 * Ubuntu 20.04: obtaining and renewing a wildcard certificate with certbot-dns-cloudflare (2021-08-12) https://eggpan.net/post/ubuntu-certbot-dns-cloudflare/
 * Welcome to certbot-dns-cloudflare's documentation! https://certbot-dns-cloudflare.readthedocs.io/en/stable/

== hooks ==

 * Issuing a certificate with certbot for a domain whose DNS is hosted on Cloudflare, Akira Ueno (2022-01-09) https://blog.akky.me/blog/20220109-certbot-cloudflare-dns/#%E3%83%97%E3%83%A9%E3%82%B0%E3%82%A4%E3%83%B3%E3%81%AE%E3%82%A4%E3%83%B3%E3%82%B9%E3%83%88%E3%83%BC%E3%83%AB (Plugin installation: install the certbot-dns-cloudflare plugin.)
 * Obtaining and renewing a Let's Encrypt wildcard certificate https://ebith.hatenablog.jp/entry/2020/05/03/033114
 * Issuing a certificate with Certbot using Cloudflare DNS (2022-02-17 18:37:18) https://0sn.net/posts/20220217/cloudflaredns-certbot/

----

It seems --manual-auth-hook is only run (or only takes effect) when the certificate is first created. For some reason it is not run for what amounts to a renewal. -- ToshinoriMaeno

Around 2/23, running renew --force-renewal should reveal something.

At present txt.qmail.jp does not exist.

{{{
txt0 txt.t1.odns.info. 300 IN TXT "tszYBWM9tTSJ9_f9GrPLGCh0uVXlIsEpP8NgZtmaLYk"
}}}

== Pre and Post Validation Hooks ==

Certbot allows for the specification of pre and post validation hooks when run in manual mode. The flags to specify these scripts are --manual-auth-hook and --manual-cleanup-hook respectively and can be used as follows:

{{{
certbot certonly --manual --manual-auth-hook /path/to/http/authenticator.sh --manual-cleanup-hook /path/to/http/cleanup.sh -d secure.example.com
}}}

This will run the authenticator.sh script, attempt the validation, and then run the cleanup.sh script.

== env ==

Additionally, certbot will pass relevant environment variables to these scripts:

{{{
CERTBOT_DOMAIN: The domain being authenticated
CERTBOT_VALIDATION: The validation string
CERTBOT_TOKEN: Resource name part of the HTTP-01 challenge (HTTP-01 only)
CERTBOT_REMAINING_CHALLENGES: Number of challenges remaining after the current challenge
CERTBOT_ALL_DOMAINS: A comma-separated list of all
}}}

Additionally for cleanup:

{{{
CERTBOT_AUTH_OUTPUT: Whatever the auth script wrote to stdout
}}}

== example script ==

Example usage for DNS-01 (Cloudflare API v4) (for example purposes only, do not use as-is):

{{{
certbot certonly --manual --preferred-challenges=dns --manual-auth-hook /path/to/dns/authenticator.sh --manual-cleanup-hook /path/to/dns/cleanup.sh -d secure.example.com
}}}

/path/to/dns/authenticator.sh

{{{
#!/bin/bash

# Get your API key from https://www.cloudflare.com/a/account/my-account
API_KEY="your-api-key"
EMAIL="your.email@example.com"

# Strip only the top domain to get the zone id
DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')

# Get the Cloudflare zone id
ZONE_EXTRA_PARAMS="status=active&page=1&per_page=20&order=status&direction=desc&match=all"
ZONE_ID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$DOMAIN&$ZONE_EXTRA_PARAMS" \
     -H "X-Auth-Email: $EMAIL" \
     -H "X-Auth-Key: $API_KEY" \
     -H "Content-Type: application/json" | python -c "import sys,json;print(json.load(sys.stdin)['result'][0]['id'])")

# Create TXT record
CREATE_DOMAIN="_acme-challenge.$CERTBOT_DOMAIN"
RECORD_ID=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
     -H "X-Auth-Email: $EMAIL" \
     -H "X-Auth-Key: $API_KEY" \
     -H "Content-Type: application/json" \
     --data '{"type":"TXT","name":"'"$CREATE_DOMAIN"'","content":"'"$CERTBOT_VALIDATION"'","ttl":120}' \
     | python -c "import sys,json;print(json.load(sys.stdin)['result']['id'])")

# Save info for cleanup (one private state directory per domain)
if [ ! -d "/tmp/CERTBOT_$CERTBOT_DOMAIN" ]; then
    mkdir -m 0700 "/tmp/CERTBOT_$CERTBOT_DOMAIN"
fi
echo "$ZONE_ID" > "/tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID"
echo "$RECORD_ID" > "/tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID"

# Sleep to make sure the change has time to propagate over to DNS
sleep 25
}}}

/path/to/dns/cleanup.sh (for a simple setup like qmail.jp, deleting the record from cron is sufficient)

{{{
#!/bin/bash

# Get your API key from https://www.cloudflare.com/a/account/my-account
API_KEY="your-api-key"
EMAIL="your.email@example.com"

# Read back the state saved by the authenticator script, then remove it
if [ -f "/tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID" ]; then
    ZONE_ID=$(cat "/tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID")
    rm -f "/tmp/CERTBOT_$CERTBOT_DOMAIN/ZONE_ID"
fi

if [ -f "/tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID" ]; then
    RECORD_ID=$(cat "/tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID")
    rm -f "/tmp/CERTBOT_$CERTBOT_DOMAIN/RECORD_ID"
fi

# Remove the challenge TXT record from the zone
if [ -n "${ZONE_ID}" ]; then
    if [ -n "${RECORD_ID}" ]; then
        curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$RECORD_ID" \
             -H "X-Auth-Email: $EMAIL" \
             -H "X-Auth-Key: $API_KEY" \
             -H "Content-Type: application/json"
    fi
fi
}}}

----
CategoryDns CategoryWatch CategoryTemplate
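Added example (not code from this page, from certbot, or from Cloudflare): a helper for a manual auth hook that derives the Cloudflare zone by walking up the labels of CERTBOT_DOMAIN, instead of the single `expr match` regex used in the example authenticator script below, which yields an empty string for an apex name such as qmail.jp (also what certbot passes as CERTBOT_DOMAIN for a wildcard). `fake_lookup` is a constructed stand-in for the zones API call; in production it would be the `curl` against `/client/v4/zones?name=...`.

```shell
#!/bin/bash
# Added example (hypothetical helper, not from certbot's docs).

# Print every parent name of $1 that still has at least two labels,
# longest first, e.g. txt.t1.odns.info -> txt.t1.odns.info, t1.odns.info, odns.info
zone_candidates() {
    local name="${1#\*.}"          # strip a leading "*." if present
    name="${name%.}"               # drop a trailing dot
    while [ "${name#*.}" != "$name" ]; do
        printf '%s\n' "$name"
        name="${name#*.}"          # remove the leftmost label
    done
}

# Name of the TXT record certbot will query for the DNS-01 challenge.
challenge_record() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Return the first candidate that the lookup function accepts as a zone.
# The lookup is passed in so the real Cloudflare API call can be used in
# production and a constructed table can be used here.
find_zone() {
    local domain="$1" lookup="$2" cand
    for cand in $(zone_candidates "$domain"); do
        if "$lookup" "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1                       # no zone found: hook must fail loudly
}

# Constructed stand-in for the zones API: only these zones "exist".
fake_lookup() {
    case "$1" in
        qmail.jp|odns.info) return 0 ;;
        *) return 1 ;;
    esac
}
```

A hook built on this fails with a non-zero exit (so certbot aborts the challenge) when no managed zone matches, rather than posting a record to an empty zone id.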