使用Cloudflare为博客增加Let's Encrypt免费SSL支持

前阵子测试Caddy自动申请Let’s Encrypt证书的时候，因为其DNS插件不支持NameSilo，鬼使神差的把个人域名给转移到了Namecheap，回头换回Nginx发现他家的API调用需要收费，不能再使用acme.sh脚本或者certbot这种第三方工具renew证书，所以干脆在前面再套一层CloudFlare，通过他家的domain API实现DNS challenge，成功的把简单问题复杂化了。

准备工作

• 注册CloudFlare账号

• 获取自己的Global API Key，记录下来

• 设置acme.sh要用的环境变量，在 ~/.acme.sh/acme.sh.env 加上：

  1 2	export CF_Key="$API_KEY" export CF_Email="$CLOUDFLARE_EMAIL"

CloudFlare设置

• 点击网站右上角Add site，输入自己的站点域名并确认

• CloudFlare会自动抓取网站现有的DNS记录

  检查没有问题就点击继续

• 选择收费方案，这里我们可以使用免费的就足够了

• 继续后会被分配两个nameserver，需要自行在域名注册替换默认的

  我这里域名托管在Namecheap，参考官方文档修改Custom DNS为上面拿到的ns

• 保存后等待结果生效，CloudFlare在后台定时检查，成功了会发邮件通知的

申请证书

好了，一切准备就绪，可以开始正式工作了：

• 命令行调用

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37

  $ acme.sh --issue --dns dns_cf --dnssleep 30 --force -d josta.me -d *.josta.me [Wed Aug 29 01:06:58 CST 2018] Multi domain='DNS:josta.me,DNS:*.josta.me' [Wed Aug 29 01:06:58 CST 2018] Getting domain auth token for each domain [Wed Aug 29 01:06:59 CST 2018] Getting webroot for domain='josta.me' [Wed Aug 29 01:06:59 CST 2018] Getting webroot for domain='*.josta.me' [Wed Aug 29 01:06:59 CST 2018] Found domain api file: /home/yee/.acme.sh/dnsapi/dns_cf.sh [Wed Aug 29 01:07:00 CST 2018] Adding record [Wed Aug 29 01:07:00 CST 2018] Added, OK [Wed Aug 29 01:07:00 CST 2018] Found domain api file: /home/yee/.acme.sh/dnsapi/dns_cf.sh [Wed Aug 29 01:07:01 CST 2018] Adding record [Wed Aug 29 01:07:01 CST 2018] Added, OK [Wed Aug 29 01:07:01 CST 2018] Sleep 30 seconds for the txt records to take effect [Wed Aug 29 01:07:22 CST 2018] Verifying:josta.me [Wed Aug 29 01:07:25 CST 2018] Success [Wed Aug 29 01:07:25 CST 2018] Verifying:*.josta.me [Wed Aug 29 01:07:27 CST 2018] Success [Wed Aug 29 01:07:27 CST 2018] Removing DNS records. [Wed Aug 29 01:07:29 CST 2018] Verify finished, start to sign. [Wed Aug 29 01:07:31 CST 2018] Cert success. -----BEGIN CERTIFICATE----- MIIGCDCCBPCgAwIBAgISA21QBrLKNQVywh3qlQQ4ZLRZMA0GCSqGSIb3DQEBCwUA MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA4MjgxNjA3MzBaFw0x ODExMjYxNjA3MzBaMBMxETAPBgNVBAMTCGpvc3RhLm1lMIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKCAQEAvnRkby+4AZW5Iu9JNYtV8gjj64JV3T05gTuKiDxm ... Vy0bJYw4lO9e/QMhPQ6xgknj5xK6B5JspKH3Iq35baAiILqvOTZWzzVohdNZyuhT qs44lXmWjgLfiZAu0cgpY93Hgwus8esJPz9dR9ysm2uLkAJKvEQ+qaCrdjanpXnn RgK/vGpC7TGOamAgm+q0vb1xahGF0b2KjfWNVihD7hwQM2GPR3Z5JTqjVdbUkdgR IylhoS8rL8oM1VjIgpW1Ks3YkxZtFBO96qRz996GKVU1NQbSRe3YqinoG27Iwp79 igLnYt5bDkm7NuhCC/TTgtobfaNCdARKazBRANHmx9SdfcwAkWvPxG47FAqqhrh9 MHaF9MtRonqdWhX6 -----END CERTIFICATE----- [Wed Aug 29 01:07:31 CST 2018] Your cert is in /home/yee/.acme.sh/josta.me/josta.me.cer [Wed Aug 29 01:07:31 CST 2018] Your cert key is in /home/yee/.acme.sh/josta.me/josta.me.key [Wed Aug 29 01:07:31 CST 2018] The intermediate CA cert is in /home/yee/.acme.sh/josta.me/ca.cer [Wed Aug 29 01:07:31 CST 2018] And the full chain certs is there: /home/yee/.acme.sh/josta.me/fullchain.cer

