https://linzeyan.github.io/categories/dns-01/Recent content in DNS-01 on RickyHugo -- gohugo.ioenTue, 24 Jul 2018 18:35:39 +0800https://linzeyan.github.io/posts/2018/20180724-dehydrated/Tue, 24 Jul 2018 18:35:39 +0800https://linzeyan.github.io/posts/2018/20180724-dehydrated/<ul> <li><a href="https://github.com/lukas2511/dehydrated" target="_blank" rel="noopener">dehydrated</a></li> <li><a href="https://github.com/kappataumu/letsencrypt-cloudflare-hook" target="_blank" rel="noopener">letsencrypt-cloudflare-hook</a></li> </ul> <p>Since we cannot upload files to the CDN server, we cannot use file validation to apply for HTTPS certificates. Fortunately, Let&rsquo;s Encrypt supports the dns-01 challenge via DNS validation. We use Dehydrated with the CloudFlare hook to apply for HTTPS certificates.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#75715e"># First clone the dehydrated repository</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>git clone https://github.com/lukas2511/dehydrated </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># In the cloned dehydrated directory, create a config file. See the example config file:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># https://github.com/dehydrated-io/dehydrated/blob/master/docs/examples/config</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Append Cloudflare info to the end of the config file</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>echo <span style="color:#e6db74">&#34;export CF_EMAIL=user@example.com&#34;</span> &gt;&gt; config </span></span><span style="display:flex;"><span>echo <span style="color:#e6db74">&#34;export CF_KEY=K9uX2HyUjeWg5AhAb&#34;</span> &gt;&gt; config </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Clone the Cloudflare hook</span> </span></span><span style="display:flex;"><span>mkdir hooks </span></span><span style="display:flex;"><span>git clone https://github.com/kappataumu/letsencrypt-cloudflare-hook hooks/cloudflare </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Install dependencies</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>pip install -r hooks/cloudflare/requirements-python-2.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Create domains.txt, one domain per line</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">[</span>root@db-slave01 dehydrated<span style="color:#f92672">]</span><span style="color:#75715e"># cat domains.txt</span> </span></span><span style="display:flex;"><span>apk.kosungames.com </span></span><span style="display:flex;"><span>sp-res.kosungames.com </span></span><span style="display:flex;"><span>cpweb.kosungames.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Request HTTPS certificates</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>./dehydrated -c -k hooks/cloudflare/hook.py </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use a Python script to upload the certificates. The script must be in the dehydrated directory.</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e">#!/usr/bin/env python</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> aliyunsdkcore <span style="color:#f92672">import</span> client </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> aliyunsdkcdn.request.v20141111 <span style="color:#f92672">import</span> SetDomainServerCertificateRequest </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> uuid </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">upload</span>(domain): </span></span><span style="display:flex;"><span> cli <span style="color:#f92672">=</span> client<span style="color:#f92672">.</span>AcsClient(<span style="color:#e6db74">&#34;LTAI7zSXga2D&#34;</span>, <span style="color:#e6db74">&#34;ed03Mt9xcNkRgmadx0XtpyDje&#34;</span>, <span style="color:#e6db74">&#34;cn-hongkong&#34;</span>) </span></span><span style="display:flex;"><span> request <span style="color:#f92672">=</span> SetDomainServerCertificateRequest<span style="color:#f92672">.</span>SetDomainServerCertificateRequest() </span></span><span style="display:flex;"><span> request<span style="color:#f92672">.</span>set_accept_format(<span style="color:#e6db74">&#34;json&#34;</span>) </span></span><span style="display:flex;"><span> request<span style="color:#f92672">.</span>set_DomainName(domain) </span></span><span style="display:flex;"><span> request<span style="color:#f92672">.</span>set_CertName(domain <span style="color:#f92672">+</span> str(uuid<span style="color:#f92672">.</span>uuid1())) </span></span><span style="display:flex;"><span> <span style="color:#75715e">#request.set_CertName(domain)</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#certificate = open(&#34;certs/&#34; + domain + &#34;/fullchain.pem&#34;).read()</span> </span></span><span style="display:flex;"><span> certificate <span style="color:#f92672">=</span> open(<span style="color:#e6db74">&#34;certs/&#34;</span> <span style="color:#f92672">+</span> domain <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;/cert.pem&#34;</span>)<span style="color:#f92672">.</span>read() </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">with</span> open(<span style="color:#e6db74">&#34;certs/&#34;</span> <span style="color:#f92672">+</span> domain <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;/chain.pem&#34;</span>) <span style="color:#66d9ef">as</span> f: </span></span><span style="display:flex;"><span> f<span style="color:#f92672">.</span>readline() </span></span><span style="display:flex;"><span> f<span style="color:#f92672">.</span>readline() </span></span><span style="display:flex;"><span> chain <span style="color:#f92672">=</span> f<span style="color:#f92672">.</span>read() </span></span><span style="display:flex;"><span> certificate <span style="color:#f92672">+=</span> chain </span></span><span style="display:flex;"><span> key <span style="color:#f92672">=</span> open(<span style="color:#e6db74">&#34;certs/&#34;</span> <span style="color:#f92672">+</span> domain <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;/privkey.pem&#34;</span>)<span style="color:#f92672">.</span>read() </span></span><span style="display:flex;"><span> request<span style="color:#f92672">.</span>set_ServerCertificateStatus(<span style="color:#e6db74">&#39;on&#39;</span>) </span></span><span style="display:flex;"><span> request<span style="color:#f92672">.</span>set_ServerCertificate(certificate) </span></span><span style="display:flex;"><span> request<span style="color:#f92672">.</span>set_PrivateKey(key) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> result <span style="color:#f92672">=</span> cli<span style="color:#f92672">.</span>do_action_with_exception(request) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>domain_file<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;domains.txt&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">with</span> open(domain_file) <span style="color:#66d9ef">as</span> f: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> line <span style="color:#f92672">in</span> f: </span></span><span style="display:flex;"><span> domain <span style="color:#f92672">=</span> line<span style="color:#f92672">.</span>split()[<span style="color:#ae81ff">0</span>] </span></span><span style="display:flex;"><span> upload(domain) </span></span></code></pre></div>