- Create a Cloudflare API Token with read access to Zone.Zone and edit/write access to Zone.DNS, across all zones.
- Grab your Cloudflare Account ID from the right-hand column of the main dashboard page of any of your Cloudflare domains.
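# Cloudflare DNS API credentials for acme.sh's dns_cf hook (token needs
# Zone.Zone read + Zone.DNS edit on all zones, see above).
# acme.sh saves CF_Token / CF_Account_ID into its account.conf on first use so
# renewals can reuse them — keep /root/.acme.sh root-only.  If you type these
# exports interactively, be aware they land in the shell history.
export CF_DNSAPI_GLOBAL='y'
export CF_Token="YOUR_CF_TOKEN"
export CF_Account_ID="YOUR_CF_ACCOUNT_ID"

# For a wildcard cert do not list subdomains: give only the apex / top-level
# domain, e.g. domain.com (the "*.domain.com" SAN below already covers www and
# every other single-label host).  Change the domain variable as appropriate.
domain=domain.com
ssl_dir="/usr/local/nginx/conf/ssl-wildcards/${domain}"
mkdir -p -- "$ssl_dir"

# Update acme.sh itself before issuing (acmetool.sh prompts for confirmation).
echo y | /usr/local/src/centminmod/addons/acmetool.sh acmeupdate

# --force: (re)issue even if the cert is not due yet; --days 60: renewal interval;
# -k 2048: RSA key length.  --log-level 2 is verbose — keep the debug log
# root-only and review it before sharing.
/root/.acme.sh/acme.sh --issue --force --dns dns_cf --days 60 \
  -d "$domain" -d "*.$domain" -k 2048 \
  --useragent centminmod-centos-acmesh-cf-dns \
  --log "/root/centminlogs/acmetool.sh-debug-log-${domain}-wildcard.log" --log-level 2

# --certpath and --capath point at the same file on purpose: acme.sh appends
# the CA chain to that file when the two paths match, so the .cer holds
# leaf + chain.  --fullchainpath is written to a file named .key but it
# contains certificates (it is what ssl_trusted_certificate points at).
/root/.acme.sh/acme.sh --installcert -d "$domain" -d "*.$domain" \
  --certpath "${ssl_dir}/${domain}-acme.cer" \
  --keypath "${ssl_dir}/${domain}-acme.key" \
  --capath "${ssl_dir}/${domain}-acme.cer" \
  --reloadCmd /usr/bin/ngxreload \
  --fullchainpath "${ssl_dir}/${domain}-fullchain-acme.key"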
The Let's Encrypt wildcard SSL certificate will be installed under /usr/local/nginx/conf/ssl-wildcards/$domain, where:
- private key = /usr/local/nginx/conf/ssl-wildcards/domain.com/domain.com-acme.key
- certificate = /usr/local/nginx/conf/ssl-wildcards/domain.com/domain.com-acme.cer
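# Install the issued wildcard cert into the nginx ssl-wildcards directory and
# reload nginx.  Requires $domain to be set (see the issue step above).
# --certpath and --capath share one file: acme.sh appends the CA chain to it,
# so the .cer holds leaf + chain; --fullchainpath is a certificate file despite
# its .key suffix.
ssl_dir="/usr/local/nginx/conf/ssl-wildcards/${domain}"
/root/.acme.sh/acme.sh --installcert -d "$domain" -d "*.$domain" \
  --certpath "${ssl_dir}/${domain}-acme.cer" \
  --keypath "${ssl_dir}/${domain}-acme.key" \
  --capath "${ssl_dir}/${domain}-acme.cer" \
  --reloadCmd /usr/bin/ngxreload \
  --fullchainpath "${ssl_dir}/${domain}-fullchain-acme.key"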
[Sun Dec 29 01:47:20 UTC 2019] Installing cert to:/usr/local/nginx/conf/ssl-wildcards/domain.com/domain.com-acme.cer
[Sun Dec 29 01:47:20 UTC 2019] Installing CA to:/usr/local/nginx/conf/ssl-wildcards/domain.com/domain.com-acme.cer
[Sun Dec 29 01:47:20 UTC 2019] Installing key to:/usr/local/nginx/conf/ssl-wildcards/domain.com/domain.com-acme.key
[Sun Dec 29 01:47:20 UTC 2019] Installing full chain to:/usr/local/nginx/conf/ssl-wildcards/domain.com/domain.com-fullchain-acme.key
[Sun Dec 29 01:47:20 UTC 2019] Run reload cmd: /usr/bin/ngxreload
Reloading nginx configuration (via systemctl): [ OK ]
[Sun Dec 29 01:47:20 UTC 2019] Reload success
# nginx directives for the wildcard cert installed above.
# The .cer holds the leaf certificate followed by the CA chain (acme.sh
# --certpath and --capath were both pointed at this file).
ssl_certificate /usr/local/nginx/conf/ssl-wildcards/domain.com/domain.com-acme.cer;
ssl_certificate_key /usr/local/nginx/conf/ssl-wildcards/domain.com/domain.com-acme.key;
# Full chain written by --fullchainpath (a certificate file despite the .key
# name); nginx uses it to verify OCSP responses when stapling is enabled.
ssl_trusted_certificate /usr/local/nginx/conf/ssl-wildcards/domain.com/domain.com-fullchain-acme.key;
You can verify the domain's configuration in the acme.sh config file at /root/.acme.sh/domain.com/domain.com.conf:
# acme.sh per-domain config (/root/.acme.sh/domain.com/domain.com.conf) as
# written by the --issue / --installcert commands above.  Comments are on
# their own lines because acme.sh parses the values by prefix.
Le_Domain='domain.com'
# wildcard SAN from the second -d
Le_Alt='*.domain.com'
# validation method: the Cloudflare DNS API hook (--dns dns_cf), not a webroot
Le_Webroot='dns_cf'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''
# RSA key length from -k 2048
Le_Keylength='2048'
# ACME v2 order / certificate URLs for this particular issuance
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/74727453/1878731810'
Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/74727453/1878731810'
Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/04cc8d158514c951423ddae9d021778c616a'
Le_CertCreateTime='1577583985'
Le_CertCreateTimeStr='Sun Dec 29 01:46:25 UTC 2019'
# renewal interval from --days 60; next renewal = create time + 60 days
Le_RenewalDays='60'
Le_NextRenewTimeStr='Thu Feb 27 01:46:25 UTC 2020'
Le_NextRenewTime='1582681585'
# install targets from --installcert; cert and CA path are the same file
Le_RealCertPath='/usr/local/nginx/conf/ssl-wildcards/domain.com/domain.com-acme.cer'
Le_RealCACertPath='/usr/local/nginx/conf/ssl-wildcards/domain.com/domain.com-acme.cer'
Le_RealKeyPath='/usr/local/nginx/conf/ssl-wildcards/domain.com/domain.com-acme.key'
# --reloadCmd stored base64-encoded by acme.sh; decodes to /usr/bin/ngxreload
Le_ReloadCmd='__ACME_BASE64__START_L3Vzci9iaW4vbmd4cmVsb2Fk__ACME_BASE64__END_'
Le_RealFullChainPath='/usr/local/nginx/conf/ssl-wildcards/domain.com/domain.com-fullchain-acme.key'
Inspect the installed certificate using openssl:
# Print the installed wildcard certificate in human-readable form
# (subject, SANs, validity, issuer, chain entries).
cert_file=/usr/local/nginx/conf/ssl-wildcards/domain.com/domain.com-acme.cer
openssl x509 -in "$cert_file" -noout -text
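domain=domain.com
# Unregister the domain from acme.sh's renewal list.  acme.sh --remove does not
# delete /root/.acme.sh/${domain}/ or the files installed under ssl-wildcards —
# remove those by hand once the certificate is retired.  This cert was issued
# as RSA (-k 2048); for an ECC cert the --ecc flag would be needed as well.
/root/.acme.sh/acme.sh --remove -d "$domain"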
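vhostname=xxx.centminmod.com
# Derive the zone apex of vhostname from the AUTHORITY section of a plain dig
# lookup (first owner name after the section header, trailing dot stripped).
# Prints nothing when the resolver omits the AUTHORITY section; the dig soa
# variant below does not depend on that section being present.
dig "$vhostname" | grep -A1 'AUTHORITY SECTION' | grep -v 'AUTHORITY SECTION' | awk '{print $1}' | sed -e 's|\.$||'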
centminmod.com
or
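vhostname_dns=xxx.centminmod.com
# CHECKIDN is 0 when the hostname is an IDN: idn converts it to punycode, and
# a leading "xn--" label means non-ASCII characters were present.
CHECKIDN=$(printf '%s\n' "$vhostname_dns" | idn | grep -q '^xn--' 2>/dev/null; echo $?)
# Zone apex for vhostname_dns: owner name of the SOA record the resolver
# returns (ANSWER when the name is itself a zone apex, otherwise the
# AUTHORITY SOA of the enclosing zone), comment lines and trailing dot removed.
TOPLEVELCHECK=$(dig soa @8.8.8.8 "$vhostname_dns" | grep -v '^;' | grep SOA | awk '{print $1}' | sed 's/\.$//')
if [[ "$CHECKIDN" = '0' ]]; then
  # IDN input: pass the apex through idn as well (to-ASCII form).
  TOPLEVELCHECK=$(printf '%s\n' "$TOPLEVELCHECK" | idn)
fi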
from acmetool.sh
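# Write the per-vhost nginx cert include once; an existing file is left
# untouched.  ssl_dir is the only place the certificate directory is named —
# a wildcard setup would point it at /usr/local/nginx/conf/ssl-wildcards/${vhostname}.
ssl_dir="/usr/local/nginx/conf/ssl/${vhostname}"
if [[ ! -f "${ssl_dir}/${vhostname}.crt.key.conf" ]]; then
  cat > "${ssl_dir}/${vhostname}.crt.key.conf" <<EVT
ssl_dhparam ${ssl_dir}/dhparam.pem;
ssl_certificate ${ssl_dir}/${vhostname}.crt;
ssl_certificate_key ${ssl_dir}/${vhostname}.key;
#ssl_trusted_certificate ${ssl_dir}/${vhostname}-trusted.crt;
EVT
fi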
and
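# Overwrite the per-vhost nginx cert include for an acme.sh-issued dual
# RSA + ECC setup: nginx accepts one ssl_certificate/ssl_certificate_key pair
# per key type, and ssl_trusted_certificate points at the combined
# RSA+ECC chain file.  ssl_dir is the only place the certificate directory is
# named — a wildcard setup would use /usr/local/nginx/conf/ssl-wildcards/${vhostname}.
ssl_dir="/usr/local/nginx/conf/ssl/${vhostname}"
cat > "${ssl_dir}/${vhostname}.crt.key.conf" <<EOF
ssl_dhparam ${ssl_dir}/dhparam.pem;
ssl_certificate ${ssl_dir}/${vhostname}-acme.cer;
ssl_certificate_key ${ssl_dir}/${vhostname}-acme.key;
ssl_certificate ${ssl_dir}/${vhostname}-acme-ecc.cer;
ssl_certificate_key ${ssl_dir}/${vhostname}-acme-ecc.key;
#ssl_trusted_certificate ${ssl_dir}/${vhostname}-acme.cer;
#ssl_trusted_certificate ${ssl_dir}/${vhostname}-acme-ecc.cer;
ssl_trusted_certificate ${ssl_dir}/${vhostname}-dualcert-rsa-ecc.cer;
EOF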
Modify it to detect SSL wildcard domain setups: when the wildcard option is enabled, change the references from
/usr/local/nginx/conf/ssl/${vhostname}
to
/usr/local/nginx/conf/ssl-wildcards/${vhostname}