diff --git a/README.md b/README.md index f15ab3a..b38d066 100644 --- a/README.md +++ b/README.md 
@@ -1,128 +1,113 @@ -# Certbot for Ubuntu 24.04 Server +# Certbot with Cloudflare DNS on Ubuntu 24.04 [![OS](https://img.shields.io/badge/ubuntu-24.04-E95420)](#) [![Shell](https://img.shields.io/badge/shell-bash-121011)](#) [![Certbot](https://img.shields.io/badge/certbot-cloudflare_dns-2AABEE)](#) [![License](https://img.shields.io/badge/License-MIT-green)](./LICENSE) -Automated Bash installer script for deploying **Certbot** with **Cloudflare DNS challenge** support on Ubuntu 24.04. +Automated installer for **Certbot + Cloudflare DNS challenge** on Ubuntu 24.04. -> **NOTE** -> Although commonly used for web servers such as Nginx or Apache, this script works with any service that requires TLS certificates. +This setup issues **HTTPS certificates without exposing ports 80/443**, +making it perfect for Nginx, Gitea, DokuWiki, WordPress, mail servers — anything. -### Prerequisites -A Cloudflare API key with **Zone:DNS:Edit** permission for the zone you need a certificate for. See the article [here](https://certbot-dns-cloudflare.readthedocs.io/en/stable/) for detailed information. +Production use ready. No click-through wizard nonsense. -### Preparing -Update your package index before running the installer: +--- -``` -sudo apt update -y -``` +## Requirements -### Download the Script -Clone the repository from your Git server: +### You need: + +✔ A Cloudflare API key with DNS:Edit permissions +✔ A domain pointing to Cloudflare + +Guide if needed: +https://certbot-dns-cloudflare.readthedocs.io/ + +--- + +## 1. Download ``` git clone https://git.x-files.dk/webserver/certbot-ubuntu.git -``` - -``` cd certbot-ubuntu ``` -### Usage -Run the script using: +--- + +## 2. Run the installer ``` sudo ./certbotinstall [-p] ``` -### Example +Example: + ``` -sudo ./certbotinstall -p 1234567890abcdef1234567 +sudo ./certbotinstall -p 1234567890abcdef123456abcd ``` -### Post-install -Nothing to do. +After installation, certbot is ready to issue certificates immediately. 
-### Examples +--- + +## 3. Issue Certificates + +### Standard certificate + Nginx reload -### Creating a new certificate with Nginx hook ``` -sudo certbot certonly -d example.com -d www.example.com -d sub1.example.com -d sub2.example.com --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini --post-hook "service nginx reload" --non-interactive --agree-tos --email email@example.com --dns-cloudflare-propagation-seconds 30 +sudo certbot certonly -d example.com -d www.example.com --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini --post-hook "service nginx reload" --non-interactive --agree-tos --email admin@example.com --dns-cloudflare-propagation-seconds 30 ``` -### Creating a wildcard certificate with Nginx hook +--- + +### Wildcard (includes all subdomains) + ``` -sudo certbot certonly -d *.example.com --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini --post-hook "service nginx reload" --non-interactive --agree-tos --email email@example.com --dns-cloudflare-propagation-seconds 30 +sudo certbot certonly -d *.example.com --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini --post-hook "service nginx reload" --non-interactive --agree-tos --email admin@example.com --dns-cloudflare-propagation-seconds 30 ``` -### Delete a certificate -List all certificates: -```bash +Wildcard = **ideal for multi-site hosting**. 
+ +--- + +## Certificate Management + +### List certificates +``` sudo certbot certificates ``` -Example output: -``` -Saving debug log to /var/log/letsencrypt/letsencrypt.log - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Found the following certs: - Certificate Name: example.com - Serial Number: 4fac2132bca56b1ce808116378450ed5197 - Key Type: RSA - Domains: example.com sub1.example.com sub2.example.com sub3.example.com - Expiry Date: 2022-05-05 08:24:14+00:00 (VALID: 89 days) - Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem - Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -Delete `example.com`: +### Delete certificate ``` sudo certbot delete --cert-name example.com ``` -### Adding a subdomain or domain to a certificate -To add a subdomain, expand the current certificate with the new subdomain. This means including all the existing domains, then expanding with the new subdomain. +--- + +## Add new subdomain to existing cert -Example (adding sub1.example.com): ``` -sudo certbot certonly --expand -d example.com -d www.example.com -d sub1.example.com --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini +sudo certbot certonly --expand -d example.com -d www.example.com -d sub1.example.com --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini ``` -> **NOTE** -> Best practice is to delete the current certificate and request a new one with all domains and subdomains. +### Best practice: +If many domains change → reissue instead of modifying. 
+ +--- + +### Modify/Remove domains + +List existing: -### Modify a certificate -List all certificates: ``` sudo certbot certificates ``` -Example output: -``` -Saving debug log to /var/log/letsencrypt/letsencrypt.log +Reissue without `sub2.example.com`: -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Found the following certs: - Certificate Name: example.com - Serial Number: 4fac2132bca56b1ce808116378450ed5197 - Key Type: RSA - Domains: example.com sub1.example.com sub2.example.com sub3.example.com - Expiry Date: 2022-05-05 08:24:14+00:00 (VALID: 89 days) - Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem - Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ``` - -To remove `sub2.example.com`, run: +sudo certbot --cert-name example.com -d example.com -d sub1.example.com -d sub3.example.com ``` -sudo certbot --cert-name example.com -d example.com -d sub1.example.com -d sub3.example.com -``` - -This will reissue the certificate for example.com, sub1.example.com, and sub3.example.com, leaving out sub2.example.com. ---
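Review bot: the new "Modify/Remove domains" section ends up with broken fencing: after "Reissue without `sub2.example.com`:" the hunk keeps the old closing "```" from the deleted example-output block and then the old opening "```", so the rendered README shows an empty code block, the `sudo certbot --cert-name ...` command as plain prose, and an unclosed fence at the end of the file. Drop one of the two consecutive "```" lines so the command sits inside a single fenced block. Two smaller points in the same hunk: the reissue command `sudo certbot --cert-name example.com -d example.com -d sub1.example.com -d sub3.example.com` is the only example without `certonly` and without `--dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini`; with no subcommand certbot defaults to `run`, which also tries to install the certificate, so align it with the other examples (the same applies to the `--expand` command, which lacks `--non-interactive --agree-tos --email`). And the requirements text was loosened from "Zone:DNS:Edit permission for the zone you need a certificate for" to "DNS:Edit permissions"; keep the explicit zone-scoped wording, since a token limited to the one zone is the least privilege the DNS challenge needs, and since the example passes the token via `-p` on the command line (where it lands in shell history and process listings), say what the script does when `[-p]` is omitted.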