
acme + cloudflare: generate free certificates (auto-renewal)

Popularity: 36 / 2024-09-23 12:00:36

acme DNS API

The acme DNS API is used to complete the DNS challenge when applying for a certificate: through a DNS API, acme.sh can add the required DNS records on the corresponding DNS management platform by itself. Anyone who has worked with certificates knows that there are three types of verification when applying for one:

  • Email verification: requires an email address bound to the domain (I haven't looked into the details of the requirements)
  • File verification: the CA asks you to place a file with specified content at a specified path on the server and to open port 80; it then downloads that file to verify that you control the domain. So when applying for a domain you need to go to your server and open the specified port.
  • DNS verification: you only need to add a TXT record to the domain's DNS records

What we use here is DNS verification. It is convenient, but every application needs a new DNS record to be added (it can be deleted once the application is complete; acme.sh seems to delete it automatically), so if you want to automate this, acme.sh needs permission to submit records on the DNS side.

acme.sh DNS API docs

Cloudflare DNS API

From the documentation above you can see that there are two ways to give acme.sh access to the Cloudflare DNS API:

  • Generate a Cloudflare global API key (the global key carries all of Cloudflare's permissions, most of which acme.sh never uses)
  • Generate a Cloudflare token with only DNS permissions (recommended; enough for acme.sh)

Generate a DNS permission token for Cloudflare

Let's start from Cloudflare's API token page

[screenshot]

Click here to create a token

Select the "Edit zone DNS" template (usually the first one)

[screenshot]

Fill in the fields as shown below

[screenshot]

Permissions: Zone -> DNS -> Edit

Zone Resources: Include -> Specific zone -> select your domain name in the drop-down list (you can also choose All zones in the second box)

Leave everything else as it is and click continue; you'll be taken to this page.

[screenshot]

Click to generate the token. Record it the first time it is shown: the token is displayed only once, and after refreshing the page it can no longer be seen.

Getting Cloudflare account information

Go to the management page of the corresponding domain in Cloudflare; in the API section you can see two IDs

[screenshot]

Now we have three pieces of information:

  • The TOKEN generated above, which manages DNS
  • The zone ID from here
  • The account ID from here

Generate the certificate on the corresponding server

Setting environment variables

export CF_Token="<fill in the DNS token>"
export CF_Zone_ID="<fill in the zone ID>"
export CF_Account_ID="<fill in the account ID>"

Install acme.sh

 apt update -y # update the system
 
 apt install -y curl # install curl
 
 apt install -y socat # install socat
 
 curl <acme.sh install-script URL> | sh # install acme.sh

Generating the certificate

 acme.sh --issue --dns dns_cf -d <yourdomain> -d "*.<yourdomain>"

If it says the command can't be found, use the full path instead:

~/.acme.sh/acme.sh --issue --dns dns_cf -d <yourdomain> -d "*.<yourdomain>"

When it has finished issuing, it tells you where the certificates are.

[screenshot]

The important lines are the top two: "Your cert" and "Your cert key".

The certificate generated above is a wildcard certificate for *.<yourdomain>; any subdomain ending in that domain can use it.

Recommended use: acme.sh automatically renews the certificate every 2 months, so I don't recommend moving the certificate somewhere else, because the next time acme.sh renews it, the files will still be written to this location, unless you tell acme.sh where to put the certificate (run it with --help to see how to specify the path). The method I use is one of the following two:

  • Use this path directly

  • Symlink the certificate

    For example, if I want to put the certificates under /etc/nginx/ssl with names of my choosing, I can do this:

    cd /etc/nginx/ssl
    ln -s /home/ivhu/.acme.sh/<yourdomain>/<cert file> <cert name>
    ln -s /home/ivhu/.acme.sh/<yourdomain>/<key file> <key name>.key


After the certificate is generated, a new cron job is created to keep the certificate renewed.

You can view it with the crontab -e command; here's what I got:

[screenshot]

It means that the certificate is checked for renewal at 3:28 am every day.

If the certificate is used by nginx, run crontab -e as root to edit root's cron jobs.

Add the following:

0 4 * * * systemctl reload nginx

This reloads nginx at 4:00 every day, because nginx only picks up a renewed certificate after a reload.
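As an added example that is not part of the original post: instead of reloading nginx blindly every day, this script, run from the same root crontab, reloads only when acme.sh has actually written a new certificate, and warns when the certificate on disk is close to expiry so a failed renewal is noticed. The ACME_CERT and STATE paths are placeholders to adjust to the "Your cert" line printed by acme.sh.

```shell
#!/bin/sh
# Reload nginx only when the acme.sh certificate has changed, and warn when
# the certificate on disk is about to expire (i.e. renewal stopped working).
# Placeholders (assumptions): ACME_CERT is the "Your cert" path acme.sh printed,
# STATE stores the digest of the certificate nginx was last reloaded with.
ACME_CERT="${ACME_CERT:-/home/ivhu/.acme.sh/<yourdomain>/<cert file>}"
STATE="${STATE:-/var/lib/cert-reload.digest}"
WARN_DAYS="${WARN_DAYS:-15}"

# SHA-256 of a file; falls back to openssl where sha256sum is not available.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Returns 0 if CERT differs from the digest recorded in STATE_FILE (and records
# the new digest); returns 1 if the certificate is unchanged.
cert_changed() {
    cert="$1"; state="$2"
    new=$(file_digest "$cert") || return 1
    old=$(cat "$state" 2>/dev/null || :)
    [ "$new" = "$old" ] && return 1
    printf '%s\n' "$new" > "$state"
    return 0
}

# Returns 0 if CERT expires within DAYS days (renewal is late or has failed).
cert_expires_within() {
    ! openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null 2>&1
}

reload_if_changed() {
    if cert_expires_within "$ACME_CERT" "$WARN_DAYS"; then
        echo "WARNING: $ACME_CERT expires within $WARN_DAYS days; check the acme.sh cron job" >&2
    fi
    if cert_changed "$ACME_CERT" "$STATE"; then
        # Validate the config first so a bad cert/key pair never takes nginx down.
        nginx -t >/dev/null 2>&1 && systemctl reload nginx
    fi
}

# Cron entry: 0 4 * * * /usr/local/bin/cert-reload.sh run
case "${1:-}" in run) reload_if_changed ;; esac
```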