update some content

2021-10-28 14:13:06 +08:00
parent 97eb780aa4
commit 4f99455d8f
242 changed files with 1826 additions and 2616 deletions

@@ -13,7 +13,7 @@
"articleSection" : "post",
"name" : "[筆記] 在 ubuntu 20.04 底下用certbot 透過Cloudflare 申請全域的 Letsencrypt 憑證",
"headline" : "[筆記] 在 ubuntu 20.04 底下用certbot 透過Cloudflare 申請全域的 Letsencrypt 憑證",
"description" : "\x3cp\x3e之前用caddy 作為反向代理其中一個優勢就是caddy 會自動處理Letsencrypt 憑證的問題\x3c\/p\x3e\n\x3cp\x3e也不用煩惱怎麼去更新一堆有的沒的\x3c\/p\x3e\n\x3cp\x3e不過實際應用上還是偶爾會拿這些憑證檔案來用的狀況\x3c\/p\x3e\n\x3cp\x3e雖然可以從caddy 上面取得這些檔案\x3c\/p\x3e\n\x3cp\x3e但是基本上這些檔案都是綁定一個特定的hostname\x3c\/p\x3e\n\x3cp\x3e可是我想要有一個憑證可以給同網域底下的機器用 ( Wildcard certificates )\x3c\/p\x3e",
"description" : "\u003cp\u003e之前用caddy 作為反向代理其中一個優勢就是caddy 會自動處理Letsencrypt 憑證的問題\u003c\/p\u003e\n\u003cp\u003e也不用煩惱怎麼去更新一堆有的沒的\u003c\/p\u003e\n\u003cp\u003e不過實際應用上還是偶爾會拿這些憑證檔案來用的狀況\u003c\/p\u003e\n\u003cp\u003e雖然可以從caddy 上面取得這些檔案\u003c\/p\u003e\n\u003cp\u003e但是基本上這些檔案都是綁定一個特定的hostname\u003c\/p\u003e\n\u003cp\u003e可是我想要有一個憑證可以給同網域底下的機器用 ( Wildcard certificates )\u003c\/p\u003e",
"inLanguage" : "en",
"author" : "Eric Chang",
"creator" : "Eric Chang",
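Review bot: "inLanguage" : "en" in the context just below the changed "description" line does not match the content, since "name", "headline" and "description" are all Chinese text. The switch from \x3c to \u003c is the right fix for JSON (\x is not a JSON escape), but the language tag should be corrected in the same template, e.g. to "zh-TW", so consumers of this JSON-LD are told the right language.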
@@ -21,8 +21,8 @@
"accountablePerson" : "Eric Chang",
"copyrightHolder" : "Eric Chang",
"copyrightYear" : "2020",
"datePublished": "2020-09-02 15:55:40 \x2b0800 CST",
"dateModified" : "2020-09-02 15:55:40 \x2b0800 CST",
"datePublished": "2020-09-02 15:55:40 \u002b0800 CST",
"dateModified" : "2020-09-02 15:55:40 \u002b0800 CST",
"url" : "https:\/\/h.cowbay.org\/post\/ubuntu-letsencrypt-cloudflare-wildcard\/",
"wordCount" : "469",
"image" : "https://h.cowbay.orghttps://h.cowbay.org/images/post-default-4.jpg"",
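Review bot: The "image" value at the end of this hunk is still broken after the escape fix: the base URL is concatenated twice (https://h.cowbay.orghttps://h.cowbay.org/images/...) and the value ends in a doubled quote (.jpg""), which makes the surrounding JSON-LD object unparseable. The template should emit the image URL once and drop the extra quote. Separately, "datePublished" and "dateModified" are written as "2020-09-02 15:55:40 +0800 CST"; an ISO 8601 value such as 2020-09-02T15:55:40+08:00 is the form structured-data consumers expect.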
@@ -45,9 +45,9 @@
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.3.1/css/all.css" integrity="sha384-mzrmE5qonljUremFsqc01SB46JvROS7bZs3IO2EmfFsd15uHvIt+Y8vEf7N7fWAU" crossorigin="anonymous">
<link href="https://h.cowbay.org/css/style.css?v=1632901489" rel="stylesheet" id="theme-stylesheet" type='text/css' media='all'>
<link href="https://h.cowbay.org/css/style.css?v=1634607506" rel="stylesheet" id="theme-stylesheet" type='text/css' media='all'>
<link href="https://h.cowbay.org/css/custom.css?v=1632901489" rel="stylesheet" type='text/css' media='all'>
<link href="https://h.cowbay.org/css/custom.css?v=1634607506" rel="stylesheet" type='text/css' media='all'>
<link rel="shortcut icon" href="https://h.cowbay.org/img/favicon.ico" type="image/x-icon">
<link rel="icon" href="https://h.cowbay.org/img/favicon.ico" type="image/x-icon">
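Review bot: The only change to the style.css and custom.css links is the ?v= query value (1632901489 to 1634607506), which looks like a build timestamp, so every regeneration rewrites every page and inflates the diff (242 changed files for "update some content"). Consider fingerprinting these assets by content hash so the URL changes only when the file does, or keeping generated output out of the repository.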
@@ -315,7 +315,7 @@ if (!doNotTrack) {
<p>如果要改成自動化,要多一些步驟</p>
<h3 id="安裝-certbot-及-cloudflare-外掛">安裝 certbot 及 Cloudflare 外掛</h3>
<p>首先,先來安裝會用到的套件</p>
<pre><code>sudo apt install certbot letsencrypt python3-certbot-dns-cloudflare
<pre tabindex="0"><code>sudo apt install certbot letsencrypt python3-certbot-dns-cloudflare
</code></pre><h3 id="設定-cloudflare-api">設定 cloudflare API</h3>
<p>這個步驟我測了好久網路上的說明似乎都過期了造成cloudflare API 那邊會發生錯誤</p>
<p>先登入 cloudflare 管理界面的API token 設定</p>
@@ -332,17 +332,17 @@ zone-DNS-edit</p>
<h3 id="編輯-cloudflare-設定檔">編輯 cloudflare 設定檔</h3>
<p>在 /etc底下新增一個 cloudflare.ini</p>
<p>內容如下</p>
<pre><code>sudo vim /etc/cloudflare.ini
<pre tabindex="0"><code>sudo vim /etc/cloudflare.ini
dns_cloudflare_email = #email@address.here
dns_cloudflare_api_key = #API token here
</code></pre><p>存檔後離開然後改一下權限不然等一下certbot 會跳警告</p>
<pre><code>sudo chmod 0600 /etc/cloudflare.ini
<pre tabindex="0"><code>sudo chmod 0600 /etc/cloudflare.ini
</code></pre><h3 id="執行certbot-取得憑證">執行certbot 取得憑證</h3>
<p>執行以下的指令</p>
<pre><code>sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/cloudflare.ini --preferred-challenges=dns --email admin@abc.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d abc.com -d *.abc.com
<pre tabindex="0"><code>sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/cloudflare.ini --preferred-challenges=dns --email admin@abc.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d abc.com -d *.abc.com
</code></pre><p>正常的話,會是這樣的結果</p>
<pre><code>sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/cloudflare.ini --preferred-challenges=dns --email admin@abc.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d abc.com -d *.abc.com
<pre tabindex="0"><code>sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/cloudflare.ini --preferred-challenges=dns --email admin@abc.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d abc.com -d *.abc.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
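Review bot: In the cloudflare.ini sample, the value of dns_cloudflare_api_key is annotated "#API token here", but dns_cloudflare_email together with dns_cloudflare_api_key is the plugin's Global API Key form; a scoped API token (the preceding section sets one up with zone-DNS-edit) goes under dns_cloudflare_api_token in plugin versions that support it. The page should state which credential is meant, because the two are not interchangeable and a Global API Key on disk grants far more than DNS edit on one zone. Two smaller points in the same hunk: the "sudo vim /etc/cloudflare.ini" command sits in the same block as the file contents, so it reads as part of the file; and "-d *.abc.com" is unquoted, so the shell can glob-expand it before certbot sees it. Quote it as -d '*.abc.com'.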
@@ -370,7 +370,7 @@ IMPORTANT NOTES:
</code></pre><p>這樣子就取得了全域通用的SSL 憑證檔案</p>
<p>如果看到底下這種錯誤</p>
<pre><code>administrator@ubuntu:~$ sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/cloudflare.ini --preferred-challenges=dns --email admin@abc.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d abc.com -d *.abc.com
<pre tabindex="0"><code>administrator@ubuntu:~$ sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/cloudflare.ini --preferred-challenges=dns --email admin@abc.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d abc.com -d *.abc.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
@@ -382,7 +382,7 @@ Error determining zone_id: 6003 Invalid request headers. Please confirm that you
</code></pre><p>那就是cloudflare API 那邊的權限設定錯了,我就是在這邊卡很久&hellip;</p>
<p>請參照上面的步驟和圖片正確的設定</p>
<p>可以用 certbot certificates 來驗證看看</p>
<pre><code>administrator@ubuntu:~$ sudo certbot certificates
<pre tabindex="0"><code>administrator@ubuntu:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
@@ -394,10 +394,10 @@ Found the following certs:
Private Key Path: /etc/letsencrypt/live/abc.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
</code></pre><p>之後就可以用</p>
<pre><code>sudo certbot renew
<pre tabindex="0"><code>sudo certbot renew
</code></pre><p>來更新憑證</p>
<p>寫到/etc/crontab 去排程每個月的1號自動更新</p>
<pre><code>administrator@ubuntu:~$ echo &quot;* * 1 * * root /usr/bin/certbot renew&quot; |sudo tee -a /etc/crontab
<pre tabindex="0"><code>administrator@ubuntu:~$ echo &quot;* * 1 * * root /usr/bin/certbot renew&quot; |sudo tee -a /etc/crontab
* * 1 * * root /usr/bin/certbot renew
administrator@ubuntu:~$
</code></pre><p>接下來就等三個月之後,檢查看看憑證是否有自動更新了!</p>
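Review bot: The crontab entry "* * 1 * * root /usr/bin/certbot renew" does not run once on the 1st of the month as the text says: with * in the minute and hour fields it runs every minute of that day, 1440 invocations as root. Pin the minute and hour, for example "17 3 1 * * root /usr/bin/certbot renew". A single monthly attempt also leaves no retry if that run fails; a daily or weekly schedule is safer, since certbot renew does nothing until a certificate is close to expiry.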
@@ -691,7 +691,7 @@ title="pinterest icon"></i>
</div>
<script src="https://h.cowbay.org/js/jquery.min.js"></script>
<script src="https://h.cowbay.org/js/jquerymigrate.js"></script>
<script src="https://h.cowbay.org/js/production.min.js?v=1632901489"></script>
<script src="https://h.cowbay.org/js/production.min.js?v=1634607506"></script>
</body>
</html>