前阵子测试Caddy自动申请Let’s Encrypt证书的时候,因为其DNS插件不支持NameSilo,鬼使神差的把个人域名给转移到了Namecheap,回头换回Nginx发现他家的API调用需要收费,不能再使用acme.sh脚本或者certbot这种第三方工具renew证书,所以干脆在前面再套一层CloudFlare,通过他家的domain API实现DNS challenge,成功的把简单问题复杂化了。

准备工作

CloudFlare设置

  • 点击网站右上角Add site,输入自己的站点域名并确认 Add site

  • CloudFlare会自动抓取网站现有的DNS记录 Query DNS records

    检查没有问题就点击继续

  • 选择收费方案,这里我们可以使用免费的就足够了 Select a plan

  • 继续后会被分配两个nameserver,需要自行在域名注册替换默认的 Change the nameservers

    我这里域名托管在Namecheap,参考官方文档修改Custom DNS为上面拿到的ns

  • 保存后等待结果生效,CloudFlare在后台定时检查,成功了会发邮件通知的 Activated

申请证书

好了,一切准备就绪,可以开始正式工作了:

  • 命令行调用

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    
    $ acme.sh --issue --dns dns_cf --dnssleep 30 --force -d josta.me -d *.josta.me
    [Wed Aug 29 01:06:58 CST 2018] Multi domain='DNS:josta.me,DNS:*.josta.me'
    [Wed Aug 29 01:06:58 CST 2018] Getting domain auth token for each domain
    [Wed Aug 29 01:06:59 CST 2018] Getting webroot for domain='josta.me'
    [Wed Aug 29 01:06:59 CST 2018] Getting webroot for domain='*.josta.me'
    [Wed Aug 29 01:06:59 CST 2018] Found domain api file: /home/yee/.acme.sh/dnsapi/dns_cf.sh
    [Wed Aug 29 01:07:00 CST 2018] Adding record
    [Wed Aug 29 01:07:00 CST 2018] Added, OK
    [Wed Aug 29 01:07:00 CST 2018] Found domain api file: /home/yee/.acme.sh/dnsapi/dns_cf.sh
    [Wed Aug 29 01:07:01 CST 2018] Adding record
    [Wed Aug 29 01:07:01 CST 2018] Added, OK
    [Wed Aug 29 01:07:01 CST 2018] Sleep 30 seconds for the txt records to take effect
    [Wed Aug 29 01:07:22 CST 2018] Verifying:josta.me
    [Wed Aug 29 01:07:25 CST 2018] Success
    [Wed Aug 29 01:07:25 CST 2018] Verifying:*.josta.me
    [Wed Aug 29 01:07:27 CST 2018] Success
    [Wed Aug 29 01:07:27 CST 2018] Removing DNS records.
    [Wed Aug 29 01:07:29 CST 2018] Verify finished, start to sign.
    [Wed Aug 29 01:07:31 CST 2018] Cert success.
    -----BEGIN CERTIFICATE-----
    MIIGCDCCBPCgAwIBAgISA21QBrLKNQVywh3qlQQ4ZLRZMA0GCSqGSIb3DQEBCwUA
    MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
    ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA4MjgxNjA3MzBaFw0x
    ODExMjYxNjA3MzBaMBMxETAPBgNVBAMTCGpvc3RhLm1lMIIBIjANBgkqhkiG9w0B
    AQEFAAOCAQ8AMIIBCgKCAQEAvnRkby+4AZW5Iu9JNYtV8gjj64JV3T05gTuKiDxm
    ...
    Vy0bJYw4lO9e/QMhPQ6xgknj5xK6B5JspKH3Iq35baAiILqvOTZWzzVohdNZyuhT
    qs44lXmWjgLfiZAu0cgpY93Hgwus8esJPz9dR9ysm2uLkAJKvEQ+qaCrdjanpXnn
    RgK/vGpC7TGOamAgm+q0vb1xahGF0b2KjfWNVihD7hwQM2GPR3Z5JTqjVdbUkdgR
    IylhoS8rL8oM1VjIgpW1Ks3YkxZtFBO96qRz996GKVU1NQbSRe3YqinoG27Iwp79
    igLnYt5bDkm7NuhCC/TTgtobfaNCdARKazBRANHmx9SdfcwAkWvPxG47FAqqhrh9
    MHaF9MtRonqdWhX6
    -----END CERTIFICATE-----
    [Wed Aug 29 01:07:31 CST 2018] Your cert is in  /home/yee/.acme.sh/josta.me/josta.me.cer
    [Wed Aug 29 01:07:31 CST 2018] Your cert key is in  /home/yee/.acme.sh/josta.me/josta.me.key
    [Wed Aug 29 01:07:31 CST 2018] The intermediate CA cert is in  /home/yee/.acme.sh/josta.me/ca.cer
    [Wed Aug 29 01:07:31 CST 2018] And the full chain certs is there:  /home/yee/.acme.sh/josta.me/fullchain.cer
  • 测试crontab的renew是否正常:

