cfhookbash: Cloudflare Bash hook for dehydrated. This is a hook for the Let's Encrypt ACME client dehydrated that completes the DNS-01 challenge through the Cloudflare DNS API.
You have all (or some) of these problems:
- Your domain registrar doesn't have, or won't give you, an API for writing new DNS records automatically (needed for the DNS-01 challenge of Let's Encrypt)
- Your ISP blocks ports 80/443
- You cannot open one or both ports (e.g. several routers serve their management page on port 80 only)
- Let's Encrypt's HTTP-01 challenge needs port 80 reachable from the Internet (and the TLS-based challenges need 443), so with the ports closed you cannot issue or renew a certificate
You only need to:
- Register on Cloudflare
- Move your DNS to Cloudflare (follow their guide). At the time of writing this works on the free plan too!
- Run `dehydrated` with this hook.
Finished! That's all.
This bash hook will:
- Contact Let's Encrypt for the DNS-01 challenge (no forwarded port needed any more)
- Get the TXT record that has to be written into DNS
- Call the Cloudflare API and write the record
- Wait for the Let's Encrypt answer
- Create / renew the certificates
You will have the certificates in the dehydrated folder.
In simple words: you can complete the DNS challenge (dns-01).
Everyone is welcome to contribute!
Create a `config` file in the same folder as `./dehydrated` and point it at the staging CA, so you don't hit the Let's Encrypt rate limits while testing.
Warning! Use this ONLY during development, not in production! Staging certificates are signed by an untrusted test CA.
```
CA="https://acme-staging.api.letsencrypt.org/directory"
```
Note: this is the ACME v1 staging endpoint from when this README was written. Let's Encrypt has since retired ACME v1, and current dehydrated versions default to ACME v2, whose staging directory is https://acme-staging-v02.api.letsencrypt.org/directory.
Requirements:
- cURL
- An active account on Cloudflare (tested with a free account)
Installation:
```bash
cd ~
git clone https://github.com/lukas2511/dehydrated
cd dehydrated
mkdir hooks
cd hooks
git clone https://github.com/sineverba/cfhookbash.git
cd ..
```
Or, in one line:
```bash
cd ~ && git clone https://github.com/lukas2511/dehydrated && cd dehydrated && mkdir hooks && cd hooks && git clone https://github.com/sineverba/cfhookbash.git && cd ..
```
- Create a file `domains.txt` in the dehydrated folder
- Put inside a list (one per line) of the domains you want to secure:
```
www.example.com
home.example.net
...
```
- Move into the `cfhookbash` folder
- Copy `config.default.sh` to `config.sh`:
```bash
cd ~/dehydrated/hooks/cfhookbash
cp config.default.sh config.sh && rm config.default.sh && nano config.sh
```
(Removing the stub is optional: `config.default.sh` is tracked by git, so deleting it shows up as a local change on every update. The hook reads `config.sh`.)
We need to edit `config.sh`. To get the value for zones, log in to your Cloudflare account and open the "DNS" section of your domain. Click the API link and you will get some examples. Zones is the long string that appears in place of THIS_IS_ZONES:
```
POST https://api.cloudflare.com/client/v4/zones/THIS_IS_ZONES/dns_records
```
`global_api_key` is found under your account settings. Keep in mind that the Global API Key gives full control over every zone in your account, equivalent to your account password: make `config.sh` readable only by the user running dehydrated (`chmod 600 config.sh`) and never commit it.
```bash
cd ~/dehydrated
./dehydrated --register --accept-terms
./dehydrated -c -t dns-01 -k 'hooks/cfhookbash/hook.sh'
```
You will find the certificates inside `~/dehydrated/certs/www.example.com` (of course with your own domain name).
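As an added example (not the project's own `hook.sh`), here is a minimal dehydrated DNS-01 hook in bash that does what the list above describes: it receives the challenge from dehydrated, publishes the TXT record through the Cloudflare v4 API, waits until a public resolver sees it, and removes it afterwards. The configuration variable names (`CF_ZONE_ID`, `CF_EMAIL`, `CF_API_KEY`, `CF_DRY_RUN`) are this example's own assumptions, not those of cfhookbash's `config.sh`; `CF_DRY_RUN=1` prints the requests instead of sending them, so you can see the exact API calls before using real credentials.

```shell
#!/usr/bin/env bash
# Minimal dehydrated DNS-01 hook for the Cloudflare v4 API.
# Added example: not cfhookbash's own hook.sh. Variable names below are assumptions of this example.
#
# dehydrated calls the hook as:
#   hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   hook.sh clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE
# plus other actions (deploy_cert, unchanged_cert, exit_hook, ...) that this example ignores.
#
# Assumed environment:
#   CF_ZONE_ID  the zone id (the THIS_IS_ZONES string from the Cloudflare DNS page)
#   CF_EMAIL    Cloudflare login e-mail
#   CF_API_KEY  Global API Key (full account access: keep it out of world-readable files)
#   CF_DRY_RUN  set to 1 to print the requests instead of sending them
set -eu

CF_API="https://api.cloudflare.com/client/v4"

# Let's Encrypt looks up _acme-challenge.<domain> for the DNS-01 TXT record.
challenge_name() { printf '_acme-challenge.%s' "$1"; }

# JSON body for POST /zones/{zone}/dns_records. A short TTL limits how long a stale token lingers.
cf_body() {
  printf '{"type":"TXT","name":"%s","content":"%s","ttl":120}' "$(challenge_name "$1")" "$2"
}

# Authenticated API call: $1 = method, $2 = path below /client/v4, $3 = optional JSON body.
cf_api() {
  if [ "${CF_DRY_RUN:-0}" = 1 ]; then
    printf 'DRY %s %s%s %s\n' "$1" "$CF_API" "$2" "${3:-}"
    return 0
  fi
  curl -sS -X "$1" "$CF_API$2" \
    -H "X-Auth-Email: $CF_EMAIL" -H "X-Auth-Key: $CF_API_KEY" \
    -H "Content-Type: application/json" ${3:+--data} ${3:+"$3"}
}

# Poll a public resolver until the TXT record is visible, so Let's Encrypt does not
# validate against a resolver that has not seen the record yet.
wait_for_txt() {
  if [ "${CF_DRY_RUN:-0}" = 1 ]; then return 0; fi
  i=0
  while [ "$i" -lt 30 ]; do
    if dig +short TXT "$1" @1.1.1.1 | grep -qF "\"$2\""; then return 0; fi
    i=$((i + 1)); sleep 5
  done
  echo "TXT record $1 not visible after 150s" >&2
  return 1
}

deploy_challenge() {
  # $1 = domain, $2 = token filename (unused for DNS-01), $3 = token value to publish
  cf_api POST "/zones/$CF_ZONE_ID/dns_records" "$(cf_body "$1" "$3")"
  wait_for_txt "$(challenge_name "$1")" "$3"
}

clean_challenge() {
  name="$(challenge_name "$1")"
  if [ "${CF_DRY_RUN:-0}" = 1 ]; then
    printf 'DRY would delete TXT %s from zone %s\n' "$name" "$CF_ZONE_ID"
    return 0
  fi
  # Find the record id(s) for this name, then delete each one (needs jq).
  cf_api GET "/zones/$CF_ZONE_ID/dns_records?type=TXT&name=$name" | jq -r '.result[].id' |
    while read -r id; do cf_api DELETE "/zones/$CF_ZONE_ID/dns_records/$id" >/dev/null; done
}

# Dispatch on the action dehydrated passes; unknown actions are ignored.
case "${1:-}" in
  deploy_challenge) deploy_challenge "$2" "$3" "$4" ;;
  clean_challenge)  clean_challenge  "$2" "$3" "$4" ;;
  *) ;;
esac
```

To try it without touching DNS, run `CF_ZONE_ID=zone123 CF_DRY_RUN=1 ./hook.sh deploy_challenge www.example.com www.example.com.tok TOKEN` and compare the printed request with the `POST .../zones/THIS_IS_ZONES/dns_records` example from the Cloudflare API page. After a real run, `openssl x509 -in ~/dehydrated/certs/www.example.com/cert.pem -noout -subject -dates` shows which name was issued and when it expires; with the staging CA from the `config` step the issuer will be a test CA, which is how you confirm you have not used a production rate-limit slot by mistake.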
In `hook.sh` you can find a call to another file (`deploy.sh`). Here you can write different operations to execute AFTER every successful challenge. There is a stub file, `deploy.config.sh`.
Usage:
```bash
cp deploy.config.sh deploy.sh && rm deploy.config.sh && nano deploy.sh
```
Remember that some actions require root privileges (starting and stopping the web server, for example).
The simplest option is to run dehydrated as root from the dehydrated folder in your user's home. Be aware that root is then executing `hook.sh` and `deploy.sh` out of a directory your unprivileged user can write to, so anyone who compromises that user also gets root. If that matters to you, keep the checkout owned by root, or run dehydrated as the unprivileged user and grant it sudo only for the exact reload command in `deploy.sh`.
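As an added example of the "some actions require root" point above (not the project's `deploy.config.sh` stub), here is a `deploy.sh` that installs the private key and chain with tight permissions and reloads the web server through a single sudo rule, instead of running all of dehydrated as root. The argument layout (`$1` domain, `$2` dehydrated's `certs/<domain>` directory, `$3` install directory), the `RELOAD_CMD` variable and the sudoers line are this example's assumptions; the real stub's interface may differ.

```shell
#!/bin/sh
# Example deploy.sh for the step cfhookbash runs after a successful challenge.
# Added example: not the project's deploy.config.sh stub. Argument layout and RELOAD_CMD are assumptions.
#   $1 = domain, $2 = dehydrated's certs/<domain> directory, $3 = directory to install into
# Reloading the web server is the only step that needs root, so instead of running everything as
# root the unprivileged user gets sudo for that one command. Assumed /etc/sudoers.d/dehydrated line:
#   youruser ALL=(root) NOPASSWD: /bin/systemctl reload nginx
set -eu

RELOAD_CMD="${RELOAD_CMD:-sudo -n systemctl reload nginx}"

# Copy a file into place with a fixed mode: write a temp file in the target directory first and
# rename it, so readers never see a half-written key or a key that is momentarily world-readable.
install_file() {
  tmp="$(mktemp "$2.XXXXXX")"
  cat "$1" > "$tmp"
  chmod "$3" "$tmp"
  mv -f "$tmp" "$2"
}

# Refuse to deploy a private key that does not belong to the certificate (works for RSA and EC keys).
key_matches_cert() {
  [ "$(openssl x509 -pubkey -noout -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

deploy_cert() {
  domain="$1"; certdir="$2"; target="$3"
  for f in privkey.pem fullchain.pem; do
    if [ ! -s "$certdir/$f" ]; then echo "missing $certdir/$f" >&2; return 1; fi
  done
  if ! key_matches_cert "$certdir/fullchain.pem" "$certdir/privkey.pem"; then
    echo "private key does not match certificate for $domain" >&2; return 1
  fi
  mkdir -p "$target"
  install_file "$certdir/privkey.pem"   "$target/$domain.key" 0600
  install_file "$certdir/fullchain.pem" "$target/$domain.crt" 0644
  $RELOAD_CMD
}

# Called from hook.sh with three arguments; with none (e.g. when sourced) nothing happens.
if [ "$#" -eq 3 ]; then deploy_cert "$1" "$2" "$3"; fi
```

Run it as `RELOAD_CMD=true ./deploy.sh www.example.com ~/dehydrated/certs/www.example.com /tmp/ssl-test` first to check the file layout and permissions without reloading anything; the mismatch check fails closed, so a wrong `certs` directory never replaces a working key.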
To run as a cron job, specify full paths:
```bash
sudo crontab -e
```
```
0 4 * * 1 cd /home/YOUR_USER/dehydrated && /home/YOUR_USER/dehydrated/dehydrated -c -t dns-01 -k '/home/YOUR_USER/dehydrated/hooks/cfhookbash/hook.sh' >> /home/YOUR_USER/cfhookbash.log 2>&1
```
This executes every Monday at 4 AM and appends a log in your home directory (the `2>&1` captures error output as well, so a failed renewal shows up in the log instead of being lost).
To update the hook:
- Move to the folder where the script resides (typically `~/dehydrated/hooks/cfhookbash`)
- Type
```bash
git checkout master && git pull
```
- YasharF
- Ramblurr
Inspired by