chchang/hugo_backup
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

add auto fetch ssl certs

Browse Source
This commit is contained in:
Eric Chang
2021-08-26 12:11:25 +08:00
parent 11ca254bed
commit 509ac048fc
237 changed files with 4968 additions and 7406 deletions
Download Patch File Download Diff File Expand all files Collapse all files

91
public/post/ubuntu-letsencrypt-cloudflare-wildcard/index.html
View File

@@ -13,7 +13,7 @@
"articleSection" : "post",
"name" : "[筆記] 在 ubuntu 20.04 底下用certbot 透過Cloudflare 申請全域的 Letsencrypt 憑證",
"headline" : "[筆記] 在 ubuntu 20.04 底下用certbot 透過Cloudflare 申請全域的 Letsencrypt 憑證",
"description" : "\x3cp\x3e之前用caddy 作為反向代理其中一個優勢就是caddy 會自動處理Letsencrypt 憑證的問題\x3c\/p\x3e\n\n\x3cp\x3e也不用煩惱怎麼去更新一堆有的沒的\x3c\/p\x3e\n\n\x3cp\x3e不過實際應用上還是偶爾會拿這些憑證檔案來用的狀況\x3c\/p\x3e\n\n\x3cp\x3e雖然可以從caddy 上面取得這些檔案\x3c\/p\x3e\n\n\x3cp\x3e但是基本上這些檔案都是綁定一個特定的hostname\x3c\/p\x3e\n\n\x3cp\x3e可是我想要有一個憑證可以給同網域底下的機器用 ( Wildcard certificates )\x3c\/p\x3e",
"description" : "\x3cp\x3e之前用caddy 作為反向代理其中一個優勢就是caddy 會自動處理Letsencrypt 憑證的問題\x3c\/p\x3e\n\x3cp\x3e也不用煩惱怎麼去更新一堆有的沒的\x3c\/p\x3e\n\x3cp\x3e不過實際應用上還是偶爾會拿這些憑證檔案來用的狀況\x3c\/p\x3e\n\x3cp\x3e雖然可以從caddy 上面取得這些檔案\x3c\/p\x3e\n\x3cp\x3e但是基本上這些檔案都是綁定一個特定的hostname\x3c\/p\x3e\n\x3cp\x3e可是我想要有一個憑證可以給同網域底下的機器用 ( Wildcard certificates )\x3c\/p\x3e",
"inLanguage" : "en",
"author" : "Eric Chang",
"creator" : "Eric Chang",
@@ -24,7 +24,7 @@
"datePublished": "2020-09-02 15:55:40 \x2b0800 CST",
"dateModified" : "2020-09-02 15:55:40 \x2b0800 CST",
"url" : "https:\/\/h.cowbay.org\/post\/ubuntu-letsencrypt-cloudflare-wildcard\/",
"wordCount" : "471",
"wordCount" : "469",
"image" : "https://h.cowbay.orghttps://h.cowbay.org/images/post-default-4.jpg"",
"keywords" : [ ""certbot"",""Cloudflare"",""Letsencrypt"","Blog" ]
}
@@ -45,9 +45,9 @@
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.3.1/css/all.css" integrity="sha384-mzrmE5qonljUremFsqc01SB46JvROS7bZs3IO2EmfFsd15uHvIt+Y8vEf7N7fWAU" crossorigin="anonymous">
<link href="https://h.cowbay.org/css/style.css?v=1626744134" rel="stylesheet" id="theme-stylesheet" type='text/css' media='all'>
<link href="https://h.cowbay.org/css/style.css?v=1629951055" rel="stylesheet" id="theme-stylesheet" type='text/css' media='all'>
<link href="https://h.cowbay.org/css/custom.css?v=1626744134" rel="stylesheet" type='text/css' media='all'>
<link href="https://h.cowbay.org/css/custom.css?v=1629951055" rel="stylesheet" type='text/css' media='all'>
<link rel="shortcut icon" href="https://h.cowbay.org/img/favicon.ico" type="image/x-icon">
<link rel="icon" href="https://h.cowbay.org/img/favicon.ico" type="image/x-icon">
@@ -81,10 +81,6 @@ if (!doNotTrack) {
<ul id="menu-secondary-items" class="menu-secondary-items">
<li class="menu-item menu-item-type-taxonomy menu-item-object-category">
<a href="/categories/"></a>
</li>
<li class="menu-item menu-item-type-taxonomy menu-item-object-category">
<a href="/categories/ansible">ansible</a>
</li>
@@ -309,80 +305,43 @@ if (!doNotTrack) {
<div class="entry-content">
<article>
<p>之前用caddy 作為反向代理其中一個優勢就是caddy 會自動處理Letsencrypt 憑證的問題</p>
<p>也不用煩惱怎麼去更新一堆有的沒的</p>
<p>不過,實際應用上,還是偶爾會拿這些憑證檔案來用的狀況</p>
<p>雖然可以從caddy 上面取得這些檔案</p>
<p>但是基本上這些檔案都是綁定一個特定的hostname</p>
<p>可是我想要有一個憑證,可以給同網域底下的機器用 ( Wildcard certificates )</p>
<p>要申請Wildcard certificates ,必須要採用 DNS 驗證的方式</p>
<p>一般手動操作的步驟,會先產生一組亂數字串,然後更新 DNS 上面去</p>
<p>如果要改成自動化,要多一些步驟</p>
<h3 id="安裝-certbot-及-cloudflare-外掛">安裝 certbot 及 Cloudflare 外掛</h3>
<p>首先,先來安裝會用到的套件</p>
<pre><code>sudo apt install certbot letsencrypt python3-certbot-dns-cloudflare
</code></pre>
<h3 id="設定-cloudflare-api">設定 cloudflare API</h3>
</code></pre><h3 id="設定-cloudflare-api">設定 cloudflare API</h3>
<p>這個步驟我測了好久網路上的說明似乎都過期了造成cloudflare API 那邊會發生錯誤</p>
