Obtaining a Let's Encrypt SSL Certificate with the DNS-01 Challenge

The usual way to obtain a Let's Encrypt SSL certificate with Certbot is the HTTP-01 challenge; when that validation method cannot be used, there are still other options. Let's Encrypt currently supports the following four validation methods:

  • HTTP-01 challenge
  • DNS-01 challenge
  • TLS-SNI-01
  • TLS-ALPN-01

How each of them works, along with its advantages and disadvantages, is explained on the Let's Encrypt official website.

This post uses Certbot's DNS-Cloudflare plugin to register the certificate.

Environment: Ubuntu Server 22.04 LTS (Jammy Jellyfish)

Step.1 - Obtain an API token from the DNS provider

First, create an API token on Cloudflare.

It is recommended to restrict the token to a specific zone. After submitting, the token is shown; copy it.

Create the token file, replacing the contents with your own values.

mkdir -p ~/.secrets/certbot
echo '# Cloudflare API token used by Certbot
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567' > ~/.secrets/certbot/cloudflare.ini
chmod 600 ~/.secrets/certbot/cloudflare.ini

Step.2 - Install packages

Install certbot and the Cloudflare plugin python3-certbot-dns-cloudflare.

sudo apt update
sudo apt install -y certbot python3-certbot-dns-cloudflare

Run the certificate registration

# --dns-cloudflare              use the certbot-dns-cloudflare plugin
# --dns-cloudflare-credentials  path to the API token file
# -d                            domain the certificate is issued for
# (comments cannot follow a trailing backslash, so they are listed above)
sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  -d test-dns-challenge.caloskao.org
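The two steps above can be wrapped in a small script that writes the credentials file under a restrictive umask, verifies its ownership and mode before Certbot ever reads it (the condition behind the "Unsafe permissions on credentials configuration file" warning seen in the log below), and only then runs the DNS-01 registration. This is an added example, not code from the original post or from Certbot; the function names, the placeholder token and the paths are assumptions, and `--dns-cloudflare-propagation-seconds` is the plugin's own option for adjusting the default 10-second wait.

```shell
#!/bin/sh
# Added example (not part of the original post): create and verify the
# Certbot Cloudflare credentials file, then request a certificate.
# The token below is a constructed placeholder, not a real API token.

# Write the ini file so that it is never group/world readable, even briefly.
# $1 = destination path, $2 = Cloudflare API token
write_cloudflare_ini() {
  ini="$1"; token="$2"
  mkdir -p "$(dirname "$ini")"
  # umask 077 in a subshell so the file is created 0600 from the start
  (umask 077; printf '# Cloudflare API token used by Certbot\ndns_cloudflare_api_token = %s\n' "$token" > "$ini")
  chmod 600 "$ini"
}

# Returns 0 when the file exists, is owned by the caller, and has no
# group/world permission bits; returns 1 otherwise. This mirrors the check
# that makes Certbot print "Unsafe permissions on credentials configuration file".
# stat -c is GNU coreutils (present on Ubuntu).
check_cloudflare_ini() {
  ini="$1"
  [ -f "$ini" ] || return 1
  mode=$(stat -c '%a' "$ini") || return 1
  owner=$(stat -c '%u' "$ini") || return 1
  [ "$owner" = "$(id -u)" ] || return 1
  # the last two octal digits are the group and other bits; both must be zero
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Refuse to run Certbot unless the credentials file passes the check.
# $1 = credentials file, $2 = domain to issue for
request_certificate() {
  ini="$1"; domain="$2"
  if ! check_cloudflare_ini "$ini"; then
    echo "refusing to run certbot: $ini is missing or has unsafe permissions" >&2
    return 1
  fi
  sudo certbot certonly \
    --dns-cloudflare \
    --dns-cloudflare-credentials "$ini" \
    --dns-cloudflare-propagation-seconds 30 \
    -d "$domain"
}

# Real run only when explicitly requested, e.g.:
#   CF_TOKEN=... RUN_CERTBOT=1 sh dns01.sh
if [ "${RUN_CERTBOT:-0}" = 1 ]; then
  write_cloudflare_ini "$HOME/.secrets/certbot/cloudflare.ini" "${CF_TOKEN:?set CF_TOKEN}"
  request_certificate "$HOME/.secrets/certbot/cloudflare.ini" test-dns-challenge.caloskao.org
fi
```

Creating the file under `umask 077` avoids the short window in which `echo ... > file` followed by `chmod 600` leaves a world-readable file, and the pre-flight check turns Certbot's warning into a hard stop so a readable token is never silently used.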

Registration succeeded.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for test-dns-challenge.caloskao.org
Unsafe permissions on credentials configuration file: /home/calos/.secrets/certbot/cloudflare.ini
Waiting 10 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/test-dns-challenge.caloskao.org/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/test-dns-challenge.caloskao.org/privkey.pem
This certificate expires on 2024-05-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Reference: User Guide — Certbot 2.7.0.dev0 documentation