\u015f de\u011fi\u015fkenler, prod sunucularda da sadece acme.sh\u2019nin aksesine izin verilen servis hesaplar\u0131 kullanmak optimum. Log seviyesini a\u00e7arken de bir an durup d\u00fc\u015f\u00fcn\u00fcn; debug k\u00fclt\u00fcr\u00fc g\u00fczel ama gizli bilgi s\u0131zd\u0131rmas\u0131n. 
Hatta baz\u0131 ortamlarda, s\u0131rlar\u0131n de\u011fi\u015fim s\u0131kl\u0131\u011f\u0131n\u0131 art\u0131r\u0131p k\u0131sa \u00f6m\u00fcrl\u00fc eri\u015fim belirte\u00e7lerine ge\u00e7mek de iyi geliyor.<\/p>\n<h2 id=\"section-8\"><span id=\"Gozlemleme_Log_Metrik_ve_Kucuk_Alarmciklar\">G\u00f6zlemleme: Log, Metrik ve K\u00fc\u00e7\u00fck Alarmc\u0131klar<\/span><\/h2>\n<h3><span id=\"Gece_iyi_gecti_mi_sorusunun_cevabi\">\u201cGece iyi ge\u00e7ti mi?\u201d sorusunun cevab\u0131<\/span><\/h3>\n<p>Benim k\u00fc\u00e7\u00fck bir gecelik rit\u00fcelim var: Sabah kahveyle birlikte gecenin log \u00f6zetine bir g\u00f6z atar\u0131m. acme.sh kendi log dosyas\u0131n\u0131 tutuyor; fallback wrapper\u2019\u0131n\u0131z da ayr\u0131 bir log yazs\u0131n. Oradan basit bir metrik toplay\u0131p \u201cka\u00e7 deneme Let\u2019s Encrypt ile oldu, ka\u00e7 tanesi yede\u011fe ge\u00e7ti?\u201d sorusuna cevap \u00fcretmek hem sa\u011fl\u0131k raporu gibi hem de erken uyar\u0131 sistemi.<\/p>\n<p>Hata oran\u0131 art\u0131yorsa, tetik ko\u015fullar\u0131n\u0131 g\u00f6zden ge\u00e7irirsiniz. Ya \u00e7ok s\u0131k aral\u0131klarla deniyorsunuzdur, ya da bir grubu ayn\u0131 dakikaya y\u0131\u011fm\u0131\u015fs\u0131n\u0131zd\u0131r. Bazen de sadece internet taraf\u0131nda k\u00fc\u00e7\u00fck \u00e7alkant\u0131lar. Alarm seviyelerini makul tutun; sabaha kadar telefon \u00e7als\u0131n istemeyiz. 
Birka\u00e7 ba\u015far\u0131s\u0131z denemeden sonra toplu alarm \u00fcretmek iyi bir denge sa\u011fl\u0131yor.<\/p>\n<h2 id=\"section-9\"><span id=\"Operasyonel_Ipuclari_Kucuk_Dokunuslar_Buyuk_Rahatlik\">Operasyonel \u0130pu\u00e7lar\u0131: K\u00fc\u00e7\u00fck Dokunu\u015flar, B\u00fcy\u00fck Rahatl\u0131k<\/span><\/h2>\n<h3><span id=\"Test_ortami_uretim_ortami_ve_hesap_ayrimi\">Test ortam\u0131, \u00fcretim ortam\u0131 ve hesap ayr\u0131m\u0131<\/span><\/h3>\n<p>Staging, test, preprod ve prod i\u00e7in hesaplar\u0131 ve EAB bilgilerinin sakland\u0131\u011f\u0131 yerleri ayr\u0131 tutmak, kafay\u0131 m\u00fcthi\u015f rahatlat\u0131yor. B\u00f6ylece yanl\u0131\u015f ortamda yanl\u0131\u015f CA hesab\u0131n\u0131 kullanma riski ortadan kalk\u0131yor. Ayr\u0131ca staging\u2019de bol bol deneyip prod\u2019daki yenileme dalgalar\u0131na dokunmadan \u00f6\u011frenme \u015fans\u0131n\u0131z oluyor.