This page shows how to configure Certbot with a domain that uses Cloudflare DNS. This allows us to issue wildcard certificates.
It assumes, that you’ve already set up your server and can establish an SSH connection. My server is running CentOS, so you’ll have to replace
yum with the appropriate package manager for your system, for Ubuntu this it is
If you haven’t installed Certbot go to https://certbot.eff.org/ and follow the instructions.
Cloudflare-DNS plugin for Certbot
Next, we’ll need to install the Cloudflare DNS plugin for Certbot:
First, we need the Python package manager PIP.
sudo yum install python-pip
which we can use to install the Certbot plugin
sudo pip install certbot-dns-cloudflare
Set up the credentials file
Create a new file
~/.secrets/certbot/cloudflare.ini and write your Cloudflare account credentials down as follows:
# Cloudflare API credentials used by Certbot dns_cloudflare_email = <your-email-address> dns_cloudflare_api_key = <your-api-key>
You can find your Cloudflare API key by logging into Cloudflare, and then going to My Profile. There you can copy the Global API Key.
Because these credentials can be used to perform arbitrary actions on your Cloudflare account, it is essential to set the correct access permissions. You can restrict the access to your account by running
chmod 600 ~/.secrets/certbot/cloudflare.ini. This will also remove write permission for you, so make sure to finish editing beforehand.
Issuing the certificate
If you are using Certbot / LetsEncrypt for the first time, you’ll be asked to create an account in the next step. Just follow the steps and everything should work.
To issue the certificate one command is sufficient:
sudo certbot certonly \ --dns-cloudflare \ --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \ --preferred-challenges dns-01 \ -d <cert-names>
Replace the last line with all names you want to be included in the certificate. You can separate multiple entries with
example.com, www.example.com, something.example.com
A wildcard can be used by including an
* in the name:
The active certificate will be linked into
/etc/letsencrypt/live. You can now configure your server to use the certificate.
Because LetsEncrypt certificates are valid for only 90 days, it is a good idea to schedule the certificate renewal automatically, such that there is always a valid certificate available. This can be done for example by creating a cron job:
crontab -e and then enter the following line:
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew
- LetsEncrypt: https://letsencrypt.org/
- Certbot: https://certbot.eff.org/
- Cloudflare DNS plugin: https://certbot-dns-cloudflare.readthedocs.io/en/stable/
- Test your SSL configuration: https://www.ssllabs.com/ssltest/