The Huawei cloud server applied for a year ago has already expired, and the new server requires a brand new SSL certificate. Due to issues with the domestic network environment, applying for a Let's Encrypt certificate using Certbot can be quite challenging. In the initial period of opening the blog, I could only rely on Cloudflare's free CDN to pretend to have certificate encryption...
Now, a good era has arrived! As long as the domain name is hosted on Cloudflare, a more reliable method can be used to apply for the certificate.
This method requires command line access to the server and a Cloudflare API token.
Step 1
Host the domain name on Cloudflare. I will keep this part brief, since there are plenty of tutorials online; the focus here is on the steps that actually matter.
Step 2
First, connect to the server over SSH. Then install Certbot, a free open-source tool that automates obtaining and installing SSL certificates.
sudo apt-get update
sudo apt-get install certbot
Then install the Cloudflare plugin for automated DNS verification.
sudo apt-get install python3-certbot-dns-cloudflare
Step 3
Next, create an API token in Cloudflare for the DNS verification that follows. The permissions need to include at least DNS Firewall read and edit, and DNS read and edit. Make sure to save the token.
Step 4
Create an ini file on the server to hold the API token. I prefer using nano.
sudo mkdir -p ~/.secrets/certbot
sudo nano ~/.secrets/certbot/cloudflare.ini
Enter the following content in nano, replacing your-cloudflare-api-token with your own API token.
dns_cloudflare_api_token = your-cloudflare-api-token
Then lock down the credentials file so that only its owner can read it.
sudo chmod 600 ~/.secrets/certbot/cloudflare.ini
Step 5
Run the Certbot command to automate the certificate application.
sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
-d example.com \
-d www.example.com
Replace example.com and www.example.com with the domain names you want certificates for. This command often fails, though: because of DNS propagation delays, Let's Encrypt may not yet see the required DNS TXT record and reports an error. The fix is to give the TXT record more time to propagate to all DNS servers before validation starts. Generally, 60 seconds is sufficient.
sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
--dns-cloudflare-propagation-seconds 60 \
-d example.com \
-d www.example.com
With that, the certificate application succeeds, and the certificate will renew automatically whenever it is due to expire (as long as the API token is still valid), which makes the whole thing worry-free. If the API token expires, simply update the cloudflare.ini file and rerun the command above.
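To turn the "secure permissions" step from Step 4 into something you can actually check, here is an added shell helper of my own (not part of the original post): it validates cloudflare.ini before Certbot reads it and then runs the Step 5 command. The function names, the 400-or-600 rule and the issue_certificate wrapper are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies the Cloudflare
# credentials file before certbot touches it:
#   - the file exists,
#   - its mode is 600 or 400 (no group/other read access),
#   - it contains a dns_cloudflare_api_token line,
#   - the value is not the tutorial placeholder.
# Returns 0 when all checks pass, 1 otherwise (reason on stderr).
check_cloudflare_ini() {
    ini="$1"
    if [ ! -f "$ini" ]; then
        echo "missing credentials file: $ini" >&2; return 1
    fi
    # GNU stat uses -c; BSD/macOS stat uses -f.
    mode=$(stat -c '%a' "$ini" 2>/dev/null || stat -f '%Lp' "$ini")
    if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
        echo "insecure mode $mode on $ini (expected 600)" >&2; return 1
    fi
    # certbot expects exactly: dns_cloudflare_api_token = <token>
    token=$(sed -n 's/^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$ini" | head -n 1)
    if [ -z "$token" ]; then
        echo "no dns_cloudflare_api_token line in $ini" >&2; return 1
    fi
    if [ "$token" = "your-cloudflare-api-token" ]; then
        echo "placeholder token still present in $ini" >&2; return 1
    fi
    return 0
}

# Step 5 from the post, guarded by the check above. Extra arguments are
# passed straight to certbot, e.g.: -d example.com -d www.example.com
issue_certificate() {
    ini="$1"; shift
    check_cloudflare_ini "$ini" || return 1
    sudo certbot certonly \
        --dns-cloudflare \
        --dns-cloudflare-credentials "$ini" \
        --dns-cloudflare-propagation-seconds 60 \
        "$@"
}
```

Run it as `issue_certificate ~/.secrets/certbot/cloudflare.ini -d example.com -d www.example.com`; a bad mode or a leftover placeholder stops the run before any token is sent anywhere.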
This article is synchronized and updated by Mix Space to xLog. The original link is https://www.actorr.cn/posts/default/cloudflare_and_certificate