Quick and Easy process of getting letsencrypt wildcard domain certificate with cloudflare as dns provider

-


Login to any of your server ( this method does not requires to run commands from a working apache or nginx web server hence you can even run these commands from your workstation line client machine)

Create a cloudflare credentials file
need your email id and api key of cloudflare login

you can get cloudflare api key from login into cloudflare account and nevigating to myprofile -> api tokens -> api keys -> global api key -> view

# vim .cloudflarecredentials.ini

paste content as bellow

# Cloudflare API credentials used by Certbot
dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567

use your mail id and api key in above file

save and make it secure

# chmod 400 .cloudflarecredentials.ini

Now install required package

# yum -y install python2-certbot-dns-cloudflare

Now run bellow command

# certbot certonly --dns-cloudflare --dns-cloudflare-credentials .cloudflarecredentials.ini -d *.mydomain.com

replace *.mydomain.com  with *. your domain

Now accept policy etc from certbot and it will automatically validate ddomain and generate certificate and key file for you.

certificate file    :  /etc/letsencrypt/live/mydomain.com/fullchain.pem;
keyfile             :  /etc/letsencrypt/live/mydomain.com/privkey.pem;

you can use this certificates now in nginx or apache. example bellow is config snippet for nginx

ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;

Now for automatic renewal setup a cron as bellow

0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew

Done!

Comments

Post a Comment

Popular posts from this blog

Running web ssh client on port 443 /80 with nginx as reverse proxy

-
Package used         : shellinabox , nginx Repository used        : epel-release Linux distro used    : Centos 7.6 nginx reverse proxy server ip : 192.168.1.65 shellinabox web ssh server ip : 192.168.1.111 login to web ssh server first install epel-repo # yum install epel-release -y install shellinabox package # yum -y install shellinabox start and enable shellinaboxd service # systemctl enable shellinaboxd && systemctl start shellinaboxd By default shellinaboxd service starts with ssl port 4200 for us to run this in a reverse proxy environment need to make this as insecure hence the encryption will be done by nginx to end user. edit file /etc/sysconfig/shellinabox  like bellow- USER=shellinabox GROUP=shellinabox CERTDIR=/var/lib/shellinabox PORT=4200 OPTS="--disable-ssl-menu -s /:LOGIN" OPTS="-t -s /:SSH:192.168.1.111" save file exit and restart service # systemctl restart shellinaboxd Now open firewall for listening port 4200 from nginx proxy server only #
Read more

Running cockpit behind nginx reverse proxy with nginx ssl and cockpit non ssl

-
Domain for web access to cockpit : cockpit.mylab.local cockpit server ip : 192.168.1.61 nginx server ip   : 192.168.1.65 Linux distro using is Centos 7.6 Login to cockpit server Create a file [root@repo ~]# vim /etc/cockpit/cockpit.conf content will be like [WebService] Origins = https://cockpit.mylab.local wss://cockpit.mylab.local ProtocolHeader = X-Forwarded-Proto AllowUnencrypted = true save and restart cockpit # systemctl restart cockpit now  login to your nginx webserver and install nginx # yum install nginx -y create a new file vim /etc/nginx/conf.d/cockpit.conf paste content as bellow server {     listen         80;     listen         443 ssl http2;     server_name    cockpit.mylab.local;     ssl_certificate /etc/ssl/certs/cockpit-selfsigned.crt;     ssl_certificate_key  /etc/ssl/private/cockpit-selfsigned.key;     location / {         proxy_pass http://192.168.1.61:9090;         proxy_set_header Host $host;         proxy_http_version 1.1;
Read more

Setup VOD streaming server with nginx using RTMP on Ubuntu 18.04

-
Install required packages for source code nginx build # apt-get install -y build-essential ca-certificates wget curl libpcre3 libpcre3-dev autoconf unzip automake libtool tar git libssl-dev zlib1g-dev uuid-dev lsb-release vim htop sysstat ufw fail2ban makepasswd libgd-dev libgeoip-dev -y create a directory # mkdir /usr/local/src/nginx/ # cd /usr/local/src/nginx/ download and extract nginx tar # wget -qO- http://nginx.org/download/nginx-1.14.2.tar.gz | tar zxf - clone nginx rtmp module # git clone https://github.com/arut/nginx-rtmp-module Download other modules - PCRE version 8.42 # wget https://ftp.pcre.org/pub/pcre/pcre-8.42.tar.gz && tar xzvf pcre-8.42.tar.gz - zlib version 1.2.11 # wget https://www.zlib.net/zlib-1.2.11.tar.gz && tar xzvf zlib-1.2.11.tar.gz - OpenSSL version 1.1.0h # wget https://www.openssl.org/source/openssl-1.1.0h.tar.gz && tar xzvf openssl-1.1.0h.tar.gz # cd nginx-1.14.2/ configure  nginx with modules and options # ./configure --add-modu
Read more