<\/p>\n<h3><span id=\"Retry_politikasi_ve_nezaket\">Retry politikas\u0131 ve nezaket<\/span><\/h3>\n<p>Her ba\u015far\u0131s\u0131z denemede saniyede bir tekrar etmek yerine, nazik bir geri \u00e7ekilme uygulay\u0131n. Birka\u00e7 dakika bekleyip yeniden deneyin; e\u011fer fallback tetiklenecekse zaten edecek. Bu, hem birincil CA\u2019ya hem de yede\u011fe olan sayg\u0131n\u0131z\u0131 g\u00f6sterir. Unutmay\u0131n: \u0130yi vatanda\u015f olmak, uzun vadede altyap\u0131n\u0131z\u0131n dost kazanmas\u0131 demek.<\/p>\n<h3><span id=\"Degisim_gunleri\">De\u011fi\u015fim g\u00fcnleri<\/span><\/h3>\n<p>Arada bir, \u00f6zellikle yo\u011fun sezonlardan \u00f6nce, fallback senaryosunu canl\u0131ya yak\u0131n ko\u015fullarda prova edin. Bir iki alan ad\u0131 \u00fczerinde Let\u2019s Encrypt\u2019i bilin\u00e7li olarak ba\u015far\u0131s\u0131z say\u0131p ZeroSSL\u2019ye ge\u00e7isin. Script\u2019in kilitleri tutuyor mu, log\u2019da istedi\u011finiz veriyi g\u00f6r\u00fcyor musunuz, reload sonras\u0131 servis ayakta m\u0131? 
K\u00fc\u00e7\u00fck bir ak\u015fam seans\u0131yla b\u00fcy\u00fck stresleri s\u0131f\u0131rlars\u0131n\u0131z.<\/p>\n<h2 id=\"section-10\"><span id=\"Gercekci_Bir_Akis_Bastan_Sona_Mini_Senaryo\">Ger\u00e7ek\u00e7i Bir Ak\u0131\u015f: Ba\u015ftan Sona Mini Senaryo<\/span><\/h2>\n<p>\u015e\u00f6yle d\u00fc\u015f\u00fcn\u00fcn. Pazartesi sabah\u0131, saat ba\u015f\u0131nda yenileme dalgas\u0131n\u0131n ilki ko\u015facak. Cron, wrapper script\u2019i \u00e7a\u011f\u0131r\u0131yor. \u0130lk alan adlar\u0131 Let\u2019s Encrypt\u2019ten tatl\u0131 tatl\u0131 d\u00fc\u015f\u00fcyor. Derken, \u00fc\u00e7\u00fcnc\u00fc grupta birka\u00e7 alan ad\u0131 429 yemeye ba\u015fl\u0131yor. Script, log sat\u0131r\u0131nda bunu fark ediyor. \u201cTamam,\u201d diyor, \u201csakin olal\u0131m, ZeroSSL\u2019yi yoklayal\u0131m.\u201d Deneme ba\u015far\u0131l\u0131. Sertifika kuruldu, web sunucusu reload oldu. Son kullan\u0131c\u0131 hi\u00e7bir \u015fey fark etmeden yoluna devam ediyor.<\/p>\n<p>\u0130lerleyen saatlerde trafik normale d\u00f6n\u00fcyor. Bir sonraki dalgada sistem Let\u2019s Encrypt\u2019e geri d\u00f6n\u00fcyor. Yani fallback bir ge\u00e7i\u015f bileti, kal\u0131c\u0131 ta\u015f\u0131nma de\u011fil. Ak\u015fam\u00fcst\u00fc raporlar\u0131na bak\u0131nca g\u00f6r\u00fcyorsunuz: Bug\u00fcn 120 sertifika ba\u015far\u0131yla yenilenmi\u015f, 7\u2019si ZeroSSL\u2019ye d\u00fc\u015fm\u00fc\u015f. Bu, i\u015fte tam olarak g\u00f6rmek istedi\u011fimiz resim. Planl\u0131, \u00f6l\u00e7\u00fcl\u00fc, nazik bir \u00f6l\u00e7eklenme.<\/p>\n<h2 id=\"section-11\"><span id=\"Kaynaklar_Kisa_Kisa_Dogru_Kapilar\">Kaynaklar: K\u0131sa K\u0131sa, Do\u011fru Kap\u0131lar<\/span><\/h2>\n<p>acme.sh\u2019nin kendisi \u00e7ok g\u00fczel belgelenmi\u015f. 
