acme DNS API
The role of the acme DNS API is to handle the DNS part of a certificate application: through the DNS API, acme submits the required DNS records to the DNS management platform on your behalf. Anyone who has dealt with certificates knows that there are three kinds of validation when applying for one:
- Email validation: requires an email address bound to the domain (I haven't tried the details of the requirements)
- File validation: the certificate authority asks you to serve a file with content it specifies at a path it specifies on your server, and to open port 80; it then downloads the file to verify that you control the domain. So when applying for a domain you need access to the server and have to open the specified port.
- DNS validation: only requires adding a TXT record to the domain's DNS records
What we use here is DNS validation. It is convenient, but each application needs a new DNS record (which can be deleted after the application completes; acme seems to delete it automatically). If you want to automate this, acme needs permission to submit records on the DNS side.
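To make the DNS validation above concrete, here is what the TXT record that acme's DNS hook creates actually contains, as an added example (this is not code from the post or from the acme project): the record name is "_acme-challenge." prefixed to the domain, and the value is the base64url-encoded SHA-256 of the challenge token joined to the account key thumbprint with a dot (RFC 8555). The token and thumbprint values, the TTL of 120 and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the original post or from acme): what the
# DNS-01 challenge described above puts into DNS, per RFC 8555 section 8.4.
# The token and thumbprint values below are constructed placeholders.

# Record name: "_acme-challenge." prefixed to the identifier. For a wildcard
# identifier the leading "*." is removed first, so example.com and
# *.example.com are both validated at the same record name.
dns01_record_name() {
  printf '_acme-challenge.%s' "${1#\*.}"
}

# Record value: base64url(SHA-256(token "." account-key-thumbprint)) with the
# '=' padding stripped. The CA computes the same digest from the account key it
# already holds and compares it with what the resolver returns.
dns01_record_value() {
  printf '%s.%s' "$1" "$2" \
    | openssl dgst -sha256 -binary \
    | base64 \
    | tr -d '=\n' \
    | tr '+/' '-_'
}

# Print the TXT record a DNS hook would create for one identifier
# (zone-file syntax; the TTL of 120 seconds is an assumption).
dns01_txt_record() {
  printf '%s. 120 IN TXT "%s"\n' \
    "$(dns01_record_name "$1")" "$(dns01_record_value "$2" "$3")"
}

# Constructed demonstration: a certificate for example.com and *.example.com
# needs two challenges (one token each) and therefore two TXT records at the
# same name. This is why the hook must add a record without overwriting an
# existing one, and why it removes both again after validation.
THUMBPRINT='constructed-account-key-thumbprint'
dns01_txt_record 'example.com'   'constructed-token-for-apex'     "$THUMBPRINT"
dns01_txt_record '*.example.com' 'constructed-token-for-wildcard' "$THUMBPRINT"
```

The record value reveals nothing about the account key on its own, which is why a CA can safely ask for it in public DNS; the permission the DNS token needs is exactly "create and delete TXT records in this zone", nothing more.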
acme DNS API docs
Cloudflare DNS API
According to the documentation above, there are two ways to give acme access to the Cloudflare DNS API:
- Generate a Cloudflare global API key (the global key carries all of your Cloudflare permissions, most of which acme never uses)
- Generate a Cloudflare token with DNS permissions only (recommended; it is enough for acme)
Generate a DNS-permission token for Cloudflare
Start from Cloudflare's API tokens page.
Click Create Token.
Select the Edit zone DNS template (usually the first one).
Fill in the fields below the template:
Permissions: Zone -> DNS -> Edit
Zone Resources: Include -> Specific zone -> select your domain name in the drop-down list (you can also select All zones in the second box)
Leave everything else as it is, click Continue, and you will be taken to the summary page.
Click Create Token. Record the token the first time it is shown: it is displayed only once and cannot be viewed again after the page is refreshed.
Getting Cloudflare account information
Open the overview page of the corresponding domain in Cloudflare; in the API section you can see two IDs.
Now we have three pieces of information:
- the DNS token generated above
- the Zone ID
- the Account ID
Generating a certificate on the corresponding server
Set the environment variables:
export CF_Token="<fill in the DNS token>"
export CF_Zone_ID="<fill in the Zone ID>"
export CF_Account_ID="<fill in the Account ID>"
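Typing the three export lines into an interactive shell leaves the token in the shell history. The following added example (not code from the post or from acme) reads the same three variables from a root-owned file with mode 0600 and refuses to load anything more permissive. The file name, its contents and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from acme: load CF_Token,
# CF_Zone_ID and CF_Account_ID from a mode-0600 credentials file instead of
# exporting them interactively. File path and contents are assumptions.

# Return 0 only if the file grants no permission bits to group or other
# (the permission string from "ls -l" then looks like -rw-------).
secret_file_is_private() {
  perms=$(ls -ld "$1" | cut -c1-10)
  case "$perms" in
    -r??------) return 0 ;;
    *) return 1 ;;
  esac
}

# Source KEY=VALUE lines from the credentials file and export them, refusing
# files that other users could read. Returns 1 when a variable is missing.
load_cf_credentials() {
  creds="$1"
  if ! secret_file_is_private "$creds"; then
    echo "refusing to load $creds: readable by group or other" >&2
    return 1
  fi
  set -a          # every variable assigned while sourcing is exported
  . "$creds"
  set +a
  for v in CF_Token CF_Zone_ID CF_Account_ID; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing $v in $creds" >&2
      return 1
    fi
  done
  return 0
}

# Assumed usage from a root shell, before running the issue command:
#   . ./cf-env.sh && load_cf_credentials /root/cf-acme.env
```

Note that after the first successful issue, acme saves the same values into ~/.acme.sh/account.conf so later renewals do not need the variables again, so that file deserves the same 0600 treatment as the credentials file.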
Install acme
apt update -y          # update the package index
apt install -y curl    # install curl
apt install -y socat   # install socat
curl | sh
Generating certificates
--issue --dns dns_cf -d -d "*."
If it says the command cannot be found, use the following instead:
~/./ --issue --dns dns_cf -d -d "*."
When it finishes, it tells you where the certificates are.
The important lines are the first two: "Your cert" (the certificate) and "Your cert key" (the private key).
The certificate generated above is a wildcard (*.) certificate: every domain ending in that base domain can use it.
Recommendation: acme renews the certificate automatically about every 2 months, so I do not recommend moving the certificate somewhere else, because the next time acme generates it, it will again be placed in this location. Either specify the path where acme should generate the certificate (run
--help
to see how to specify the path), or do what I do; there are two options:
- Use this path directly.
- Link the certificate into place with a symbolic link.
For example, to put the certificates in /etc/nginx/ssl under names of my own choosing, I can do:
cd /etc/nginx/ssl
ln -s /home/ivhu/. /home/ivhu/.
ln -s /home/ivhu//certificate private key.key
After the certificate is generated, a new cron job is created to keep the certificate renewed before it expires.
You can view it with
crontab -e
Here is what I got:
It means the certificate is checked at 3:28 every morning.
If your certificate is for nginx, run
crontab -e
as root to edit root's cron jobs, and add the following:
0 4 * * * systemctl reload nginx
This means nginx is reloaded at 4:00 every day, because nginx only picks up a new certificate after a reload.
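The unconditional daily reload above works, but a cron script that reloads only when the certificate file actually changed is quieter and makes a failed reload visible on the next run. The following is an added example, not code from the post or from acme; the certificate path, state-file path and cron line in the comment are assumptions, and the reload command is a parameter so that it can be tested with a harmless command.

```shell
#!/bin/sh
# Added example (not from the original post or from acme): reload nginx only
# when the certificate file has changed since the last successful reload.
# State is a file holding the SHA-256 of the certificate seen at that time.
#
# Assumed cron line (all paths are placeholders):
#   0 4 * * * /usr/local/sbin/reload-if-cert-changed.sh /etc/nginx/ssl/fullchain.cer /var/lib/reload-if-cert-changed.state "systemctl reload nginx"

# sha256_of FILE: print the hex digest, using sha256sum where available and
# falling back to openssl (whose output looks like "SHA2-256(f)= <hex>").
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
  fi
}

# reload_if_changed CERT_FILE STATE_FILE RELOAD_CMD
# Prints "reloaded" or "unchanged". A failed reload keeps the old state, so the
# next run tries again instead of silently serving the stale certificate.
reload_if_changed() {
  cert="$1"; state="$2"; reload_cmd="$3"
  if [ ! -r "$cert" ]; then
    echo "certificate not readable: $cert" >&2
    return 2
  fi
  current=$(sha256_of "$cert")
  previous=""
  if [ -r "$state" ]; then
    previous=$(cat "$state")
  fi
  if [ "$current" = "$previous" ]; then
    echo unchanged
    return 0
  fi
  if sh -c "$reload_cmd"; then
    printf '%s\n' "$current" > "$state"
    echo reloaded
    return 0
  fi
  echo "reload command failed: $reload_cmd" >&2
  return 1
}

# When run as a script with three arguments, act on them (the cron usage above).
if [ "$#" -eq 3 ]; then
  reload_if_changed "$@"
fi
```

Schedule it after acme's own 3:28 check, as the post does with the 4:00 entry; because the script exits non-zero when the reload fails, cron's mail (or whatever collects cron output) then carries the error instead of the failure going unnoticed.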