最新内容

https://yanyong.cc/post/certbot-cloudflare-letsencrypt/

2025.4.2

安装Certbot

参考链接:

https://certbot.eff.org/docs/using.html?highlight=renew#automated-renewals

https://askubuntu.com/questions/553937/what-is-the-difference-between-the-core-full-extras-and-light-packages-for-ngi

https://salsa.debian.org/nginx-team/nginx/-/blob/master/debian/control

debian操作系统:

1
2
3

sudo apt-get -y install certbot
sudo apt-get -y install nginx libnginx-mod-stream

centos操作系统:

1
2
3
4
5
6

sudo yum -y install epel-release
sudo yum -y install certbot
sudo systemctl start certbot-renew.timer && sudo systemctl enable certbot-renew.timer
sudo yum -y install nginx nginx-mod-stream  # 可选

#SLEEPTIME=$(awk 'BEGIN{srand(); print int(rand()*(3600+1))}') && echo "0 0,12 * * * root sleep $SLEEPTIME && certbot renew -q" | sudo tee -a /etc/cron.d/certbot > /dev/null

获取SSL证书

manual模式

参考链接:

https://certbot.eff.org/docs/using.html#manual

https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks

Cloudflare API: 官方链接

DNSPod API: 官方链接

GoDaddy API: 官方链接

Cloudflare

Login Email: [email protected]

Zone ID: 2109e1497fb164ac32a8a56f493jd767

Global API Key: b16b2371170e9i9t7aed5df44a69f3k0fd947

--manual-public-ip-logging-ok # 此参数在certbot新版中已弃用

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

sudo certbot certonly --manual \
  -d yanyong.cc -d *.yanyong.cc \
  --email [email protected] \
  --agree-tos \
  --no-eff-email \
  --preferred-challenges=dns \
  --manual-public-ip-logging-ok \
  --manual-auth-hook \
    'curl -sS -X POST "https://api.cloudflare.com/client/v4/zones/2109e1497fb164ac32a8a56f493jd767/dns_records" -H "X-Auth-Email: [email protected]" -H "X-Auth-Key: b16b2371170e9i9t7aed5df44a69f3k0fd947" -H "Content-Type: application/json" -d {\"type\":\"TXT\",\"name\":\"_acme-challenge.yanyong.cc\",\"content\":\"$CERTBOT_VALIDATION\",\"ttl\":60,\"proxied\":false} && sleep 30' \
  --manual-cleanup-hook \
    'sleep 30 && id=`curl -sS -X GET "https://api.cloudflare.com/client/v4/zones/2109e1497fb164ac32a8a56f493jd767/dns_records?name=_acme-challenge.yanyong.cc" -H "X-Auth-Email: [email protected]" -H "X-Auth-Key: b16b2371170e9i9t7aed5df44a69f3k0fd947" -H "Content-Type: application/json" \
    | grep -oP "(?<=result\":\[\{\"id\":\")\w+"` \
    && curl -sS -X DELETE "https://api.cloudflare.com/client/v4/zones/2109e1497fb164ac32a8a56f493jd767/dns_records/$id" -H "X-Auth-Email: [email protected]" -H "X-Auth-Key: b16b2371170e9i9t7aed5df44a69f3k0fd947" -H "Content-Type: application/json"' \
  --deploy-hook 'systemctl reload nginx'

DNSPod/腾讯云

ID: 168457

Token: b472bfa84ac4e861c926crb0926c9d77

--manual-public-ip-logging-ok # 此参数在certbot新版中已弃用

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

sudo certbot certonly --manual \
  -d yanyong.cc -d *.yanyong.cc \
  --email [email protected] \
  --agree-tos \
  --no-eff-email \
  --preferred-challenges=dns \
  --manual-public-ip-logging-ok \
  --manual-auth-hook \
      'wget https://dnsapi.cn/Record.Create -qO - --post-data "login_token=168457,b472bfa84ac4e861c926crb0926c9d77&domain=$CERTBOT_DOMAIN&sub_domain=_acme-challenge&record_type=TXT&record_line_id=0&value=$CERTBOT_VALIDATION" && sleep 30' \
  --manual-cleanup-hook \
      'sleep 30 && recordid=`wget https://dnsapi.cn/Record.List -qO - --post-data "login_token=168457,b472bfa84ac4e861c926crb0926c9d77&domain=$CERTBOT_DOMAIN&sub_domain=_acme-challenge&record_type=TXT&record_line_id=0" \
      | grep -oP "(?<=records\":\[\{\"id\":\")\d+"` \
      && wget https://dnsapi.cn/Record.Remove -qO - --post-data "login_token=168457,b472bfa84ac4e861c926crb0926c9d77&domain=$CERTBOT_DOMAIN&record_id=$recordid"' \
  --deploy-hook 'systemctl reload nginx'

GoDaddy

API Key: e9CahQ5IAHEz_CbrhCS1CxpXgLPgAdCUk17

Secret API Key: LMFh2nNET8szNIT14bT1A7

Customer ID: 379363747

--manual-public-ip-logging-ok # 此参数在certbot新版中已弃用

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

sudo certbot certonly --manual \
  -d yanyong.cc -d *.yanyong.cc \
  --email [email protected] \
  --agree-tos \
  --no-eff-email \
  --preferred-challenges=dns \
  --manual-public-ip-logging-ok \
  --manual-auth-hook \
      'curl -sS -X PATCH "https://api.godaddy.com/v1/domains/yanyong.cc/records" -H "accept: application/json" -H "Content-Type: application/json" -H "Authorization: sso-key e9CahQ5IAHEz_CbrhCS1CxpXgLPgAdCUk17:LMFh2nNET8szNIT14bT1A7" -d "[ { \"data\": \"$CERTBOT_VALIDATION\", \"name\": \"_acme-challenge\", \"ttl\": 600, \"type\": \"TXT\" }]" && sleep 60' \
  --manual-cleanup-hook \
      'sleep 60 && curl -sS -X DELETE "https://api.godaddy.com/v1/domains/yanyong.cc/records/TXT/_acme-challenge" -H  "accept: application/json" -H  "X-Shopper-Id: 379363747" -H  "Authorization: sso-key e9CahQ5IAHEz_CbrhCS1CxpXgLPgAdCUk17:LMFh2nNET8szNIT14bT1A7"' \
  --deploy-hook 'systemctl reload nginx'

standalone模式参考

需要绑定80端口进域名验证,可以手动停掉比如nginx等服务

1

sudo certbot certonly --standalone -d standalone.yanyong.cc --email [email protected] --agree-tos --no-eff-email

webroot模式参考

nginx配置:

1
2
3
4
5
6
7
8

server {
    listen      80;
    server_name example.yanyong.cc;

    location ^~ /.well-known/acme-challenge/ {
        root /srv/www/_letsencrypt;
    }
}

获取证书

1
2
3
4
5
6

sudo certbot certonly --webroot -w /srv/www/_letsencrypt \
  -d example.yanyong.cc \
  --email [email protected] \
  --agree-tos \
  --no-eff-email \
  --deploy-hook 'systemctl reload nginx'