• 测试crontab的renew是否正常：

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40

  $ "/home/yee/.acme.sh"/acme.sh --cron --home "/home/yee/.acme.sh" "--force" "--staging" [Wed Aug 29 01:09:12 CST 2018] ===Starting cron=== [Wed Aug 29 01:09:12 CST 2018] Installing from online archive. [Wed Aug 29 01:09:12 CST 2018] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz [Wed Aug 29 01:09:13 CST 2018] Extracting master.tar.gz [Wed Aug 29 01:09:13 CST 2018] Installing to /home/yee/.acme.sh [Wed Aug 29 01:09:13 CST 2018] Installed to /home/yee/.acme.sh/acme.sh [Wed Aug 29 01:09:13 CST 2018] Good, bash is found, so change the shebang to use bash as preferred. [Wed Aug 29 01:09:14 CST 2018] OK [Wed Aug 29 01:09:14 CST 2018] Install success! [Wed Aug 29 01:09:14 CST 2018] Upgrade success! [Wed Aug 29 01:09:14 CST 2018] Auto upgraded to: 2.8.0 [Wed Aug 29 01:09:14 CST 2018] Renew: 'josta.me' [Wed Aug 29 01:09:14 CST 2018] Multi domain='DNS:josta.me,DNS:*.josta.me' [Wed Aug 29 01:09:14 CST 2018] Getting domain auth token for each domain [Wed Aug 29 01:09:15 CST 2018] Getting webroot for domain='josta.me' [Wed Aug 29 01:09:15 CST 2018] Getting webroot for domain='*.josta.me' [Wed Aug 29 01:09:15 CST 2018] josta.me is already verified, skip dns-01. [Wed Aug 29 01:09:15 CST 2018] *.josta.me is already verified, skip dns-01. [Wed Aug 29 01:09:15 CST 2018] Verify finished, start to sign. [Wed Aug 29 01:09:17 CST 2018] Cert success. -----BEGIN CERTIFICATE----- MIIGCDCCBPCgAwIBAgISA6pcY39wrfLkZmWNnEP7CEt4MA0GCSqGSIb3DQEBCwUA MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA4MjgxNjA5MTZaFw0x ODExMjYxNjA5MTZaMBMxETAPBgNVBAMTCGpvc3RhLm1lMIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKCAQEAvnRkby+4AZW5Iu9JNYtV8gjj64JV3T05gTuKiDxm ... Uri4ick537vyTgmYJNU9bcQsqnrMYBK1TAfARpNOmvNbQ04YHfrKK1dp6D8pjBzn 1QxNg028mOZ+qE1VfFbsq7lyHGR/Yn7VOAChJhAUfqgt4bvPFTM7jGsGyGC1zYSo XJdBj9vw1aoYpn3oMi76bVs3ix3Vfq9+3mbDRgYWtnDca2QcxohpKKaim3uo/R3f ApxHeV+3mya1cHOmwQwdHlJHuoUZlyv2WSC0UiJV+FP/9Ey7I1/6eETSyLHCu9Pn WADVlO6mFIfqqE18FWL1LBq9grqMHJEyccliUJ2G3Gg5YFJQDBEiWwuYfBlsOg4W +HZYLRriUi/PKqNO -----END CERTIFICATE----- [Wed Aug 29 01:09:17 CST 2018] Your cert is in /home/yee/.acme.sh/josta.me/josta.me.cer [Wed Aug 29 01:09:17 CST 2018] Your cert key is in /home/yee/.acme.sh/josta.me/josta.me.key [Wed Aug 29 01:09:17 CST 2018] The intermediate CA cert is in /home/yee/.acme.sh/josta.me/ca.cer [Wed Aug 29 01:09:17 CST 2018] And the full chain certs is there: /home/yee/.acme.sh/josta.me/fullchain.cer [Wed Aug 29 01:09:17 CST 2018] ===End cron===

• 没问题，更新crontab任务

  1 2 3 4

  contab -e 32 0 * * * "/home/yee/.acme.sh"/acme.sh --cron --home "/home/yee/.acme.sh" > /dev/null sudo crontab -u root -e 05 07 1 * * root systemctl reload nginx

• 其它还与之前的方式保持不变，又可以继续使用全站HTTPS了

History