Configuring Let's Encrypt wildcard certificates on CentOS 7 with validation via CloudFlare API
Like many, I have long been waiting for the possibility of obtaining wildcard certificates from Let's Encrypt. And now the moment has come, but there is no manual on Habré. Well, let's try to fix it.
This is the most simplified manual for configuring wildcard certificates from Let's Encrypt.
Instead of CloudFlare you can use another service, since plugins are in the EPEL repository.
It makes no sense for us to install the latest version of certbot with github, since the functionality we needed appeared in version 0.22.
To install certbot and its plugins, you need to connect the EPEL repository.
')
After that start the installation of certbot.
And then install the CloudFlare plugin for certbot.
In order for certbot to automatically renew wildcard certificates, you need to specify the login of the CloudFlare account and its API Key in the config.
Create a cloudflareapi.cfg file in the / etc / letsencrypt directory using an editor (for example, nano):
And we write the following in it:
Unlike other validation methods, here a certificate is created easily and quickly. Replace example.org with your domain.
The fullchain.pem certificate you need will be located in the / etc / letsencrypt / live / example.org directory.
All created certificates are renewed with certbot.
Actually, open / etc / crontab .
And add the line.
Which means that every Tuesday at 4 o'clock check the relevance of certificates through certbot.
Also, here you should add the restart of the web server that will use this certificate, for example nginx:
Setup is simple, but forgetting it is pretty easy. Therefore, save to bookmarks.
This manual is intended primarily for enthusiasts for your server or for small projects, so there is no special attention to security or advanced settings.
This is the most simplified manual for configuring wildcard certificates from Let's Encrypt.
Instead of CloudFlare you can use another service, since plugins are in the EPEL repository.
Installing certbot and plugins
It makes no sense for us to install the latest version of certbot with github, since the functionality we needed appeared in version 0.22.
To install certbot and its plugins, you need to connect the EPEL repository.
')
sudo yum install epel-release -y After that start the installation of certbot.
sudo yum install certbot -y And then install the CloudFlare plugin for certbot.
sudo yum install python2-cloudflare.noarch python2-certbot-dns-cloudflare.noarch -y If you use another service, find its plugin using yum, for example for digitalocean yum list * digitalocean *Run certbot once to create configs.
sudo certbot Setting up the CloudFlare API
In order for certbot to automatically renew wildcard certificates, you need to specify the login of the CloudFlare account and its API Key in the config.
Login to your CloudFlare account and go to profile
We press View opposite to Global API Key
Enter the password from the account, go through the captcha and click View again
Copy your API Key
Create a cloudflareapi.cfg file in the / etc / letsencrypt directory using an editor (for example, nano):
sudo nano /etc/letsencrypt/cloudflareapi.cfg And we write the following in it:
dns_cloudflare_email = < CloudFlare > dns_cloudflare_api_key = < CloudFlare API Key> Ahtung! This method of storing the API Key is not secure, but since you use Let's Encrypt you should not care.
At the very least, you can add sudo chmod 600 /etc/letsencrypt/cloudflareapi.cfg to limit read access.
Creating a certificate
Unlike other validation methods, here a certificate is created easily and quickly. Replace example.org with your domain.
sudo certbot certonly --cert-name example.org --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflareapi.cfg --server https://acme-v02.api.letsencrypt.org/directory -d "*.example.org" -d example.org When you first start, certbot can ask you for an email address to deliver notifications, agree with ToS (select A ) and approve receipt of spam (choose N ).
That's all, if successful, you will see something like this
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/example.org/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/example.org/privkey.pem Your cert will expire on 2018-07-21. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le The fullchain.pem certificate you need will be located in the / etc / letsencrypt / live / example.org directory.
Web server setup
I will not describe the configuration of the web server here, because my piece of config is unlikely to suit you.
You yourself must find the SSL setting for your version of the web server and CMS.
Certificate renewal
All created certificates are renewed with certbot.
sudo certbot renew Actually, open / etc / crontab .
sudo nano /etc/crontab And add the line.
0 4 * * 2 root certbot renew Which means that every Tuesday at 4 o'clock check the relevance of certificates through certbot.
Also, here you should add the restart of the web server that will use this certificate, for example nginx:
10 4 * * 2 root systemctl restart nginx Conclusion
Setup is simple, but forgetting it is pretty easy. Therefore, save to bookmarks.
This manual is intended primarily for enthusiasts for your server or for small projects, so there is no special attention to security or advanced settings.
Source: https://habr.com/ru/post/354052/
All Articles