Obtaining and renewing a wildcard certificate with certbot-dns-cloudflare on Ubuntu 20.04 2021-08-12 https://eggpan.net/post/ubuntu-certbot-dns-cloudflare/
Welcome to certbot-dns-cloudflare's documentation! https://certbot-dns-cloudflare.readthedocs.io/en/stable/
1. hooks
Issuing a certificate with certbot for a domain whose DNS is served by Cloudflare Akira Ueno 2022-01-09
Installing the plugin
- Install the certbot-dns-cloudflare plugin.
https://ebith.hatenablog.jp/entry/2020/05/03/033114
- Obtaining and renewing Let's Encrypt wildcard certificates
https://0sn.net/posts/20220217/cloudflaredns-certbot/ Issuing a certificate with Certbot using Cloudflare DNS 2022-02-17 18:37:18
It seems that --manual-auth-hook is executed (or takes effect) only when the certificate is first created.
For some reason it is not executed in what amounts to a renewal. -- ToshinoriMaeno 2022-02-18 10:41:51
Around 2/23, renew --force-renewal should tell us something.
- txt.qmail.jp does not currently exist.
txt0 txt.t1.odns.info. 300 IN TXT "tszYBWM9tTSJ9_f9GrPLGCh0uVXlIsEpP8NgZtmaLYk"
2. Pre and Post Validation Hooks
Certbot allows for the specification of pre and post validation hooks when run in manual mode.
The flags to specify these scripts are --manual-auth-hook and --manual-cleanup-hook respectively and can be used as follows:
certbot certonly --manual --manual-auth-hook /path/to/http/authenticator.sh --manual-cleanup-hook /path/to/http/cleanup.sh -d secure.example.com
This will run the authenticator.sh script, attempt the validation, and then run the cleanup.sh script.
3. env
Additionally certbot will pass relevant environment variables to these scripts:
- CERTBOT_DOMAIN: The domain being authenticated
- CERTBOT_VALIDATION: The validation string
- CERTBOT_TOKEN: Resource name part of the HTTP-01 challenge (HTTP-01 only)
- CERTBOT_REMAINING_CHALLENGES: Number of challenges remaining after the current challenge
- CERTBOT_ALL_DOMAINS: A comma-separated list of all
Additionally for cleanup:
- CERTBOT_AUTH_OUTPUT: Whatever the auth script wrote to stdout
4. example script
Example usage for DNS-01 (Cloudflare API v4) (for example purposes only, do not use as-is)
certbot certonly --manual --preferred-challenges=dns --manual-auth-hook /path/to/dns/authenticator.sh --manual-cleanup-hook /path/to/dns/cleanup.sh -d secure.example.com
/path/to/dns/authenticator.sh

#!/bin/bash
# Get your API key from https://www.cloudflare.com/a/account/my-account
API_KEY="your-api-key"
EMAIL="your.email@example.com"

# Strip only the top domain to get the zone id
DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')

# Get the Cloudflare zone id
ZONE_EXTRA_PARAMS="status=active&page=1&per_page=20&order=status&direction=desc&match=all"
ZONE_ID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$DOMAIN&$ZONE_EXTRA_PARAMS" \
     -H "X-Auth-Email: $EMAIL" \
     -H "X-Auth-Key: $API_KEY" \
     -H "Content-Type: application/json" | python -c "import sys,json;print(json.load(sys.stdin)['result'][0]['id'])")

# Create TXT record
CREATE_DOMAIN="_acme-challenge.$CERTBOT_DOMAIN"
RECORD_ID=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
     -H "X-Auth-Email: $EMAIL" \
     -H "X-Auth-Key: $API_KEY" \
     -H "Content-Type: application/json" \
     --data '{"type":"TXT","name":"'"$CREATE_DOMAIN"'","content":"'"$CERTBOT_VALIDATION"'","ttl":120}' \
     | python -c "import sys,json;print(json.load(sys.stdin)['result']['id'])")

# Save info for cleanup
if [ ! -d /tmp/CERTBOT_$CERTBOT_DOMAIN ];then
    mkdir -m 0700 /tmp/CERTBOT_$CERTBOT_DOMAIN
fi
echo $ZONE_ID > /tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID
echo $RECORD_ID > /tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID

# Sleep to make sure the change has time to propagate over to DNS
sleep 25
/path/to/dns/cleanup.sh (if the setup is as simple as qmail.jp's, deleting the record from cron is sufficient)

#!/bin/bash
# Get your API key from https://www.cloudflare.com/a/account/my-account
API_KEY="your-api-key"
EMAIL="your.email@example.com"

if [ -f /tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID ]; then
    ZONE_ID=$(cat /tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID)
    rm -f /tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID
fi

if [ -f /tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID ]; then
    RECORD_ID=$(cat /tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID)
    rm -f /tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID
fi

# Remove the challenge TXT record from the zone
if [ -n "${ZONE_ID}" ]; then
    if [ -n "${RECORD_ID}" ]; then
        curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$RECORD_ID" \
             -H "X-Auth-Email: $EMAIL" \
             -H "X-Auth-Key: $API_KEY" \
             -H "Content-Type: application/json"
    fi
fi
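The two documentation scripts above (sections 3 and 4) are written for a single host name; they break in two ways on the wildcard case this page is about. First, for a wildcard the ACME authorization identifier is the bare apex, so CERTBOT_DOMAIN is example.com and the `expr match ... '.*\.\(.*\..*\)'` pattern yields an empty zone name. Second, `-d example.com -d '*.example.com'` produces two dns-01 challenges for the same `_acme-challenge.example.com` name, so the second auth run overwrites RECORD_ID and the first TXT record is never cleaned up. The following is an added example written for this page (not certbot's documentation code, not the page author's, and not the certbot-dns-cloudflare plugin): one hook script that serves both `--manual-auth-hook "cf-hook.sh auth"` and `--manual-cleanup-hook "cf-hook.sh cleanup"`, uses the same CERTBOT_* variables listed in section 3, derives the zone for apex and host names alike, records every created TXT record, refuses to splice a non-base64url validation string into the API request body, and polls the zone's authoritative server instead of a blind `sleep 25`. Assumptions not taken from the page: a scoped Cloudflare API token in CF_API_TOKEN (Bearer auth rather than the global key and e-mail), the zone being the last two labels of CERTBOT_DOMAIN (not true for names under public suffixes such as co.uk), python3 for parsing API replies, dig for the propagation check, and a state directory under /var/lib rather than a predictable path in /tmp.

```shell
#!/bin/sh
# Added example hook for certbot dns-01 on Cloudflare; not from the certbot docs
# or the page author. Usage: cf-hook.sh auth | cf-hook.sh cleanup (certbot sets
# CERTBOT_DOMAIN / CERTBOT_VALIDATION). Assumed: CF_API_TOKEN (scoped token),
# python3, dig, and STATE_DIR being writable by the user running certbot.
set -eu

CF_API="https://api.cloudflare.com/client/v4"
STATE_DIR="${STATE_DIR:-/var/lib/certbot-cf}"   # assumption: not a guessable /tmp path

# zone_of NAME: zone to look up in Cloudflare. For a wildcard certificate
# CERTBOT_DOMAIN is the apex itself, which is returned unchanged; for a host
# name the leading labels are stripped. Fails on a single-label name.
zone_of() {
    name=${1%.}                                  # drop a trailing dot
    case $name in
        *.*.*) ;;                                # host or deeper: strip below
        *.*)   printf '%s\n' "$name"; return 0 ;; # already the apex
        *)     return 1 ;;
    esac
    rest=${name%.*}
    printf '%s.%s\n' "${rest##*.}" "${name##*.}"
}

# valid_validation STR: a dns-01 value is base64url SHA-256 of the key
# authorization, i.e. exactly 43 characters from [A-Za-z0-9_-]. Anything else is
# rejected instead of being interpolated into the JSON body sent to the API.
valid_validation() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{43}$'
}

# txt_payload DOMAIN VALUE: JSON body for the challenge TXT record (ttl 120 as in the docs).
txt_payload() {
    valid_validation "$2" || return 1
    printf '{"type":"TXT","name":"%s","content":"%s","ttl":120}\n' "_acme-challenge.$1" "$2"
}

# cf METHOD PATH [JSON]: authenticated Cloudflare API v4 call.
cf() {
    if [ $# -eq 3 ]; then
        curl -sS -X "$1" "$CF_API$2" -H "Authorization: Bearer $CF_API_TOKEN" \
             -H "Content-Type: application/json" --data "$3"
    else
        curl -sS -X "$1" "$CF_API$2" -H "Authorization: Bearer $CF_API_TOKEN"
    fi
}

# json_field EXPR: extract a field from the API reply, e.g. "['result'][0]['id']".
json_field() {
    python3 -c "import sys,json; print(json.load(sys.stdin)$1)"
}

# wait_for_txt NAME VALUE NS: poll the zone's authoritative server until the
# record is visible; give up after 60 tries (about 5 minutes).
wait_for_txt() {
    i=0
    while [ "$i" -lt 60 ]; do
        if dig +short "@$3" TXT "$1" | grep -Fq "\"$2\""; then return 0; fi
        i=$((i + 1)); sleep 5
    done
    return 1
}

auth() {
    zone=$(zone_of "$CERTBOT_DOMAIN")
    zone_id=$(cf GET "/zones?name=$zone&status=active" | json_field "['result'][0]['id']")
    body=$(txt_payload "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION")
    record_id=$(cf POST "/zones/$zone_id/dns_records" "$body" | json_field "['result']['id']")
    ns=$(cf GET "/zones/$zone_id" | json_field "['result']['name_servers'][0]")
    mkdir -p -m 0700 "$STATE_DIR"
    # Append, not overwrite: apex + wildcard on one certificate means two
    # records for the same name, and both must be removed at cleanup.
    printf '%s %s\n' "$zone_id" "$record_id" >> "$STATE_DIR/$CERTBOT_DOMAIN"
    wait_for_txt "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" "$ns"
}

cleanup() {
    f="$STATE_DIR/$CERTBOT_DOMAIN"
    [ -f "$f" ] || return 0          # second cleanup run for the same name: nothing left
    while read -r zone_id record_id; do
        cf DELETE "/zones/$zone_id/dns_records/$record_id" >/dev/null
    done < "$f"
    rm -f "$f"
}

# Act only when certbot has set CERTBOT_DOMAIN; otherwise only define functions.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    case "${1:-}" in
        auth)    auth ;;
        cleanup) cleanup ;;
        *)       echo "usage: $0 auth|cleanup" >&2; exit 2 ;;
    esac
fi
```

The state file is keyed by CERTBOT_DOMAIN because that is the only name both hook invocations share; the first cleanup run deletes every record listed and removes the file, so the second run for the same name is a no-op rather than an error. Cloudflare's "Edit zone DNS" token template is sufficient for the zone lookup, record creation and deletion this script performs.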