CentOS 8 Issuing LetsEncrypt certificate through CloudFlare API with Certbot

(Last Updated On: September 7, 2020)

CentOS 8 에서 CloudFlare API를 통한 LetsEncrypt 인증서 발급

1 YUM Package (EPEL Package 필요)

yum -y install certbot python3-certbot-dns-cloudflare

2 Certbot CloudFlare API 등록

mkdir -p /root/.secrets/certbot/
chmod -R 700 /root/.secrets
cat > /root/.secrets/certbot/cloudflare.ini << _EOF_
# Cloudflare API credentials used by Certbot
dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = abcdefg123456
_EOF_

chmod 600 /root/.secrets/certbot/cloudflare.ini

3 Certbot Challenge

certbot certonly \
-d kerus.net \
-d *.kerus.net \
--server https://acme-v02.api.letsencrypt.org/directory \
--dns-cloudflare --dns-cloudflare-credentials /root/.secrets/certbot/cloudflare.ini \
--preferred-challenges dns-01

4 Challenge Results

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:N

Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for kerus.net
dns-01 challenge for kerus.net
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/kerus.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/kerus.net/privkey.pem
   Your cert will expire on 2020-11-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

5 Cron (Auto update)

sudo yum install crontabs
sudo crontab -e
에디터에 한 줄 입력
0 0 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
nginx 웹 서버를 운용하는 경우
0 0 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --renew-hook "systemctl reload nginx"