<p>先登入 cloudflare 管理界面的API token 設定</p>
<p><a href="https://dash.cloudflare.com/profile/api-tokens">https://dash.cloudflare.com/profile/api-tokens</a></p>
<p>建立一組token</p>
<p>內容如下</p>
<p>![&lsquo;cloudflare API&rsquo;](&lsquo;<a href="https://i.imgur.com/3dZN6qC.png'">https://i.imgur.com/3dZN6qC.png'</a>)</p>
<p><img src="'https://i.imgur.com/3dZN6qC.png'" alt="&lsquo;cloudflare API&rsquo;"></p>
<p>在權限設定的地方,選擇三個項目</p>
<p>zone-zone settings-edit
zone-zone-edit
zone-DNS-edit</p>
<p>在下一個 zone resources 選擇 include-All zones</p>
<p>存檔後會產生一組 API token ,接著就是用這組 token 來做DNS更新</p>
<h3 id="編輯-cloudflare-設定檔">編輯 cloudflare 設定檔</h3>
<p>在 /etc底下新增一個 cloudflare.ini</p>
<p>內容如下</p>
<pre><code>sudo vim /etc/cloudflare.ini
dns_cloudflare_email = #email@address.here
dns_cloudflare_api_key = #API token here
</code></pre>
<p>存檔後離開然後改一下權限不然等一下certbot 會跳警告</p>
</code></pre><p>存檔後離開然後改一下權限不然等一下certbot 會跳警告</p>
<pre><code>sudo chmod 0600 /etc/cloudflare.ini
</code></pre>
<h3 id="執行certbot-取得憑證">執行certbot 取得憑證</h3>
</code></pre><h3 id="執行certbot-取得憑證">執行certbot 取得憑證</h3>
<p>執行以下的指令</p>
<pre><code>sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/cloudflare.ini --preferred-challenges=dns --email admin@abc.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d abc.com -d *.abc.com
</code></pre>
<p>正常的話,會是這樣的結果</p>
</code></pre><p>正常的話,會是這樣的結果</p>
<pre><code>sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/cloudflare.ini --preferred-challenges=dns --email admin@abc.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d abc.com -d *.abc.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
@@ -409,12 +368,8 @@ IMPORTANT NOTES:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
</code></pre>
<p>這樣子就取得了全域通用的SSL 憑證檔案</p>
</code></pre><p>這樣子就取得了全域通用的SSL 憑證檔案</p>
<p>如果看到底下這種錯誤</p>
<pre><code>administrator@ubuntu:~$ sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/cloudflare.ini --preferred-challenges=dns --email admin@abc.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d abc.com -d *.abc.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
@@ -424,14 +379,9 @@ dns-01 challenge for abc.com
dns-01 challenge for abc.com
Cleaning up challenges
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API key?)
</code></pre>
<p>那就是cloudflare API 那邊的權限設定錯了,我就是在這邊卡很久&hellip;</p>
</code></pre><p>那就是cloudflare API 那邊的權限設定錯了,我就是在這邊卡很久&hellip;</p>
<p>請參照上面的步驟和圖片正確的設定</p>
<p>可以用 certbot certificates 來驗證看看</p>
<pre><code>administrator@ubuntu:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
@@ -443,23 +393,14 @@ Found the following certs:
Certificate Path: /etc/letsencrypt/live/abc.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/abc.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
</code></pre>
<p>之後就可以用</p>
</code></pre><p>之後就可以用</p>
<pre><code>sudo certbot renew
</code></pre>
<p>來更新憑證</p>
</code></pre><p>來更新憑證</p>
<p>寫到/etc/crontab 去排程每個月的1號自動更新</p>
<pre><code>administrator@ubuntu:~$ echo &quot;* * 1 * * root /usr/bin/certbot renew&quot; |sudo tee -a /etc/crontab
* * 1 * * root /usr/bin/certbot renew
administrator@ubuntu:~$
</code></pre>
<p>接下來就等三個月之後,檢查看看憑證是否有自動更新了!</p>
</code></pre><p>接下來就等三個月之後,檢查看看憑證是否有自動更新了!</p>
</article>
</div>
@@ -738,7 +679,7 @@ title="pinterest icon"></i>
</ul> <div class="design-credit">
<p>&copy; 2018 Göran Svensson</p>
<p>© 2018 Göran Svensson</p>
<p>Nederburg Hugo Theme by <a href="https://appernetic.io">Appernetic</a>.</p>
@@ -750,7 +691,7 @@ title="pinterest icon"></i>
</div>
<script src="https://h.cowbay.org/js/jquery.min.js"></script>
<script src="https://h.cowbay.org/js/jquerymigrate.js"></script>
<script src="https://h.cowbay.org/js/production.min.js?v=1626744134"></script>
<script src="https://h.cowbay.org/js/production.min.js?v=1629951055"></script>
</body>
</html>