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    
    $ "/home/yee/.acme.sh"/acme.sh --cron --home "/home/yee/.acme.sh" "--force" "--staging"
    [Wed Aug 29 01:09:12 CST 2018] ===Starting cron===
    [Wed Aug 29 01:09:12 CST 2018] Installing from online archive.
    [Wed Aug 29 01:09:12 CST 2018] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
    [Wed Aug 29 01:09:13 CST 2018] Extracting master.tar.gz
    [Wed Aug 29 01:09:13 CST 2018] Installing to /home/yee/.acme.sh
    [Wed Aug 29 01:09:13 CST 2018] Installed to /home/yee/.acme.sh/acme.sh
    [Wed Aug 29 01:09:13 CST 2018] Good, bash is found, so change the shebang to use bash as preferred.
    [Wed Aug 29 01:09:14 CST 2018] OK
    [Wed Aug 29 01:09:14 CST 2018] Install success!
    [Wed Aug 29 01:09:14 CST 2018] Upgrade success!
    [Wed Aug 29 01:09:14 CST 2018] Auto upgraded to: 2.8.0
    [Wed Aug 29 01:09:14 CST 2018] Renew: 'josta.me'
    [Wed Aug 29 01:09:14 CST 2018] Multi domain='DNS:josta.me,DNS:*.josta.me'
    [Wed Aug 29 01:09:14 CST 2018] Getting domain auth token for each domain
    [Wed Aug 29 01:09:15 CST 2018] Getting webroot for domain='josta.me'
    [Wed Aug 29 01:09:15 CST 2018] Getting webroot for domain='*.josta.me'
    [Wed Aug 29 01:09:15 CST 2018] josta.me is already verified, skip dns-01.
    [Wed Aug 29 01:09:15 CST 2018] *.josta.me is already verified, skip dns-01.
    [Wed Aug 29 01:09:15 CST 2018] Verify finished, start to sign.
    [Wed Aug 29 01:09:17 CST 2018] Cert success.
    -----BEGIN CERTIFICATE-----
    MIIGCDCCBPCgAwIBAgISA6pcY39wrfLkZmWNnEP7CEt4MA0GCSqGSIb3DQEBCwUA
    MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
    ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA4MjgxNjA5MTZaFw0x
    ODExMjYxNjA5MTZaMBMxETAPBgNVBAMTCGpvc3RhLm1lMIIBIjANBgkqhkiG9w0B
    AQEFAAOCAQ8AMIIBCgKCAQEAvnRkby+4AZW5Iu9JNYtV8gjj64JV3T05gTuKiDxm
    ...
    Uri4ick537vyTgmYJNU9bcQsqnrMYBK1TAfARpNOmvNbQ04YHfrKK1dp6D8pjBzn
    1QxNg028mOZ+qE1VfFbsq7lyHGR/Yn7VOAChJhAUfqgt4bvPFTM7jGsGyGC1zYSo
    XJdBj9vw1aoYpn3oMi76bVs3ix3Vfq9+3mbDRgYWtnDca2QcxohpKKaim3uo/R3f
    ApxHeV+3mya1cHOmwQwdHlJHuoUZlyv2WSC0UiJV+FP/9Ey7I1/6eETSyLHCu9Pn
    WADVlO6mFIfqqE18FWL1LBq9grqMHJEyccliUJ2G3Gg5YFJQDBEiWwuYfBlsOg4W
    +HZYLRriUi/PKqNO
    -----END CERTIFICATE-----
    [Wed Aug 29 01:09:17 CST 2018] Your cert is in  /home/yee/.acme.sh/josta.me/josta.me.cer
    [Wed Aug 29 01:09:17 CST 2018] Your cert key is in  /home/yee/.acme.sh/josta.me/josta.me.key
    [Wed Aug 29 01:09:17 CST 2018] The intermediate CA cert is in  /home/yee/.acme.sh/josta.me/ca.cer
    [Wed Aug 29 01:09:17 CST 2018] And the full chain certs is there:  /home/yee/.acme.sh/josta.me/fullchain.cer
    [Wed Aug 29 01:09:17 CST 2018] ===End cron===
  • 没问题,更新crontab任务

    1
    2
    3
    4
    
    contab -e
    32 0 * * * "/home/yee/.acme.sh"/acme.sh --cron --home "/home/yee/.acme.sh" > /dev/null
    sudo crontab -u root -e
    05 07 1 * * root systemctl reload nginx
  • 其它还与之前的方式保持不变,又可以继续使用全站HTTPS了

History

Version Action Time
1.0 Initial commit Aug 31, 2018