Using certbot's DNS plugin (cloudflare) to obtain a Let's Encrypt certificate

***ing Alibaba Cloud, how many people's lives have you f***ing ruined!

As everyone knows, opening port 80 on a domestic (mainland China) VPS without an ICP filing is next to impossible. Since Let's Encrypt removed domain validation based on TLS-SNI-01, if you do not want to use the http-01 challenge, the only remaining way to complete domain validation with Let's Encrypt and obtain a certificate is the dns-01 challenge.

Steps

I use certbot-dns-cloudflare. The plugin's documentation can be read here.

Prerequisites

This assumes you already have certbot installed.

Install the plugin and its dependencies

Plugin
➜  ~ sudo apt-get install python3-certbot-dns-cloudflare
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  python3-cloudflare python3-yaml
The following NEW packages will be installed:
  python3-certbot-dns-cloudflare python3-cloudflare python3-yaml
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 157 kB of archives.
After this operation, 713 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 https://mirrors.tuna.tsinghua.edu.cn/debian buster/main amd64 python3-yaml amd64 3.13-2 [121 kB]
Get:2 https://mirrors.tuna.tsinghua.edu.cn/debian buster/main amd64 python3-cloudflare all 2.1.0-1 [27.8 kB]
Get:3 https://mirrors.tuna.tsinghua.edu.cn/debian buster/main amd64 python3-certbot-dns-cloudflare all 0.23.0-2 [7,812 B]
Fetched 157 kB in 4s (36.7 kB/s)
Selecting previously unselected package python3-yaml.
(Reading database ... 135351 files and directories currently installed.)
Preparing to unpack .../python3-yaml_3.13-2_amd64.deb ...
Unpacking python3-yaml (3.13-2) ...
Selecting previously unselected package python3-cloudflare.
Preparing to unpack .../python3-cloudflare_2.1.0-1_all.deb ...
Unpacking python3-cloudflare (2.1.0-1) ...
Selecting previously unselected package python3-certbot-dns-cloudflare.
Preparing to unpack .../python3-certbot-dns-cloudflare_0.23.0-2_all.deb ...
Unpacking python3-certbot-dns-cloudflare (0.23.0-2) ...
Setting up python3-yaml (3.13-2) ...
Setting up python3-cloudflare (2.1.0-1) ...
Setting up python3-certbot-dns-cloudflare (0.23.0-2) ...
Dependencies

cloudflare >= 2.3.1

Using Cloudflare Tokens also requires at least version 2.3.1 of the cloudflare python module.
If the version that automatically installed with this plugin is older than that,
and you can’t upgrade it on your system, you’ll have to stick to the Global key.

But:

➜  ~ sudo apt install python3-cloudflare
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3-cloudflare is already the newest version (2.1.0-1).
python3-cloudflare set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

So we have no choice but to use the Global API Key.

Getting the Global API Key

Log in to Cloudflare with your account.

Click the avatar in the top-right corner and select My Profile from the dropdown.

Switch to the API Tokens tab.

(Screenshot: the API Tokens tab)

Under API Keys further down, view your Global API Key.

Save your Cloudflare login email and the Global API Key to a file in the following format:

# Cloudflare API credentials used by Certbot
dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = example_i_know_no_one_would_see_this

Here I saved it as ~/.secrets/certbot/cloudflare.ini.

Remember to chmod 600 this file (the Global API Key gives full control of your Cloudflare account, and certbot will refuse a world-readable credentials file):

➜  ~ chmod 600 ~/.secrets/certbot/cloudflare.ini

Run the validation

➜  ~ sudo certbot certonly \
> --dns-cloudflare \
> --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
> -d <redacted>.anzupop.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for <redacted>.anzupop.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/<redacted>.anzupop.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/<redacted>.anzupop.com/privkey.pem
   Your cert will expire on <redacted>. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
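As an added example (not part of the original post), a small POSIX shell pre-flight that checks the credentials file before certbot is handed it: it refuses a file that is not mode 600/400 or that lacks a value for either of the two keys the plugin reads, and only then runs the same certbot command shown above. The function names check_cf_credentials and issue_cert are my own; the certbot flags are the ones used in the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from certbot.
# Pre-flight check for the Cloudflare credentials file used by certbot-dns-cloudflare.

# Usage: check_cf_credentials /path/to/cloudflare.ini
# Returns 0 when the file is safe to use, 1 otherwise (reason printed on stderr).
check_cf_credentials() {
    ini="$1"
    if [ ! -f "$ini" ]; then
        echo "credentials file not found: $ini" >&2
        return 1
    fi
    # GNU stat (Debian, as in the post) first; fall back to the BSD/macOS form.
    mode=$(stat -c '%a' "$ini" 2>/dev/null || stat -f '%Lp' "$ini")
    case "$mode" in
        600|400) ;;
        *)  echo "$ini has mode $mode; expected 600 (run: chmod 600 $ini)" >&2
            return 1 ;;
    esac
    # Both keys must be present with a non-empty value, as the plugin expects.
    for key in dns_cloudflare_email dns_cloudflare_api_key; do
        if ! grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*[^[:space:]]" "$ini"; then
            echo "$ini is missing a value for $key" >&2
            return 1
        fi
    done
    return 0
}

# Usage: issue_cert /path/to/cloudflare.ini host.example.com
# Runs the dns-01 validation only after the credentials file passes the check.
issue_cert() {
    ini="$1"
    domain="$2"
    check_cf_credentials "$ini" || return 1
    sudo certbot certonly \
        --dns-cloudflare \
        --dns-cloudflare-credentials "$ini" \
        -d "$domain"
}
```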

Extra: exporting to pfx format

➜  ~ mkdir certs
➜  ~ cd certs
➜  certs sudo cp /etc/letsencrypt/live/<redacted>.anzupop.com/fullchain.pem ./
➜  certs sudo cp /etc/letsencrypt/live/<redacted>.anzupop.com/privkey.pem ./
➜  certs sudo chown nemo ./fullchain.pem
➜  certs sudo chgrp nemo ./fullchain.pem
➜  certs sudo chown nemo ./privkey.pem
➜  certs sudo chgrp nemo ./privkey.pem
➜  certs openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in fullchain.pem
Enter Export Password:
Verifying - Enter Export Password:
Nemo Xiong
ex-Cybersecurity Executor, now a student in Unimelb