Letsencrypt/certbot/hooks - moin.dnsq.info

Contents

hooks
Pre and Post Validation Hooks¶
env
example script

Ubuntu 20.04 certbot-dns-cloudflareでワイルドカード証明書を取得、更新 2021-08-12 https://eggpan.net/post/ubuntu-certbot-dns-cloudflare/

Welcome to certbot-dns-cloudflare’s documentation!¶ https://certbot-dns-cloudflare.readthedocs.io/en/stable/

1. hooks

CloudflareのDNSを利用しているドメインの証明書をcertbotで発行する Akira Ueno 2022-01-09

https://blog.akky.me/blog/20220109-certbot-cloudflare-dns/#%E3%83%97%E3%83%A9%E3%82%B0%E3%82%A4%E3%83%B3%E3%81%AE%E3%82%A4%E3%83%B3%E3%82%B9%E3%83%88%E3%83%BC%E3%83%AB

プラグインのインストール

certbot-dns-cloudflareプラグインをインストールする。

https://ebith.hatenablog.jp/entry/2020/05/03/033114

Let's Encryptのワイルドカード証明書の取得と更新

https://0sn.net/posts/20220217/cloudflaredns-certbot/ CloudflareのDNSを使ってCertbotで証明書を発行する 2022-02-17 18:37:18 History #

--manual-auth-hook が実行される(あるいは有効になる)のは、最初に証明書がつくられときだけのようだ。

更新作業に相当する場合にはなぜか実行されない。-- ToshinoriMaeno 2022-02-18 10:41:51

2/23 あたりに renew --force-renewal でなにかが分かるだろう。

現在 txt.qmail.jp は存在しない。

txt0
txt.t1.odns.info.       300     IN      TXT     "tszYBWM9tTSJ9_f9GrPLGCh0uVXlIsEpP8NgZtmaLYk"

2. Pre and Post Validation Hooks¶

Certbot allows for the specification of pre and post validation hooks when run in manual mode.

The flags to specify these scripts are --manual-auth-hook and --manual-cleanup-hook respectively and can be used as follows:

certbot certonly --manual --manual-auth-hook /path/to/http/authenticator.sh --manual-cleanup-hook /path/to/http/cleanup.sh -d secure.example.com

This will run the authenticator.sh script, attempt the validation, and then run the cleanup.sh script.

3. env

Additionally certbot will pass relevant environment variables to these scripts:

    CERTBOT_DOMAIN: The domain being authenticated

    CERTBOT_VALIDATION: The validation string

    CERTBOT_TOKEN: Resource name part of the HTTP-01 challenge (HTTP-01 only)

    CERTBOT_REMAINING_CHALLENGES: Number of challenges remaining after the current challenge

    CERTBOT_ALL_DOMAINS: A comma-separated list of all

Additionally for cleanup:

CERTBOT_AUTH_OUTPUT: Whatever the auth script wrote to stdout

4. example script

Example usage for DNS-01 (Cloudflare API v4) (for example purposes only, do not use as-is)

certbot certonly --manual --preferred-challenges=dns 
--manual-auth-hook /path/to/dns/authenticator.sh 
--manual-cleanup-hook /path/to/dns/cleanup.sh 
-d secure.example.com

# Get your API key from https://www.cloudflare.com/a/account/my-account
API_KEY="your-api-key"
EMAIL="your.email@example.com"

# Strip only the top domain to get the zone id
DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')

# Get the Cloudflare zone id
ZONE_EXTRA_PARAMS="status=active&page=1&per_page=20&order=status&direction=desc&match=all"
ZONE_ID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$DOMAIN&$ZONE_EXTRA_PARAMS" \
     -H     "X-Auth-Email: $EMAIL" \
     -H     "X-Auth-Key: $API_KEY" \
     -H     "Content-Type: application/json" | python -c "import sys,json;print(json.load(sys.stdin)['result'][0]['id'])")

# Create TXT record
CREATE_DOMAIN="_acme-challenge.$CERTBOT_DOMAIN"
RECORD_ID=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
     -H     "X-Auth-Email: $EMAIL" \
     -H     "X-Auth-Key: $API_KEY" \
     -H     "Content-Type: application/json" \
     --data '{"type":"TXT","name":"'"$CREATE_DOMAIN"'","content":"'"$CERTBOT_VALIDATION"'","ttl":120}' \
             | python -c "import sys,json;print(json.load(sys.stdin)['result']['id'])")
# Save info for cleanup
if [ ! -d /tmp/CERTBOT_$CERTBOT_DOMAIN ];then
        mkdir -m 0700 /tmp/CERTBOT_$CERTBOT_DOMAIN
fi
echo $ZONE_ID > /tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID
echo $RECORD_ID > /tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID

# Sleep to make sure the change has time to propagate over to DNS
sleep 25

/path/to/dns/cleanup.sh (qmail.jp のように単純なら、cron で消去するので十分)

# Get your API key from https://www.cloudflare.com/a/account/my-account
API_KEY="your-api-key"
EMAIL="your.email@example.com"

if [ -f /tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID ]; then
        ZONE_ID=$(cat /tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID)
        rm -f /tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID
fi

if [ -f /tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID ]; then
        RECORD_ID=$(cat /tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID)
        rm -f /tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID
fi

# Remove the challenge TXT record from the zone
if [ -n "${ZONE_ID}" ]; then
    if [ -n "${RECORD_ID}" ]; then
        curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$RECORD_ID" \
                -H "X-Auth-Email: $EMAIL" \
                -H "X-Auth-Key: $API_KEY" \
                -H "Content-Type: application/json"
    fi
fi

CategoryDns CategoryWatch CategoryTemplate

MoinQ: Letsencrypt/certbot/hooks (last edited 2023-02-12 14:03:02 by ToshinoriMaeno)