In these notes I will write in English; I am just learning and getting used to English.
First things first: these are my notes on Cloudflare domain management.
Let's start. I had a problem generating an SSL certificate on a local network, because the local network doesn't have a public IP that certbot can reach to verify that the domain is valid.
So from my boss I learned how to solve the problem: generate the certificate with certbot and authenticate with the DNS challenge instead.
The command looks like this:
sudo certbot certonly --manual --preferred-challenges=dns --manual-auth-hook /path_to_execute/authenticator.sh --manual-cleanup-hook /path_to_execute/cleanup.sh -d domain_name
Description:
- certonly : obtain or renew a certificate, but do not install it
- --preferred-challenges : a sorted, comma-delimited list of the preferred challenges to use during authorization, most preferred first (e.g. "dns" or "http,dns")
- --manual-auth-hook : script run before validation; it must publish the challenge, and certbot hands it the domain and the validation token in the CERTBOT_DOMAIN and CERTBOT_VALIDATION environment variables
- --manual-cleanup-hook : script run after validation, to remove what the auth hook published
- -d : the domain name to obtain a certificate for
From the command above we know that two scripts have to exist, and here they are.
First authenticator.sh, which creates the challenge DNS record:
#!/bin/bash
# Get your API key from https://www.cloudflare.com/a/account/my-account
# Note: the X-Auth-Key header below expects the account's Global API Key, which
# grants full account access, so keep this file readable by root only.
API_KEY="api_token_cloudflare"
EMAIL="your_email"
# Keep only the last two labels to get the zone name (sub.example.com -> example.com).
# Caveat: this gives an empty string for a bare apex domain (example.com) and the
# wrong zone for multi-label suffixes such as co.uk.
DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
# Get the Cloudflare zone id
ZONE_EXTRA_PARAMS="status=active&page=1&per_page=20&order=status&direction=desc&match=all"
ZONE_ID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$DOMAIN&$ZONE_EXTRA_PARAMS" \
    -H "X-Auth-Email: $EMAIL" \
    -H "X-Auth-Key: $API_KEY" \
    -H "Content-Type: application/json" | python3 -c "import sys,json;print(json.load(sys.stdin)['result'][0]['id'])")
# Create the TXT record that the DNS-01 challenge will be validated against.
# certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION before running this hook.
CREATE_DOMAIN="_acme-challenge.$CERTBOT_DOMAIN"
RECORD_ID=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
    -H "X-Auth-Email: $EMAIL" \
    -H "X-Auth-Key: $API_KEY" \
    -H "Content-Type: application/json" \
    --data '{"type":"TXT","name":"'"$CREATE_DOMAIN"'","content":"'"$CERTBOT_VALIDATION"'","ttl":120}' \
    | python3 -c "import sys,json;print(json.load(sys.stdin)['result']['id'])")
# Save the ids so cleanup.sh can delete the record later (directory is owner-only)
if [ ! -d "/tmp/CERTBOT_$CERTBOT_DOMAIN" ]; then
    mkdir -m 0700 "/tmp/CERTBOT_$CERTBOT_DOMAIN"
fi
echo "$ZONE_ID" > "/tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID"
echo "$RECORD_ID" > "/tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID"
# Sleep to make sure the change has time to propagate over DNS
sleep 25
Then cleanup.sh, which removes the DNS record once validation is done:
#!/bin/bash
# Get your API key from https://www.cloudflare.com/a/account/my-account
API_KEY="api_token_cloudflare"
EMAIL="your_email"
# Read back the ids saved by authenticator.sh and remove the state files
if [ -f "/tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID" ]; then
    ZONE_ID=$(cat "/tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID")
    rm -f "/tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID"
fi
if [ -f "/tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID" ]; then
    RECORD_ID=$(cat "/tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID")
    rm -f "/tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID"
fi
# Remove the challenge TXT record from the zone
if [ -n "${ZONE_ID}" ]; then
    if [ -n "${RECORD_ID}" ]; then
        curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$RECORD_ID" \
            -H "X-Auth-Email: $EMAIL" \
            -H "X-Auth-Key: $API_KEY" \
            -H "Content-Type: application/json"
    fi
fi
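The two hooks above are the procedure; below is an added example of my own, not the scripts from these notes, that folds both hooks into one script and handles the cases the one-line expr does not: it walks from the full name up to each parent domain until the zones API finds one (so a bare apex or a co.uk-style zone still resolves), builds the record body with a real JSON encoder, and polls DNS for the record instead of sleeping a fixed 25 seconds. Assumptions: a scoped Cloudflare API token with DNS edit permission is exported in CF_API_TOKEN (or kept in /etc/letsencrypt/cloudflare-token, a path chosen for this example), python3 and dig are installed, 1.1.1.1 is used as the resolver to poll, and certbot is told to run the script as "cf-hook.sh auth" and "cf-hook.sh cleanup".

```shell
#!/bin/bash
# Added example, not the hook scripts from the notes. One script serves as both
# hooks: certbot runs "cf-hook.sh auth" before validation and "cf-hook.sh cleanup"
# after it. A scoped API token (Zone DNS edit) replaces the Global API Key, so a
# leaked token cannot do more than edit DNS. Token file path is an assumption.
set -u
CF_API_TOKEN="${CF_API_TOKEN:-$(cat /etc/letsencrypt/cloudflare-token 2>/dev/null || true)}"

# Print the name and each parent domain, longest first, stopping before the bare TLD:
#   a.b.example.com -> a.b.example.com, b.example.com, example.com
candidate_zones() {
    local name="$1"
    while [ "${name#*.}" != "$name" ]; do
        printf '%s\n' "$name"
        name="${name#*.}"
    done
}

# The DNS-01 challenge record Let's Encrypt will look up for this domain.
challenge_record_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Encode the record body with json.dumps rather than splicing strings, so the
# token can never break out of the quotes.
txt_record_json() {  # txt_record_json NAME VALUE
    python3 -c 'import json,sys; print(json.dumps({"type":"TXT","name":sys.argv[1],"content":sys.argv[2],"ttl":120}))' "$1" "$2"
}

# cf_api METHOD PATH [JSON_BODY]: one authenticated call to the Cloudflare v4 API.
cf_api() {
    if [ -n "${3:-}" ]; then
        curl -sS -X "$1" "https://api.cloudflare.com/client/v4/$2" \
            -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json" --data "$3"
    else
        curl -sS -X "$1" "https://api.cloudflare.com/client/v4/$2" \
            -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json"
    fi
}

# Try each candidate zone name until the zones API returns one.
lookup_zone_id() {
    local zone id
    for zone in $(candidate_zones "$1"); do
        id=$(cf_api GET "zones?name=$zone&status=active" |
             python3 -c 'import sys,json; r=json.load(sys.stdin)["result"]; print(r[0]["id"] if r else "")')
        if [ -n "$id" ]; then printf '%s\n' "$id"; return 0; fi
    done
    return 1
}

# Poll a public resolver for the TXT value; fall back to the fixed wait from
# the notes when dig is not installed.
wait_for_txt() {  # wait_for_txt NAME VALUE [TRIES]
    local tries="${3:-12}" i=0
    command -v dig >/dev/null 2>&1 || { sleep 25; return 0; }
    while [ "$i" -lt "$tries" ]; do
        dig +short TXT "$1" @1.1.1.1 | grep -Fq "\"$2\"" && return 0
        i=$((i + 1)); sleep 5
    done
    echo "TXT record $1 not visible yet; letting certbot try anyway" >&2
    return 0
}

state_dir="/tmp/CERTBOT_${CERTBOT_DOMAIN:-unset}"

auth_hook() {
    local zone_id name record_id
    zone_id=$(lookup_zone_id "$CERTBOT_DOMAIN") || { echo "no Cloudflare zone for $CERTBOT_DOMAIN" >&2; return 1; }
    name=$(challenge_record_name "$CERTBOT_DOMAIN")
    record_id=$(cf_api POST "zones/$zone_id/dns_records" "$(txt_record_json "$name" "$CERTBOT_VALIDATION")" |
                python3 -c 'import sys,json; print(json.load(sys.stdin)["result"]["id"])')
    mkdir -p -m 0700 "$state_dir"              # owner-only state for the cleanup hook
    printf '%s\n' "$zone_id" > "$state_dir/ZONE_ID"
    printf '%s\n' "$record_id" > "$state_dir/RECORD_ID"
    wait_for_txt "$name" "$CERTBOT_VALIDATION"
}

cleanup_hook() {
    [ -f "$state_dir/ZONE_ID" ] && [ -f "$state_dir/RECORD_ID" ] || return 0
    cf_api DELETE "zones/$(cat "$state_dir/ZONE_ID")/dns_records/$(cat "$state_dir/RECORD_ID")" >/dev/null
    rm -rf "$state_dir"
}

# Dispatch only when certbot is actually calling us (it sets CERTBOT_DOMAIN).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    case "${1:-}" in
        auth) auth_hook ;;
        cleanup) cleanup_hook ;;
        *) echo "usage: $0 auth|cleanup" >&2; exit 2 ;;
    esac
fi
```

Wire it in with --manual-auth-hook "/path/cf-hook.sh auth" --manual-cleanup-hook "/path/cf-hook.sh cleanup"; certbot stores the hook commands in the renewal config, so renewals reuse them. Certbot also ships a dns-cloudflare plugin that does the same job without custom hooks, which is worth considering before maintaining scripts like these.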
Once the command has finished, the certificates are in /etc/letsencrypt/live/domain_name/
and you just add them to your nginx config.
For example:
server {
    ....................
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/your_domain_name/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/your_domain_name/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
taraaaa
reference: https://eff-certbot.readthedocs.io/en/stable/using.html#pre-and-post-validation-hooks