Certbot Cloudflare wildcard certificate configuration
1. Install
sudo apt update
2. Configure
Use of this plugin requires a configuration file containing Cloudflare API credentials, obtained from your Cloudflare account page.
Example credentials file:
dns_cloudflare_email = cloudflare@example.com
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567
The path to this file can be provided interactively or using the --dns-cloudflare-credentials command-line argument. Certbot records the path to this file for use during renewal, but does not store the file's contents.
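Added example, not from the original post or from the certbot-dns-cloudflare plugin: the shell functions below create the credentials file the plugin reads and check that only root can read it, since Certbot runs as root and the file holds a secret that lets its holder change DNS records for the zone. The Global API Key shown above grants full control of the whole Cloudflare account, so the example writes a scoped API token instead, using the plugin's dns_cloudflare_api_token key (a token limited to editing DNS on the zone is all the DNS-01 challenge needs). The path in the usage comment and the token value are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: write the plugin's credentials
# file with a scoped API token and verify that only root can read it.
# The file path and token value are placeholders supplied by the caller.

# write_credentials FILE TOKEN
# The subshell's umask 077 makes the file mode 0600 from the moment it is
# created, so the secret is never readable by other users, even briefly.
write_credentials() {
    (
        umask 077
        printf 'dns_cloudflare_api_token = %s\n' "$2" > "$1"
    )
}

# credentials_mode FILE -> prints the octal permission bits (GNU stat, BSD fallback)
credentials_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_credentials FILE -> 0 when the file exists, contains a token line and
# has no group/other permission bits; 1 otherwise, with the reason on stderr.
check_credentials() {
    [ -f "$1" ] || { echo "missing credentials file: $1" >&2; return 1; }
    grep -q '^dns_cloudflare_api_token = ' "$1" \
        || { echo "no dns_cloudflare_api_token line in $1" >&2; return 1; }
    case "$(credentials_mode "$1")" in
        600|400) return 0 ;;
        *) echo "$1 is readable by group or others; run: chmod 600 $1" >&2; return 1 ;;
    esac
}

# Usage (as root, placeholder path):
#   write_credentials /etc/letsencrypt/cloudflare.ini "$CF_TOKEN"
#   check_credentials /etc/letsencrypt/cloudflare.ini
```

Certbot itself warns when the credentials file is group- or world-readable; check_credentials reproduces that check so it can run in a deployment script before the first certbot call, and it fails if the token line is missing rather than silently falling back to the email/key pair.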
3. Obtain the certificate
sudo certbot -a dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -i nginx -d "*.coder17.com" -d coder17.com
Note that the changes it makes to the nginx configuration cannot be fully trusted.
If you do not want nginx to be modified automatically, use:
sudo certbot certonly -a dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d "home.coder17.com" -d "frph.coder17.com" -d "*.frph.coder17.com" -d "*.home.coder17.com"
4. Test renewal
sudo certbot renew --dry-run
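Added example, not from the original post: once the certificate has been issued (step 3) or the dry-run renewal has passed (step 4), it is worth confirming that the certificate in the live directory really lists every requested name and how close it is to expiry. The functions below read the subjectAltName entries with openssl and apply the wildcard rule that matters for this setup: a *.example entry covers exactly one additional label, so *.coder17.com covers home.coder17.com but neither coder17.com nor a.home.coder17.com, which is why the commands above request both the wildcard and the bare name. The certificate path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: check that an issued certificate
# covers the names that were requested and whether it expires soon.

# cert_sans CERT -> the DNS names in the subjectAltName extension, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# name_matches_san NAME SAN -> 0 if SAN covers NAME
# A wildcard entry matches a single leftmost label only; it never covers the
# apex itself, nor names with two labels in front of the wildcard's suffix.
name_matches_san() {
    name="$1"; san="$2"
    case "$san" in
        \*.*)
            case "$name" in
                *.*) [ "${name#*.}" = "${san#\*.}" ] ;;
                *)   return 1 ;;
            esac
            ;;
        *)   [ "$name" = "$san" ] ;;
    esac
}

# cert_covers CERT NAME... -> 0 only if every NAME is covered by some SAN
cert_covers() {
    cert="$1"; shift
    sans=$(cert_sans "$cert")
    for n in "$@"; do
        covered=1
        for s in $sans; do
            if name_matches_san "$n" "$s"; then covered=0; break; fi
        done
        [ "$covered" -eq 0 ] || { echo "not covered by $cert: $n" >&2; return 1; }
    done
}

# cert_expires_within CERT DAYS -> 0 if the certificate expires within DAYS days
# (openssl -checkend exits 0 when the certificate will still be valid, so invert it)
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage (placeholder path):
#   cert_covers /etc/letsencrypt/live/coder17.com/cert.pem '*.coder17.com' coder17.com
#   cert_expires_within /etc/letsencrypt/live/coder17.com/cert.pem 30 && echo "renew soon"
```

cert_covers takes the same names that were passed to certbot with -d, so a deployment script can fail fast if a renewal silently dropped a name; cert_expires_within is a cheap check to alarm on when the timer or cron job from step 5 has stopped working.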
5. Deploy automatic renewal
By default, an automatic renewal job is installed that runs twice a day.
Use sudo systemctl list-timers to view it; the configuration file is at /etc/systemd/system/timers.target.wants/certbot.timer.
If it does not run properly, use the command below to create a crontab entry that runs once every two months.
sudo crontab -e
6. Convert the certificate format
The certificate is issued in PEM format by default and stored under /etc/letsencrypt/live. When it needs to be converted to the PFX format used by Windows, use:
openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
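Added example, not from the original post: the command above exports the private key into a PFX with an empty password (-passout pass:), so anyone who can read the file holds the key. The functions below perform the same export but take the password from a file passed with -passout file: (which keeps it out of the process list and shell history), then verify the resulting PFX with openssl pkcs12 so a wrong or corrupted export is caught before the file is copied to the Windows host. The chain argument is optional, as it is for a self-signed test certificate; the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: export a PEM key/cert pair to a
# password-protected PFX and verify it, instead of -passout pass: (no password).

# export_pfx OUT KEY CERT PASSFILE [CHAIN]
# PASSFILE holds the export password on its first line; create it with umask 077
# so that it is 0600. CHAIN, when given, is the intermediate chain (chain.pem).
export_pfx() {
    out="$1"; key="$2"; cert="$3"; passfile="$4"; chain="$5"
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
            -certfile "$chain" -passout "file:$passfile"
    else
        openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
            -passout "file:$passfile"
    fi
}

# verify_pfx PFX PASSFILE -> 0 if the PKCS#12 MAC verifies with that password,
# i.e. the file is intact and the password is the one that will be typed on import.
verify_pfx() {
    openssl pkcs12 -in "$1" -noout -passin "file:$2" >/dev/null 2>&1
}

# Usage (placeholder paths, run as root inside /etc/letsencrypt/live/<name>/):
#   export_pfx certificate.pfx privkey.pem cert.pem /root/pfx-pass chain.pem
#   verify_pfx certificate.pfx /root/pfx-pass && echo "pfx ok"
```

The password file should be removed, or kept with mode 0600, once the PFX has been imported; the PFX itself still contains the private key and deserves the same handling as privkey.pem.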
7. Copy
Because the entries in the live directory are symbolic links, pass -L when copying so that the link targets are copied, as follows:
cp -Lr /etc/letsencrypt/live /mnt/hgfs/certs
Reference: https://certbot-dns-cloudflare.readthedocs.io/en/stable/
All articles in this blog are licensed under CC BY-SA 4.0 unless stating additionally.