之前用caddy 作為反向代理,其中一個優勢就是caddy 會自動處理Letsencrypt 憑證的問題
也不用煩惱怎麼去更新一堆有的沒的
不過,實際應用上,還是偶爾會拿這些憑證檔案來用的狀況
雖然可以從caddy 上面取得這些檔案
但是基本上這些檔案都是綁定一個特定的hostname
可是我想要有一個憑證,可以給同網域底下的機器用 ( Wildcard certificates )
<!--more-->
要申請Wildcard certificates ,必須要採用 DNS 驗證的方式
一般手動操作的步驟,會先產生一組亂數字串,然後更新 DNS 上面去
如果要改成自動化,要多一些步驟
安裝 certbot 及 Cloudflare 外掛
首先,先來安裝會用到的套件
sudo apt install certbot letsencrypt python3-certbot-dns-cloudflare
設定 cloudflare API
這個步驟我測了好久,網路上的說明似乎都過期了,造成cloudflare API 那邊會發生錯誤
先登入 cloudflare 管理界面的API token 設定
https://dash.cloudflare.com/profile/api-tokens
建立一組token
內容如下
在權限設定的地方,選擇三個項目
zone-zone settings-edit zone-zone-edit zone-DNS-edit
在下一個 zone resources 選擇 include-All zones
存檔後會產生一組 API token ,接著就是用這組 token 來做DNS更新
編輯 cloudflare 設定檔
在 /etc底下新增一個 cloudflare.ini
內容如下
sudo vim /etc/cloudflare.ini
dns_cloudflare_email = #[email protected]
dns_cloudflare_api_key = #API token here
存檔後離開,然後改一下權限,不然等一下certbot 會跳警告
sudo chmod 0600 /etc/cloudflare.ini
執行certbot 取得憑證
執行以下的指令
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/cloudflare.ini --preferred-challenges=dns --email [email protected] --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d abc.com -d *.abc.com
正常的話,會是這樣的結果
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/cloudflare.ini --preferred-challenges=dns --email [email protected] --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d abc.com -d *.abc.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for abc.com
dns-01 challenge for abc.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/abc.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/abc.com/privkey.pem
Your cert will expire on 2020-12-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
這樣子就取得了全域通用的SSL 憑證檔案
如果看到底下這種錯誤
administrator@ubuntu:~$ sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/cloudflare.ini --preferred-challenges=dns --email [email protected] --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d abc.com -d *.abc.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for abc.com
dns-01 challenge for abc.com
Cleaning up challenges
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API key?)
那就是cloudflare API 那邊的權限設定錯了,我就是在這邊卡很久...
請參照上面的步驟和圖片正確的設定
可以用 certbot certificates 來驗證看看
administrator@ubuntu:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: abc.com
Domains: abc.com *.abc.com
Expiry Date: 2020-12-01 05:31:31+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/abc.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/abc.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
之後就可以用
sudo certbot renew
來更新憑證
寫到/etc/crontab 去排程每個月的1號自動更新
administrator@ubuntu:~$ echo "* * 1 * * root /usr/bin/certbot renew" |sudo tee -a /etc/crontab
* * 1 * * root /usr/bin/certbot renew
administrator@ubuntu:~$
接下來就等三個月之後,檢查看看憑證是否有自動更新了!