Cloudflare hook bash for dehydrated - DNS-01 Challenge Let's Encrypt
If you like this project, or use it, please, star it!
Cloudflare Bash hook for dehydrated.
For Docker usage, see the wiki.

If you cannot solve the HTTP-01 challenge, you need to solve the DNS-01 challenge. Details here.

Using the Cloudflare API (available on the free plan too), this script verifies your domain by adding a record containing the challenge token to your DNS zone. When Let's Encrypt's validation finishes, that record is deleted.
Depends on `jq`: `sudo apt install -y jq`

You only need dehydrated with this hook (or run the Docker image, see below). You will find the certificates in the folder of dehydrated.
`cfhookbash` has some prerequisites:

- Clone this repository:

  ```
  cd ~
  git clone https://github.com/sineverba/cfhookbash.git
  ```

- A `domains.txt` in the folder of dehydrated, with the domains of each certificate on one line:

  ```
  example.com www.example.com
  home.example.net *.home.example.net
  [...]
  ```

- Inside `cfhookbash`, copy `config.default.sh` to `config.sh` and fill in `config.sh`. To get the values:

Value | Where to find | Deprecated? |
---|---|---|
Zone ID | Main page domain > Right Column > API section | N |
API Token | Account > My Profile > API Tokens > Create Token > API token templates > "Edit zone DNS" | N |
Global API Key | Account > My Profile > API Tokens > API Keys > Global API Key | Y, from 4.1.0 |
You can choose between using an API token and using your global API key. Creating a token is preferred, since tokens can be restricted to just the permission to edit DNS records in chosen zones (the `DNS:Edit` permission).

If you use an API token, put it in `api_token`. If you instead use your global API key, fill in `global_api_key` and `email`.

The global API key is deprecated and will be removed in a future version.
Make a first run with `CA="https://acme-staging-v02.api.letsencrypt.org/directory"` placed in a `config` file in the root directory of dehydrated:

```
./dehydrated -c -t dns-01 -k '${PATH_WHERE_YOU_CLONED_CFHOOKBASH}/cfhookbash/hook.sh'
```

You will find the certificates inside `~/dehydrated/certs/[your.domain.name]`.
If you are using dehydrated with a config file, you can speed up the requests for certificates with multiple (sub)domains by setting `HOOK_CHAIN="yes"`.
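The following is an added, standalone hook sketch, not the project's `hook.sh`, showing in code what the sections above describe: the TXT record is created through the Cloudflare API v4 when dehydrated calls `deploy_challenge` and removed again in `clean_challenge`; the scoped `api_token` is preferred over `global_api_key` plus `email`; and the argument loop handles both the normal one-domain call and the multi-domain call dehydrated makes under `HOOK_CHAIN="yes"`. The `zone_id` variable name, the `CF_API` and `CFHOOK_CONFIG` overrides, the 120-second TTL and the 10-second propagation sleep are assumptions of this example, not values taken from the project.

```shell
#!/usr/bin/env bash
# Added example: a minimal DNS-01 hook for dehydrated against the Cloudflare API v4.
# Not the project's hook.sh. Assumptions: config.sh defines zone_id plus either
# api_token (preferred) or global_api_key and email; curl and jq are installed.
set -e

CF_API="${CF_API:-https://api.cloudflare.com/client/v4}"
config="${CFHOOK_CONFIG:-$(dirname "$0")/config.sh}"
[ -r "$config" ] && . "$config"

# Prefer the scoped API token; fall back to the (deprecated) global key + email.
cf_auth_headers() {
  if [ -n "${api_token:-}" ]; then
    printf 'Authorization: Bearer %s\n' "$api_token"
  elif [ -n "${global_api_key:-}" ] && [ -n "${email:-}" ]; then
    printf 'X-Auth-Email: %s\nX-Auth-Key: %s\n' "$email" "$global_api_key"
  else
    echo "cfhookbash: set api_token (or global_api_key and email) in config.sh" >&2
    return 1
  fi
}

# ACME validates _acme-challenge.<domain>; dehydrated already strips a leading "*.".
acme_record_name() { printf '_acme-challenge.%s' "$1"; }

# JSON body for the TXT record; ACME tokens are base64url, so no escaping is needed.
txt_record_payload() {
  printf '{"type":"TXT","name":"%s","content":"%s","ttl":120}' "$1" "$2"
}

# Call $CF_API/zones/$zone_id/<path>. Auth headers go through a curl config file
# so the secret never shows up on the process command line (e.g. in `ps`).
cf_api() {
  method="$1"; path="$2"; body="${3:-}"
  cfg=$(mktemp)
  cf_auth_headers | sed 's/^/header = "/; s/$/"/' > "$cfg"
  rc=0
  curl -sS -X "$method" -K "$cfg" -H 'Content-Type: application/json' \
    ${body:+--data "$body"} "$CF_API/zones/$zone_id/$path" || rc=$?
  rm -f "$cfg"
  return $rc
}

# dehydrated passes DOMAIN TOKEN_FILENAME TOKEN_VALUE; with HOOK_CHAIN="yes" it
# passes one such triple per (sub)domain in a single call, hence the loop.
deploy_challenge() {
  while [ "$#" -ge 3 ]; do
    name=$(acme_record_name "$1")
    cf_api POST dns_records "$(txt_record_payload "$name" "$3")" \
      | jq -e '.success' >/dev/null   # fail the run if Cloudflare rejected it
    shift 3
  done
  sleep 10  # let the record propagate before the CA queries it
}

# Remove only the TXT records carrying this run's tokens, nothing else in the zone.
clean_challenge() {
  while [ "$#" -ge 3 ]; do
    name=$(acme_record_name "$1")
    cf_api GET "dns_records?type=TXT&name=$name&content=$3" \
      | jq -r '.result[].id' \
      | while read -r id; do cf_api DELETE "dns_records/$id" >/dev/null; done
    shift 3
  done
}

# dehydrated invokes: hook.sh <handler> <args...>; other handlers are no-ops here.
if [ "$#" -gt 0 ]; then
  handler="$1"; shift
  case "$handler" in
    deploy_challenge|clean_challenge) "$handler" "$@" ;;
  esac
fi
```

The record lookup in `clean_challenge` filters on type, name and the exact token, so a zone that already holds other TXT records at `_acme-challenge.<domain>` (for example from a second ACME client) is left untouched.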
In `hook.sh` you will find a call to another file, `deploy.sh`. There you can write the operations to execute AFTER every successful challenge. A stub file, `deploy.config.sh`, is provided. Usage:

```
cp deploy.config.sh deploy.sh && rm deploy.config.sh && nano deploy.sh
```

Remember that some actions require sudo privileges (starting and stopping the webserver, for example). It is best to run as root and, when running from a cronjob, to specify full paths.
The following crontab entry runs every Monday at 4 AM and writes a log in the home folder:

```
$ sudo crontab -e
0 4 * * 1 cd /home/<USER>/dehydrated && /home/<USER>/dehydrated/dehydrated -c -t dns-01 -k '/home/<USER>/cfhookbash/hook.sh' >> /home/<USER>/cfhookbash-`date +\%Y-\%m-\%d-\%H-\%M-\%S`.log 2>&1
```

To update the hook:

```
git checkout master && git pull
```
Error | Solution |
---|---|
Could not route to /zones/dns_records, perhaps your object identifier is invalid? No route for that URI | Check your Zone ID value. There probably is something wrong. |
`/home/YOUR_USER/cfhookbash/hook.sh: line XX: jq: command not found` | Install jq (`sudo apt install jq`) and try again |
{"code": 1001, "error": "method_not_allowed"} | Update this script by running git pull |
Everyone is welcome to contribute! See `CONTRIBUTING.md`.
Inspired by