Certbot Cloudflare wildcard certificate configuration
1. Install
```shell
sudo apt update
```
2. Configure
Use of this plugin requires a configuration file containing Cloudflare API credentials, obtained from your Cloudflare account page.
```shell
vim /etc/letsencrypt/cloudflare.ini
```
Example credentials file:
```ini
# Cloudflare API credentials used by Certbot
dns_cloudflare_email = cloudflare@example.com
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567
```
The path to this file can be provided interactively or using the --dns-cloudflare-credentials command-line argument. Certbot records the path to this file for use during renewal, but does not store the file's contents.
```shell
sudo chmod 600 /etc/letsencrypt/cloudflare.ini
```
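The credentials file is the sensitive part of this setup: the Global API Key in it can change DNS records in every zone of the account, which is exactly why the post sets it to mode 600. The following check is an added example, not part of the original post or of the certbot-dns-cloudflare plugin; the function name and the placeholder patterns it rejects are this example's own choices. It also accepts the plugin's `dns_cloudflare_api_token` key (a scoped API token, which the post does not cover) as an alternative to the email and Global API Key pair.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity-check the Cloudflare
# credentials file before pointing certbot at it. The function name and the
# placeholder patterns are this example's own choices.

check_cloudflare_creds() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }

    # The Global API Key can change DNS in every zone of the account, so the
    # file must be readable by its owner only (0600), as the post's chmod does.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "$f has mode $mode, want 600" >&2; return 1; }

    # The plugin needs either a scoped API token (dns_cloudflare_api_token,
    # not covered by the post) or the email + Global API Key pair it shows.
    if grep -q '^dns_cloudflare_api_token[[:space:]]*=' "$f"; then
        :
    elif grep -q '^dns_cloudflare_email[[:space:]]*=' "$f" \
      && grep -q '^dns_cloudflare_api_key[[:space:]]*=' "$f"; then
        :
    else
        echo "$f: no dns_cloudflare_* credential keys found" >&2; return 1
    fi

    # Catch the documentation sample values being left in place.
    if grep -Eq 'example\.com|0123456789abcdef' "$f"; then
        echo "$f: still contains placeholder credentials" >&2; return 1
    fi
    return 0
}

# Usage: check_cloudflare_creds /etc/letsencrypt/cloudflare.ini && echo ok
```

Run it once after editing the file and again from any automation that copies or regenerates it; a wrong mode is the most common way the key ends up readable by every local user.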
3. Obtain
```shell
sudo certbot -a dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -i nginx -d "*.coder17.com" -d coder17.com
```
Note that the changes it makes to the nginx configuration cannot be fully trusted.
If you do not want nginx to be modified automatically, use:
```shell
sudo certbot certonly -a dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d "home.coder17.com" -d "frph.coder17.com" -d "*.frph.coder17.com" -d "*.home.coder17.com"
```
4. Test renewal
```shell
sudo certbot renew --dry-run
```
5. Deploy automatic renewal
By default, automatic renewal is set up for you and runs twice a day.
Check it with `sudo systemctl list-timers`; the unit file is located at /etc/systemd/system/timers.target.wants/certbot.timer.
If it does not run properly, use the following command to create a crontab job that runs once every two months.
```shell
sudo crontab -e
```
6. Convert the certificate format
The certificate issued by default is in PEM format and is located under /etc/letsencrypt/live. To convert it to the PFX format used by Windows, run:
```shell
openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
```
7. Copy
Because the entries in the live directory are symbolic links, pass the -L option when copying, as follows:
```shell
cp -Lr /etc/letsencrypt/live /mnt/hgfs/certs
```
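Sections 5 to 7 naturally chain together at renewal time: once certbot has renewed a lineage, the PEM files need to be converted and copied again. The script below is an added example, not the post's own script, showing the conversion and the dereferenced copy as a certbot deploy hook. certbot really does export `RENEWED_LINEAGE` (the `/etc/letsencrypt/live/<name>` directory) to deploy hooks; the destination directory under /mnt/hgfs/certs, the password file path and the script name are assumptions. One deliberate difference from section 6: the post's `-passout pass:` writes the PFX with an empty password, so anyone who can read the file can extract the private key; this version reads the export password from a root-only file instead.

```shell
#!/bin/sh
# Added example, not from the original post: a certbot deploy hook that runs
# after a successful renewal. certbot sets RENEWED_LINEAGE for deploy hooks;
# the destination, password file and script name below are assumptions.
set -e

# Convert the PEM files of a live directory into a password-protected PFX.
# Unlike "-passout pass:" (empty password), the private key inside the
# resulting file is encrypted with the password read from $2.
pem_to_pfx() {
    lineage="$1"; pass_file="$2"; out="$3"
    openssl pkcs12 -export \
        -inkey "$lineage/privkey.pem" \
        -in "$lineage/cert.pem" \
        -certfile "$lineage/chain.pem" \
        -out "$out" \
        -passout "file:$pass_file"
    chmod 600 "$out"
}

# Copy a live directory, dereferencing the symlinks (-L) so the destination
# holds real files rather than links into ../../archive. Prints the number
# of regular files written so a caller can verify the copy.
copy_live() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    cp -LR "$src/." "$dst/"
    find "$dst" -type f | wc -l | tr -d ' '
}

main() {
    lineage="${RENEWED_LINEAGE:?set by certbot for deploy hooks}"
    name=$(basename "$lineage")
    dest="/mnt/hgfs/certs/$name"                # assumed destination
    pass_file="/etc/letsencrypt/pfx-password"   # assumed, mode 600, root-owned
    copy_live "$lineage" "$dest" >/dev/null
    pem_to_pfx "$lineage" "$pass_file" "$dest/certificate.pfx"
    systemctl reload nginx
}

# Run main only when executed as the hook script, not when sourced.
case "${0##*/}" in
    deploy-hook.sh) main "$@" ;;
esac
```

Install it as /etc/letsencrypt/renewal-hooks/deploy/deploy-hook.sh (mode 755); certbot runs every script in that directory after each successful renewal, whether the renewal was started by the systemd timer from section 5 or by the cron job. Because the script runs `systemctl reload nginx` itself, it fits the `certonly` flow from section 3, where certbot does not touch the nginx configuration.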
Reference: https://certbot-dns-cloudflare.readthedocs.io/en/stable/
All articles in this blog are licensed under CC BY-SA 4.0 unless stated otherwise.