Vakit ay\u0131r\u0131p g\u00f6z atmak, k\u00fc\u00e7\u00fck bayraklar\u0131 ezberlemek inan\u0131lmaz h\u0131z kazand\u0131r\u0131yor: <a href=\"https:\/\/github.com\/acmesh-official\/acme.sh\" rel=\"nofollow noopener\" target=\"_blank\">acme.sh resmi deposu ve dok\u00fcmantasyonu<\/a>. Let\u2019s Encrypt taraf\u0131nda, oran limitlerinin mant\u0131\u011f\u0131n\u0131, istisnalar\u0131 ve g\u00fczel ipu\u00e7lar\u0131n\u0131 \u015furadan okuyabilirsiniz: <a href=\"https:\/\/letsencrypt.org\/docs\/rate-limits\/\" rel=\"nofollow noopener\" target=\"_blank\">Let\u2019s Encrypt rate limits dok\u00fcman\u0131<\/a>. ZeroSSL cephesinde ise EAB ak\u0131\u015f\u0131, u\u00e7 noktalar ve \u00f6rnekler i\u015finizi kolayla\u015ft\u0131r\u0131r: <a href=\"https:\/\/zerossl.com\/documentation\/acme\/\" rel=\"nofollow noopener\" target=\"_blank\">ZeroSSL ACME dok\u00fcmantasyonu ve EAB detaylar\u0131<\/a>.<\/p>\n<h2 id=\"section-12\"><span id=\"Kapanis_Yedekli_CA_Sakin_Otomasyon_ve_Rahat_Bir_Gece_Uykusu\">Kapan\u0131\u015f: Yedekli CA, Sakin Otomasyon ve Rahat Bir Gece Uykusu<\/span><\/h2>\n<p>Toparlayal\u0131m. Sertifika otomasyonu, basit bir komutla ba\u015flayan ama \u00f6l\u00e7ek b\u00fcy\u00fcd\u00fck\u00e7e ince ayar isteyen bir i\u015f. acme.sh ile Let\u2019s Encrypt\u2019i birincil, ZeroSSL\u2019yi yedek tuttu\u011funuz bir kurgu, sizi hem oran limitleri hem de beklenmedik kesintiler kar\u015f\u0131s\u0131nda g\u00fc\u00e7l\u00fc k\u0131l\u0131yor. K\u00fc\u00e7\u00fck bir wrapper, nazik bir retry politikas\u0131, iyi se\u00e7ilmi\u015f yenileme takvimi ve d\u00fczg\u00fcn log\/metric d\u00fczeni\u2026 Hepsi bir araya gelince, \u201cofiste panik yok, kahve s\u0131cak\u201d g\u00fcnler art\u0131yor.<\/p>\n<p>E\u011fer \u00e7ok alan ad\u0131 y\u00f6netiyorsan\u0131z, wildcard ve SAN stratejileriyle gereksiz yo\u011funlu\u011fu ba\u015ftan buday\u0131n. 
While DNS-01 validation flows automatically, keep secret management tight and do not skip rehearsing with staging. Remember: sometimes the point is not getting the certificate, but getting it with confidence <strong>every time<\/strong>. As you adapt the examples in this article to your own environment, finding your way with small experiments will make your job easier.<\/p>\n<p>I hope this guide gives you some breathing room at some point in your day. If one day, over your morning coffee, you see red lines in the logs, let this sentence come to mind: \u201cStay calm, there is a fallback.\u201d In the next article, let\u2019s talk about small automation tricks that make this flow even sweeter. Goodbye for now, and may the certificates in your queue be as soft as the clouds in the sky.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Contents 1 A Panic That Started Over Coffee: Let\u2019s Encrypt Got Stuck, Then What Happened? 2 Getting ACME Clear in Our Heads: Why a Redundant CA? 3 acme.sh Basics: Account Registrations, Keys, File Layout 3.1 Two accounts for two CAs, life in a single layout 3.2 Choosing the default CA 4 Obtaining Certificates: Multiple Domains with DNS-01, Unrivaled Flexibility 4.1 Webroot or DNS-01? 4.2 The ECDSA + RSA pair 5 The Real Trick: Let\u2019s Encrypt 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1873,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-1872","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1872","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=1872"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1872\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/1873"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=1872"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=1872"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=1872"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}