服务器环境

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

$ cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

$ uname -a
Linux ushost 6.1.0-31-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.128-1 (2025-02-07) x86_64 GNU/Linux

$ certbot --version
certbot 2.1.0

获取证书

token已脱敏

1
2
3

sudo apt -y install certbot

sudo mkdir -p /opt/certbot/dns

编辑验证域名脚本/opt/certbot/dns/auth.sh

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

#!/bin/bash

# Get your API key from https://www.cloudflare.com/a/account/my-account
API_TOKEN="Bearer V9nmyI_o20Avum44JI6YLsyH9bNpMS8Y7fuVvSCo"
DOMAIN="yanyong.cc"

# Get the Cloudflare zone id
ZONE_ID=$(curl -sS -X GET "https://api.cloudflare.com/client/v4/zones?name=$DOMAIN" \
    -H "Content-Type: application/json" \
    -H "Authorization: $API_TOKEN" | python3 -c "import sys, json; print(json.load(sys.stdin)['result'][0]['id'])")

# Create TXT record
CREATE_DOMAIN="_acme-challenge.$CERTBOT_DOMAIN"
RECORD_ID=$(curl -sS -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
    -H "Content-Type: application/json" \
    -H "Authorization: $API_TOKEN" \
    --data '{"type":"TXT","name":"'"$CREATE_DOMAIN"'","content":"'"$CERTBOT_VALIDATION"'","ttl":120}' \
        | python3 -c "import sys, json; print(json.load(sys.stdin)['result']['id'])")

# Save info for cleanup
if [ ! -d /tmp/CERTBOT_$CERTBOT_DOMAIN ]; then
    mkdir -m 0700 /tmp/CERTBOT_$CERTBOT_DOMAIN
fi
echo $ZONE_ID > /tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID
echo $RECORD_ID >> /tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID

# Sleep to make sure the change has time to propagate over to DNS
sleep 30

编辑清理域名脚本/opt/certbot/dns/clean.sh

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

#!/bin/bash

# Get your API key from https://www.cloudflare.com/a/account/my-account
API_TOKEN="Bearer V9nmyI_o20Avum44JI6YLsyH9bNpMS8Y7fuVvSCo"

if [ -f /tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID ]; then
    ZONE_ID=$(cat /tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID)
    rm -f /tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID
fi

if [ -f /tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID ]; then
    RECORD_ID=$(cat /tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID)
    rm -f /tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID
fi

# Remove the challenge TXT record from the zone
if [ -n "${ZONE_ID}" ] && [ -n "${RECORD_ID}" ]; then
    for id in $RECORD_ID; do
        curl -sS -X DELETE "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$id" \
            -H "Content-Type: application/json" \
            -H "Authorization: $API_TOKEN"
    done
fi

添加执行权限

1
2

sudo chmod +x /opt/certbot/dns/auth.sh
sudo chmod +x /opt/certbot/dns/clean.sh

获取证书,先添加--dry-run测试一下是否正确

从2.0.0版本开始private keys默认ecdsa算法,有需要可以--key-type=rsa指定rsa算法

1
2
3
4
5
6
7
8

sudo certbot certonly -d yanyong.cc -d *.yanyong.cc \
    --email [email protected] \
    --agree-tos \
    --no-eff-email \
    --manual --preferred-challenges=dns \
    --manual-auth-hook /opt/certbot/dns/auth.sh \
    --manual-cleanup-hook /opt/certbot/dns/clean.sh \
    --deploy-hook 'systemctl reload nginx'

测试续签

1

sudo certbot renew --dry-run

nginx配置参考

1
2
3

ssl_certificate         /etc/letsencrypt/live/yanyong.cc/fullchain.pem;
ssl_certificate_key     /etc/letsencrypt/live/yanyong.cc/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/yanyong.cc/chain.pem;

参考链接

https://eff-certbot.readthedocs.io/en/stable/using.html#

https://developers.cloudflare.com/api/