XINJH
Collecting and sharing interesting things from the web

Configuring certbot automatic renewal with DNS validation through the Cloudflare API

I spent a lot of time today setting up Let's Encrypt certificate renewal.

Because I moved the site's CDN to Cloudflare and switched its DNS to Cloudflare as well, the previous automatic renewal stopped working and had to be set up again.
The configuration in my earlier article, Setting up Let's Encrypt, works for sites whose DNS is hosted at GoDaddy.

With DNS now on Cloudflare, certbot's renew needs a new pair of hooks, and those hooks have to carry the Cloudflare API credentials and the zone information.

So I created three files here:
setup_hook.sh
cleanup_hook_python.py
cleanup_hook.sh

setup_hook.sh
Creates the TXT record that the renewal needs and writes the relevant ids to temporary files for the cleanup step.

cleanup_hook_python.py
My host cannot process the JSON returned by the Cloudflare API with python -c directly, so I wrote a separate file to handle it.

cleanup_hook.sh
Removes the temporary files and deletes the TXT record from the zone.

The file contents are below. Two things to keep in mind before copying them: the scripts embed the account-wide Global API Key, which can change every DNS record in every zone of the account, so keep them readable only by the user that runs certbot (a scoped API token limited to DNS edits on the one zone exposes less); and the state directory has a predictable name under /tmp, so on a host shared with other local users it is safer to keep that state in a directory only the certbot user can write to.

setup_hook.sh

#!/bin/bash

# Get your API key from https://www.cloudflare.com/a/account/my-account
# (this is the account-wide Global API Key: keep this file root-owned, mode 0700)
API_KEY="your_api_key"
EMAIL="your_email_used_in_cloudflare"

# Strip the hostname down to its apex domain. Informational only: ZONE_ID is set
# by hand below, and this expression yields an empty string when CERTBOT_DOMAIN
# is already the bare apex (it needs at least two dots to match)
DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
echo "$DOMAIN"

# SET the Cloudflare zone id
ZONE_ID="your_cloudflare_ZONE_ID"

# Create TXT record. certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook;
# for a wildcard name (*.example.com) CERTBOT_DOMAIN is example.com
CREATE_DOMAIN="_acme-challenge.$CERTBOT_DOMAIN"
RECORD_JSON=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
     -H     "X-Auth-Email: $EMAIL" \
     -H     "X-Auth-Key: $API_KEY" \
     -H     "Content-Type: application/json" \
     --data '{"type":"TXT","name":"'"$CREATE_DOMAIN"'","content":"'"$CERTBOT_VALIDATION"'","ttl":120}' )

# Save info for cleanup (private directory: the response echoes the challenge token)
STATE_DIR="/tmp/CERTBOT_$CERTBOT_DOMAIN"
if [ ! -d "$STATE_DIR" ]; then
        mkdir -m 0700 "$STATE_DIR"
fi

echo "$ZONE_ID" > "$STATE_DIR/ZONE_ID"
echo "$RECORD_JSON" > "$STATE_DIR/RECORD_JSON"

# The helper reads $STATE_DIR/RECORD_JSON and prints the new record id on stdout.
# stderr is deliberately not captured, so an error message cannot be mistaken for an id
MY_RECORD_ID=$(python3 /home/admin/certbot-script/cleanup_hook_python.py)

rm -f "$STATE_DIR/RECORD_JSON"

# Fail the hook (and therefore the renewal) instead of continuing without a record
if [ -z "$MY_RECORD_ID" ]; then
        echo "Cloudflare did not return a record id: $RECORD_JSON" >&2
        exit 1
fi

# Append, do not overwrite: a wildcard certificate runs this hook twice with the same CERTBOT_DOMAIN
echo "$MY_RECORD_ID" >> "$STATE_DIR/MY_RECORD_ID"
# Sleep to make sure the change has time to propagate over to DNS
sleep 30

cleanup_hook_python.py

import json, os, sys

# setup_hook.sh writes the API response here; the directory name comes from
# certbot's CERTBOT_DOMAIN (inherited from the parent hook) instead of a hard-coded domain
with open("/tmp/CERTBOT_%s/RECORD_JSON" % os.environ["CERTBOT_DOMAIN"]) as file:
        result = json.load(file)
if not result.get("success"):   # fail loudly rather than print a bogus id
        sys.exit("Cloudflare API error: %s" % result.get("errors"))
print(result['result']['id'])

cleanup_hook.sh

#!/bin/bash

# Same credentials as in setup_hook.sh
API_KEY="your_api_key"
EMAIL="your_email_used_in_cloudflare"

STATE_DIR="/tmp/CERTBOT_$CERTBOT_DOMAIN"

if [ -f "$STATE_DIR/ZONE_ID" ]; then
        ZONE_ID=$(cat "$STATE_DIR/ZONE_ID")
        rm -f "$STATE_DIR/ZONE_ID"
fi

if [ -f "$STATE_DIR/MY_RECORD_ID" ]; then
        RECORD_ID=$(cat "$STATE_DIR/MY_RECORD_ID")
        rm -f "$STATE_DIR/MY_RECORD_ID"
fi

# Remove the challenge TXT record(s) from the zone: one id per line when the
# auth hook ran more than once (wildcard certificates)
if [ -n "${ZONE_ID}" ] && [ -n "${RECORD_ID}" ]; then
    for RECORD in $RECORD_ID
    do
        curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$RECORD" \
                -H "X-Auth-Email: $EMAIL" \
                -H "X-Auth-Key: $API_KEY" \
                -H "Content-Type: application/json"
    done
fi

# Leave nothing behind for the next run
rmdir "$STATE_DIR" 2>/dev/null
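The three files above can be folded into a single hook script. The following is an added example, not the post's code, showing how a practitioner would write the same auth and cleanup hooks today: it authenticates with a scoped API token (Authorization: Bearer) instead of the account-wide Global API Key, looks the zone id up from the API instead of hard-coding it, extracts the record id with grep and cut so no separate Python helper is needed, checks the API's "success" field before trusting a response, keeps its state in a root-only directory rather than /tmp, and goes a step beyond the post by handling more than one record per domain in the cleanup. The token path, the state directory, the install path and the auth/cleanup sub-commands are assumptions.

```shell
#!/bin/sh
# Added example (not the post's scripts): one script that serves as both the
# certbot --manual-auth-hook and --manual-cleanup-hook against the Cloudflare API.
# Assumptions, all hypothetical:
#   - a scoped API token (Zone / DNS / Edit on the one zone) is stored on a
#     single line in /etc/letsencrypt/cloudflare.token, root-owned, mode 0600;
#   - the script is installed as /usr/local/sbin/cf-acme-hook;
#   - state lives in /var/lib/certbot-cf, a root-only directory, not /tmp.
set -eu

CF_API="https://api.cloudflare.com/client/v4"
CF_TOKEN_FILE="${CF_TOKEN_FILE:-/etc/letsencrypt/cloudflare.token}"
STATE_DIR="${STATE_DIR:-/var/lib/certbot-cf}"
PROPAGATION_WAIT="${PROPAGATION_WAIT:-30}"

# ---- pure helpers: no network, no jq, no python ----------------------------

# Registrable apex of a hostname (assumes a one-label public suffix such as
# .com; names under a two-label suffix like .co.uk need the Public Suffix List).
apex_of() {
  printf '%s\n' "$1" | awk -F. '{ if (NF < 2) print $0; else print $(NF-1) "." $NF }'
}

# Did the API call succeed? Every Cloudflare response carries a top-level "success".
cf_ok() { printf '%s' "$1" | grep -q '"success": *true'; }

# First "id" that looks like a Cloudflare identifier (32 hex chars). For the
# responses used here (GET zones?name=, POST dns_records) that is the object we
# asked for; nested account/plan ids appear later in the document.
cf_first_id() {
  printf '%s' "$1" | grep -o '"id": *"[0-9a-f]\{32\}"' | head -n 1 | cut -d'"' -f4
}

# Request body for the ACME challenge TXT record. The validation token is
# base64url, so it needs no JSON escaping.
txt_body() {
  printf '{"type":"TXT","name":"_acme-challenge.%s","content":"%s","ttl":120}' "$1" "$2"
}

# ---- network layer (a test can redefine this one function) -----------------

cf_api() {   # cf_api METHOD PATH [JSON_BODY]
  tok=$(cat "$CF_TOKEN_FILE")
  if [ $# -ge 3 ]; then
    curl -sS -X "$1" "$CF_API$2" -H "Authorization: Bearer $tok" \
         -H "Content-Type: application/json" --data "$3"
  else
    curl -sS -X "$1" "$CF_API$2" -H "Authorization: Bearer $tok"
  fi
}

zone_id_for() {   # zone_id_for APEX -> zone id on stdout, non-zero on failure
  resp=$(cf_api GET "/zones?name=$1&status=active")
  cf_ok "$resp" || { echo "zone lookup for $1 failed: $resp" >&2; return 1; }
  id=$(cf_first_id "$resp")
  [ -n "$id" ] || { echo "no active zone named $1 in this account" >&2; return 1; }
  echo "$id"
}

# --manual-auth-hook: certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION.
auth_hook() {
  dir="$STATE_DIR/$CERTBOT_DOMAIN"
  mkdir -p -m 0700 "$dir"
  zone=$(zone_id_for "$(apex_of "$CERTBOT_DOMAIN")")
  resp=$(cf_api POST "/zones/$zone/dns_records" \
                "$(txt_body "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION")")
  cf_ok "$resp" || { echo "TXT record creation failed: $resp" >&2; return 1; }
  rec=$(cf_first_id "$resp")
  [ -n "$rec" ] || { echo "no record id in response: $resp" >&2; return 1; }
  # Append: a wildcard certificate runs this hook twice for the same CERTBOT_DOMAIN.
  echo "$zone $rec" >> "$dir/records"
  sleep "$PROPAGATION_WAIT"
}

# --manual-cleanup-hook: delete every record the auth hook created.
cleanup_hook() {
  dir="$STATE_DIR/$CERTBOT_DOMAIN"
  [ -f "$dir/records" ] || return 0
  while read -r zone rec; do
    cf_api DELETE "/zones/$zone/dns_records/$rec" >/dev/null \
      || echo "failed to delete record $rec" >&2
  done < "$dir/records"
  rm -f "$dir/records"
  rmdir "$dir" 2>/dev/null || true
}

case "${1:-}" in
  auth)    auth_hook ;;
  cleanup) cleanup_hook ;;
esac
```

With the token in place, certbot is pointed at the one script twice: `--manual-auth-hook "/usr/local/sbin/cf-acme-hook auth" --manual-cleanup-hook "/usr/local/sbin/cf-acme-hook cleanup"`. Any failure in the zone lookup or record creation exits non-zero, so certbot reports the hook failure instead of waiting for a validation that can never succeed; the cleanup still runs for whatever was recorded.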

Once the files are in place, test the setup with:

certbot renew --cert-name domain.com --dry-run --manual-auth-hook /home/admin/certbot-script/setup_hook.sh --manual-cleanup-hook /home/admin/certbot-script/cleanup_hook.sh

Use absolute paths for the hooks: the renewal will later run from cron as whichever user runs certbot, where ~ need not be /home/admin, and a ~ inside double quotes is not expanded by the calling shell anyway.

If the output below appears, the configuration works. Then add the same command without --dry-run to crontab; if a web server has to pick up the new certificate, add a --deploy-hook that reloads it, since the dry-run output notes that the certificate was deployed without a reload.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/domain.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/domain.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Permalink: https://xinjh.info/通过cloudflare-api配置certbot基于dns验证的自动更新/
