note/tech/自动获取域名证书及DNS设置.md
2025-11-19 10:16:05 +08:00


# Automatically obtaining a domain certificate, and the DNS setup
> How to get a free SSL certificate and renew it automatically via Cloudflare DNS
## Method One:
1. Get a domain.
1. You can register one at godaddy.com, [name.com](http://name.com) or any other registrar EXCEPT a Chinese one. I used to recommend name.com; now I prefer registering directly at [cloudflare.com](https://www.cloudflare.com) and turning on auto-renewal where it matters. Never register with a mainland-Chinese registrar, and if you already hold a domain there, transfer it out.
2. Point your domain's nameservers (NS) at Cloudflare and get a DNS API credential:
1. Change the nameservers: at your registrar delete the old nameservers and enter the two that Cloudflare assigns to your account, for example [coby.ns.cloudflare.com](http://coby.ns.cloudflare.com/) and [mira.ns.cloudflare.com](http://mira.ns.cloudflare.com/). The pair is per account and may change, so copy it from the Cloudflare dashboard rather than from here.
2. Get the API key: in your Cloudflare account profile choose the GLOBAL API Key; it is a hex string like cc729fd0aebf3f59a0102a037558aa07f1d52. You also need your Cloudflare account e-mail address. Be aware that the Global API Key gives full control of the entire account to whoever can read ~/.acme.sh/account.conf; acme.sh's dns_cf hook also accepts a scoped API token (CF_Token with CF_Account_ID, optionally CF_Zone_ID) restricted to editing DNS on the one zone, which is the safer option for a server that only needs to answer DNS-01 challenges.
3. Install acme.sh.
1. Install it with this command. If you are behind the Great Firewall the download may be very slow or fail; that you have to solve yourself. Since this pipes a script from the network straight into `sh`, you can download it first and read it before running it:
```shell
curl https://get.acme.sh | sh -s email=your@mail.com
```
2. acme.sh is installed in your home directory: ~/.acme.sh/
3. Create an alias so you can call it directly later. The installer normally adds one to ~/.bashrc; if not, add it yourself (no spaces around the `=`):
```bash
alias acme.sh=~/.acme.sh/acme.sh
```
4. Edit the account config ~/.acme.sh/account.conf and add the Cloudflare key and e-mail you obtained above:
```bash
SAVED_CF_Key='your cloudflare global key'
SAVED_CF_Email='your@mail.com'
```
5. For other providers such as DNSPod, use that provider's variables instead (the names are in the acme.sh dnsapi documentation). The file is sourced as shell, so there must be no spaces around `=`:
```bash
DP_Id='123455'   # your DNSPod ID
DP_Key='your key like eabd83adxxxx'
```
4. Issue the certificate for your domain.
1. DNS-01 validation only needs acme.sh to be able to create TXT records in the zone, but make sure the A (or AAAA) records for the hostnames are already set in Cloudflare so the site works once the certificate is installed.
2. Let acme.sh take control of the domain (Cloudflare):
```bash
~/.acme.sh/acme.sh --issue --dns dns_cf -d yourdomain.com -d www.yourdomain.com
```
3. For other providers such as DNSPod:
```bash
~/.acme.sh/acme.sh --issue --dns dns_dp -d yourdomain.com -d www.yourdomain.com
```
* With that, the certificate itself is done. Check `crontab -l` to see whether the acme.sh renewal job is present.
5. Auto renewal.
1. Normally the installer adds the renewal job to crontab automatically.
2. Run `crontab -l`; you should find a line like this (the path is your real home directory):
```bash
52 0 * * * "/yourname/.acme.sh"/acme.sh --cron --home "/yourname/.acme.sh" > /dev/null
```
3. If it is missing, install the cron job with:
```bash
~/.acme.sh/acme.sh --install-cronjob
```
6. Copy the certificate and key to the files your service actually uses. Never point nginx straight at the files under ~/.acme.sh: acme.sh rewrites that directory on renewal and its layout is internal to the tool. Use --install-cert, which copies the files and records a reload command that acme.sh runs after every renewal:
```bash
~/.acme.sh/acme.sh --install-cert -d example.com \
--key-file /path/to/keyfile/in/nginx/key.pem \
--fullchain-file /path/to/fullchain/nginx/cert.pem \
--reloadcmd "systemctl reload nginx"
```
With nginx, use the full chain (--fullchain-file) as the certificate.
7. Check the config file in the domain directory.
* Inside ~/.acme.sh a directory named after the domain is created for each certificate, and each one contains a conf file, also named after the domain, e.g.:
```ini
yourdomain.com/yourdomain.com.conf
```
The file looks like this:
```ini
Le_Domain='www.yourdomain.com'
Le_Alt='no'
Le_Webroot='dns_cf'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''
Le_API='https://acme.zerossl.com/v2/DV90'
Le_Keylength=''
Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/OeqVf5QtIVRk32MefKS05qA/finalize'
Le_LinkOrder='https://acme.zerossl.com/v2/DV90/order/OeqVf5QtIVRk32MefKS05qA'
Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/tLbbP1kzrwv--IyPDT9zjQ'
Le_CertCreateTime='1626686754'
Le_CertCreateTimeStr='Mon Jul 19 09:25:54 UTC 2021'
Le_NextRenewTimeStr='Fri Sep 17 09:25:54 UTC 2021'
Le_NextRenewTime='1631784354'
Le_RealCertPath=''
Le_RealCACertPath=''
Le_RealKeyPath='/your/real/key/path/www.yourdomain.com.key'
Le_ReloadCmd='__ACME_BASE64__START_c3lzdGVtY3RsIHJlbG9hZCBuZ2lueA==__ACME_BASE64__END_'
Le_RealFullChainPath='/your/real/fullchain/path/www.yourdomain.com.crt'
```
That's all; from here on acme.sh renews the certificate by itself. The fields worth knowing: Le_NextRenewTime is the epoch time after which the cron job will attempt renewal, Le_Real*Path are the targets you gave --install-cert, and Le_ReloadCmd is the reload command, stored base64-encoded between the __ACME_BASE64__START_ and __ACME_BASE64__END_ markers (this one decodes to `systemctl reload nginx`). The rest I won't explain.
8. Set up the nginx config.
* In nginx the SSL part is mainly pointing at the certificate files installed in step 6: the full chain as the certificate and the key as the key.
```nginx
ssl_certificate /your/real/fullchain/path/www.yourdomain.com.crt;
ssl_certificate_key /your/real/key/path/www.yourdomain.com.key;
ssl_protocols TLSv1.2 TLSv1.3;
```
Whenever you change the paths or files, test the config and restart nginx: `nginx -t && systemctl restart nginx`. (For the certificate swap at renewal time a `systemctl reload nginx`, as given to --reloadcmd above, is enough.)
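As an added check on the result of steps 2, 5, 6 and 7 (example code written for this note, not part of acme.sh), the following script reads the per-domain conf from step 7, decodes the base64-wrapped Le_ReloadCmd, reports how long until the cron job from step 5 will renew, flags an account.conf that still holds a Global API Key instead of a scoped token, and checks that the key file installed in step 6 is not group- or world-readable. It assumes GNU coreutils (`base64 -d`, `stat -c`); the sample conf, account.conf and key file it writes are constructed with fake values, not real acme.sh output.

```shell
#!/bin/sh
# acme_audit.sh: post-install checks for the acme.sh + Cloudflare DNS setup above.
# Added example, not part of acme.sh or of this note. Assumes GNU coreutils
# (base64 -d, stat -c) and the Le_* / SAVED_* file layouts shown in the steps.

# Read one Le_* value from a per-domain conf (~/.acme.sh/<domain>/<domain>.conf).
# Anchoring on "='" keeps Le_NextRenewTime from matching Le_NextRenewTimeStr.
acme_conf_get() {
  sed -n "s/^$2='\(.*\)'\$/\1/p" "$1"
}

# Decode Le_ReloadCmd: acme.sh stores it base64-encoded between
# __ACME_BASE64__START_ and __ACME_BASE64__END_; older entries may be plain text.
acme_decode_reloadcmd() {
  v=$(acme_conf_get "$1" Le_ReloadCmd)
  case $v in
    __ACME_BASE64__START_*__ACME_BASE64__END_)
      v=${v#__ACME_BASE64__START_}
      v=${v%__ACME_BASE64__END_}
      printf '%s' "$v" | base64 -d ;;
    *) printf '%s' "$v" ;;
  esac
}

# Whole days until "acme.sh --cron" will next try to renew. $2 is "now" in epoch
# seconds (defaults to the current time); pass it explicitly for reproducible output.
acme_days_until_renew() {
  next=$(acme_conf_get "$1" Le_NextRenewTime)
  now=${2:-$(date +%s)}
  echo $(( (${next:-0} - $now) / 86400 ))
}

# Which Cloudflare credential account.conf holds. A Global API Key (SAVED_CF_Key)
# is full-account access; a scoped token (SAVED_CF_Token) limited to DNS edits on
# the one zone is all a renewal host needs.
acme_cf_credential_kind() {
  if grep -q "^SAVED_CF_Token='" "$1"; then echo token
  elif grep -q "^SAVED_CF_Key='" "$1"; then echo global-key
  else echo none
  fi
}

# The private key nginx reads must not be group- or world-readable.
acme_key_perms() {
  mode=$(stat -c '%a' "$1")
  case $mode in
    600|400) echo ok ;;
    *) echo "weak:$mode" ;;
  esac
}

# Run every check for one domain; prints findings, returns 1 if anything needs fixing.
acme_audit() {
  conf=$1; account=$2; rc=0
  key=$(acme_conf_get "$conf" Le_RealKeyPath)
  echo "domain:   $(acme_conf_get "$conf" Le_Domain)"
  echo "reload:   $(acme_decode_reloadcmd "$conf")"
  echo "renew in: $(acme_days_until_renew "$conf") day(s)"
  cred=$(acme_cf_credential_kind "$account")
  echo "cf cred:  $cred"
  if [ "$cred" != token ]; then
    echo "  -> no scoped CF_Token in $account; use one instead of the Global API Key"; rc=1
  fi
  if [ -f "$key" ]; then
    perms=$(acme_key_perms "$key")
    echo "key file: $key ($perms)"
    if [ "$perms" != ok ]; then echo "  -> chmod 600 $key"; rc=1; fi
  else
    echo "key file: $key (missing; was --install-cert run?)"; rc=1
  fi
  return $rc
}

# Writes a CONSTRUCTED sample (same layout as the real files, fake values) into $1,
# deliberately with a Global API Key and a world-readable key, so the audit has
# something to flag. Real input is ~/.acme.sh/<domain>/<domain>.conf and account.conf.
acme_sample_setup() {
  cat > "$1/example.com.conf" <<EOF
Le_Domain='example.com'
Le_Alt='www.example.com'
Le_Webroot='dns_cf'
Le_NextRenewTimeStr='2022-09-13T16:56:30Z'
Le_NextRenewTime='1663001790'
Le_RealKeyPath='$1/example.com.key'
Le_ReloadCmd='__ACME_BASE64__START_c3lzdGVtY3RsIHJlbG9hZCBuZ2lueA==__ACME_BASE64__END_'
Le_RealFullChainPath='$1/example.com.crt'
EOF
  cat > "$1/account.conf" <<EOF
SAVED_CF_Key='0123456789abcdef0123456789abcdef01234'
SAVED_CF_Email='admin@example.com'
EOF
  : > "$1/example.com.key"; chmod 644 "$1/example.com.key"
}

# Demo on the constructed sample (uncomment to run; with real files call acme_audit directly):
# tmp=$(mktemp -d); acme_sample_setup "$tmp"; acme_audit "$tmp/example.com.conf" "$tmp/account.conf"
```

Source the file and run `acme_audit ~/.acme.sh/yourdomain.com/yourdomain.com.conf ~/.acme.sh/account.conf` after step 8; a non-zero exit means either the credential is still the Global API Key or the installed key file is readable by other users.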
---
## My configuration
1. BandwagonHost server:
account.conf
```ini
LOG_FILE='/root/.acme.sh/acme.sh.log'
#LOG_LEVEL=1
AUTO_UPGRADE='1'
#NO_TIMESTAMP=1
UPGRADE_HASH='0013d98d045aa57c6a541ec97dd55722d76b319e'
USER_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin'
SAVED_CF_Key='cc729fd0febf3f59a0102a047558aa07f1d51'
SAVED_CF_Email='maxwellxzy@gmail.com'
```
i.disbaidu.com.conf
```ini
Le_Domain='i.disbaidu.com'
Le_Alt='no'
Le_Webroot='dns_cf'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''
Le_API='https://acme.zerossl.com/v2/DV90'
Le_Keylength='2048'
Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/_nt_mu_uXXi1CH6a334enw/finalize'
Le_LinkOrder='https://acme.zerossl.com/v2/DV90/order/_nt_mu_uXXi1CH6a334enw'
Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/BQEhssHOMGSEiFQOD_NT1g'
Le_CertCreateTime='1657904190'
Le_CertCreateTimeStr='2022-07-15T16:56:30Z'
Le_NextRenewTimeStr='2022-09-13T16:56:30Z'
Le_NextRenewTime='1663001790'
Le_RealCertPath=''
Le_RealCACertPath=''
Le_RealKeyPath='/data/i.disbaidu.com.key'
Le_ReloadCmd='__ACME_BASE64__START_c3lzdGVtY3RsIHJlbG9hZCBuZ2lueA==__ACME_BASE64__END_'
Le_RealFullChainPath='/data/i.disbaidu.com.crt'
```
3. South Africa server: