A while ago, while testing Caddy's automatic Let's Encrypt certificate issuance, I found that its DNS plugin did not support NameSilo, so for some inexplicable reason I transferred my personal domain to Namecheap. When I later switched back to Nginx, it turned out that Namecheap charges for API access, so third-party tools like the acme.sh script or certbot could no longer renew the certificate. In the end I simply put CloudFlare in front of the domain and used its domain API for the DNS challenge, successfully turning a simple problem into a complicated one.
Preparation

Get your Global API Key and write it down.
Set the environment variables acme.sh needs by adding the following to `~/.acme.sh/acme.sh.env`:

```sh
export CF_Key="$API_KEY"
export CF_Email="$CLOUDFLARE_EMAIL"
```
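The Global API Key stored in that file grants full access to the entire CloudFlare account, so the file deserves the same care as a private key. The shell check below is an added example, not part of the original post or of acme.sh: it refuses a credentials file that is readable by group or others, or that still carries an unfilled placeholder such as the `$API_KEY` above. Newer acme.sh releases also accept a scoped API token through `CF_Token` (together with `CF_Account_ID` or `CF_Zone_ID`), which limits the damage from a leaked file to one zone's DNS records; the checker accepts either form. The file name and the `export NAME="value"` layout are assumptions taken from the post.

```shell
#!/bin/sh
# Added example (not from the post or from acme.sh): sanity-check the env file
# that holds the CloudFlare credentials before letting acme.sh use it.
# Assumes the `export NAME="value"` layout shown in the post.

# Print the value of one `export NAME="..."` line; prints nothing if absent.
env_value() {
    # $1 = file, $2 = variable name
    sed -n "s/^export $2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Return 0 only if the file is not readable or writable by group or others.
env_file_private() {
    # Columns 5-10 of `ls -l` are the group and other permission bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Return 0 if the file carries a usable CloudFlare credential set, 1 otherwise.
# Every problem found is reported on stderr, not just the first one.
check_cf_env() {
    file=$1
    rc=0
    if [ ! -f "$file" ]; then
        echo "missing credentials file: $file" >&2
        return 1
    fi
    env_file_private "$file" || { echo "$file is readable by group/other (chmod 600 it)" >&2; rc=1; }
    key=$(env_value "$file" CF_Key)
    email=$(env_value "$file" CF_Email)
    token=$(env_value "$file" CF_Token)
    if [ -n "$token" ]; then
        # Scoped token form: only the token itself needs to be filled in.
        case $token in
            '$'*) echo "CF_Token still holds a placeholder" >&2; rc=1 ;;
        esac
    elif [ -n "$key" ] || [ -n "$email" ]; then
        # Global API Key form, as used in the post.
        case $key in
            ''|'$'*) echo "CF_Key is empty or still holds a placeholder" >&2; rc=1 ;;
        esac
        case $email in
            ''|'$'*) echo "CF_Email is empty or still holds a placeholder" >&2; rc=1 ;;
            *@*) ;;
            *) echo "CF_Email does not look like an e-mail address" >&2; rc=1 ;;
        esac
    else
        echo "neither CF_Token nor CF_Key/CF_Email is set in $file" >&2
        rc=1
    fi
    return $rc
}

# Usage: check_cf_env ~/.acme.sh/acme.sh.env && acme.sh --issue --dns dns_cf -d example.com
```

Run it once after editing the file and again from the renewal cron job; a non-zero exit stops the job before acme.sh ever sends the credential to CloudFlare.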
CloudFlare setup

Click Add site in the top right corner of the site, enter your domain and confirm; CloudFlare will automatically fetch the site's existing DNS records.

Check them over, and if everything looks right click continue.

Choose a plan; the free one is enough here.

After continuing you are assigned two nameservers, which you have to enter yourself at the domain registrar in place of the defaults.

My domain is hosted at Namecheap, so following the official documentation I changed Custom DNS to the nameservers obtained above. Save and wait for the change to take effect; CloudFlare checks periodically in the background and sends an email once it succeeds.
Requesting the certificate

Everything is ready, so the real work can begin:

Command-line invocation
```
$ acme.sh --issue --dns dns_cf --dnssleep 30 --force -d josta.me -d *.josta.me
[Wed Aug 29 01:06:58 CST 2018] Multi domain='DNS:josta.me,DNS:*.josta.me'
[Wed Aug 29 01:06:58 CST 2018] Getting domain auth token for each domain
[Wed Aug 29 01:06:59 CST 2018] Getting webroot for domain='josta.me'
[Wed Aug 29 01:06:59 CST 2018] Getting webroot for domain='*.josta.me'
[Wed Aug 29 01:06:59 CST 2018] Found domain api file: /home/yee/.acme.sh/dnsapi/dns_cf.sh
[Wed Aug 29 01:07:00 CST 2018] Adding record
[Wed Aug 29 01:07:00 CST 2018] Added, OK
[Wed Aug 29 01:07:00 CST 2018] Found domain api file: /home/yee/.acme.sh/dnsapi/dns_cf.sh
[Wed Aug 29 01:07:01 CST 2018] Adding record
[Wed Aug 29 01:07:01 CST 2018] Added, OK
[Wed Aug 29 01:07:01 CST 2018] Sleep 30 seconds for the txt records to take effect
[Wed Aug 29 01:07:22 CST 2018] Verifying:josta.me
[Wed Aug 29 01:07:25 CST 2018] Success
[Wed Aug 29 01:07:25 CST 2018] Verifying:*.josta.me
[Wed Aug 29 01:07:27 CST 2018] Success
[Wed Aug 29 01:07:27 CST 2018] Removing DNS records.
[Wed Aug 29 01:07:29 CST 2018] Verify finished, start to sign.
[Wed Aug 29 01:07:31 CST 2018] Cert success.
-----BEGIN CERTIFICATE-----
MIIGCDCCBPCgAwIBAgISA21QBrLKNQVywh3qlQQ4ZLRZMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA4MjgxNjA3MzBaFw0x
ODExMjYxNjA3MzBaMBMxETAPBgNVBAMTCGpvc3RhLm1lMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAvnRkby+4AZW5Iu9JNYtV8gjj64JV3T05gTuKiDxm
...
Vy0bJYw4lO9e/QMhPQ6xgknj5xK6B5JspKH3Iq35baAiILqvOTZWzzVohdNZyuhT
qs44lXmWjgLfiZAu0cgpY93Hgwus8esJPz9dR9ysm2uLkAJKvEQ+qaCrdjanpXnn
RgK/vGpC7TGOamAgm+q0vb1xahGF0b2KjfWNVihD7hwQM2GPR3Z5JTqjVdbUkdgR
IylhoS8rL8oM1VjIgpW1Ks3YkxZtFBO96qRz996GKVU1NQbSRe3YqinoG27Iwp79
igLnYt5bDkm7NuhCC/TTgtobfaNCdARKazBRANHmx9SdfcwAkWvPxG47FAqqhrh9
MHaF9MtRonqdWhX6
-----END CERTIFICATE-----
[Wed Aug 29 01:07:31 CST 2018] Your cert is in /home/yee/.acme.sh/josta.me/josta.me.cer
[Wed Aug 29 01:07:31 CST 2018] Your cert key is in /home/yee/.acme.sh/josta.me/josta.me.key
[Wed Aug 29 01:07:31 CST 2018] The intermediate CA cert is in /home/yee/.acme.sh/josta.me/ca.cer
[Wed Aug 29 01:07:31 CST 2018] And the full chain certs is there: /home/yee/.acme.sh/josta.me/fullchain.cer
```
Test whether the renewal that the crontab will run works:
```
$ "/home/yee/.acme.sh"/acme.sh --cron --home "/home/yee/.acme.sh" "--force" "--staging"
[Wed Aug 29 01:09:12 CST 2018] ===Starting cron===
[Wed Aug 29 01:09:12 CST 2018] Installing from online archive.
[Wed Aug 29 01:09:12 CST 2018] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Wed Aug 29 01:09:13 CST 2018] Extracting master.tar.gz
[Wed Aug 29 01:09:13 CST 2018] Installing to /home/yee/.acme.sh
[Wed Aug 29 01:09:13 CST 2018] Installed to /home/yee/.acme.sh/acme.sh
[Wed Aug 29 01:09:13 CST 2018] Good, bash is found, so change the shebang to use bash as preferred.
[Wed Aug 29 01:09:14 CST 2018] OK
[Wed Aug 29 01:09:14 CST 2018] Install success!
[Wed Aug 29 01:09:14 CST 2018] Upgrade success!
[Wed Aug 29 01:09:14 CST 2018] Auto upgraded to: 2.8.0
[Wed Aug 29 01:09:14 CST 2018] Renew: 'josta.me'
[Wed Aug 29 01:09:14 CST 2018] Multi domain='DNS:josta.me,DNS:*.josta.me'
[Wed Aug 29 01:09:14 CST 2018] Getting domain auth token for each domain
[Wed Aug 29 01:09:15 CST 2018] Getting webroot for domain='josta.me'
[Wed Aug 29 01:09:15 CST 2018] Getting webroot for domain='*.josta.me'
[Wed Aug 29 01:09:15 CST 2018] josta.me is already verified, skip dns-01.
[Wed Aug 29 01:09:15 CST 2018] *.josta.me is already verified, skip dns-01.
[Wed Aug 29 01:09:15 CST 2018] Verify finished, start to sign.
[Wed Aug 29 01:09:17 CST 2018] Cert success.
-----BEGIN CERTIFICATE-----
MIIGCDCCBPCgAwIBAgISA6pcY39wrfLkZmWNnEP7CEt4MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA4MjgxNjA5MTZaFw0x
ODExMjYxNjA5MTZaMBMxETAPBgNVBAMTCGpvc3RhLm1lMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAvnRkby+4AZW5Iu9JNYtV8gjj64JV3T05gTuKiDxm
...
Uri4ick537vyTgmYJNU9bcQsqnrMYBK1TAfARpNOmvNbQ04YHfrKK1dp6D8pjBzn
1QxNg028mOZ+qE1VfFbsq7lyHGR/Yn7VOAChJhAUfqgt4bvPFTM7jGsGyGC1zYSo
XJdBj9vw1aoYpn3oMi76bVs3ix3Vfq9+3mbDRgYWtnDca2QcxohpKKaim3uo/R3f
ApxHeV+3mya1cHOmwQwdHlJHuoUZlyv2WSC0UiJV+FP/9Ey7I1/6eETSyLHCu9Pn
WADVlO6mFIfqqE18FWL1LBq9grqMHJEyccliUJ2G3Gg5YFJQDBEiWwuYfBlsOg4W
+HZYLRriUi/PKqNO
-----END CERTIFICATE-----
[Wed Aug 29 01:09:17 CST 2018] Your cert is in /home/yee/.acme.sh/josta.me/josta.me.cer
[Wed Aug 29 01:09:17 CST 2018] Your cert key is in /home/yee/.acme.sh/josta.me/josta.me.key
[Wed Aug 29 01:09:17 CST 2018] The intermediate CA cert is in /home/yee/.acme.sh/josta.me/ca.cer
[Wed Aug 29 01:09:17 CST 2018] And the full chain certs is there: /home/yee/.acme.sh/josta.me/fullchain.cer
[Wed Aug 29 01:09:17 CST 2018] ===End cron===
```
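Both runs above end with "Cert success" and write to the same paths, and the cron test was invoked with `--force --staging`: should a staging CA ever sign the chain, or should a wildcard order validate only the apex, or should the key file and certificate drift apart, nothing in the log says so and the problem only shows up once Nginx reloads. The script below is an added example, not part of the post or of acme.sh; it inspects the files acme.sh reported (`<dir>/fullchain.cer` and `<dir>/<first domain>.key`, the layout assumed from the log) with `openssl` and refuses the reload unless every name requested is in the subjectAltName, the key matches the certificate, at least a week of validity remains, and the issuer is not a Let's Encrypt staging CA. The function names and the seven-day threshold are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the post or from acme.sh): verify what acme.sh wrote
# before pointing Nginx at it. Assumes the layout from the post's log:
#   <dir>/fullchain.cer   leaf certificate followed by the chain
#   <dir>/<name>.key      private key, named after the first -d domain

# 0 if the certificate's subjectAltName lists exactly the DNS name in $2.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$2"
}

# 0 if the private key in $2 belongs to the certificate in $1.
# Comparing the SubjectPublicKeyInfo works for RSA and EC keys alike.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 if the issuer looks like a Let's Encrypt staging CA (e.g. "Fake LE Intermediate X1").
cert_looks_staging() {
    openssl x509 -in "$1" -noout -issuer | grep -qiE 'staging|fake le'
}

# verify_issued_cert DIR NAME [NAME...]: run every check, report all failures
# on stderr, return 1 if any of them failed.
verify_issued_cert() {
    dir=$1; shift
    cert="$dir/fullchain.cer"
    key="$dir/$1.key"
    rc=0
    for name in "$@"; do
        cert_has_san "$cert" "$name" || { echo "SAN missing: $name" >&2; rc=1; }
    done
    cert_matches_key "$cert" "$key" || { echo "$key does not match $cert" >&2; rc=1; }
    cert_valid_for_days "$cert" 7 || { echo "$cert expires within 7 days" >&2; rc=1; }
    if cert_looks_staging "$cert"; then
        echo "$cert was signed by a staging CA; browsers will not trust it" >&2
        rc=1
    fi
    return $rc
}

# Usage on the post's layout, gating the reload on the checks:
#   verify_issued_cert /home/yee/.acme.sh/josta.me josta.me '*.josta.me' && systemctl reload nginx
```

acme.sh can run a hook of its own through `--install-cert ... --reloadcmd`, but because the post runs acme.sh as an unprivileged user and reloads Nginx from root's crontab, the natural place for this check is immediately before that reload.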
It works, so update the crontab entries:
```
crontab -e
# user yee's crontab: acme.sh checks daily whether the certificate is due for renewal
32 0 * * * "/home/yee/.acme.sh"/acme.sh --cron --home "/home/yee/.acme.sh" > /dev/null

sudo crontab -u root -e
# root's own crontab, so five time fields followed directly by the command;
# the extra user column exists only in /etc/crontab and /etc/cron.d
05 07 1 * * systemctl reload nginx
```
Everything else stays the same as before, and the whole site is back on HTTPS.
History
Version | Action | Time |
---|---|---|
1.0 | Initial commit | Aug 31, 2018 |