I spent a lot of time today setting up Let's Encrypt certificate renewal.
Because I moved the site's CDN to Cloudflare and switched DNS over to Cloudflare as well, the previous automatic renewal no longer worked and had to be reconfigured.
The configuration in my earlier post, Setting up Let's Encrypt, works for sites whose DNS is hosted at GoDaddy.
Once DNS is on Cloudflare, certbot renew needs a new hook, and that hook has to supply the Cloudflare API credentials.
So I created three files here:
setup_hook.sh
Creates the DNS record that the renewal needs and saves the relevant ids to temporary files.
cleanup_hook_python.py
My host cannot process the JSON returned by the Cloudflare API directly with python -c, so I wrote a separate file to handle it.
cleanup_hook.sh
Cleans up the temporary files and deletes the DNS record.
The full contents of the files are as follows:
setup_hook.sh
#!/bin/bash
# Get your API key from https://www.cloudflare.com/a/account/my-account
API_KEY="your_api_key"
EMAIL="your_email_used_in_cloudflare"
# Strip everything but the registrable domain (only matches names with at least two dots;
# printed for debugging, the zone id below is set by hand)
DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
echo "$DOMAIN"
# Set the Cloudflare zone id
ZONE_ID="your_cloudflare_ZONE_ID"
# Create the TXT record that certbot will validate
CREATE_DOMAIN="_acme-challenge.$CERTBOT_DOMAIN"
RECORD_JSON=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
  -H "X-Auth-Email: $EMAIL" \
  -H "X-Auth-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  --data '{"type":"TXT","name":"'"$CREATE_DOMAIN"'","content":"'"$CERTBOT_VALIDATION"'","ttl":120}')
# Save info for cleanup (mode 0700: the API response is readable by this user only)
STATE_DIR="/tmp/CERTBOT_$CERTBOT_DOMAIN"
if [ ! -d "$STATE_DIR" ]; then
  mkdir -m 0700 "$STATE_DIR"
fi
echo "$ZONE_ID" > "$STATE_DIR/ZONE_ID"
echo "$RECORD_JSON" > "$STATE_DIR/RECORD_JSON"
# The helper reads $STATE_DIR/RECORD_JSON and prints the id of the new record
MY_RECORD_ID=$(python3 /home/admin/certbot-script/cleanup_hook_python.py 2>&1)
rm -f "$STATE_DIR/RECORD_JSON"
# Append rather than overwrite: a wildcard renewal runs this hook twice for the same domain
echo "$MY_RECORD_ID" >> "$STATE_DIR/MY_RECORD_ID"
# Sleep to make sure the change has time to propagate over to DNS
sleep 30
cleanup_hook_python.py
import json
import os

# setup_hook.sh writes the Cloudflare response to /tmp/CERTBOT_<domain>/RECORD_JSON;
# certbot exports CERTBOT_DOMAIN to the hook, and the hook's child processes inherit it
path = "/tmp/CERTBOT_%s/RECORD_JSON" % os.environ["CERTBOT_DOMAIN"]
with open(path) as file:
    result = json.load(file)
print(result['result']['id'])
cleanup_hook.sh
#!/bin/bash
# Get your API key from https://www.cloudflare.com/a/account/my-account
API_KEY="your_api_key"
EMAIL="your_email_used_in_cloudflare"
STATE_DIR="/tmp/CERTBOT_$CERTBOT_DOMAIN"
if [ -f "$STATE_DIR/ZONE_ID" ]; then
  ZONE_ID=$(cat "$STATE_DIR/ZONE_ID")
  rm -f "$STATE_DIR/ZONE_ID"
fi
if [ -f "$STATE_DIR/MY_RECORD_ID" ]; then
  RECORD_ID=$(cat "$STATE_DIR/MY_RECORD_ID")
  rm -f "$STATE_DIR/MY_RECORD_ID"
fi
# Remove the challenge TXT record(s) from the zone; MY_RECORD_ID holds one id per line
if [ -n "${ZONE_ID}" ] && [ -n "${RECORD_ID}" ]; then
  for RECORD in $RECORD_ID; do
    curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$RECORD" \
      -H "X-Auth-Email: $EMAIL" \
      -H "X-Auth-Key: $API_KEY" \
      -H "Content-Type: application/json"
  done
fi
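As an added example (not one of the three scripts above), here is the same auth/cleanup flow as a single Python hook. It assumes a scoped Cloudflare API token in the CLOUDFLARE_API_TOKEN environment variable (my assumption; the scripts above use the global API key plus e-mail headers) and a mode argument, auth or cleanup. It looks the zone id up by name instead of hard-coding it, checks the API's success flag before trusting the record id, and hands the record id from the auth hook to the cleanup hook through certbot's own CERTBOT_AUTH_OUTPUT variable, so nothing has to be written under /tmp. The FakeCloudflare class is a constructed in-memory stand-in for the API so the logic can be exercised without network access.

```python
#!/usr/bin/env python3
# Added example, not one of the post's own scripts: one Python file that acts
# as both certbot --manual-auth-hook and --manual-cleanup-hook for Cloudflare
# DNS-01. Assumptions (not from the post): the scoped API token is read from
# the CLOUDFLARE_API_TOKEN environment variable, and argv[1] selects the mode
# ("auth" or "cleanup"). Certbot itself sets CERTBOT_DOMAIN, CERTBOT_VALIDATION
# and, for the cleanup hook, CERTBOT_AUTH_OUTPUT (whatever the auth hook printed).
import json
import os
import sys
import time
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def cloudflare_transport(token):
    """Return a callable that performs one real Cloudflare API request."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            API + path, data=data, method=method,
            headers={"Authorization": "Bearer " + token,  # scoped token, not the global key
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return call


def zone_candidates(domain):
    """Zone names that could hold `domain`, longest first, so a sub-zone
    delegated to Cloudflare is preferred over its parent."""
    labels = domain.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def find_zone_id(domain, transport):
    """Look the zone id up by name instead of hard-coding it in the script."""
    for name in zone_candidates(domain):
        resp = transport("GET", "/zones?name=" + name)
        if resp.get("success") and resp.get("result"):
            return resp["result"][0]["id"]
    raise RuntimeError("no Cloudflare zone found for " + domain)


def checked(resp):
    """Raise on an API error instead of silently storing an empty record id."""
    if not resp.get("success"):
        raise RuntimeError("Cloudflare API error: " + json.dumps(resp.get("errors")))
    return resp["result"]


def auth(env, transport):
    """Create the _acme-challenge TXT record and return 'zone_id record_id'.
    Certbot passes that string to the cleanup hook as CERTBOT_AUTH_OUTPUT, so
    a wildcard renewal (two records for one domain) removes each record it made."""
    domain, validation = env["CERTBOT_DOMAIN"], env["CERTBOT_VALIDATION"]
    zone_id = find_zone_id(domain, transport)
    body = {"type": "TXT", "name": "_acme-challenge." + domain,
            "content": validation, "ttl": 120}
    record = checked(transport("POST", "/zones/%s/dns_records" % zone_id, body))
    return "%s %s" % (zone_id, record["id"])


def cleanup(env, transport):
    """Delete exactly the record this run created; True if Cloudflare removed it."""
    zone_id, record_id = env["CERTBOT_AUTH_OUTPUT"].split()
    resp = transport("DELETE", "/zones/%s/dns_records/%s" % (zone_id, record_id))
    return bool(resp.get("success"))


class FakeCloudflare:
    """Constructed in-memory stand-in for the API so the hook logic can be run
    offline. It knows a single zone, example.com, with zone id 'z1'."""
    def __init__(self):
        self.records, self.seq = {}, 0

    def __call__(self, method, path, body=None):
        if method == "GET" and path.startswith("/zones?name="):
            name = path.split("=", 1)[1]
            hit = [{"id": "z1", "name": name}] if name == "example.com" else []
            return {"success": True, "result": hit}
        if method == "POST" and path == "/zones/z1/dns_records":
            self.seq += 1
            rid = "r%d" % self.seq
            self.records[rid] = dict(body)
            return {"success": True, "result": dict(body, id=rid)}
        if method == "DELETE" and path.startswith("/zones/z1/dns_records/"):
            gone = self.records.pop(path.rsplit("/", 1)[1], None) is not None
            return {"success": gone}
        return {"success": False, "errors": [{"message": "no route for %s %s" % (method, path)}]}


def main(argv, env):
    transport = cloudflare_transport(env["CLOUDFLARE_API_TOKEN"])
    if len(argv) > 1 and argv[1] == "auth":
        print(auth(env, transport))
        time.sleep(30)  # give the new TXT record time to propagate before validation
    elif len(argv) > 1 and argv[1] == "cleanup":
        sys.exit(0 if cleanup(env, transport) else 1)
    else:
        sys.exit("usage: cf_hook.py auth|cleanup")


if __name__ == "__main__":
    main(sys.argv, os.environ)
```

With CLOUDFLARE_API_TOKEN exported, it would be wired in as --manual-auth-hook "python3 /path/to/cf_hook.py auth" --manual-cleanup-hook "python3 /path/to/cf_hook.py cleanup" (the file name and path are assumptions). Because each cleanup call only ever deletes the record id it was handed, a failed or interrupted run cannot delete someone else's TXT record, and the token can be restricted to DNS edit on that one zone.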
Once that is done, you can test it with the following command:
certbot renew --cert-name domain.com --dry-run --manual-auth-hook "~/certbot-script/setup_hook.sh" --manual-cleanup-hook "~/certbot-script/cleanup_hook.sh"
If it prints the output below, the configuration works; then just add the renew command to crontab.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is /etc/letsencrypt/live/domain.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/domain.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -