!!!NOTICE: The Cloudflare DNS challenge is temporarily not working. Cloudflare added a reCAPTCHA
to its login page, and we are now looking for ways to bypass that restriction.!!!
DotNetCertBot with Cloudflare (and Freenom) DNS challenge for Freenom (.tk/.ml) domains
The app was written in response to Cloudflare's restriction on using its API to manage DNS records for .tk, .ml, .cf and other free domain names from Freenom.
Under the hood it is a regular ACME client for Let's Encrypt plus Selenium driver code. The application drives a browser, emulating a user logging in to Cloudflare: it selects the desired zone, adds the TXT record for the DNS challenge, waits until the certificate authority has validated the request, saves the certificate, and finally deletes the record from the zone again.
The ability to issue certificates for domains registered through Freenom while continuing to use Freenom's standard DNS was added as well. To use it, specify the required provider: --provider freenom
Available DNS providers for the ACME DNS challenge:
- Cloudflare - uses headless Chrome to issue certificates for free Freenom domains. Also suitable for other domains whose DNS is hosted at Cloudflare
- Freenom - suitable for issuing certificates for domains that were registered through Freenom or that use Freenom DNS
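The record the bot creates during the DNS challenge is fixed by the ACME protocol (RFC 8555, section 8.4): a TXT record named _acme-challenge.<domain> whose value is the base64url-encoded SHA-256 of "<token>.<account key thumbprint>", the thumbprint being the RFC 7638 JWK thumbprint of the ACME account key. The shell functions below are an added example, not DotNetCertBot's own code; they reproduce that computation with openssl so you can check what a client should have published (for instance, compare against "dig TXT _acme-challenge.subdomain.example.tk" while the bot is waiting for validation). The key members and the token are constructed for the example and are not a real account key or challenge; RFC 7638 section 3.1 provides a known thumbprint test vector if you want to check the thumbprint function against a real key.

```shell
#!/bin/sh
# Added example, not DotNetCertBot code: compute the DNS-01 challenge record
# an ACME client has to publish (RFC 8555 section 8.4, RFC 7638 thumbprint).
# Needs openssl on PATH; works in POSIX sh.

# SHA-256 of stdin, base64url-encoded without padding (the encoding ACME uses).
sha256_b64url() {
  openssl dgst -sha256 -binary | openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# RFC 7638 thumbprint of an RSA account key from its JWK "e" and "n" members.
# Required members only, sorted lexicographically, no whitespace: that exact
# serialisation is what gets hashed, so any extra byte changes the result.
acme_thumbprint_rsa() {
  printf '{"e":"%s","kty":"RSA","n":"%s"}' "$1" "$2" | sha256_b64url
}

# Owner name of the TXT record for the domain the certificate is requested for.
acme_dns01_name() {
  printf '_acme-challenge.%s' "$1"
}

# TXT record value: base64url(SHA-256(token "." thumbprint)).
acme_dns01_txt() {
  printf '%s.%s' "$1" "$2" | sha256_b64url
}

# Constructed sample input (not a real key and not a real challenge token).
SAMPLE_E="AQAB"
SAMPLE_N="sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1WlUzewbgBHod5AcdtZ9T5AS5tqkHSCg"
SAMPLE_TOKEN="constructed-token-for-this-example"

thumb=$(acme_thumbprint_rsa "$SAMPLE_E" "$SAMPLE_N")
name=$(acme_dns01_name subdomain.example.tk)
value=$(acme_dns01_txt "$SAMPLE_TOKEN" "$thumb")
echo "$name TXT \"$value\""
```

The value is always 43 characters (32 hash bytes, base64url without padding); a record of any other length or one that still contains "=" or "+" was encoded wrongly and the CA will reject the challenge.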
Argument | Description |
---|---|
-e | Required. Email address of the Cloudflare account (also used for the Let's Encrypt account) |
-p | Required. Password of the Cloudflare account |
-z | Required. Zone name in Cloudflare (the main domain name) |
-d | Required. Domain name the certificate is issued for (a subdomain of the zone) |
--provider | (Default: cloudflare) DNS provider through which the DNS record for ACME validation is added. Providers: cloudflare, freenom |
-h | (Default: true) Run the Selenium driver in headless mode |
-o | (Default: app directory) Directory where the generated certificates are saved |
--noop | (Default: None) No-op mode: starts the app half-functional or in test mode, for testing scripts or schedules. No-op modes: full, acme, none |
To issue a certificate from a shell (not in a container), Chrome version 87.xx must be installed on the machine; the prepared builds for Windows and Linux already include the matching chromedriver. With Chrome installed and the app downloaded, the following command issues a certificate automatically. Note that the Cloudflare password is passed as a command-line argument, so it is recorded in the shell history and is visible to other local users in the process list while the app runs.
Windows:
DotNetCertBot.Host.exe -e example@gmail.com -p VerySecretCloudflarePass -z example.tk -d subdomain.example.tk
Linux:
./DotNetCertBot.Host -e example@gmail.com -p VerySecretCloudflarePass -z example.tk -d subdomain.example.tk
When the certificate has been issued successfully, two files appear in the DotNetCertBot.Host app folder (or in the directory given with -o):
- subdomain.example.tk.pem - full chain certificate file
- subdomain.example.tk.key - private key
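Before copying the two files to a web server it is worth checking them. The script below is an added example using only openssl, not part of DotNetCertBot: it verifies that the private key belongs to the leaf certificate in the full chain, that the certificate names the requested domain, and that it has not expired, then restricts the permissions of the key file. The function name and its arguments (certificate path, key path, domain) are this example's own; the file names in the usage comment are the ones from the listing above.

```shell
#!/bin/sh
# Added example, not DotNetCertBot code: sanity-check the issued certificate and
# key before deploying them. Needs openssl on PATH; works in POSIX sh.
#
#   verify_issued_cert <fullchain.pem> <private.key> <domain>
#
# Returns 0 when the key matches the leaf certificate, the certificate covers
# <domain> (SAN dNSName, falling back to CN) and it has not expired; otherwise
# prints the reason and returns 1.
verify_issued_cert() {
  pem="$1"; key="$2"; domain="$3"

  # 1. Public key from the first (leaf) certificate in the chain must equal the
  #    public key derived from the private key, or TLS handshakes will fail.
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) \
    || { echo "cannot parse certificate: $pem"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "cannot parse private key: $key"; return 1; }
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not belong to $pem"; return 1; }

  # 2. The certificate must be issued for the requested name. Let's Encrypt
  #    puts it in subjectAltName; CN is accepted as a fallback for other CAs.
  escaped=$(printf '%s' "$domain" | sed 's/\./\\./g')
  if ! openssl x509 -in "$pem" -noout -text | grep -Eq "DNS:$escaped(,|\$)"; then
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253)
    case "$subject" in
      *"CN=$domain"*) ;;
      *) echo "certificate is not issued for $domain"; return 1 ;;
    esac
  fi

  # 3. Reject a certificate that has already expired (checkend 0 means "now").
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired"; return 1; }

  # 4. The key is the secret half; nobody else on the host should read it.
  chmod 600 "$key"
  echo "ok: $key matches $pem, valid for $domain"
}

# Usage with the file names from the listing above:
#   verify_issued_cert subdomain.example.tk.pem subdomain.example.tk.key subdomain.example.tk
```

Run it from the directory the bot wrote to (or the directory mounted into the container); a non-zero exit means the files should not be deployed.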
To issue a certificate in a container, mount the directory where the certificates should appear.
Because Chrome runs inside the container, the host must have at least 200 MB of free RAM.
To start the container and issue a certificate, run the following command:
docker run -v /tmp/certbot:/certbot/certs \
--rm \
-it \
eluki/freenom-cloudflare-certbot \
-e example@gmail.com \
-p VerySecretCloudflarePass \
-z example.tk \
-d subdomain.example.tk \
-o certs
Two build scripts are prepared; after running one of them, the compiled application with all its dependencies, including chromedriver, appears in the published folder. Scripts:
- Build-linux.sh - builds the application for linux-x64
- Build-winx86.bat - builds the application for win-x86
To build the container image instead:
docker build -t certbot .