You've already forked certbot-ubuntu
docs: clearer README, more user-friendly
This commit is contained in:
133
README.md
133
README.md
@@ -1,128 +1,113 @@
|
||||
# Certbot for Ubuntu 24.04 Server
|
||||
# Certbot with Cloudflare DNS on Ubuntu 24.04
|
||||
[](#)
|
||||
[](#)
|
||||
[](#)
|
||||
[](./LICENSE)
|
||||
|
||||
Automated Bash installer script for deploying **Certbot** with **Cloudflare DNS challenge** support on Ubuntu 24.04.
|
||||
Automated installer for **Certbot + Cloudflare DNS challenge** on Ubuntu 24.04.
|
||||
|
||||
> **NOTE**
|
||||
> Although commonly used for web servers such as Nginx or Apache, this script works with any service that requires TLS certificates.
|
||||
This setup issues **HTTPS certificates without exposing ports 80/443**,
|
||||
making it perfect for Nginx, Gitea, DokuWiki, WordPress, mail servers — anything.
|
||||
|
||||
### Prerequisites
|
||||
A Cloudflare API key with **Zone:DNS:Edit** permission for the zone you need a certificate for. See the article [here](https://certbot-dns-cloudflare.readthedocs.io/en/stable/) for detailed information.
|
||||
Production use ready. No click-through wizard nonsense.
|
||||
|
||||
### Preparing
|
||||
Update your package index before running the installer:
|
||||
---
|
||||
|
||||
```
|
||||
sudo apt update -y
|
||||
```
|
||||
## Requirements
|
||||
|
||||
### Download the Script
|
||||
Clone the repository from your Git server:
|
||||
### You need:
|
||||
|
||||
✔ A Cloudflare API key with DNS:Edit permissions
|
||||
✔ A domain pointing to Cloudflare
|
||||
|
||||
Guide if needed:
|
||||
https://certbot-dns-cloudflare.readthedocs.io/
|
||||
|
||||
---
|
||||
|
||||
## 1. Download
|
||||
|
||||
```
|
||||
git clone https://git.x-files.dk/webserver/certbot-ubuntu.git
|
||||
```
|
||||
|
||||
```
|
||||
cd certbot-ubuntu
|
||||
```
|
||||
|
||||
### Usage
|
||||
Run the script using:
|
||||
---
|
||||
|
||||
## 2. Run the installer
|
||||
|
||||
```
|
||||
sudo ./certbotinstall [-p] <Cloudflare API Key>
|
||||
```
|
||||
|
||||
### Example
|
||||
Example:
|
||||
|
||||
```
|
||||
sudo ./certbotinstall -p 1234567890abcdef1234567
|
||||
sudo ./certbotinstall -p 1234567890abcdef123456abcd
|
||||
```
|
||||
|
||||
### Post-install
|
||||
Nothing to do.
|
||||
After installation, certbot is ready to issue certificates immediately.
|
||||
|
||||
### Examples
|
||||
---
|
||||
|
||||
## 3. Issue Certificates
|
||||
|
||||
### Standard certificate + Nginx reload
|
||||
|
||||
### Creating a new certificate with Nginx hook
|
||||
```
|
||||
sudo certbot certonly -d example.com -d www.example.com -d sub1.example.com -d sub2.example.com --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini --post-hook "service nginx reload" --non-interactive --agree-tos --email email@example.com --dns-cloudflare-propagation-seconds 30
|
||||
sudo certbot certonly -d example.com -d www.example.com --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini --post-hook "service nginx reload" --non-interactive --agree-tos --email admin@example.com --dns-cloudflare-propagation-seconds 30
|
||||
```
|
||||
|
||||
### Creating a wildcard certificate with Nginx hook
|
||||
---
|
||||
|
||||
### Wildcard (includes all subdomains)
|
||||
|
||||
```
|
||||
sudo certbot certonly -d *.example.com --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini --post-hook "service nginx reload" --non-interactive --agree-tos --email email@example.com --dns-cloudflare-propagation-seconds 30
|
||||
sudo certbot certonly -d *.example.com --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini --post-hook "service nginx reload" --non-interactive --agree-tos --email admin@example.com --dns-cloudflare-propagation-seconds 30
|
||||
```
|
||||
|
||||
### Delete a certificate
|
||||
List all certificates:
|
||||
```bash
|
||||
Wildcard = **ideal for multi-site hosting**.
|
||||
|
||||
---
|
||||
|
||||
## Certificate Management
|
||||
|
||||
### List certificates
|
||||
```
|
||||
sudo certbot certificates
|
||||
```
|
||||
|
||||
Example output:
|
||||
```
|
||||
Saving debug log to /var/log/letsencrypt/letsencrypt.log
|
||||
|
||||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||||
Found the following certs:
|
||||
Certificate Name: example.com
|
||||
Serial Number: 4fac2132bca56b1ce808116378450ed5197
|
||||
Key Type: RSA
|
||||
Domains: example.com sub1.example.com sub2.example.com sub3.example.com
|
||||
Expiry Date: 2022-05-05 08:24:14+00:00 (VALID: 89 days)
|
||||
Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
|
||||
Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
|
||||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||||
```
|
||||
|
||||
Delete `example.com`:
|
||||
### Delete certificate
|
||||
```
|
||||
sudo certbot delete --cert-name example.com
|
||||
```
|
||||
|
||||
### Adding a subdomain or domain to a certificate
|
||||
To add a subdomain, expand the current certificate with the new subdomain. This means including all the existing domains, then expanding with the new subdomain.
|
||||
---
|
||||
|
||||
## Add new subdomain to existing cert
|
||||
|
||||
Example (adding sub1.example.com):
|
||||
```
|
||||
sudo certbot certonly --expand -d example.com -d www.example.com -d sub1.example.com --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini
|
||||
sudo certbot certonly --expand -d example.com -d www.example.com -d sub1.example.com --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini
|
||||
```
|
||||
|
||||
> **NOTE**
|
||||
> Best practice is to delete the current certificate and request a new one with all domains and subdomains.
|
||||
### Best practice:
|
||||
If many domains change → reissue instead of modifying.
|
||||
|
||||
---
|
||||
|
||||
### Modify/Remove domains
|
||||
|
||||
List existing:
|
||||
|
||||
### Modify a certificate
|
||||
List all certificates:
|
||||
```
|
||||
sudo certbot certificates
|
||||
```
|
||||
|
||||
Example output:
|
||||
```
|
||||
Saving debug log to /var/log/letsencrypt/letsencrypt.log
|
||||
Reissue without `sub2.example.com`:
|
||||
|
||||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||||
Found the following certs:
|
||||
Certificate Name: example.com
|
||||
Serial Number: 4fac2132bca56b1ce808116378450ed5197
|
||||
Key Type: RSA
|
||||
Domains: example.com sub1.example.com sub2.example.com sub3.example.com
|
||||
Expiry Date: 2022-05-05 08:24:14+00:00 (VALID: 89 days)
|
||||
Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
|
||||
Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
|
||||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||||
```
|
||||
|
||||
To remove `sub2.example.com`, run:
|
||||
sudo certbot --cert-name example.com -d example.com -d sub1.example.com -d sub3.example.com
|
||||
```
|
||||
sudo certbot --cert-name example.com -d example.com -d sub1.example.com -d sub3.example.com
|
||||
```
|
||||
|
||||
This will reissue the certificate for example.com, sub1.example.com, and sub3.example.com, leaving out sub2.example.com.
|
||||
|
||||
---
|
||||
|
||||
|
||||
Reference in New Issue
Block a user