HA

Renewing Let's Encrypt certificates automatically with certbot while Cloudflare DNS Proxy is enabled


The short answer is that it cannot be done directly, but Cloudflare offers an API that can switch DNS Proxy on and off, and certbot offers renewal hooks.

So the renewal can be done in three steps: disable DNS Proxy first, renew the certificate, then re-enable DNS Proxy once the renewal has finished.

Getting the Cloudflare DNS record IDs

# The zone ID is shown at the bottom right of the site's overview page in Cloudflare,
# next to a shortcut for creating an API token.
# The response is JSON; find the IDs of the A record and the CNAME record in it.
# https://developers.cloudflare.com/api/operations/dns-records-for-a-zone-list-dns-records
curl -sS -X GET "https://api.cloudflare.com/client/v4/zones/[zone ID]/dns_records" \
     -H "Authorization: Bearer [API token]" \
     -H "Content-Type:application/json"

Disabling DNS Proxy

Write the following script to /etc/letsencrypt/renewal-hooks/pre/pre.sh

#!/bin/bash
# Pre hook: turn DNS Proxy off on the A and CNAME records before certbot validates.
# With set -e and --fail, a failed API call makes the hook fail, so certbot aborts
# the renewal instead of attempting validation while the proxy is still on.
set -e
# https://developers.cloudflare.com/api/operations/dns-records-for-a-zone-patch-dns-record
curl -sS --fail --request PATCH \
  --url https://api.cloudflare.com/client/v4/zones/[zone ID]/dns_records/[A record ID] \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer [API token]" \
  --data '{
  "content": "112.112.113.114",
  "name": "example.com",
  "proxied": false,
  "type": "A",
  "comment": "",
  "tags": [],
  "ttl": 3600
}'
curl -sS --fail --request PATCH \
  --url https://api.cloudflare.com/client/v4/zones/[zone ID]/dns_records/[CNAME record ID] \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer [API token]" \
  --data '{
  "content": "example.com",
  "name": "www",
  "proxied": false,
  "type": "CNAME",
  "comment": "",
  "tags": [],
  "ttl": 3600
}'
# Wait five and a half minutes to make sure the DNS Proxy change has taken effect
sleep 330

Re-enabling DNS Proxy

Write the following script to /etc/letsencrypt/renewal-hooks/post/post.sh

#!/bin/bash
# Post hook: turn DNS Proxy back on for the same two records once certbot is done.
set -e
# https://developers.cloudflare.com/api/operations/dns-records-for-a-zone-patch-dns-record
curl -sS --fail --request PATCH \
  --url https://api.cloudflare.com/client/v4/zones/[zone ID]/dns_records/[A record ID] \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer [API token]" \
  --data '{
  "content": "112.112.113.114",
  "name": "example.com",
  "proxied": true,
  "type": "A",
  "comment": "",
  "tags": [],
  "ttl": 3600
}'
curl -sS --fail --request PATCH \
  --url https://api.cloudflare.com/client/v4/zones/[zone ID]/dns_records/[CNAME record ID] \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer [API token]" \
  --data '{
  "content": "example.com",
  "name": "www",
  "proxied": true,
  "type": "CNAME",
  "comment": "",
  "tags": [],
  "ttl": 3600
}'

Testing

certbot renew --dry-run
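The two hook scripts above hardcode the record IDs and embed the API token in the scripts themselves. The following added example (not the post's own script, and not code from Cloudflare or certbot) implements the same pre/post toggle as one Python program: it looks the A and CNAME records up by name, reads the token from a root-only file rather than from the script, sends the same PATCH body as the post, verifies that the API reply actually reports the requested `proxied` state, skips records already in that state so a repeated run is harmless, and fails loudly when a record name is not found, so a typo aborts the renewal instead of silently validating through the proxy. `ZONE_ID`, the names in `RECORDS`, `TOKEN_FILE` and the `fake_zone` data are placeholders and constructed values, not anything from the post; the token used should be scoped to DNS edit on this one zone only.

```python
#!/usr/bin/env python3
"""Toggle Cloudflare's DNS Proxy (the "orange cloud") for a set of records.

Added example; not the post's script and not Cloudflare's or certbot's code.
Call it with "off" from the certbot pre hook and with "on" from the post hook.
ZONE_ID, RECORDS and TOKEN_FILE are placeholders to fill in.
"""
import json
import os
import sys
import time
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"
ZONE_ID = "ZONE_ID_PLACEHOLDER"                   # the zone ID from the site overview page
RECORDS = ["example.com", "www.example.com"]      # constructed names: the A and CNAME records
TOKEN_FILE = "/etc/letsencrypt/cloudflare-token"  # assumed path; root-owned, mode 0600
PROPAGATION_WAIT = 330                            # seconds, the same wait as the post's pre hook
# The record fields the post sends in its PATCH body, copied from the listed record.
PATCH_FIELDS = ("content", "name", "type", "ttl", "comment", "tags")


def read_token(path=TOKEN_FILE):
    """Read the API token from a file instead of embedding it in the hook script."""
    if os.stat(path).st_mode & 0o077:
        raise PermissionError(f"{path} must not be readable by group or others")
    with open(path) as fh:
        return fh.read().strip()


def http_json(method, url, token, body=None):
    """Real transport: one HTTPS request to the Cloudflare API, parsed as JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def patch_body(record, proxied):
    """Build the PATCH body from the record's current fields, changing only `proxied`."""
    body = {key: record[key] for key in PATCH_FIELDS if key in record}
    body["proxied"] = proxied
    return body


def set_proxied(zone_id, token, names, proxied, transport=http_json):
    """Set `proxied` on every A/CNAME record named in `names`; return the changed IDs.

    Records already in the requested state are skipped, so re-running is harmless.
    A name that is not found raises, which fails the hook and aborts the renewal.
    """
    wanted = set(names)
    listing = transport("GET", f"{CF_API}/zones/{zone_id}/dns_records", token)
    if not listing.get("success"):
        raise RuntimeError(f"listing records failed: {listing.get('errors')}")
    changed, found = [], set()
    for rec in listing["result"]:
        if rec["type"] not in ("A", "CNAME") or rec["name"] not in wanted:
            continue
        found.add(rec["name"])
        if rec.get("proxied") == proxied:
            continue
        url = f"{CF_API}/zones/{zone_id}/dns_records/{rec['id']}"
        reply = transport("PATCH", url, token, patch_body(rec, proxied))
        # Trust the reply, not the request: the record must now report the new state.
        if not reply.get("success") or reply["result"].get("proxied") != proxied:
            raise RuntimeError(f"patching {rec['name']} failed: {reply.get('errors')}")
        changed.append(rec["id"])
    if wanted - found:
        raise RuntimeError(f"records not found in zone: {sorted(wanted - found)}")
    return changed


def fake_zone():
    """Constructed in-memory stand-in for the API so the logic can run offline."""
    zone = {
        "a1": {"id": "a1", "type": "A", "name": "example.com", "content": "112.112.113.114",
               "ttl": 3600, "proxied": True, "comment": "", "tags": []},
        "c1": {"id": "c1", "type": "CNAME", "name": "www.example.com", "content": "example.com",
               "ttl": 3600, "proxied": True},
        "m1": {"id": "m1", "type": "MX", "name": "example.com", "content": "mail.example.com",
               "ttl": 3600, "proxied": False},
    }

    def transport(method, url, token, body=None):
        rec_id = url.rsplit("/", 1)[-1]
        if method == "GET":
            return {"success": True, "result": list(zone.values())}
        if method == "PATCH" and rec_id in zone:
            zone[rec_id].update(body)
            return {"success": True, "result": zone[rec_id]}
        return {"success": False, "errors": [{"message": "record not found"}]}
    return zone, transport


def main(argv):
    mode = argv[1] if len(argv) > 1 else ""
    if mode not in ("on", "off"):
        sys.exit("usage: cf-proxy.py on|off")
    changed = set_proxied(ZONE_ID, read_token(), RECORDS, proxied=(mode == "on"))
    print(f"proxy {mode}: changed {len(changed)} record(s)")
    if mode == "off" and changed:
        time.sleep(PROPAGATION_WAIT)  # let the proxy change take effect, as the post does


if __name__ == "__main__":
    main(sys.argv)
```

To wire it in, place a short executable wrapper in /etc/letsencrypt/renewal-hooks/pre/ that runs the script with `off` and one in /etc/letsencrypt/renewal-hooks/post/ that runs it with `on`; certbot only runs files in those directories that are executable. One failure mode worth planning for: if certbot is killed between the pre and post hooks, the proxy stays off until the next renewal. Because `on` is idempotent, running it from a daily timer as a safety net costs nothing when the records are already proxied.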
