Get You a Free SSL Cert

I like free stuff… well, who doesn’t?

I’m currently hosting this website with Cloudflare CDN, so the certificate is free by default (thanks so much, Cloudflare!)

Well, I still prefer something under my own control, or maybe to encrypt some data, or to use v2ray 😆

Here is how:

Assuming you are using a Mac, first we need to install certbot:

brew install certbot

Then install the Cloudflare DNS plugin for certbot:

pip3 install certbot-dns-cloudflare

All tools are installed, well done!

To get your API key, log in to your Cloudflare dashboard, go to your profile and, at the bottom, click “View” next to “Global API key”.

[Image /img/post/20190925/my-profile-in-cloudflare.png: Cloudflare, my profile]

[Image /img/post/20190925/api-tokens-api-key.png: API tokens and API key]

Next, we need to tell Cloudflare who we are when certbot runs to obtain a new certificate:

# Create a working folder
mkdir ~/certbot

# Create the credentials file; replace both placeholders with your own values
echo "# Cloudflare API credentials used by Certbot
dns_cloudflare_email = <Your Email address as username in Cloudflare>
dns_cloudflare_api_key = <Your Global API key>
" > ~/certbot/cloudflare.ini

Please note, this IS your password (the Global API key gives full access to your Cloudflare account), and you SHOULD ALWAYS keep it secured, whatever the reason:

# Move the file somewhere only root can reach and lock down the permissions
sudo mkdir -p /root/.secrets
sudo mv ~/certbot/cloudflare.ini /root/.secrets/.
sudo chmod 700 /root/.secrets/
sudo chmod 400 /root/.secrets/cloudflare.ini

Now generate the wildcard certificate by running the following:

# Change example.com,*.example.com to your own domain name
# (quoted so the shell does not try to expand the *)
sudo certbot certonly --dns-cloudflare \
--dns-cloudflare-credentials /root/.secrets/cloudflare.ini \
-d 'example.com,*.example.com' \
--preferred-challenges dns-01

You can view information about your current certificates by running:

sudo certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: ryc.one
    Domains: ryc.one *.ryc.one
    Expiry Date: 2019-12-24 07:16:09+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/ryc.one/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ryc.one/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

To renew your certificate, simply run sudo certbot renew, or set up a crontab job like:

14 5 * * * /usr/local/bin/certbot renew --quiet --post-hook "/usr/sbin/service nginx reload" > /dev/null 2>&1

If you want the certificate written to a specific directory, specify --config-dir, --work-dir and --logs-dir. If you are going to run this in a Docker image that keeps no files and always starts fresh, also consider adding --agree-tos and -m EMAIL so the script can run without prompts. The full script looks like this:

certbot certonly --dns-cloudflare \
--dns-cloudflare-credentials \
/Users/riveryang/tmp/certsmgr/cloudflare.ini \
-d 'ryc.one,*.ryc.one' \
--preferred-challenges dns-01 \
--config-dir /Users/riveryang/tmp/certsmgr \
--work-dir /Users/riveryang/tmp/certsmgr \
--logs-dir /Users/riveryang/tmp/certsmgr \
--agree-tos -m [email protected]

The certificate is valid for 90 days; with the automatic renewal in place, you have it whenever and wherever you need it.
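As an added example (my own code, not from the post or from certbot), a small POSIX sh guard for the renewal job above: it refuses to proceed when the credentials file is group- or world-readable or still holds the template placeholders, and checks remaining certificate lifetime with openssl before renewing. The function names and checks are assumptions of mine; the paths in the usage comment are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers for the renewal
# job: check_cf_credentials refuses a Cloudflare credentials file that is
# group/world-readable or still holds template placeholders (certbot itself
# only warns about loose permissions), and cert_valid_for_days tells a cron
# job whether a certificate still has enough life left to skip renewal.
# Assumes POSIX sh, GNU or BSD stat(1), and openssl(1) for the second helper.

# Return 0 when $1 is a regular file, readable by its owner only, and names
# both keys the certbot-dns-cloudflare plugin reads.
check_cf_credentials() {
    f="$1"
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    # Permission bits in octal; GNU stat uses -c, BSD/macOS stat uses -f.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%OLp' "$f")
    case "$mode" in
        *00) ;;  # e.g. 400 or 600: group and others hold no bits at all
        *) echo "$f is mode $mode; expected 400 or 600" >&2; return 1 ;;
    esac
    for key in dns_cloudflare_email dns_cloudflare_api_key; do
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$f" || {
            echo "$f lacks $key" >&2; return 1; }
    done
    # A value still wrapped in <...> means the template was never filled in.
    if grep -Eq '=[[:space:]]*<' "$f"; then
        echo "$f still contains a template placeholder" >&2; return 1
    fi
    return 0
}

# Return 0 when the certificate in $1 stays valid for at least $2 more days
# (openssl's -checkend exits non-zero if the cert expires within that window).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Usage sketch for the cron job, with the paths from the post:
# check_cf_credentials /root/.secrets/cloudflare.ini || exit 1
# cert_valid_for_days /etc/letsencrypt/live/ryc.one/fullchain.pem 30 \
#     || certbot renew --quiet --post-hook "/usr/sbin/service nginx reload"
```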

Happy operation~

R